hey folks--

#493874 (gnome-keyring doesn't ask for confirmation with ssh keys), in
combination with #516230 (gnome-keyring daemon acts as ssh-agent even
when instructed not to), causes a potentially serious security problem.

In particular, people who use ssh-agent regularly and expect to receive
confirmation before use of their keys are at risk.  Since the default
Debian desktop installs GNOME, and GNOME installs gnome-keyring, those
users are at serious risk of having their keys available for
non-confirmed use.

If gnome-keyring is unable to honor a constraint requested by a user, it
should *not* import the key in the first place and fail hard, as opposed
to importing it and ignoring the requested constraint.

        --dkg
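
The fail-hard behaviour requested in the message above, as an added example (not part of the original message and not gnome-keyring's code). The constraint and reply numbers are those of the ssh-agent protocol; `handle_add_constrained`, `keystore` and `supported` are hypothetical names, and the key blob and constraint bytes are constructed.

```python
import struct

# ssh-agent protocol numbers
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENT_CONSTRAIN_LIFETIME = 1  # followed by a uint32 number of seconds
SSH_AGENT_CONSTRAIN_CONFIRM = 2   # no payload; this is what `ssh-add -c` requests


class UnsupportedConstraint(ValueError):
    """Raised for a constraint type this parser does not know."""


def parse_constraints(buf):
    """Parse the constraint bytes that trail the key in an add-constrained request."""
    wanted, i = {}, 0
    while i < len(buf):
        ctype = buf[i]
        i += 1
        if ctype == SSH_AGENT_CONSTRAIN_LIFETIME:
            if len(buf) - i < 4:
                raise ValueError("truncated lifetime constraint")
            wanted["lifetime"] = struct.unpack(">I", buf[i:i + 4])[0]
            i += 4
        elif ctype == SSH_AGENT_CONSTRAIN_CONFIRM:
            wanted["confirm"] = True
        else:
            raise UnsupportedConstraint(f"unknown constraint type {ctype}")
    return wanted


def handle_add_constrained(keystore, key_blob, constraint_bytes, supported):
    """Hypothetical agent handler: store the key only if every requested
    constraint can be enforced; otherwise refuse and store nothing."""
    try:
        wanted = parse_constraints(constraint_bytes)
    except ValueError:
        return SSH_AGENT_FAILURE
    if not set(wanted) <= set(supported):
        # The agent cannot enforce something the user asked for: fail hard
        # instead of importing the key without the constraint.
        return SSH_AGENT_FAILURE
    keystore[key_blob] = wanted
    return SSH_AGENT_SUCCESS


if __name__ == "__main__":
    store = {}
    # Constructed request: confirm-before-use sent to an agent without confirm support.
    print(handle_add_constrained(store, b"constructed-key", b"\x02", {"lifetime"}), store)
```

With a failure reply the client learns that the key was not loaded, so the user is not left believing a confirmation prompt protects a key that the agent will use silently.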
