Hi,

On Thu, 15 Oct 2015 at 21:56, Daniel Kahn Gillmor wrote:
> On Wed 2015-10-14 05:14:11 -0400, Klaus Ethgen wrote:
> > Package: pinentry-gtk2
> > Version: 0.9.6-2
> >
> > In newest version, pinentry is displaying password when typing. (It is
> > displaying the last letter but an observer can easily read the password.)
>
> i'm not seeing this behavior at all. I'm using pinentry-gtk2 0.9.6-2,
> and libgtk2.0-0 2.24.28-1, just like you are. The password entry field
> i see is just dots, no characters.
>
> Could you try to reproduce it simply and help me to reproduce it?
>
> To start with, can you reproduce it from the command line, by invoking
> "pinentry-gtk-2" directly, and then after it says "OK Pleased to meet
> you", type "GETPIN" and hit enter.
>
> Does the prompting still show the text for you?

Yes, it does.

> > Please revert that recent change back to the secure way of just
> > displaying dots.
>
> I'm unaware of such a change, please help me track it down! :)
>
> the main recent change is that pinentry now relies on the underlying
> toolkit's password-entry widget. is it possible that you have some
> unusual settings for your gtk.Entry widgets in general when they're in
> password mode?
>
> can you try it from a new/clean user account on your machine? can you
> try it from another machine with the same version installed?

Yes, the same. I created a completely fresh user and saw the same
result. And I have the same on all of my machines that run Debian sid.
(I have no desktop not running sid but the problem just occurred
recently.)

And I heard from others that they also experienced that problem.

Maybe that gtk.Entry stuff is not secure to use. I am not aware what
exactly the recent change did.

Regards
   Klaus
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <kl...@ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C