12 Jan 2021, 10:55 p.m.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 12, 2021 8:08 PM, Karl <gmkarl@gmail.com> wrote:
`pip3 install python-gnupg` this installs a fork on github with a high version number that hasn't been updated for 3 years.
this fork has a fix for a severe vulnerability related to subprocess execution. (e.g. original sources vulnerable to arbitrary code execution.)

i prefer this fork, which also includes the subprocess fixes:

    git clone https://github.com/isislovecruft/python-gnupg.git
    cd python-gnupg
    make install
    make test

note that an alternative approach is to use the GPGME library, ala pygpgme: https://bazaar.launchpad.net/~jamesh/pygpgme/trunk/files

best regards,