python-gnupg community fragmentation
coderman
coderman at protonmail.com
Tue Jan 12 14:55:43 PST 2021
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 12, 2021 8:08 PM, Karl <gmkarl at gmail.com> wrote:
> `pip3 install python-gnupg`
> this installs a fork on github with a high version number that hasn't
> been updated for 3 years.

this fork has a fix for a severe vulnerability related to subprocess execution. (e.g. original sources vulnerable to arbitrary code execution.)

i prefer this fork, which also includes the subprocess fixes:

    git clone https://github.com/isislovecruft/python-gnupg.git
    cd python-gnupg
    make install
    make test

note that an alternative approach is to use the GPGME library, a la pygpgme: https://bazaar.launchpad.net/~jamesh/pygpgme/trunk/files

best regards,