python-gnupg community fragmentation

Karl gmkarl at gmail.com
Tue Jan 12 16:09:40 PST 2021


i'm trying to reply to this email and i keep closing the window while trying.
the fork you referenced is the one i was concerned about that hasn't
been updated for 3 years.  i was wrong about the todo file.
we're clearly still trying to make people think that slavers and human
traffickers are altering our communications, since we aren't signing
our emails and aren't explaining why.


On 1/12/21, coderman <coderman at protonmail.com> wrote:
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, January 12, 2021 8:08 PM, Karl <gmkarl at gmail.com> wrote:
>
>> `pip3 install python-gnupg`
>> this installs a fork on github with a high version number that hasn't
>> been updated for 3 years.
>
> this fork has a fix for a severe vulnerability related to subprocess
> execution. (e.g. original sources vulnerable to arbitrary code execution.)
>
>
> i prefer this fork, which also includes the subprocess fixes:
>
> git clone https://github.com/isislovecruft/python-gnupg.git
> cd python-gnupg
> make install
> make test
>
>
> note that an alternative approach is to use the GPGME library, à la pygpgme:
> https://bazaar.launchpad.net/~jamesh/pygpgme/trunk/files
>
>
> best regards,
>

