Comments on: GnuPG Turns 10 http://pthree.org/2007/12/20/gnupg-turns-10/ Linux. GNU. Freedom. Fri, 17 May 2013 20:46:35 +0000 hourly 1 http://wordpress.org/?v=3.6-beta2-24176 By: Mark A. Hershberger http://pthree.org/2007/12/20/gnupg-turns-10/#comment-85316 Mark A. Hershberger Thu, 20 Dec 2007 22:36:15 +0000 http://www.pthree.org/2007/12/20/gnupg-turns-10/#comment-85316 Under GPG’s response to CVE-2006-6235, Werner Koch writes:

However, for reasons of code cleanness and easier audits we will soon start to change all these stack based filter contexts to heap based ones.

And another place, he says

This problem has been in GnuPG since the beginning but Jim seems to be the first one who noticed that. We need better auditing folks!

So, it looks to me like he is responsive and even proactively changing things (e.g. stack- to heap-based).

The only announcment I found of the fefe patch was on the full disclosure mailing list and it isn’t clear that he actually notified Werner Koch with a copy of the patch.

]]> By: maks http://pthree.org/2007/12/20/gnupg-turns-10/#comment-85260 maks Thu, 20 Dec 2007 16:50:58 +0000 http://www.pthree.org/2007/12/20/gnupg-turns-10/#comment-85260 gnugpg should implement better coding style. it is a shame how many security updates it generates and even current state is quite dubious. See for example the fefe auditing that gave no response of Werner Koch.

]]>