Comments on: GnuPG Turns 10

Linux. GNU. Freedom.

Thu, 15 Feb 2018 18:04:15 +0000

By: Mark A. Hershberger, Thu, 20 Dec 2007 22:36:15 +0000

Under GPG's response to CVE-2006-6235, Werner Koch writes:

However, for reasons of code cleanness and easier audits we will soon start to change all these stack based filter contexts to heap based ones.

And in another place, he says:

This problem has been in GnuPG since the beginning but Jim seems to be the first one who noticed that. We need better auditing folks!

So, it looks to me like he is responsive and even proactively changing things (e.g. stack- to heap-based).

The only announcement I found of the fefe patch was on the full disclosure mailing list and it isn't clear that he actually notified Werner Koch with a copy of the patch.

By: maks, Thu, 20 Dec 2007 16:50:58 +0000

GnuPG should implement better coding style. It is a shame how many security updates it generates, and even the current state is quite dubious. See for example the fefe auditing that got no response from Werner Koch.