
Worth noting: minisign and age were also affected by a couple things here.

GnuPG has decided a couple things are out of scope, fixed a couple others. Not all is in distro packages yet.

age didn't have the clearest way to report things - Discord is apparently the point of contact. Which will probably improve soon.

minisign was affected by most everything GnuPG was, but had a faster turnaround to patching.



The minisign bug was much less severe than the (insane) GPG signing bugs, and the age bug wasn't a cryptographic thing at all, just a dumb path sanitization thing. Minisign was not in fact affected by most everything GPG was. The GnuPG team wontfixed one of the most significant bugs!


The mark of good security is not "has no bugs". It's how the maintainers respond to security-relevant bugs.


… in which case, ‘on Discord’ is not off to a good start.


Indeed. A mail list plus IRC would be a better start.

Go runs on far more platforms than Discord. And, worse, Discord is proprietary.



