Enigmail uses GCR without user confirmation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| enigmail (Ubuntu) | Confirmed | Medium | Unassigned | |
Bug Description
After my Xubuntu update from 12.04 to 14.04 I suddenly needed to input my GPG passphrase only once per login session instead of the configured 20 minutes.
After some analysis it turns out that Enigmail used GCR for managing the PGP passphrase.
So why is Enigmail doing this without any user intervention?
Why is this not documented?
Modifying the behavior of critical security tools under the hood without user confirmation is bad security practice.
Especially when the defaults of the tools employed are very lax.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: enigmail 2:1.5.2-0ubuntu1
ProcVersionSign
Uname: Linux 3.13.0-27-generic x86_64
NonfreeKernelMo
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: XFCE
Date: Tue Jun 3 08:57:28 2014
InstallationDate: Installed on 2014-04-24 (39 days ago)
InstallationMedia: Xubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140416.2)
SourcePackage: enigmail
UpgradeStatus: No upgrade log present (probably fresh install)
information type: | Private Security → Public Security |
Tried it on a freshly installed machine. Same results. Enigmail uses GCR without me ever telling it to....