Re: Security flaw in pgg-gpg-process-region?

[Florian Weimer]

* Richard Stallman:

>     It would probably be fairly simple to change the implementation to
>     unlink the temp file _before_ writing the contents and pass only the
>     still-open file-descriptor (after rewinding) to Fcall_process (or
>     rather, to some common subroutine derived from Fcall_process).
>
> We would have to unlink the file before writing the contents into it.

This doesn't achieve much, I'm afraid.  Even unnamed files can be
written to disk by the kernel.  It's not much different from
passphrases stored in process images ending up in the swap file,
though.  I'm pretty sure I looked at the situation when I wrote gpg.el
a couple of years ago, and decided that all things considered, it's
not terribly important.  It's a significant PR issue, admittedly, but
back then, I didn't care about that. 8-)

As Greg suggested, the passphrase handling should be moved from Emacs
into a separate process (which may request special privileges to lock
memory regions etc.).