Package: gnupg / 1.4.18-7+deb8u5

0043-doc-Add-warning-note-about-not-acting-as-an-oracle-t.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
From 6186637cc9a4cbe4964ae0ca2aa00ed1738fc6a4 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 23 Feb 2015 13:10:57 +0100
Subject: [PATCH 43/45] doc: Add warning note about not acting as an oracle to
 --batch.

--
---
 doc/gpg.texi | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/doc/gpg.texi b/doc/gpg.texi
index 67dc3d0..d311732 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -949,12 +949,23 @@ Try to be as quiet as possible.
 @opindex batch
 @opindex no-batch
 Use batch mode.  Never ask, do not allow interactive commands.
-@option{--no-batch} disables this option.  Note that even with a
-filename given on the command line, gpg might still need to read from
-STDIN (in particular if gpg figures that the input is a
-detached signature and no data file has been specified).  Thus if you
-do not want to feed data via STDIN, you should connect STDIN to
-@file{/dev/null}.
+@option{--no-batch} disables this option.  This option is commonly
+used for unattended operations.
+
+WARNING: Unattended operation bears a higher risk of being exposed to
+security attacks.  In particular any unattended use of GnuPG which
+involves the use of secret keys should take care not to provide an
+decryption oracle.  There are several standard pre-cautions against
+being used as an oracle.  For example never return detailed error
+messages or any diagnostics printed by your software to the remote
+site.  Consult with an expert in case of doubt.
+
+Note that even with a filename given on the command line, gpg might
+still need to read from STDIN (in particular if gpg figures that the
+input is a detached signature and no data file has been specified).
+Thus if you do not want to feed data via STDIN, you should connect
+STDIN to @file{/dev/null}.
+
 
 @item --no-tty
 @opindex no-tty
-- 
2.1.4