From: skyhawk@cpac.washington.edu
Date: Tue, 27 Jul 93 00:56:07 PDT
To: cypherpunks@toad.com
Subject: Re: Alpha testers wanted: GNU Emacs, RMAIL, and PGP
Message-ID: <9307270752.AA27586@bailey.cpac.washington.edu>
MIME-Version: 1.0
Content-Type: text/plain


> From: jpp@markv.com <jpp/daemon>
> Subject: Alpha testers wanted: GNU Emacs, RMAIL, and PGP
> 
> [...]  Pgpmail also helps fix a known security hole -- it doesn't send you
> passphrase on the command line, but uses the environment instead.

The security-conscious way to send something to a subprocess is to use a pipe.
Looking at environment variables requires just a single extra flag to ps(1).
If PGP can't be set up to use a pipe to get the passphrase, it would be best to
modify PGP to clear its arguments when it's done getting a copy of them.

--
Scott Northrop          <skyhawk@cpac.washington.edu>            (206)784-2083
ObVirus:   The demand for obedience is inherently evil.
ObVirus2:  As a juror in a Trial by Jury, you have the right, power and duty
           to acquit the defendant if you judge the law itself to be unjust.