Thanks for writing this up, Neal. However, I found the claim a bit
inaccurate by now. I am attaching a proposed fix for this.
Emacs keeps all key presses buffered.
(You can see the recent key presses by typing {C-h l}
({view-lossage}) in emacs.)
This is not the case with the common `read-passwd' function, which
clears the log on every key press. See:
Because of this concern, Emacs doesn't
enable this by default (the user has to run {(pinentry-start)},
e.g., from his or her {.emacs} file, explicitly).
This is no longer true. Emacs checks the allow-emacs-pinentry option
of gpg-agent, and start it if desired.
Further, Emacs is a huge program,
which doesn't provide any process isolation to speak of. As such,
having it handle the passphrase adds a huge chunk of code to the
user's trusted computing base.
Yes. However, all official packages on elpa.gnu.org are digitally
signed and supposed to work courteously. Users can still use unsigned
or 3rd party packages, but I think it is similar to the situation
where distribution packages are used.
In conclusion, I would say the Emacs pinentry provides the same level
of security as the current pinentry-gtk2 (as long as the
implementation is sane). My only concern was that Emacs `read-passwd'
is implemented in Elisp and thus cannot use secure memory. However,
it is also true for pinentry-gtk2, which uses the default GtkEntry
now.