
Cryptkeeper sets the same password “p” independently of user input

244 points by m-ou-se over 8 years ago

11 comments

jhdevos over 8 years ago
> It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid.

This looks like a developer mistaking a command line interface for an API.

Unless an (interactive) CL interface is explicitly marked as being an API, and documented in such a way, and regression tests exist to make sure the interface remains backwards-compatible - you should never program against it. Ask for a proper API to access.

(edit: formatting)
ChuckMcM over 8 years ago
Ouch. For a long time this form of error was the #1 cause of system breakage in SunOS. Someone would go in and change an option or add a 'version' line that would print before the output, or re-order how you typed args, and *blam!* a bunch of bug reports would come flying in that some program was broken (sometimes commercial programs where no source was available) because they had system('foo bar bletch'); in them somewhere.

Very hard to test for as there weren't explicit dependencies and no amount of 'don't count on this output staying the same' warning messages helped.
nilssonanders over 8 years ago
The 'p' it sends is asked for by encfs when setting up a new encrypted folder (not when mounting an existing one in encfs).

As the comment in the code says, it's for setting the pre-configured "Paranoia" mode (AES, PBKDF2, IV-chaining, etc) in encfs.

Bad that it's not checking any results whatsoever when sending stuff..

[1] https://linux.die.net/man/1/encfs
baby over 8 years ago
> But later, when I mounted it once again, cryptkeeper said the password is wrong (though, I 100% know, it's true!).

Is it a vulnerability if the product wasn't even working in the first place?
pawadu over 8 years ago
This issue highlights another common problem on FOSS:

If I create a small utility "just for fun" and someone includes it in a major distro and then nobody (including myself) touches it for 10 years, who is to blame if there are security (or any other) issues with the software?
TazeTSchnitzel over 8 years ago
Yet another example of why command-line interfaces are not safe. Can we start to use something other than arrays of null-terminated strings for input?
fergie over 8 years ago
How can you ever know if encryption is working properly?
mhogomchungu over 8 years ago
The bug here is probably with encfs and most frontend tools to encfs are doing exactly what cryptkeeper is doing.

For those who want an alternative to cryptkeeper, there is SiriKali[1], next version will be released on Feb 1st and it will have support for OSX.

    execlp ("encfs", "encfs", "-S", crypt_dir, mount_dir, NULL);

That line of code also has a bug as it's wrong to pass NULL in C++ to a variadic function. IMHO, usage of NULL in C++ should be strongly discouraged in all cases.

[1] https://github.com/mhogomchungu/sirikali
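Several comments in this thread converge on one point: jhdevos warns against programming against an interactive command-line interface as if it were an API, nilssonanders notes that cryptkeeper checks no results at all when it sends its answers, mhogomchungu flags the untyped NULL terminator in the execlp call, and db48x suggests `expect`. The C++ below is an added example written for this page; it is not cryptkeeper's, encfs's or SiriKali's code. It assumes a POSIX system with `sh` on PATH; the shell one-liners stand in for encfs's prompts and are constructed for the example, as are the names run_and_answer, RunResult, Outcome and kPromptingTool.

```cpp
// Added example, not cryptkeeper's, encfs's or SiriKali's code. It drives an
// interactive child the way the comments above suggest: answer a prompt only
// after the expected prompt text has actually appeared, check every result,
// and terminate the argument array with a typed null pointer instead of NULL.
#include <poll.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>
#include <cstdio>
#include <string>
#include <vector>

enum class Outcome { Ok, ExecFailed, UnexpectedPrompt, ChildFailed };

struct RunResult {
    Outcome outcome;
    int exit_status;     // child's exit code for Ok / ChildFailed, else -1
    std::string output;  // everything the child wrote to stdout
};

// Run argv with pipes on its stdin and stdout. Wait until the child has printed
// expected_prompt and only then write answer. If the child goes quiet for
// timeout_ms without showing that prompt, assume its interface has changed:
// kill it and report UnexpectedPrompt instead of feeding it a blind answer.
RunResult run_and_answer(const std::vector<std::string>& argv,
                         const std::string& expected_prompt,
                         const std::string& answer, int timeout_ms = 2000) {
    signal(SIGPIPE, SIG_IGN);  // a vanished child must not kill us on write()
    int to_child[2], from_child[2];
    if (pipe(to_child) != 0 || pipe(from_child) != 0)
        return {Outcome::ExecFailed, -1, ""};

    pid_t pid = fork();
    if (pid < 0) return {Outcome::ExecFailed, -1, ""};
    if (pid == 0) {
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        int fds[] = {to_child[0], to_child[1], from_child[0], from_child[1]};
        for (int fd : fds) close(fd);
        // execvp takes a char* array, so the terminator is a typed null pointer.
        // This sidesteps the variadic execlp(..., NULL) problem raised above: in
        // C++ NULL may be a plain integer 0, which is not a char* through "...".
        std::vector<char*> args;
        for (const auto& a : argv) args.push_back(const_cast<char*>(a.c_str()));
        args.push_back(nullptr);
        execvp(args[0], args.data());
        _exit(127);  // only reached when exec itself failed
    }
    close(to_child[0]);
    close(from_child[1]);

    std::string output;
    bool saw_prompt = false;
    char buf[256];
    while (!saw_prompt) {
        pollfd pfd{from_child[0], POLLIN, 0};
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc <= 0) break;  // timed out: child is waiting at some other prompt
        ssize_t n = read(from_child[0], buf, sizeof buf);
        if (n <= 0) break;   // EOF: child exited without prompting
        output.append(buf, n);
        saw_prompt = output.find(expected_prompt) != std::string::npos;
    }

    int status = 0;
    if (!saw_prompt) {
        kill(pid, SIGKILL);
        close(to_child[1]);
        close(from_child[0]);
        waitpid(pid, &status, 0);
        bool exec_failed = WIFEXITED(status) && WEXITSTATUS(status) == 127;
        return {exec_failed ? Outcome::ExecFailed : Outcome::UnexpectedPrompt, -1, output};
    }

    std::string line = answer + "\n";
    if (write(to_child[1], line.data(), line.size()) < 0) output += "[write failed]";
    close(to_child[1]);
    for (ssize_t n; (n = read(from_child[0], buf, sizeof buf)) > 0;) output.append(buf, n);
    close(from_child[0]);

    waitpid(pid, &status, 0);
    int code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    return {code == 0 ? Outcome::Ok : Outcome::ChildFailed, code, output};
}

// Stand-in for an interactive tool, constructed for this example: prints a
// prompt, reads one line, and succeeds only if the answer was "secret".
static const std::vector<std::string> kPromptingTool = {
    "sh", "-c", "printf 'Password: '; read p; [ \"$p\" = secret ]"};

int main() {
    RunResult r = run_and_answer(kPromptingTool, "Password: ", "secret");
    std::printf("expected prompt: outcome=%d exit=%d\n", static_cast<int>(r.outcome), r.exit_status);
    // A renamed prompt: the mismatch is detected instead of the password being typed blindly.
    RunResult s = run_and_answer({"sh", "-c", "printf 'Passphrase: '; read p"}, "Password: ", "secret", 300);
    std::printf("changed prompt: outcome=%d\n", static_cast<int>(s.outcome));
    return 0;
}
```

The blind approach writes its answers in a fixed order, which is the failure mode behind the submission: the 'p' meant for encfs's mode question ended up being taken as the password. Here an answer is only sent once the expected prompt text has arrived; if the child sits at a different prompt, the call times out, the child is killed, and the caller learns that the interface changed rather than silently continuing. The exit status is checked as well, so a child that rejects the answer is reported instead of being assumed to have succeeded. A real pseudo-terminal (what `expect` uses) would additionally catch tools that only prompt when stdin is a tty; the pipe version here keeps the example self-contained.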
db48x over 8 years ago
It should at least have been using `expect`!
ComodoHacker over 8 years ago
What bothers me is how it got into 'testing' without any actual testing. This tells something about processes in Debian.
borplk over 8 years ago
A great example of the falsehood that people often repeat mindlessly about "thousands of eyeballs watching the source".