LinuxFormat 60 (UK) and GnuCash security ??

Neil Williams linux at codehelp.co.uk
Sat Oct 23 16:26:59 EDT 2004


Issue 60 arrived by subscription today and includes a round-up review of 
personal finance packages. GnuCash gets an 8/10.

There's no URL yet, so I can only quote snippets:

"friendly wizards will generate a set of accounts that most suit your needs"

"decent launch wizard that provides a lot of hand-holding for potentially the 
most confusing process"

"perhaps the most essential feature is scheduled transactions and here GnuCash 
is really on the ball; the implementation is elegant and easy to configure."

"GnuCash is an enjoyable application to use. It has depth, style and enough 
tools to make even the most financially obsessed accountant happy,"

All good, up to here:

The 'missing' feature that counted against GnuCash in the review was 
'security', strangely.

"What's not great are the security features - there aren't any. You can't 
password protect a file or encrypt it and, even worse, GnuCash retains its 
XML data in a plain text file. It's relatively simple to comb through this 
file and find dates and amounts of transactions. This is the application's 
biggest weakness and although it can be overcome with the addition of KDE's 
or Gnome's own encryption systems, it certainly doesn't make it seamless in 
use"

"Despite my reservations on security (and its final rating would have been 
9/10 if this had been addressed), GnuCash is the best application here. If 
you want serious features for very little effort, install it and get used to 
the routine of encrypting your files."

Hmm. Well the XML is only readable once someone has got past the usual 
GNU/Linux login and having a plain text format (or in future a SQL backend) 
is useful, isn't it?

Should GnuCash hide all the transactions in password protected files?
Isn't that what permissions are for?

The magazine and reviewers do genuinely welcome feedback on reviews from users 
and developers. Rather than mail bombing them (!), if there's a consensus 
here, a 'collective' letter can be sent?

What would the reviewer think of multi-user access?

(Moneydance with 56-bit DES encryption won praise for security but the same 
mark overall.)

GnuCash was deemed to be best overall in the review, but the idea of encrypting 
GnuCash data is a mystery to me. Why should it be so important?

Do we care?

Are there reasons for security to NOT be used?

Have we missed something?
Has the reviewer missed something?
(These aren't GNU/Linux newbies, the reviews are usually excellent and the 
writers are respected and knowledgeable. The magazine does emphasise the 
newbie angle.)

I'm often accused of being overly paranoid about security and encryption - my 
GnuPG signatures have caused lots of reaction on other (more Windowsie) lists 
- but encrypting my GnuCash file just didn't occur to me.

All my bank statements are in the filing cabinet behind me - it's not locked. 
That's far easier to access than my Debian box once I've logged out.

(The lack of an automatic backup also features as a minor point.)

-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3