Comment 21 for bug 1536871

Hey,

 - gpgme_release() is called in finalize() unless you can see where we're not deallocating an object on error
 - as_store_from_xml() operates on a UTF-8 string, so any embedded NULs would be invalid anyway
 - /etc/pki/ is a cross-distro spec, no?
 - /var/cache/app-info/xmls is specified in the AppStream specification
 - I've switched away from using /tmp in https://github.com/hughsie/fwupd/commit/b8956d41ee00c03d83f42adcf787463443218d09
 - dfu encryption is where a vendor doesn't want to ship raw firmware that can be RE'd, and where the device has existing XTEA secret tokens
 - XTEA is used as USB devices do not have the CPU or SRAM capability for public/private key algorithms -- see my youtube talk for more information on this
 - Using single-pass MD5 as a KDF allows us to match the output from other proprietary flashing tools. I'd be open to adding a mode to use another KDF if this is an issue, although with XTEA you only get 128 bits of "private key" which I'm not sure is the right word at all as XTEA is just a simple block cipher.