Comment 20 for bug 1536871

Seth Arnold (seth-arnold) wrote :

Here are the other miscellaneous notes I've made so far:

- fu_keyring_setup() doesn't use gpgme_release() on gpg_set_protocol()
  failure
- fu_main_daemon_update_metadata() checks signature over an entire file
  but uses g_strndup() to copy it in memory; a file may use an embedded
  ASCII NUL to truncate the duplication early. There's probably no
  security issue here but it may be surprising.
- Hardcoded paths:
  - /etc/pki/fwupd-metadata
  - /var/cache/app-info/xmls/fwupd.xml
  - /tmp/firmware.xml.gz
  - /tmp/firmware.xml.gz.asc
- dfu encryption?
  - what problem is it solving? what is the threat model?
  - why xtea?
  - single-pass md5 is a poor KDF

Thanks
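
The g_strndup() note above, as an added example that is not part of the original comment and is not fwupd's code: a buffer verified over its full length loses everything after an embedded NUL once it is copied as a C string. `dup_as_string()` is a plain-C stand-in for g_strndup(), `dup_verified_text()` is a hypothetical hardened helper, and the sample buffer is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: one verified buffer with an embedded NUL in the middle. */
static const char SAMPLE[] = "<a>signed</a>\0<b>also signed</b>";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Stand-in for g_strndup(): copy at most n bytes, stop at the first NUL,
 * always NUL-terminate. Caller frees the result. */
static char *dup_as_string(const char *buf, size_t n)
{
    const char *nul = memchr(buf, '\0', n);
    size_t len = nul ? (size_t)(nul - buf) : n;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, buf, len);
    out[len] = '\0';
    return out;
}

/* True when the verified bytes cannot be represented as one C string. */
static int has_embedded_nul(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Hypothetical hardened helper: only hand back a string copy when it covers
 * every byte the signature check covered; otherwise reject the input. */
static char *dup_verified_text(const char *buf, size_t n)
{
    if (has_embedded_nul(buf, n))
        return NULL;
    return dup_as_string(buf, n);
}

int main(void)
{
    char *s = dup_as_string(SAMPLE, SAMPLE_LEN);
    char *checked = dup_verified_text(SAMPLE, SAMPLE_LEN);
    if (s == NULL)
        return 1;
    printf("verified %zu bytes, string copy holds %zu\n", SAMPLE_LEN, strlen(s));
    printf("checked copy: %s\n", checked ? "accepted" : "rejected (embedded NUL)");
    free(s);
    free(checked);
    return 0;
}
```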