Seahorse doesn't warn the user when a private key is exported

Bug #269403 reported by Miguel Diago
This bug affects 2 people
Affects            Status    Importance  Assigned to          Milestone
seahorse           Expired   Wishlist
seahorse (Ubuntu)  Triaged   Wishlist    Ubuntu Desktop Bugs

Bug Description

Binary package hint: seahorse

When a private key is exported, Seahorse 2.22.2 in Hardy doesn't warn the user about how dangerous this can be if he doesn't take enough care of his keys.

To reproduce this, double click a private key, go to the Details tab and click on Export. At this point both the public and private keys are being exported and copied to a clear file, without telling/reminding the user how important it is that he keeps this file secret.

I think it would be enough to show a popup warning box when the Export button is clicked.

Andreas Moog (ampelbein) wrote :

Agreed. Though one could argue that someone who uses gpg knows the importance of keeping the private key secret, a warning isn't the worst thing to do. I reported this issue upstream, you can track the status and make comments here: http://bugzilla.gnome.org/show_bug.cgi?id=551962

Changed in seahorse:
assignee: nobody → desktop-bugs
importance: Undecided → Wishlist
status: New → Triaged
Changed in seahorse:
status: Unknown → New
Andreas Moog (ampelbein) wrote :

Upstream comment:

Comment #1 from Stef Walter (seahorse developer, points: 20)
2008-09-13 14:09 UTC

The file is still encrypted with the private key's password. I don't think
there's any more danger than the file sitting on their computer.

AlejandroRiveira (ariveira) wrote :

Why is this option/action offered to the user at all?

Seems useless and dangerous.

From gpg man page:
     --export-secret-keys

     --export-secret-subkeys
              Same as --export, but exports the secret keys instead. This is normally not very useful and a security
              risk. The second form of the command has the special property to render the secret part of the primary key
              useless; this is a GNU extension to OpenPGP and other implementations can not be expected to successfully
              import such a key. See the option --simple-sk-checksum if you want to import such an exported key with an
              older OpenPGP implementation.

Matthew Exon (ubuntubugs-mexon) wrote :

"The file is still encrypted with the private key's password. I don't think there's any more danger than the file sitting on their computer."

Firstly, by default when you create a new key it is not password protected. I didn't even realise this was something you could do in Seahorse until I saw it mentioned above. This in itself is a bug. Secondly, the kind of passwords used by normal people are eminently hackable once they're in the wrong hands, so yes, it is much more dangerous to have my password-protected key out there in public than having it on my computer.

But in general this cavalier attitude to what is supposed to be important security infrastructure is shocking. In the real world, you just don't put the button to shut down your nuclear reactor's coolant system next to the button that makes the coffee. You don't put it anywhere remotely accessible by anyone not deliberately looking for it, and you hang a big sign on it. I completely disagree with the original poster: one warning is not nearly enough.

As a first step, "Export Complete Key" should be renamed "Export All Private Keys". The file it generates should not be "<Name>.asc" but "<Name>'s Private Key.asc". Then, it should come with a warning that the generated file should be protected. Next, that shouldn't even be a button on the "Details" tab, it should be hidden in a menu somewhere (if it's needed at all). Alternately, make it an option in the "Export Public Key" dialog to include the private key (off by default, obviously). The button on the details tab should be repurposed to do an "Export Public Key". Finally, the icon for "Export All Private Keys" should be redesigned to be completely different to that for "Export Public Key". Probably something along the lines of a big red explosion with body parts flying out.

Changed in seahorse:
importance: Unknown → Wishlist
Changed in seahorse:
status: New → Expired