Description:
The PKGBUILDs of gnubiff and gnubiff-gtk pass the options "--with-password --with-password-string" to configure. There are two problems with this:

1) --with-password-string is supposed to take an argument instead of being passed alone. Without this argument, all saved passwords are encrypted with the same password "FEDCBA9876543210", easily found by reading the configure script. With an argument, that string would be used instead, so that at least Arch users get a different encryption password than the rest of the world.

2) Even with a string being passed in, this is still terribly insecure since a stolen .gnubiffrc file would yield the user's mail password to anyone who can read our PKGBUILDs. Note that this software does not make password saving optional at runtime - as they are built today, it is MANDATORY to save any passwords typed in to disk. The only way to avoid saving them is to disable the capability of password saving entirely at compile time.

My recommendation: stop passing "--with-password --with-password-string" to configure. This will prevent any form of password saving on disk, requiring users to type them in again on each startup. A bit annoying perhaps, but the alternative of being required to save passwords insecurely to disk is worse.

If the previous recommendation is unacceptable, at least start building these packages with an argument passed to --with-password-string, for some minimal security gain.

Additional info:
* package version(s)
gnubiff-gtk 2.2.13-2
gnubiff 2.2.13-1