Comments on https://gist.github.com/shadowhand/873637 state
"ECB mode encryption is a relatively simple method of encryption that provides a high level of obfuscation (or a low level of encryption). This method is not very secure and should not be used for sensitive personal data, but would work well for e.g. transmitting source code between private parties in a public channel. For better security, you can switch the mode to CBC at the cost of having every file change completely for every modification. As with all encryption, a strong key is always recommended."
and
"This is kind of (part of) the definition of functionally correct encryption - ECB (click here for an explanation) is a flawed legacy implementation recommended by precisely nobody for current use today, and only supported in OpenSSL because OpenSSL supports some very old and creaky legacy crypto implementations! It's only useful today as a learning tool and should never be used in current systems.
CBC or OFB modes should be the default - please consider changing your gist to use CBC and explain the potential benefits of ECB along with the downsides for those who would like to accept the loss in security for slight convenience in git. Nothing should be insecure by default!"
http://git.661346.n2.nabble.com/Transparently-encrypt-repository-contents-with-GPG-td2470145.html however states that using a fixed-valued salt for CBC is bad crypto practice. If we switched the mode to CBC (for https://gist.github.com/shadowhand/873637 or https://github.com/shadowhand/git-encrypt), would it be using a fixed-value salt, and therefore be bad crypto practice?
(I've also posted this question as a comment on https://gist.github.com/shadowhand/873637 )
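An added illustration of the trade-off the question turns on, written for this page with Go's standard-library AES; it is not code from the gist, git-encrypt, or the linked thread. It shows what each option reveals when two revisions of the same file are encrypted under one key: ECB repeats ciphertext wherever plaintext repeats, CBC with a fixed IV (the "salt" in the question) is deterministic but exposes how long a common prefix the two revisions share, and CBC with a fresh IV exposes nothing yet yields a different ciphertext every time, which is why every file would change completely on each commit. The key, the all-zero IV and the two sample files are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed demo key and an all-zero IV standing in for the fixed "salt" in the question; neither is git-encrypt's own value.
var block, _ = aes.NewCipher(bytes.Repeat([]byte{0x42}, 16)) // AES-128 under a valid 16-byte key, so err is nil
var fixedIV = make([]byte, aes.BlockSize)

// ecbEncrypt: each block on its own, no IV. Go's stdlib deliberately has no ECB helper; it is built from the raw block cipher here only to show what the mode leaks.
func ecbEncrypt(pt []byte) []byte {
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out
}
// cbcEncrypt chains blocks starting from iv; pt must be a multiple of 16 bytes (no padding here).
func cbcEncrypt(iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, pt)
	return out
}
// equalBlocks counts positions at which two equal-length ciphertexts carry an identical 16-byte block.
func equalBlocks(a, b []byte) (n int) {
	for i := 0; i < len(a); i += aes.BlockSize {
		if bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			n++
		}
	}
	return n
}
// sampleFiles: two constructed revisions of a file, five 16-byte blocks each, sharing a two-block prefix and a repeated "AAAA" block but differing in block 2.
func blk(s string) []byte { return []byte(fmt.Sprintf("%-16s", s)) }
func sampleFiles() (a, b []byte) {
	a = bytes.Join([][]byte{blk("package main"), blk("import fmt"), blk("AAAA"), blk("AAAA"), blk("}")}, nil)
	b = bytes.Join([][]byte{blk("package main"), blk("import fmt"), blk("BBBB"), blk("AAAA"), blk("}")}, nil)
	return a, b
}

func main() {
	a, b := sampleFiles()
	fresh := func() []byte { iv := make([]byte, 16); rand.Read(iv); return iv } // per-encryption random IV
	fmt.Println("ECB, revisions a vs b:", equalBlocks(ecbEncrypt(a), ecbEncrypt(b)))                         // 4 of 5 blocks identical
	fmt.Println("CBC fixed IV, a vs b:", equalBlocks(cbcEncrypt(fixedIV, a), cbcEncrypt(fixedIV, b)))        // 2: the shared prefix
	fmt.Println("CBC random IV, a vs a:", equalBlocks(cbcEncrypt(fresh(), a), cbcEncrypt(fresh(), a)))       // 0: same file, unrelated output
}
```

With ECB, blocks 2 and 3 of the first revision also encrypt to the same ciphertext block, so repetition inside a single file is visible as well.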