The _write_passphrase in src/common/gnupg.py logs a user's passphrase at the debug level. IMHO it shouldn't ever do this ...