
Re: [PATCH] Remove absolute paths from gpg.rc



On Friday, 16 March 2007 at 00:07, Paul Walker wrote:
> On Thu, Mar 15, 2007 at 05:40:52PM +0100, Christoph Berg wrote:
> 
> > # Parent  5c2f2072a4dbfa69f2db7a93ae52b984f65e165c
> > Remove absolute paths.
> 
> For what it's worth, I don't think this is a good change. The absolute path
> will be correct for most systems, and does guard against rogue gpg's in the
> path.

On my OS X system, gpg lives in /sw/bin. Many others probably have it
in /opt or /usr/local. I don't think /usr/bin is a particularly
foolproof setting, and I also don't think that any person interested
in security should run with garbage in $PATH. I would also guess that
it's just as easy to modify a person's .muttrc as to put a trojan gpg
somewhere in their PATH.

I'd like to hear some more concrete examples of the dangers of looking
up gpg in the path...

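The disagreement in this thread turns on which directories get searched before `gpg` is found. As an added example (not part of the original message or of mutt), the shell function below walks a PATH string in lookup order and flags empty, relative, or group/world-writable entries up to the directory where the command resolves; the name `audit_path_lookup` and its exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: report what a bare "gpg" lookup trusts.
# audit_path_lookup CMD [PATH_STRING]   (hypothetical helper name)
#   Prints one "risky:" line per unsafe directory searched up to and
#   including the one where CMD is found, then "resolved: <file>".
#   Exit status: 0 clean, 1 risky entries were searched, 2 CMD not found.
audit_path_lookup() (
    cmd=$1
    search="${2-$PATH}:"      # trailing ':' keeps a final empty entry
    rc=0
    IFS=:
    set -f                    # no globbing while splitting on ':'
    for dir in $search; do
        case $dir in
            '') echo "risky: empty entry (means current directory)"
                rc=1; dir=. ;;
            /*) ;;
            *)  echo "risky: relative entry '$dir'"; rc=1 ;;
        esac
        if [ -d "$dir" ]; then
            # Mode string such as drwxr-xr-x; column 6 is group write,
            # column 9 is other write.
            perms=$(ls -ldL -- "$dir" | cut -c1-10)
            case $perms in
                ?????w*|????????w*)
                    echo "risky: $dir is writable by group or others ($perms)"
                    rc=1 ;;
            esac
        fi
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            echo "resolved: $dir/$cmd"
            exit "$rc"        # directories after this one are never searched
        fi
    done
    echo "not found: $cmd"
    exit 2
)
```

Run it as `audit_path_lookup gpg` to check the current environment; a status of 0 means every directory consulted before the match was absolute and writable only by its owner.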