On Friday, 16 March 2007 at 00:07, Paul Walker wrote:
> On Thu, Mar 15, 2007 at 05:40:52PM +0100, Christoph Berg wrote:
>
> > # Parent 5c2f2072a4dbfa69f2db7a93ae52b984f65e165c
> > Remove absolute paths.
>
> For what it's worth, I don't think this is a good change. The absolute path
> will be correct for most systems, and does guard against rogue gpg's in the
> path.

On my OS X system, gpg lives in /sw/bin. Many others probably have it in /opt or /usr/local. I don't think /usr/bin is a particularly foolproof setting, and I also don't think that any person interested in security should run with garbage in $PATH.

I would also guess that it's just as easy to modify a person's .muttrc as to put a trojan gpg somewhere in their PATH. I'd like to hear some more concrete examples of the dangers of looking up gpg in the path...
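The thread turns on what decides which gpg runs when it is looked up by bare name. The following is an added example, not part of the original message or of mutt: a shell function that walks a PATH string in lookup order and reports relative entries and group- or world-writable directories up to and including the one where gpg is found. The function name `audit_path` and the `RISK`/`FOUND` output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit how a bare command name resolves through PATH.
# audit_path NAME [PATHSTRING] prints, in lookup order:
#   RISK <dir> <reason>   a searched entry that is relative or writable by
#                         group/others, so a file placed there could be
#                         picked up instead of the intended binary
#   FOUND <file>          the first executable NAME (lookup stops here)
audit_path() {
    name=$1
    path=${2-$PATH}
    # Split on ":" only, with globbing off; positional parameters are
    # restored automatically when the function returns.
    old_ifs=$IFS; IFS=:; set -f
    set -- $path
    set +f; IFS=$old_ifs
    for dir do
        case $dir in
            /*) ;;
            *)  # An empty or relative entry is resolved against the
                # current directory at the time the command is run.
                dir=${dir:-.}
                echo "RISK $dir relative-entry" ;;
        esac
        [ -d "$dir" ] || continue
        # -L follows symlinked directories (e.g. /bin -> /usr/bin).
        perms=$(ls -ldL "$dir" | cut -c1-10)
        case $perms in
            ????????w*) echo "RISK $dir world-writable" ;;
            ?????w*)    echo "RISK $dir group-writable" ;;
        esac
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            echo "FOUND $dir/$name"
            break   # later directories cannot shadow this one
        fi
    done
}

# Audit the current environment's lookup of gpg.
audit_path gpg
```

Directories listed after the `FOUND` entry are not reported, because they never influence the lookup. The same permission check applies to the directory named in an absolute path setting.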