Re: Remove absolute paths from gpg.rc
On 2007-03-17 08:16:15 +1100, Cameron Simpson wrote:
> On 15Mar2007 20:25, David Champion <dgc@xxxxxxxxxxxx> wrote:
> | I can think of two compromises:
> | * as Thomas Dickey suggested, detect gpg at compile time and insert
> | the correct path into the installed muttrc files;
>
> I would vote for this one. Maybe insert /usr/bin (and other standard
> places, by OS distribution) at the front of the $PATH _during_ the
> detection phase to reduce user $PATH weirdness trouble. And supply a
> configure --with-gpg= to specify a path to override the detector, if
> there's one in configure.
The detector could be wrong. For instance, the user may want to install
a new (more secure) version in /usr/local later (and have /usr/local/bin
before /usr/bin in his $PATH). If Mutt still uses /usr/bin/gpg, this is
bad.
> | * enforce a sane PATH within mutt. This could, perhaps should be
> | limited to stripping out relative paths.
>
> I'd oppose this. I hate apps that screw with my $PATH; they break
> things.
I agree that $PATH shouldn't be screwed, but there can be particular
cases. Stripping out relative paths for gpg only would be a good idea
IMHO (someone who relies on relative paths in his $PATH for gpg has
introduced a security hole).
--
Vincent Lefèvre <vincent@xxxxxxxxxx> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)