GnuPG 1.1.90 released

David Shaw dshaw at
Wed Jul 3 02:19:02 CEST 2002

On Tue, Jul 02, 2002 at 05:25:39PM -0500, David Champion wrote:
> * On 2002.07.02, in <20020702214823.GE4624 at>,
> *	"David Shaw" <dshaw at> wrote:
> > On Tue, Jul 02, 2002 at 04:24:09PM -0500, David Champion wrote:
> > > 
> > > Please give us a last call before 1.2 releases -- I'd like to lobby
> > > again for a couple of submitted patches before 1.2 goes out.
> > 
> > Which ones?  I've rolled a few of your patches in already :)
> Ah, I had missed the Solaris DSO checkin -- I only read gnupg-commits
> sporadically.  Thanks. :)
> The other one was the --module-path option. I did this on a whim
> because someone in gnupg-users wanted something like that, but it would
> actually help me out, too -- currently I have to hand-edit g10defs.h
> for every build, since some modules installed at the site are not
> part of the gnupg distribution. (I posted this 6/25 in Message-ID:
> <20020625211733.GC28533 at>.)

--module-path scares me a little as it can be abused in certain cases
on multiuser systems.  For example, say someone sets their module-path
to include a world-writable directory.  All an attacker would need to
do is to drop a bogus "idea" or other module in there to subvert the

There is a similar problem with the photo viewers and keyserver
helpers, but these programs are already assumed to be untrusted and/or
potentially hostile (and if someone has a subverted $PATH, then the
attacker could just replace gpg itself).


   David Shaw  |  dshaw at  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

More information about the Gnupg-devel mailing list