gpgme "Locate engine names only at runtime and prefer GnuPG-2" commit break Android

Daniel Kahn Gillmor dkg at
Thu Feb 20 15:40:01 CET 2014

On 02/20/2014 07:44 AM, Werner Koch wrote:
> On Thu, 20 Feb 2014 02:57, hans at said:
>> Using env vars is not a feasible solution on Android.  The hard-coded option
>> that existed worked well.
> The envvar is just PATH if it is missing the standard directories are
> searched:
>   orig_path = getenv ("PATH");
>   if (!orig_path)
>     orig_path = "/bin:/usr/bin:.";

is including the current directory (.) in this path a good idea?  This
implies that in the absence of $PATH, the behavior of gpgme will be
different depending on the directory from which it is invoked.

I could imagine this causing problems or opening vulnerabilities when
gpgme is used (for example) to process user-supplied files from a given


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140220/f1a4aeb5/attachment.sig>

More information about the Gnupg-devel mailing list