GnuPG 1.1.90 released
Adrian 'Dagurashibanipal' von Bidder
avbidder at fortytwo.ch
Wed Jul 3 10:45:01 CEST 2002
[ ... module-path ... careful: gpg might be corrupted if malicious
modules are loaded ... ]
While I agree with David Champion's point that this would be the user's
(or admin's) problem, how about gpg verifying extensions before loading?
Assuming the location where the secring is stored is safe, signatures of
the modules could be stored there, too. gpg would then only load
extensions properly signed by a trusted signature.
(Of course gpg binary could be protected that way, too, but you'd have a
hen-egg problem then. Also, this assumes that at least this type of
signatures can be verified without any extensions loaded.)
Just an idea.
cheers
-- vbi
--
secure email with gpg http://fortytwo.ch/gpg
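
A sketch of the verify-before-load gate proposed above, as an added example that is not part of the original message and is not GnuPG code. It swaps OpenPGP signatures for a SHA-256 digest manifest kept in the directory the message assumes to be safe, and it needs only built-in hashing, so the check works with no extension loaded. The names modules.sha256, idea.so, load_manifest and verified_module_bytes are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

MANIFEST = "modules.sha256"  # hypothetical file kept beside the secring

def load_manifest(trusted_dir):
    """Parse '<sha256-hex>  <module-name>' lines from the trusted directory."""
    manifest = {}
    with open(os.path.join(trusted_dir, MANIFEST)) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, name = line.split(None, 1)
            manifest[name] = digest.lower()
    return manifest

def verified_module_bytes(module_path, trusted_dir):
    """Return the module's bytes only if they match the trusted manifest.

    The file is read once; the bytes that were hashed are the bytes returned,
    so the caller loads exactly what was checked (no check-then-reopen race).
    """
    name = os.path.basename(module_path)
    expected = load_manifest(trusted_dir).get(name)
    if expected is None:
        raise PermissionError(f"{name}: not listed in trusted manifest")
    with open(module_path, "rb") as fh:
        data = fh.read()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise PermissionError(f"{name}: digest mismatch, refusing to load")
    return data

def demo():
    """Constructed sample: a listed module, then the same file modified."""
    body = b"constructed module body"
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as mods:
        mod = os.path.join(mods, "idea.so")
        with open(mod, "wb") as fh:
            fh.write(body)
        with open(os.path.join(trusted, MANIFEST), "w") as fh:
            fh.write(hashlib.sha256(body).hexdigest() + "  idea.so\n")
        accepted = verified_module_bytes(mod, trusted) == body
        with open(mod, "ab") as fh:
            fh.write(b"\x00")  # module changed after the manifest was written
        try:
            verified_module_bytes(mod, trusted)
            return accepted, False
        except PermissionError:
            return accepted, True
```
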
More information about the Gnupg-devel
mailing list