New command line language parameter

Robert J. Hansen rjh at sixdemonbag.org
Thu Feb 8 23:37:05 CET 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The present Windows GnuPG 1.4.X installs assume people [run
> as Administrator].

The installer requires Administrator rights to install to the program  
files directory, just like every other Win32 program that wants to  
install there.  Once installed, GnuPG does not require Administrator  
rights to run.

> All they had to do was to copy and paste, AND THEN ALTER
> SOME VARIABLES.

This is unwise from a security perspective.  Messing up a registry  
file can have terrible consequences.  If you're advocating that  
people make edits to a registry file without understanding the  
registry, what they're looking at, what they're changing, etcetera,  
then disaster is waiting in the wings.

Regular users should not edit the Windows registry.  Ever.

> There are several other things going along with this like the fact  
> that
> without using higher order registry editing tools (not regedit) you
> can't normally dive into anybody else's HKCU hive.

This is by design; it's an important security mechanism.  Alice  
shouldn't be allowed to inspect or modify Bob's registry entries.   
Only the Administrator should have access to everyone's registry  
entries.

Please consider the implications of advocating that people bypass a  
security mechanism so they can install a piece of security software.   
It doesn't make much sense.

> What is being provided in the GnuPG install is only suitable for
> idiots who run as an Administrator, all the time with only one
> account on the system and that one is an Administrator account...

Please do not insult regular users by calling them idiots.

The GnuPG installer is suitable for many kinds of Windows users.   
Speaking for myself, I administer a small XP network with several  
users, all of whom have GnuPG available to them.  Their user accounts  
don't have Administrator privileges.  The installer worked just fine  
for us.

> One of the things that has occurred to me is to ask the question
> "can I make GnuPG say a signed message is okay whether it is or
> not?"  By that I mean, can I by changing just the message strings
> of GnuPG make all signed messages show up as okay?

Sure.  But if you install it as Administrator, then you need  
Administrator privileges to modify the file.  If a malicious attacker  
has Administrator access to your Windows box, then it's a game-over  
condition anyway and there's nothing GnuPG can do to fix this.

> If you don't think that if GnuPG takes off like mad on Windows

According to the Enigmail folks, their number of Windows downloads  
are routinely an order of magnitude larger than their number of UNIX  
downloads.  This strongly suggests more people run GnuPG on Windows  
than run GnuPG on UNIX.

> That is probably more of a flame against Windows users who run their
> systems in a stupid manner than a slam against Microsoft, although
> Microsoft doesn't help very much.

Again, we don't need to insult either users or corporations as being  
"stupid".

> If any of you have information of running GnuPG in a Windows
> environment with some other way of doing it other than as always
> one user with an Administrator account ship it to me.

Get the zip archive, uncompress it to some directory you own, add  
that directory to your own personal PATH.

> On the other hand if you want to flame me and say I am stupid,
> or that I need lessons in writing, or that all I am doing is
> spamming like a University Computer Science Professor recently
> said I was doing (I believe he was the department chair),

I'm not a professor.  I'm a pre-comps Ph.D. candidate in computer  
science.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iQEcBAEBCAAGBQJFy6YRAAoJELcA9IL+r4EJw1MH/0pbmIf7FiLrt1Q7b7g/udTF
Urg+DxdhmjujowJLg1qIcD6ntmkiItCjp2ww3zff8/We12faktxt72gyXoV+Qgw+
1gLa1EqATXrLVKxighkg/Yw0PT1yGGHnqFvbnTBT48N5sD8RRjxhu71yD5JzuQCJ
mQS8RF2xGArb0qJTCns0QGsPyD5S83+IE4rMVO6Uc16dpAJmFNdEVlKGcnd2EFU3
aiJ5Mv0tJScPyjP7aGVbCN8nx1eHgwfj8KKK/ExdjkyTaj3ZqMyi8F9zjD2oT28y
etHbI2/ifMZlFEvk9FtWwP+Vx/p08F2vMFpP0G4F4iIZnVRJBWKIjbzpyyWx3KY=
=iaCr
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list