On Tue, 2002-11-12 at 19:08, Anton Aylward wrote: > On Tue, 2002-11-12 at 17:40, Jeffrey Stedfast <[EMAIL PROTECTED]> wrote: > > > Subject: Re: [Evolution] Evolution-1.2 vs pgp encryption > > To: Stacey Roberts <[EMAIL PROTECTED]> > > Cc: [EMAIL PROTECTED] > > > > Evolution no longer supports anything other than gnupg. > > > > Why not? because I rewrote the pgp backend code to be much more robust > > > [snip] > > > We now just use execvp() and let > > the shell find the pgp binary for us. It makes the UI oh so much simpler > > for the average user. > > Indeed it does for the class of users who don't know about PGP. I would > think that anyone who is smart enough to handle gnupgp - set it up, > handle keyrings and so forth - can use "which". But that's not my > point.
you would *think*, but be proved wrong... unfortunately. > My point is the use of execvp(). this is the same as issuing "gpg" in your shell. > > Take a look in the Vuln-dev or other archives and see how many > vulnerabilities revolve around using execvp() instead of the short-forms > of the exec() system call. Yes, because we all know everyone invokes an application by providing the full path to the binary. I type /usr/bin/gpg *all* the time </sarcasm> sure, maybe it's a risk if you blindly trust your shell environment, but guess what? you can setup your PATH environment to not include directories that you feel are risky (ie, don't include "."). > > The user of Evo may not the the owner or administrator of the machine. this is not assumed. > > has anyone run one of the basic tools for checking the source of Evo for > the plethora of classical security coding risks? no. Jeff -- Jeffrey Stedfast Evolution Hacker - Ximian, Inc. [EMAIL PROTECTED] - www.ximian.com _______________________________________________ evolution maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution
