Comment 11 for bug 1938442

Till Kamppeter (till-kamppeter) wrote :

The public GPG keys here are only to check the integrity of a downloaded proprietary plugin, to prevent that someone could make HPLIP download and install a fake, malware plugin. HPLIP does not load such a key as long as the user does not try to download the plugin and HPLIP does also not do any other downloads from the internet. The keys are actually only HP's public keys. No keys of the user are stored under ~/.hplip. So wrong permissions should be harmless here.

So what you should do for testing is whether you can still download the proprietary plugin with the stricter permissions (with your patch). If it still works, the stricter permissions could be generally used, but as the keys are only public keys from HP, the stricter permissions are not actually needed.

If my assumptions are correct, I do not see a security issue here.

Can someone from HP tell whether I am right?