From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-2 i686; en-US; rv:0.9.1) Gecko/20010622

Description of problem:
Per the last paragraph in 'man gpg', gpg attempts to allocate locked memory so it can ensure that the memory is not paged to disk. If gpg cannot allocate locked memory, it gives a warning about using insecure memory. Package should consider 'chmod +s /usr/bin/gpg' to avoid the insecure memory security risk. It is understood that setuid is a different kind of security risk. :) I'm not sure which way the packager should balance security... the integrity of the machine or the integrity of the user's information. In this case, I personally would favor the integrity of my encrypted information.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Install latest gpg package. Note or ensure no setuid mode on gpg.
2. Use gpg to verify a signature or to encrypt or decrypt data.
3. Note the warning about insecure memory goes away if gpg is setuid root.

Actual Results:
Without setuid root, gpg complains about having to use insecure (pageable) memory.

Expected Results:
With setuid root, gpg is able to ensure its allocated memory will not be paged to disk, and gives no warning.

Additional info:
See 'man gpg', last paragraph.
*** Bug 56846 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of 19897 ***
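The trade-off in this report comes down to one call: `mlock()` pins pages in RAM, and an unprivileged process may be refused. The following is an added example, not gpg's code and not part of the original report; it shows a pool that tries to lock, falls back to pageable memory with a warning, and, if the binary is installed setuid, gives up root immediately after the lock. The `secpool` type and function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical pool type for this example (not gpg's own structure). */
struct secpool {
    void  *base;    /* page-aligned mapping, NULL when unused */
    size_t len;     /* mapping length in bytes */
    int    locked;  /* 1 if mlock() succeeded, 0 if pageable */
};

/* Map a pool and try to pin it in RAM. Returns 0 on success, -1 if mmap()
 * failed. A failed mlock() is not fatal: the pool is flagged pageable. */
int secpool_init(struct secpool *p, size_t len)
{
    p->len = 0; p->locked = 0;
    p->base = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p->base == MAP_FAILED) { p->base = NULL; return -1; }
    p->len = len;
    p->locked = (mlock(p->base, len) == 0);
    if (!p->locked)
        perror("warning: using pageable memory (mlock)");
    /* If installed setuid, root is needed only for the mlock() above:
     * drop back to the real uid before touching any user input. */
    if (geteuid() != getuid() && setuid(getuid()) != 0)
        _exit(1);
    return 0;
}

/* Overwrite the pool before unmapping so secrets do not linger. */
void secpool_destroy(struct secpool *p)
{
    if (!p->base) return;
    volatile unsigned char *b = p->base;
    for (size_t i = 0; i < p->len; i++) b[i] = 0;
    if (p->locked) munlock(p->base, p->len);
    munmap(p->base, p->len);
    p->base = NULL; p->len = 0; p->locked = 0;
}

int main(void)
{
    struct secpool p;
    if (secpool_init(&p, 16384) != 0) return 1;
    printf("pool is %s\n", p.locked ? "locked in RAM" : "pageable");
    secpool_destroy(&p);
    return 0;
}
```

Whether the lock succeeds without privilege depends on the process's `RLIMIT_MEMLOCK` (shown by `ulimit -l`) and the kernel in use, so the same binary can warn on one system and not on another.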