This is a minor security concern. It might also break the ability of "inc" to access the mail spool.
Mail user agents (MUA) were modified in Red Hat 5.2 to depend *only* on fcntl style locking on mail boxes. That means that the old requirement that MUA need write access to the spool directory in order to implement dot-file locking is no longer necessary. So I would claim that setgid mail is not required in nmh. Please reopen this bug with a more complete description of a reproducible problem if I am mistaken.
OK - so maybe sgid mail isn't required. However, the bug is that sgid root is what the program currently has and this _definitely_ isn't required. Having it without needing it is a security concern.
Thanks for reopening -- I noticed that the setgid root created a different problem right after closing the original bug report. The /usr/bin/inc became setgid root (rather than mail) during packaging. The setgid is removed in nmh-0.27-3. The security issues appear minor but are currently being assessed.
Since there are no known exploits of the /usr/bin/inc setgid root anomaly, there will not be a security errata to correct this bug in Red Hat 5.2.