Don't use 0.3.5 !!!

Kirk Fort kfort at
Fri Sep 18 10:16:59 CEST 1998

Hash: SHA1

This is a little off track, but does anyone have any good ideas on how to
check those detached signatures using pine and gpg? If you hit e to export
the msg it copies the headers too and thats no good for a detached
signature.  I guess I could write a program to strip out the headers and
mime stuff if I can figure out where exactly that begin and end.  I also
found it a little humourous that the precedence on werner's message was
'bulk'.  I will look at diffs if it helps out werner and the project. I
know its tough coding encryption stuff. Alot of pressure to do it right.
I also noticed last night that I wasn't able to decrypt messages made with
gpg with pgp.  I didn't test this extensively, but it appeared to be
different then what was happening in 0.3.4 . The message was done using
cast5 and I even tried the -z 0 option.  I guess signatures are still good
since I believe they are just encrypted using the public key scheme.  oh
btw, I was never able to get gpg -c encrypt the multiple files.  I thought
I had it working but it didn't.  I tried about 3 or 4 different ways to do
it and always came up with a bug I couldn't figure out.  So goes
programming I guess.


On Fri, 18 Sep 1998, Werner Koch wrote:

> Please do not use vesion 0.3.5 of GNUPG!
> I have applied a SERIOUS bug while implementing the weak key detection
> code!
> All session keys (not the public keys) and keys for conventional
> encryption are NOT random!
>             DON'T USE THIS VERSION!
> I moved a line of code instead of copying it.  See g10/seskey.c
> function make_session_key() - It is a very stupid bug.
> I apologize for this bad version.
> To avoid such hassle in the future I'd suggest that some of you
> should look over the diffs to see whether there might be serious
> problems.  A complete code-walk would be goog idea anyway.
> Sorry,
>    Werner

Version: GNUPG v0.3.5 (FreeBSD)
Comment: Get GNUPG from


More information about the Gnupg-devel mailing list