Matthew Byng-Maddick gnupg at
Thu Aug 22 10:47:02 CEST 2002

On Thu, Aug 22, 2002 at 06:40:16AM +0900, Eric Krause wrote:
> >  There is also beecrypt and mcrypt but openssl is
> > problematic due to the license incompatibilities (I assume gaim-e is
> > GPLed).
> Yes, I had heard about the license issues, which is why I didn't really
> look into it too deeply before.  Yes, gaim-e is GPL'd.  I've looked into
> libgcrypt, so I think that is what I will work towards. 

This is, IMO, *not* the reason not to use OpenSSL. My reason for not using
it is that the interfaces change with minor versions, and that the code
quality is of an all-round low standard. Many unchecked malloc()s,
realloc()s, fdopen()s and other such bugs exist. A recent bugfix introduced
assert()s to handle buffer overflow possibilities; this has since been
fixed. Its attempt at method dispatch makes the code completely untraceable,
and there are nearly 600 C files to try and audit. (and yes, I've tried to
audit them).

This is not to mention the fact that in general the documentation (when it
actually exists) is so unclear that you basically have to go and read the
source anyway.

The licence is quite a minor problem in comparison.

MBM (not speaking in a work capacity)

Matthew Byng-Maddick         <mbm at> 
