GnuPG PRNG insecure?

Len Sassaman rabbi at quickie.net
Sat Feb 9 02:20:01 CET 2002


On Fri, 8 Feb 2002, David Shaw wrote:

> On Fri, Feb 08, 2002 at 08:54:04AM +0100, Werner Koch wrote:
>
> > What worries me most is that it needed *4 years* to figure this bug
> > out _and_ report it.  I'd have expected that some more people had a
> > close look at those critical things.  It is a very sad thing that
> > there is so little truth in the claim that bugs in Free Software are
> > figured out very fast - I have seen too many counterexamples :-(
>
> Make it worth their while.  Netscape used to give out money for each
> verified bug report.  We could give them some free beer to go with
> their free software. :)

Exactly. Open source developers who expect free audits of their code
simply because it is open are going to be disappointed, especially if they
don't actively seek them.

The reasons why source code must be available (from a security auditing
perspective) are a) that a user can commission an audit if he wishes, and
b) he is assured that the code he just had audited is the real deal, and
not a "cleaned" version without back doors.


--Len.