GnuPG PRNG insecure?

David Shaw dshaw at
Thu Feb 14 20:40:01 CET 2002

On Sun, Feb 10, 2002 at 06:42:51PM +0100, Werner Koch wrote:
> On Fri, 8 Feb 2002 09:41:56 -0500, David Shaw said:
> > I'd be willing to throw some money into a pot for people who find
> > security-related bugs in GnuPG.
> The main problem is that it needs expierenced programmers to find the
> non trivial bugs.  Those programmers are usually writing new code or
> fixing old one and don't have the time to screen other programs and it
> is not so interesting to do audits - especially not on a unpaid or low
> paid basis.  So I don't believe that a little bit money will help.

Perhaps a cash-for-bugs "bounty" isn't the right thing, but in terms
of auditing, a little bit of money doesn't help, but if 20 people all
throw in a little bit of money...


   David Shaw  |  dshaw at  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

More information about the Gnupg-devel mailing list