GPGTools GPL compliance (was: generating RSA key sizes > 4096)

Werner Koch wk at
Fri Nov 29 11:08:12 CET 2013

On Fri, 29 Nov 2013 03:24, ido at said:
> Currently, several downstream distributions of GnuPG patch the GPG code in
> their packages to support generating RSA keys larger than 4096 bits.
> Mac OS X GPGTools, for example, patched to support generating 8192 bit RSA
> keys back in October (23rd?), 2010.

Really?  Of course they are free to do this but nevertheless this is
annoying given that they have asked to be listed as suggested Mac
package for GnuPG.  I can't help myself but it somehow reminds me of the
Debian RNG problem.

Now for the actual subject:

Checking your website I noticed that some things have changed since
gpgtools has been listed at  For example, I can't find a way
to get the source code for the distributed installer.  There is only a
pointer to some github project but no definitive corresponding source.
This needs to be fixed immediately!

Please actually read the GPL and provide full corresponding source code
and all required tools.  If you don't know how to do that you may want
to check out the Gpg4win installer to see how this can be achieved.

You should add the source code to the server at and provide a
link to it.  This is the easiest way to comply with section 6d unless
you have a contractual agreement with github.

I'd also appreciate it if changes to the code are communicated back so as
to discuss how to get your changes upstream.  This is how all other
major and minor distributions behave.



I am sorry if this sounds a bit harsh.  I have seen too many abuses
of the GPL.  Given that fulfilling the requirements of the GPL is in
particular for a full free software project easy, I can't understand why
it is not being followed.

Thoughts are free.  Exceptions are regulated by a federal law.
