PGP

John Woodman johnwoodman@mindspring.com
Tue, 8 Feb 2000 13:58:39 -0700


Has anyone ever taken the source, compiled it, and compared the result with a
compiled commercial version (say by running a checksum?)

While different results wouldn't necessarily mean back doors, it *would* make me
suspicious...


> > The commercial version *does not* have back doors. Ignore this FUD.
>
> Okay, prove it.
>
> If you look at the source of any good cryptography software you will
> notice that the authors undertake so many precautions and you really
> can say, they are paranoid. One example is the forthcoming Twofish
> algorithm which uses the 256 bit form of it and not the 128 bit one -
> this is really paranoid but done anyway.
>
> And now you say, take this compiled program, believe them that there are
> no backdoors in it and if you want, you can take the source and
> compile it yourself - however there is no proof that the usually
> distributed binary version has been built from the known source code.
>
> So tell me the probabilities that you
>
> a) can break the algorithms
> b) find a hole in the implementation
> c) that someone has tampered with the product
>
> IMO, c has a probability which is orders of magnitude higher than b.
>
> Is there a trusted group of persons who did supervise the whole
> production process from the published source, over the tool chain to
> the production of the CDROM up to the distribution channels?
>
> I do trust Debian more than a company which got quite a lot of orders
> from governmental agencies - but okay, this is only my personal
> opinion.
>
> BTW, the Transmeta CPU has a very similar problem, given the huge
> amount of software it relies on.
>
> --
> Werner Koch at guug.de www.gnupg.org keyid 621CC013
>
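An added example, not from the thread or from any PGP/GnuPG release: the checksum comparison John asks about, written as a small POSIX shell helper. A hash mismatch alone tells you little, since two honest builds of the same source usually differ in timestamps or embedded paths, so on mismatch the helper also counts how many bytes differ, which lets a reviewer tell a few changed bytes from a substantially different binary. File names and the sample "binaries" below are constructed for the test.

```shell
#!/bin/sh
# Compare a binary built locally from the published source with the
# distributed binary, and on mismatch report how far apart they are.
# Hypothetical helper written for this page, not part of any project.
set -u

# hash_file FILE -> prints a SHA-256 hex digest (GNU or BSD tools)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1   # weak fallback, only for availability
    fi
}

# count_diff_bytes FILE1 FILE2 -> prints the number of byte positions that
# differ (cmp -l lists one line per differing byte)
count_diff_bytes() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# compare_builds LOCAL_BUILD DISTRIBUTED_BINARY
# returns 0 if the two files are byte-identical, 1 otherwise
compare_builds() {
    local_hash=$(hash_file "$1")
    dist_hash=$(hash_file "$2")
    printf 'local build:  %s\n' "$local_hash"
    printf 'distributed:  %s\n' "$dist_hash"
    if [ "$local_hash" = "$dist_hash" ]; then
        echo "MATCH: distributed binary reproduces from the published source"
        return 0
    fi
    n=$(count_diff_bytes "$1" "$2")
    size=$(wc -c < "$1" | tr -d ' ')
    echo "MISMATCH: $n of $size bytes differ (inspect before drawing conclusions)"
    return 1
}

# Constructed sample input so the helper runs offline; real use would pass
# the locally compiled executable and the downloaded one.
tmp=$(mktemp -d)
printf 'ELF-build-v1-XXXX' > "$tmp/local"
printf 'ELF-build-v1-YYYY' > "$tmp/vendor"
compare_builds "$tmp/local" "$tmp/vendor" || true
rm -rf "$tmp"
```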