GnuPG code in Mozilla: GPL issues?
Adam Lock
locka@cork.cig.mot.com
Thu, 10 Feb 2000 14:06:13 +0000
Werner Koch wrote:
> On Thu, 10 Feb 2000, Adam Lock wrote:
>
> > Also, what are the chances that core GPG functionality will become a runtime
> > library? If that happened, then presumably the LGPL (which most libraries use)
>
> There will be no gpg library for security reasons. The fork/exec overhead
> is not that high compared to the cryptograhic operations. And a
> wrapper libray may decided to run gpg in a loop which is already done
> for key managenent tasks.
>
> Werner
I'm not sure I understand the security reasons for not having GPG in a library.
Presumably someone dastardly enough to swap out the library (assuming it's dynamic
shared) for one of their own could easily do the same with the GPG executable. In
which case, where's the increased harm of having a library?
Besides, if this were an issue, then the library could be built and linked
statically. I've seen quite a few libs that can build dynamic or statically via a
configuration switch.
I understand that PGP is available as an SDK. Surely they couldn't do this either if
they were faced with the same issues concerning libraries as GPG is?
--
Adam Lock