GnuPG code in Mozilla: GPL issues?

Adam Lock
Thu, 10 Feb 2000 14:06:13 +0000

Werner Koch wrote:

> On Thu, 10 Feb 2000, Adam Lock wrote:
> > Also, what are the chances that core GPG functionality will become a runtime
> > library? If that happened, then presumably the LGPL (which most libraries use)
> There will be no gpg library for security reasons. The fork/exec overhead
> is not that high compared to the cryptograhic operations. And a
> wrapper libray may decided to run gpg in a loop which is already done
> for key managenent tasks.
> Werner
I'm not sure I understand the security reasons for not having GPG in a library. Presumably someone dastardly enough to swap out the library (assuming it's dynamic shared) for one of their own could easily do the same with the GPG executable. In which case, where's the increased harm of having a library? Besides, if this were an issue, then the library could be built and linked statically. I've seen quite a few libs that can build dynamic or statically via a configuration switch. I understand that PGP is available as an SDK. Surely they couldn't do this either if they were faced with the same issues concerning libraries as GPG is? -- Adam Lock