Michael H. Warfield
Wed, 25 Oct 2000 09:33:36 -0400
On Wed, Oct 25, 2000 at 02:24:56PM +0200, Florian Weimer wrote:
> Wesley James Landaker <firstname.lastname@example.org> writes:
> > Second, if someone wanted to copy PGP, what's to reverse engineer?!
> > PGP's source is freely available. You can download it and look at it
> > or compile it or whatever. You don't have to "reverse engineer"
> > anything. =)
> Didn't NAI strip all comments before publication? Is there any
> documentation of the design? I think a lot of reverse engineering is
> necessary before you can make substantial changes to the code. ;-)
There is also an OpenPGP working group in the IETF. Protocols,
message formats, headers, assigned numbers, all that good stuff, has to
be defined for the OpenPGP standard and working documents. In fact, in
order to become an IETF standard, OpenPGP must have at least TWO
interoperating implementations (generally implied that those implementations
are derived from those standards documents). I would say between that
and the sources for at least one implementation (NAI), you've got a pretty
good start with negligible need for any reverse engineering.
I've also just looked at the Unix sources for PGP 6.5.8 (you can
pick them up from www.pgpi.com if you like) and it doesn't look like
they've been through a comment stripper. Not unless they stripped out
the comments and then went back in and recommented them. The sources aren't
GREAT on comments (what sources are?) but they are there.
With this level of information (public documents, commented sources,
standards track documents) the need for "reverse engineering" anything is
just plain silly. Yes, you still need to understand how and why everything
works, but that's not reverse engineering. Reverse engineering is taking
the final product and working backwards into sources (physical or software)
that you can use to understand how it worked. Reverse engineering is NOT
reading public sources to understand how something works. Reverse
engineering is not referencing public standards documents (even draft
The fact that the gpg authors are still trying to figure out why
pgp manages to import certain mangled keys while gpg fails on them and
the fact that the classes of "flaws and bugs" (pgp ADK fiasco, gpg 1.0.3
signature failure flaw) don't overlap between them certainly indicates
that gpg was not derived from pgp.
> Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
> University of Stuttgart http://cert.uni-stuttgart.de/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!