Ben Finney
Sat Aug 2 13:39:02 2003

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 01-Aug-2003, Todd wrote:
> Ricardo SIGNES wrote:
> > GnuPG provides a free implementation, so we can consult the source
> > when we find problems.  With PGP8, it's not possible to find bugs
> > that way.
> That's not completely true.  You can download the PGP source code[1]
> and check it out for bugs.

That's only useful if you know that the PGP you use was actually built
from the source that you can inspect.

Is it possible to build a complete working PGP, as provided by the
vendor, from the source code?  (They require "registration" to get the
source code -- for no reason made clear -- so I'm not able to check this

If the answer is "no", then a bundle of source code is useless for
checking the operation of the version of PGP you actually use, since
there's no way to determine if they are in any way related.

Yet another reason to use free software, instead of "look but don't
touch" source code carrots.

 \         "Democracy is the art of running the circus from the monkey |
  `\                                       cage."  -- Henry L. Mencken |
_o__)                                                                  |
Ben Finney <>

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.2 (GNU/Linux)