PGP8

Ben Finney ben@benfinney.id.au
Sat Aug 2 13:39:02 2003


On 01-Aug-2003, Todd wrote:
> Ricardo SIGNES wrote:
> > GnuPG provides a free implementation, so we can consult the source
> > when we find problems.  With PGP8, it's not possible to find bugs
> > that way.
>
> That's not completely true.  You can download the PGP source code[1]
> and check it out for bugs.

That's only useful if you know that the PGP you use was actually built
from the source that you can inspect.

Is it possible to build a complete working PGP, as provided by the
vendor, from the source code?  (They require "registration" to get the
source code -- for no reason made clear -- so I'm not able to check this
myself.)

If the answer is "no", then a bundle of source code is useless for
checking the operation of the version of PGP you actually use, since
there's no way to determine if they are in any way related.

Yet another reason to use free software, instead of "look but don't
touch" source code carrots.

-- 
 \         "Democracy is the art of running the circus from the monkey |
  `\                                       cage."  -- Henry L. Mencken |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>
