Johan Wevers
Sat Aug 2 16:36:01 2003

Ben Finney wrote:

>Is it possible to build a complete working PGP, as provided by the
>vendor, from the source code?

No. They provide only the encryption and hashing routines, not the GUI code.
That's the main reason why the "inofficial" Cyber Knights Templar (CKT)
versions of PGP are still numbered as 6.5.8-something, since 6.5.8 was the
last PGP version that had its complete source code published.

>If the answer is "no", then a bundle of source code is useless for
>checking the operation of the version of PGP you actually use, since
>there's no way to determine if they are in any way related.

Well, if you're looking for bugs, and find one in PGP AND in the provided
source, I'd say it's probable that there is a connection. As for bugs you
don't know about, that's a completely different story. There the arguments
about how much you trust a vendor who doesn't show (complete) source come into

>Yet another reason to use free software, instead of "look but don't
>touch" source code carrots.

If you get complete source code I would find that sufficient to solve the
trust argument.

ir. J.C.A. Wevers         //  Physics and science fiction site:   //
PGP/GPG public keys at