[Announce] GnuPG does not detect injection of unsigned data

Werner Koch wk at gnupg.org
Tue Mar 21 14:10:52 CET 2006

On Fri, 10 Mar 2006 19:40:54 +0100, Jan Luehr said:

> well, this takes me to a difficult question:
> How much more are to come? (Have you begun a code audit? How long will it take 
> then?)

Common wisdom tells us that it is pretty ineffective for a developer to
audit his own code.

Despite that developers prefer writing new code, I would really like to
put more time into quality assurance.  First of all this means writing
regression tests and more tests and still more tests.  Then and only
then we could start cleaning up the code to get rid of stuff required
8 years ago but which is by now mostly obsolete.  Without enough
support contracts or other financial resources we can't really do

David Wheeler's SLOCcount estimates the development effort for
gnupg-1.4 at 30 person years.  And that does not even take into
account that GnuPG can't be estimated using the basic COCOMO; in
reality it will be much higher.  A code audit would be at least that

> I haven't been following the gnupg development so far, but imho the recent 
> development of actions rater is rather disturbing - and these kinds of bugs
> tend to disqualify gnupg from mission critical use. 

Do you really believe it is different with other applications or even
with the Linux, which is the most sensitive part of the OS? I do quick
audits from time to time to figure out what application to use for a
specific task: there is so much horrible flawed software in production
use that I sometimes want to plug out the network cable immediately.
That is not to say that proprietary software is in any regard better;
just to the contrary: all non-free mass market software hampers from
the problem that there is not enough quality checking.  And well, who
is going to do that?



p.s.  Sorry for replying so late to some message; I accidentally
unsubscribed from users and didn't notice.
