Why trust gpg4win?

atair atair04 at googlemail.com
Thu Jul 25 23:17:43 CEST 2013


On 7/25/13, takethebus at gmx.de <takethebus at gmx.de> wrote:
> Hi everybody,
>
> why should I trust gpg4win? I have doubts since it was ordered by the
> "Bundesamt für Sicherheit in der Informationstechnik (BSI)", which has
> close connections to secret services. Is GnuPT any better? Finally, why
> should I trust gnupg?
>
First of all, it is ok to have doubts.
Basically, your concern is that some German federal institution
implemented a back door in gpg4win (in this case). This is
theoretically and practically possible, but there's one big problem
with this:
gpg4win (as gnupg, too) is _free software_ [1]. "Free" has to be
understood as in "free speech" not "free beer" (although it often
means both).
This basically means that everyone(!) can access, modify and
redistribute the source code of the program (see [2] if you're
interested). There are lots of people (usually volunteers from all
over the world) who do peer reviews on the sources (and if you start
with [2], _you_ can be another one). Therefore, changes that look like
back doors are VERY unlikely to find their way in a release, because
hundreds of people are looking how the software evolves and will
reject such a patch.
This is the/a major thing behind the necessity for "free and open"
software, such as the free operating system GNU/Linux. There's nobody
you just have to trust, because _you_ can verify what the program
actually does (as said above, by looking at the code and compiling it
yourself).

( Besides, I think that, usually, the BSI people are good people. )

> I'm a windows user.
When you're used to gpg4win (or OpenPGP/cryptography in general), I
strongly recommend that you switch from Windows to a free operating
system, preferably GNU/Linux. You may also have a look at the various
"Live CDs", e.g. [3] and [4]. You can download and burn an iso-image
to a CD/DVD and then boot a complete GNU/Linux OS without making
actual changes on your hard disk.

[1] http://www.gpg4win.org/about.html
[2] http://www.gpg4win.org/download.html, then look for "source code package"
[3] https://tails.boum.org
[4] http://www.knoppix.org/

Cheers,
-- atair04
