Why trust gpg4win?

Mark H. Wood mwood at IUPUI.Edu
Fri Jul 26 15:22:32 CEST 2013


On Fri, Jul 26, 2013 at 12:14:08AM +0200, Julian H. Stacey wrote:
> Hi, Reference:
> > From:		atair <atair04 at googlemail.com> 
> > Date:		Thu, 25 Jul 2013 21:17:43 +0000 
> 
> atair wrote:
> ...
> Therefore, changes that look like
> back doors are VERY unlikely to find their way in a release, because
> hundreds of people are looking how the software evolves and will
> reject such a patch.
> ...
> 
> Yes, malign code would have to hide in plain view in source (& most
> likely evil patches wouldn't get past the view of the people committing
> the `improvement' to the source repository ;-).
> 
> However you missed the point that many MS users are not programmers,
> & will not be compiling their own binaries, so any malign entity
> could regularly hack their nasty extras in, compile & issue binaries
> that don't match published source (sure that would breach licence,
> but irrelevant to an evil doer), & those without access to exactly
> the same set of compiler tools would not easily know of embedded
> evil extra mods.

But it takes only one person who can and does do this inspection, to
reveal the evil deed.  And that person could be anywhere.  He very
likely won't be identified until he announces his presence by
announcing his discovery of the attack.

> The solution of course is as you urged takethebus at gmx.de, to get
> a free operating system such as Linux or BSD, complete with free
> build tools & compile your own (even non programmers can do that,
> eg on an OS downloaded from
> 	http://www.freebsd.org
> just type
> 	cd /usr/ports/security/gnupg ; make install
> ) However for some that's too much effort, for them greater risk, their choice.

Well, Windows users who aren't programmers, who switch to e.g. Linux,
will then be Linux users who aren't programmers, so this alone changes
little for the individual.  He is still dependent on others in the
community.  That is quite alright -- an important part of PKC is for
people to find out for themselves who is reliable and form open-eyed
trust relationships.

If one wishes to be more self-sufficient, one must learn a great deal
about work formerly left to others.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.
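The thread's concern is a published binary that does not match the published source. A user who will not build from source still has one cheap check: compare the downloaded installer against the checksum list the publisher distributes. The following is an added example, not code from the gpg4win project or from anyone in this thread; the `sha256sum`-style manifest layout (hex digest, two spaces, file name) is a common convention, and the file names and contents are constructed. Note the caveat it encodes: a matching sum only proves the file matches the manifest, so the manifest itself must be authenticated separately (for gpg4win, by checking the publisher's OpenPGP signature on it); this example does not do that step.

```python
"""Verify a downloaded installer against a published SHA-256 checksum list.

Added example for the gpg4win trust discussion; not project code.
The manifest format mirrors `sha256sum` output. All sample data is constructed.
"""
import hashlib
import hmac


def parse_sums(text):
    """Parse lines of the form '<64 hex chars>  <file name>' into {name: digest}.

    Blank lines and '#' comments are skipped; anything else malformed is an
    error, because silently ignoring a bad line could hide a tampered manifest.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*'
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify(name, data, sums):
    """Return 'ok', 'mismatch' or 'unlisted' for the given file contents."""
    expected = sums.get(name)
    if expected is None:
        return "unlisted"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking where the first differing byte is
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# --- constructed demo data -------------------------------------------------
# What the publisher built and listed (stand-in bytes; hypothetical file names).
PUBLISHED_INSTALLER = b"MZ\x90\x00 constructed stand-in for gpg4win-X.Y.Z.exe"
PUBLISHED_FILENAME = "gpg4win-X.Y.Z.exe"

# The manifest a publisher would sign and distribute alongside the installer.
MANIFEST = "# constructed example manifest\n" + (
    f"{hashlib.sha256(PUBLISHED_INSTALLER).hexdigest()}  {PUBLISHED_FILENAME}\n"
)

# What a user might actually receive: the real file, a silently altered copy,
# and a file the manifest never listed at all.
RECEIVED_GOOD = PUBLISHED_INSTALLER
RECEIVED_TAMPERED = PUBLISHED_INSTALLER + b"\x00extra payload"
RECEIVED_UNKNOWN_NAME = "gpg4win-setup.exe"


def demo():
    """Run the three checks and return their verdicts keyed by scenario."""
    sums = parse_sums(MANIFEST)
    return {
        "good": verify(PUBLISHED_FILENAME, RECEIVED_GOOD, sums),
        "tampered": verify(PUBLISHED_FILENAME, RECEIVED_TAMPERED, sums),
        "unknown": verify(RECEIVED_UNKNOWN_NAME, RECEIVED_GOOD, sums),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

Treat "unlisted" as a failure, not a shrug: a file the manifest does not name has no published reference to compare against. The check moves trust from the binary to the manifest, which is why the manifest (or the installer itself) needs a signature you have verified against a key you obtained through a channel you already trust.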