OT: Peer review (was: making a Debian Live CD for managing GnuPG master key and smartcards)

Lachlan Gunn lachlan at twopif.net
Wed Apr 27 03:35:19 CEST 2016

> Well, there's a little bit of a chicken-and-the-egg problem here.  If
> new projects are told "don't evangelize here", how will they let users
> who might be interested in their project know it exists?  Evangelization
> is important.  I don't think we want to adopt a no-evangelization rule,
> but at the same time, we want to keep it within limits, too.

Yep, I think this is important.  I'd also suggest that actively
attempting to lure potential contributors to a project from their own
mailing list is a bit of a no-no as well.

A topic that someone mentioned in this thread was peer review.  Is there
any venue out there for seeking third-party security review for
open-source code?  I don't mean anything professional, but just
something Stack-Overflow-ey.

A few of my projects involve crypto or some other kind of security
functionality, and I feel a bit uncomfortable evangelising too much
without having had someone else go over them more thoroughly than
Coverity can.  Here wouldn't be a good venue as they tend to range from
unrelated to competing (don't judge, I just need an MIT-licenced way to
check an OpenPGP signature), but given the amount of misguided security
code out there, it seems like somewhere more generally-oriented might be

Even restricting to GnuPG itself, obviously not every one-man-band using
GPG in a script can expect to come here and get a code audit.
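Since the post mentions checking an OpenPGP signature from a script as exactly the sort of small security-sensitive code that rarely gets a second pair of eyes, here is an added example (not code from the post above, nor from GnuPG) of the part people most often get wrong: deciding from gpg's machine-readable --status-fd output whether a signature is acceptable, rather than grepping the localised "Good signature" text. Everything in it is assumed for illustration: the fingerprint, key ID, user ID and status lines are constructed, and the gpg invocation in verify_file() is the one this example assumes a caller would run.

```python
"""Accept an OpenPGP signature only if gpg reports exactly one GOODSIG whose
VALIDSIG primary-key fingerprint is pinned in advance.

Added example, not code from the mailing-list post or from GnuPG. All
fingerprints, key IDs, user IDs and status lines below are constructed.
"""
import subprocess
from dataclasses import dataclass

# Status keywords meaning "not acceptable", whatever else gpg printed.
# EXPKEYSIG / REVKEYSIG are cryptographically good signatures made by an
# expired or revoked key; gpg's human-readable output still says "Good
# signature" for them, which is one reason grepping that text is unsafe.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                    "NO_PUBKEY", "NODATA", "UNEXPECTED", "FAILURE"}


@dataclass
class SigResult:
    ok: bool
    reason: str
    signer_fpr: str = ""   # primary-key fingerprint of the accepted signer


def parse_status(status_text: str, allowed_primary_fprs) -> SigResult:
    """Parse '[GNUPG:] ...' lines; ignore everything else (stderr chatter,
    localised messages). TRUST_* lines are deliberately not consulted: the
    fingerprint pin replaces the web of trust for this use case."""
    allowed = {f.replace(" ", "").upper() for f in allowed_primary_fprs}
    good_count = 0
    valid_fpr = None
    for raw in status_text.splitlines():
        if not raw.startswith("[GNUPG:] "):
            continue
        fields = raw[len("[GNUPG:] "):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILURE_KEYWORDS:
            return SigResult(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good_count += 1
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-key-fpr>]
            if len(args) < 9:
                return SigResult(False, "malformed VALIDSIG line")
            # Modern gpg appends the primary-key fingerprint as field 10;
            # older output only has the signing (sub)key fingerprint.
            valid_fpr = (args[9] if len(args) > 9 else args[0]).upper()
    if good_count != 1:
        return SigResult(False,
                         f"expected exactly one good signature, got {good_count}")
    if valid_fpr is None:
        return SigResult(False, "GOODSIG without VALIDSIG")
    if valid_fpr not in allowed:
        return SigResult(False, f"signature from unpinned key {valid_fpr}")
    return SigResult(True, "good signature from pinned key", valid_fpr)


def verify_file(sig_path, data_path, allowed_primary_fprs, gpg="gpg"):
    """Assumed invocation for a detached signature; needs gpg installed.
    --status-fd 1 puts the status lines on stdout, separate from stderr."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1",
         "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return parse_status(proc.stdout, allowed_primary_fprs)


# --- constructed sample status output (not from a real key) -------------
PINNED = {"0123456789ABCDEF0123456789ABCDEF01234567"}
_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_UID = "6789ABCDEF01234567 Example Signer <signer@example.org>"
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] KEY_CONSIDERED {_FPR} 0\n"
    f"[GNUPG:] GOODSIG {_UID}\n"
    f"[GNUPG:] VALIDSIG {_FPR} 2016-04-27 1461720919 0 4 0 1 10 00 {_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
BAD_STATUS = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {_UID}\n"
EXPIRED_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] EXPKEYSIG {_UID}\n"
    f"[GNUPG:] VALIDSIG {_FPR} 2016-04-27 1461720919 0 4 0 1 10 00 {_FPR}\n")
HUMAN_READABLE_ONLY = "gpg: Good signature from \"Example Signer\"\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD_STATUS), ("bad", BAD_STATUS),
                       ("expired", EXPIRED_KEY_STATUS),
                       ("prose only", HUMAN_READABLE_ONLY)]:
        print(f"{name:11s} -> {parse_status(text, PINNED)}")
```

The pin is on the primary-key fingerprint, not the 16-hex-digit key ID in the GOODSIG line, because the short ID is what an attacker can choose when generating a colliding key. Requiring exactly one GOODSIG also rejects a file that carries one good and one bad signature.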
