-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim wrote:
> Tim:
>>> I've just been reading some rather silly things about gnupg except for
>>> one practical point: Who has actually checked the source code for it to
>>> see whether it's trustworthy, etc?
>>>
>>> And, of course, the next thing would be: Who would they be that we
>>> could trust them, too? After a bit of Googling around, I'm darned if I
>>> can find out, nor think of the right terms to search for.
>
> Bruno Wolff III:
>> gnupg is much less likely to have an intentional back door than anything you
>> get from a corporation.
>
> I tend to think so, too. But with something as important as gnupg,
> considering that it, or some pgp-compatible thing, is used in signing
> and checking packages, it ought to be verified as safe. Both from
> things like backdoors, and just plain old mistakes. From what I've
> seen, the mathematics of how to do PGP would seem to be considered as
> reliable, but that's just the scheme. You also have to check that the
> application is done right.

Using gnupg as a subject of speculation is a bad example. If you spend
some time looking, it's easy to find information about audits of the
gnupg codebase, the vetting of new patches, and the work product of
those audits in the form of vulnerability discovery and remediation.

> One of the points raised was: "What's the point in open source if it
> doesn't actually get examined?" We tend to take a lot of things on
> faith, and we often have to. How many of us can vet someone else's
> source? One argument I see put forward about PGP, et al, is that
> anybody who had found a flaw would be proudly crowing about it, but
> nobody has so far.

Sure they have. Consider a recent case:

http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html

> Though that's countered by anyone who'd found a flaw
> because they wanted to exploit it, would be keeping it to themselves.
>
- -- 
- -------------------------------------------------
Joel Jaeggli (joelja@xxxxxxxxxxx)
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEfxeI8AA1q7Z/VrIRAjvVAJ4ioAUSS8nQJbUwj+n/l4Z/INj0IwCff4E9
JywT8A6ZtfRHhW5Vsx64VE0=
=GyRD
-----END PGP SIGNATURE-----
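The thread's practical concern is the checking side of GnuPG: packages (and GnuPG's own release tarballs) are verified with gpg, so the verifier has to be "done right" and has to be driven correctly. The script below is an added example, not code from the thread or from the GnuPG project. It builds a throwaway keyring with a constructed identity, signs a constructed file with a detached signature, and then verifies it the way a package checker should: it reads gpg's machine-readable status lines (`--status-fd`) rather than grepping the human-readable "Good signature" text, and it insists that the signing key's primary fingerprint equals a pinned value, because "Good signature" is emitted for any key that happens to be in the keyring. It assumes gpg from GnuPG 2.1 or later on PATH; the key, user id, file contents and the all-zero "wrong" fingerprint are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: sign a constructed "package" with a
# throwaway key, then verify it with a pinned signer fingerprint using gpg's
# machine-readable status output. Assumes gpg (GnuPG >= 2.1) is on PATH;
# the key, the user id and the data file are all constructed here.

# Work in an ephemeral keyring so nothing touches the caller's real keys.
# Sets GNUPGHOME and PINNED_FPR (the fingerprint we will insist on).
setup_keyring() {
    command -v gpg >/dev/null 2>&1 || return 1
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Constructed identity; unprotected key so the demo runs unattended.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' ed25519 sign never \
        >/dev/null 2>&1 || return 1
    # In --with-colons output the "fpr" record carries the fingerprint in field 10.
    PINNED_FPR=$(gpg --batch --with-colons --list-keys demo@example.invalid 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$PINNED_FPR" ]
}

# Detached, ASCII-armoured signature over exactly the bytes in $1, written to $1.asc
sign_detached() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$PINNED_FPR" --armor --detach-sign \
        --output "$1.asc" "$1" 2>/dev/null
}

# verify_pinned SIG DATA EXPECTED_FPR
# Returns 0 only if gpg reports a valid signature AND the signing key's
# primary fingerprint equals EXPECTED_FPR. gpg exiting 0 or printing
# "Good signature" is not enough on its own: any key present in the
# keyring produces that, so the caller must say which key it expects.
verify_pinned() {
    sig=$1; data=$2; expected=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    # The last field of the VALIDSIG status line is the primary key fingerprint.
    got=$(printf '%s\n' "$status" \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Stop the agent that was started for the throwaway home and remove it.
cleanup_keyring() {
    gpgconf --kill all >/dev/null 2>&1
    rm -rf "$GNUPGHOME"
}

# Stand-alone run: the good file passes; a tampered copy and a wrong pin fail.
run_demo() {
    setup_keyring || { echo "gpg not usable here, skipping demo"; return 0; }
    pkg=$GNUPGHOME/pkg.tar
    printf 'constructed package contents\n' > "$pkg"   # constructed data
    sign_detached "$pkg"
    verify_pinned "$pkg.asc" "$pkg" "$PINNED_FPR" && echo "good file: verified"
    cp "$pkg" "$pkg.tampered"; printf 'x' >> "$pkg.tampered"
    verify_pinned "$pkg.asc" "$pkg.tampered" "$PINNED_FPR" || echo "tampered file: rejected"
    verify_pinned "$pkg.asc" "$pkg" 0000000000000000000000000000000000000000 \
        || echo "unexpected signer: rejected"
    cleanup_keyring
}

run_demo
```

The design choices are the ones that matter in practice: a detached signature covers exactly the file that will be installed, the status interface gives the fingerprint as a field instead of free text to parse, and pinning the fingerprint (rather than trusting whatever keys are in the keyring) is what a package manager does with a vendor key. The fingerprint in Joel's signature block is the same kind of value a recipient would pin for his mail.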