Re: the safety of gnupg

I've just been reading some rather silly things about gnupg except for
one practical point: Who has actually checked the source code for it to
see whether it's trustworthy, etc?

And, of course, the next thing would be: Who would they be that we
could trust them, too? After a bit of Googling around, I'm darned if I
can find out, nor think of the right terms to search for.

Bruno Wolff III:
gnupg is much less likely to have an intentional back door than anything you
get from a corporation.

I tend to think so, too. But with something as important as gnupg,
considering that it, or some pgp-compatible thing, is used in signing
and checking packages, it ought to be verified as safe, both from
things like backdoors and from just plain old mistakes. From what I've
seen, the mathematics of how to do PGP would seem to be considered
reliable, but that's just the scheme. You also have to check that the
application is done right.

One of the points raised was: "What's the point in open source if it
doesn't actually get examined?" We tend to take a lot of things on
faith, and we often have to. How many of us can vet someone else's
source? One argument I see put forward about PGP, et al., is that
anybody who had found a flaw would be proudly crowing about it, but
nobody has so far. Though that's countered by the point that anyone
who'd found a flaw because they wanted to exploit it would be keeping
it to themselves.

(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

fedora-list mailing list