PGP source code (fwd)
Adrian Midgley <akm at 92tr.freeserve.co.uk>
Sun, 2 Sep 2001 00:43:50 +0100
From: John Young <jya@pipeline.com>
>Publicly report a fault, get indicted in the USA, even if discovered
>and reported in another country or on the Internet.
Clearly if I had identified a fault rendering the current version of
PGP unreliable I would be unable safely to say so here or elsewhere.
If the owners of the code did not unreasonably withhold permission to
publish it - requiring that they have a beat on the story for say 24
or 48 hours, in order to confirm it themselves and start patching,
then actually that seems not unreasonable.
If they did, or if their view was that anyone who mentioned that they
had reported a fault was breaching their licence, then such a one
could not remark here upon a supposed fault, or even that it existed.
However, it cannot be a breach of any sort of licence to say that I am
unable to confirm that the current version of PGP is fully reliable,
and should anyone ask me to report what version, and what software I
use out of the available ones which include PGP version 2 and GPG.
Those who know me might say the reason I can't confirm it is safe is
that I don't understand source code, but in the current circumstances
one would only be able to say that they might well think that but I
cannot possibly comment.
And sign it appropriately.
So as far as protection of their reputation and commercial interests
goes, I cannot see any benefit in the licence as expressed, nor any
loss to them in offering the code for genuine and unrestricted peer
review and comment.
I know programmers can think logically, and I know lawyers can, so who
wrote the licence and planned the fanfare for it? They should perhaps
rethink some details.
Ross, for instance, are _you_ able, having examined the code, to state
that it is free of faults and trapdoors?
--
Midgley