PGP source code

Charles Lindsey Charles Lindsey <chl at clw.cs.man.ac.uk>
Sun, 2 Sep 2001 12:31:33 +0100 (BST) 

	On Sat, 01 Sep 2001 10:25:35 +0100
	Nicholas Bohm <nbohm@ernest.net> said...

> >since one cannot compile it, I cannot see how this statement can be
> >verified :-(
> 
> I read it as saying that you can indeed compile it, but only for Peer
> Review purposes.
> 
Actually, the main reason I would want to compile it would be to verify
that the result was the same binary as I had already obtainrd (legally)
from NAI. (How easy is it to do that check in practice?)

In fact, If I was one of those IT Security thingies we have all been
talking about, I would advise my clients
    "By all means buy a copy of PGP from NAI, but you should also obtain
    the source code for the exact product you have bought, and then
    compile and use that, rather than the binary they sent you."

As to peer review, if I was doing that, and found a bug/trapdoor/trojan
in the source code, then I would announce (in wherever I was publishing
my review)
    "I have reviewed this product, and would advise everyone not to
    use it since it contains a bug/trapdoor/trojan. Unfortunately, the
    License prohibits me from telling you what that bug/trapdoor/trojan
    is".
I reckon that would be DMCA-safe, but it wouldn't do NAI's reputation
much good :-( .

	On Sat, 1 Sep 2001 22:33:52 +0100 (BST)
	Philip Rowlands <phr@doc.ic.ac.uk> said...

> 
> On Sat, 1 Sep 2001, Dave Howe wrote:
> 
> Umm, if you don't have a license, then you have no rights (downloading,
> copying to RAM, creating derivative work (compiling)) at all, surely?
> 
If you have downloaded the source without having seen the License first,
then you are left with whatever the Copyright laws allow. You may not
make copies to pass to others. You may make whatever copies for backup,
execution, etc the Copyright law allows. And, in particular, you MAY
comment on bugs you find in the code, illustrated with such small
fragments of the code as are allowed ubder the Fair Use doctrine.

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl@clw.cs.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5