PGP source code

Dave Howe DHowe at Hawkswing.demon.co.uk
Sun, 2 Sep 2001 17:28:02 +0100


> Actually, the main reason I would want to compile it would be to verify
> that the result was the same binary as I had already obtained (legally)
> from NAI. (How easy is it to do that check in practice?)
As far as I know, it isn't - I have never seen MS VC++ produce an
identical binary from a recompile....

> In fact, If I was one of those IT Security thingies we have all been
> talking about, I would advise my clients
>     "By all means buy a copy of PGP from NAI, but you should also obtain
>     the source code for the exact product you have bought, and then
>     compile and use that, rather than the binary they sent you."
Hmm. That was a problem with 6.5.8, as it required an expensive driver
library (numega? can't remember offhand) to compile some bits of it (I
suppose you could just do without those bits - I think PGPdisk and
PGPnet). I don't remember 5.x requiring it (but of course 5.x didn't
have either component) - and there isn't a hope in hell of the source to
THAT being available for review. It also requires a specific compiler,
and the MS platform SDK and DDKs (any of which are as potentially
compromised as PGP binaries themselves are).