PGP source code
Ben Laurie
ben at algroup.co.uk
Sun, 02 Sep 2001 17:38:32 +0100
Charles Lindsey wrote:
>
> On Sat, 01 Sep 2001 10:25:35 +0100
> Nicholas Bohm <nbohm@ernest.net> said...
>
> > >since one cannot compile it, I cannot see how this statement can be
> > >verified :-(
> >
> > I read it as saying that you can indeed compile it, but only for Peer
> > Review purposes.
> >
> Actually, the main reason I would want to compile it would be to verify
> that the result was the same binary as I had already obtainrd (legally)
> from NAI. (How easy is it to do that check in practice?)
In my experience, impossible - the problem being that parts of the
binary (padding, typically) tend to be from uninitialised data.
> In fact, If I was one of those IT Security thingies we have all been
> talking about, I would advise my clients
> "By all means buy a copy of PGP from NAI, but you should also obtain
> the source code for the exact product you have bought, and then
> compile and use that, rather than the binary they sent you."
Indeed.
> As to peer review, if I was doing that, and found a bug/trapdoor/trojan
> in the source code, then I would announce (in wherever I was publishing
> my review)
> "I have reviewed this product, and would advise everyone not to
> use it since it contains a bug/trapdoor/trojan. Unfortunately, the
> License prohibits me from telling you what that bug/trapdoor/trojan
> is".
It probably prohibits you from saying even this.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff