the safety of gnupg

Tim ignored_mailbox at yahoo.com.au
Thu Jun 1 02:53:49 UTC 2006


Tim:
>> I've just been reading some rather silly things about gnupg except for
>> one practical point:  Who has actually checked the source code for it to
>> see whether it's trustworthy, etc?
>> 
>> And, of course, the next thing would be:  Who would they be that we
>> could trust them, too?  After a bit of Googling around, I'm darned if I
>> can find out, nor think of the right terms to search for.

Bruno Wolff III:
> gnupg is much less likely to have an intentional back door than anything you
> get from a corporation.

I tend to think so, too.  But with something as important as gnupg,
considering that it, or some pgp-compatible thing, is used in signing
and checking packages, it ought to be verified as safe, both from
things like backdoors and from just plain old mistakes.  From what I've
seen, the mathematics of how to do PGP would seem to be considered as
reliable, but that's just the scheme.  You also have to check that the
application is done right.

One of the points raised was:  "What's the point in open source if it
doesn't actually get examined?"  We tend to take a lot of things on
faith, and we often have to.  How many of us can vet someone else's
source?  One argument I see put forward about PGP, et al, is that
anybody who had found a flaw would be proudly crowing about it, but
nobody has so far.  Though that's countered by the fact that anyone who'd
found a flaw because they wanted to exploit it would be keeping it to
themselves.

-- 
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.