the safety of gnupg

Ed Greshko Ed.Greshko at greshko.com
Thu Jun 1 03:32:15 UTC 2006


Tim wrote:
> Tim:
>>> I've just been reading some rather silly things about gnupg except for
>>> one practical point:  Who has actually checked the source code for it to
>>> see whether it's trustworthy, etc?
>>>
>>> And, of course, the next thing would be:  Who would they be that we
>>> could trust them, too?  After a bit of Googling around, I'm darned if I
>>> can find out, nor think of the right terms to search for.
> 
> Bruno Wolff III:
>> gnupg is much less likely to have an intentional back door than anything you
>> get from a corporation.

Ahhh...the mailing list.  What wonderful fodder for circular
arguments/discussions.

> I tend to think so, too.  But with something as important as gnupg,
> considering that it, or some pgp-compatible thing, is used in signing
> and checking packages, it ought to be verified as safe.  Both from
> things like backdoors, and just plain old mistakes.  From what I've
> seen, the mathematics of how to do PGP would seem to be considered as
> reliable, but that's just the scheme.  You also have to check that the
> application is done right.
> 
> One of the points raised was:  "What's the point in open source if it
> doesn't actually get examined?"  We tend to take a lot of things on
> faith, and we often have to.  How many of us can vet someone else's
> source?  One argument I see put forward about PGP, et al, is that
> anybody who had found a flaw would be proudly crowing about it, but
> nobody has so far.  Though that's countered by anyone who'd found a flaw
> because they wanted to exploit it, would be keeping it to themselves.

Think of it this way....  Open source software has a chance of being
examined/vetted...closed source has 0 chance unless you can get the
vendor to release the source to you.  And it matters not if I have the
ability to check the source code myself.  Do I have the time?  Is that
part of my responsibility?

Anybody can raise arguments to use or not use given software.
Ultimately it is up to you to explore the arguments of both sides and
then make your decision.

Remember closed-source software can only be attacked.  Open source can
be attacked and examined.

Who do you trust more?  It is up to you.

Do you follow the announcements on the various security/vulnerabilities
sites like http://secunia.com or http://www.cve.mitre.org?  Why not
wander over there and search for gnupg?

FWIW, I sense you are searching for an answer to a question for which there
are only opinions.

Is IE7 going to be "safe"?  Ask Bill Gates that question and you will
know *his* answer....  :-)

More information about the fedora-list mailing list