Should you trust any 7.x.x version? (2.50 / 2) (#2)
by jbridges on Wed Sep 05, 2001 at 11:55:10 AM EST
After seeing the notice about this new hotfix for PGP 7.x.x, I went hunting on GoogleGroups for discussion about these sorts of hotfixes.
I found this particularly worrying message about the status of all 7.x.x versions of PGP (posted by Anonymous):
31 Jul 2001 in <email@example.com> firstname.lastname@example.org wrote:
> In article <bTl97.email@example.com>, "Floppy" <firstname.lastname@example.org> wrote:
> >I've read that some people are refusing to use it because of security
> >concerns ( no source ) and on principle ( no source ).
> You are correct that many people are. And again, these are valid concerns.
> This also appears to be a major reason for Phil Zimmermann leaving NAI, but
> even he uses 7.0.3,
Dare to confirm ?
PRZ is not using PGP v7.0.3, except for some not important PR times.
How do you know, that PRZ PGP v7.0.3 is the same that is available for download ?
How do you know, that PRZ PGP v7.0.3 is not compiled by him from other source code ?
How do you know, that NAI signed executables are the same that PRZ had access to at
source code level ?
PRZ didn't sign PGP v7.0.3, then why must you trust what he said?
Shouldn't PRZ put his hand where his mouth is ?
I think, he should, when he is so sure about his opinions. But he didn't,
and that counts, at least for PGP v7.0.3
> and he gives his personal assurance that it has no
A back door is one thing, a secure application is another thing.
Whether a back door is present or not is only one part of a bigger security issue.
> In the end, you have to rely on who you trust - as important as the
> source code release is, it does not guarantee the absence of a backdoor
Source code release will guarantee that a back door may be found.
> - I can think of no one in this who is more trustworthy than PZ.
PRZ didn't program PGP v7.0.3
PRZ didn't test PGP v7.0.3
PRZ did philosophically oversee PGP, like an appointed governor would do,
but he didn't physically sink into all those details, about 10 MB of code !!!