David Wade Hagar AKA Cyclops wrote:

> What is a Unices?

Plural of UNIX. Used as a mass noun to describe OS X, FreeBSD, Linux,
NetBSD, OpenBSD, DragonflyBSD, QNX, Cygwin... anything that supports the
major UNIX standards.

>>> Repeat after me: _there is no open source for PGP._ [*] Anyone
>>> who studies the PGP source in order to learn crypto programming
>>> is opening the door to a huge set of lawsuits. Anyone who creates
>>> their own product using lessons learned from studying PGP is
>>> opening the door to a huge set of lawsuits. Anyone who...
>>> etcetera. This is a huge can of worms. It's best avoided.
>
> I think that sounds... Harsh to say the least, not that you'd trust?
> I think it's safe to say that YOU personally wouldn't trust it.

I don't mean to sound caustic, but this is such a total non-sequitur
that I have no idea how I'm supposed to respond to it.

PGP is not open source and hasn't been since PGP 2.3. Bang, period, end
of sentence. That's a factual assertion, and I invite you to prove me
wrong. Look at the licenses for PGP 2.6 or anything since 5.0, and
compare it against the list of open-source licenses at
http://www.opensource.org/licenses/ .

There is nothing 'harsh' about stating a fact. PGP is not open source,
except for one single version which is so old that it ought be
completely abandoned.

> Are you an authority on cryptography?

Don't ever trust what someone says just because they're an authority.
Don't ever disbelieve what someone says just because they lack credentials.
Listen to their arguments, do your own critical thinking, and then
decide whether someone is correct. Ignore all credentials.

> Do you have concrete evidence that any source released for PGP past
> v2.3 (having read your comment below) has a back door or other such
> issue? I think we should be a little more open about people deciding
> their own levels of trust and what they are comfortable with.

<bewildered>
I'm struggling to see where I cast any doubt on the trustworthiness of
PGP. I cast doubt on the wisdom of studying the PGP source in order to
learn how to write a competitor to PGP, since doing so is a clear
violation of the source code licensing agreement. I do not see a single
sentence in my post where I cast doubt on PGP's cryptologic worthiness.

I respectfully suggest that you go back and reread my message. I did
not say the things you want me to have said.
</bewildered>

> That is also assuming that the Office of Homeland Security can't
> already slice through the crypto like butter at will and just hasn't
> told anyone - if you want to be really paranoid. Once again, and
> assuming my information is worth enough to them to go through that
> much effort.

We are now entering the realm of conspiracy theory. There are many good
references on the Web that show why this is very unlikely. Please look
into them.

> If the creator of the software, Phil Z or whoever owns the copyright
> to the software did it, could they not relicense it?

Yes. He didn't relicense it. I know this, because I asked Phil some
years ago if there were any open-source versions of PGP.

> Additionally... What does it being GPL have to do with security? If
> you can read the source code - whatever the license on it - you
> could (in theory) find holes or lack of holes in the code. Or does
> it not being under GPL somehow make flaws or holes less visible?

This question is predicated on me saying something I didn't--namely,
that PGP's disclosed source model is inferior to the open source model.
As such, I'm not going to answer it.