A group of even the most competent reviewers can overlook some problems in the code. It may take a long time before a flaw is discovered. The stamp of approval by some members of this list to a commercial PGP with a secret source code would therefore be little more than a marketing scheme. It would be no different from the expert review marketing scheme used to sell us Clipper, as --I think it was John Gillmore-- has recently explained. No, there is an important difference: you'd be starting from known- good source. That might make the task feasible. That doesn't mean it's easy, of course. A fair number of years ago, I participated in a review of some code which had been developed, in part, by someone who was later convicted of assorted {h,cr,chr}acking- related offenses. There was far too much source code to check it all; however, we knew when this person had first had access, so we could use diff on many modules. That tremendously reduced the scope of the effort. We did find one curious construct -- a combination of two bugs that together constituted a security hole. Either alone was harmless. And to this day, I don't know if they were inserted deliberately.