On Thu, 30 Oct 1997, Anonymous wrote:

...

Where can I find a copy of PGP 5.0 which handles this "SHA1" hash extension, and the new forced incompatabilities? I'm looking for a Linux distribution. All I've found are Windoze versions, really old betas which break *everything* which calls PGP from a script or command line, and betas which have a lame expired timebomb in them. Source is prefered for obvious reasons.

http://www.pgpi.com/

I went and took a look at this. They've broken the PGP functionality into several different psuedo-binaries which are just symlinks which point to the same binary. Invoking just 'pgp' gives this:

PGP is now invoked from different executables for different operations:

pgpe Encrypt (including Encrypt/Sign) pgps Sign pgpv Verify/Decrypt pgpk Key management pgpo PGP 2.6.2 command-line simulator (not yet implemented)

See each application's respective man page or the general PGP documentation for more information.

Now this, of course, breaks all matter of things. Some of this may be wrong, so feel free to correct it: Phil releases PGP. It rapidly becomes a standard for personal privacy and is used all over the world. Various versions come about including several international versions. Finally PGP 5.0 is released. It uses a completely new scheme, including DH keys. The Windows version purposefully excludes RSA key generation, in effect forcing people to generate DH keys. There is no UNIX version released. Weeks or months later, after incompatabilities were introduced into the system, UNIX versions begin to filter out. Instead of keeping command line compatability so scripts and programs which call PGP still work, they decide to break the functions up into several different invocations, all of which point to the same binary anyway. The README-BIN file for the "beta 11" Linux distribution says:

Rest assured, we WILL be releasing a source Unix distribution. Unfortunately, licensing and export issues make this difficult; the beta process for Linux will be completed on a binary basis. We understand the difficulty this causes, and will be working to find a solution in the future.

They also take the liberty of coding in a timebomb: $ ./pgp This beta evaluation version of PGP has expired. $ pwd <censored>/pgp50b11-linux-i386/apps/pgp "lnx-b11" is the version currently handed out by http://www.pgpi.com, by the way. The "PGP 5.0 beta for Linux Intel (US version)" selection on their download page leads to a link to: ftp://ftp.ifi.uio.no/pub/pgp/5.0/usa_only/linux/PGP50-lnx-b11.tgz The current source distribution from that site is b8a. One of the README files from that reads:

Welcome to the PGP beta test program!

Before reporting any bugs, please check the pgp(1) man page to ensure that they are not already known.

Bugs should be reported on the beta test web page at:

http://beta.pgp.com/

However when one goes to http://beta.pgp.com they're confronted with a legal agreement. Of course the link to it from the front page won't work in Lynx 2.7.1 because it uses something called an "https" link, so the user has to type in the URL manually as "http://www.pgp.com/beta/license.cgi". After reading this license and agreeing to it, the user is allowed to reach the "BetaWeb" page. However the "public bug reports" link yields this:

Sorry, the bug report form is not available yet. Please be patient as we get things ready.

Please see the PGP BetaWeb for further information, or contact the Beta Manager with specific questions.

For now, please use the "Back" button in your browser to return to the previous page.

So maybe you can at least get whatever the current beta is and hope it works, right? Wrong. "PGP Personal v5.5.1 BetaHome"'s "Beta Software & ReadMe Download Button" wants a user name and password, but it's doubtful they have a UNIX distribution in there anyway considering the rest of this mess. Well, at least maybe the user can suggest a new "feature" for PGP 6 and that feature be "Release a source distribution which when installed doesn't break anything which calls PGP," right? Wrong. You have to have a username and password for that too. Well, obviously they want you to register as a "Registered PGP Beta Tester" to get this clearance. However "Beta Registration" yields:

Sorry, we are not currently accepting new beta testers. We will be shortly, however, so please check back if you are interested.

Please see the PGP BetaWeb for further information, or contact the Beta Manager with specific questions.

For now, please use the "Back" button in your browser to return to the previous page.

And of course my 2.6.3i breaks on this "Hash: SHA1" stuff. So correct me if I'm wrong but the way I see it is like this: A new version of PGP was released. It was incompatable with previous versions. They release a Windows version but don't release a version which works under UNIX. Of course Windows users now start using the "latest and greatest," sending messages and keys all over the place which are completely incompatable with the version of PGP everybody else is using. They claim to be working on a UNIX version, granted, but that should have been released at the same time as the Windows version and *AFTER* there was an international version of PGP 5.0 available. Their UNIX version of PGP 5.0 also seems to be completely incompatable with anything which calls PGP from a script or program. In addition their UNIX versions are purposefully crippled so that they don't work after a certain time period, don't provide an override for this that I can see, and they insist on releasing binary-only distributions for Linux which prevents people from commenting that out. They have no method to get new up to date versions, nor do they have a method to report bugs like they say they do. Further the "PGP50-lnx-b11-6126098-1.src.rpm" contains the *BINARY* distribution, *not* the source. I've also been informed that PGP 5.0 encrypts to the CMR key without even bothering to ask and there's no way to override that short of hacking the key record. What the hell are these people thinking? Did they get into bed with Microsoft to try to get people to say "screw this" and go use Windows?