HH> Since that doesn't allow us to verify the code

I've heard that argument quite often, but do you really intend to examine all of the sources? I'd have the possibility to, but to be honest: I didn't. I got them with a signature of my predecessor, and I relied on his word.

HH> is there a reason for this?

Yes, there is. After I got the sources I lost contact with the other authors of PGP. I don't know whether they've made changes to the sources as well, so at first I didn't release MacPGP at all. But after a while I decided to release at least the executables - if someone takes the chance to object I'll merge my sources with his. Otherwise I'll release the next version together with the source code.

HH> How did you sign them? Did you sign the binhex file or the Mac
HH> executable, etc.?

I put the complete stuff for each language into a Compact Pro archive and signed these archives. Then I gathered them all in another (uncompressed) Compact Pro archive. I'll ask the one who put it on the ftp site where to find it.

Ciao,
Christoph
Christoph Pagalies (by way of habs@cmyk.warwick.com (Harry Shapiro)) says:

> HH> Since that doesn't allow us to verify the code
>
> I've heard that argument quite often, but do you really intend to examine all of the sources?

I tend to. I usually only look at diffs between successive versions. In any case, the point is about the capacity to examine the sources more than anything. Even if one has not personally examined them, the fact that others may examine them is a deterrent to tampering at the release level. I don't believe in releasing cryptography or other security software without sources.

Perry
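The release layout Christoph describes (one archive per language, each signed, all gathered into one uncompressed outer container) and the verification discipline Perry argues for (check every signature, diff successive versions rather than re-reading everything) can be shown end to end. The block below is an added example written for this page; it is not MacPGP code and not anything either correspondent posted. It assumes zip archives in place of Compact Pro, a textbook RSA signature with a small modulus in place of PGP (a toy, labelled as such, not usable for anything real), and constructed sample source trees in place of the actual MacPGP sources.

```python
"""Nested signed release archives: build, verify, diff, and detect tampering.

Added example, not MacPGP's code. Zip stands in for Compact Pro; the
'toy' signature is textbook RSA with a ~64-bit modulus and no padding,
a stand-in for PGP that must never be used for real signing.
"""
import hashlib
import io
import zipfile


# --- toy signature scheme (stand-in for PGP; NOT secure) -----------------
def _is_prime(n):
    if n < 2:
        return False
    k = 2
    while k * k <= n:
        if n % k == 0:
            return False
        k += 1
    return True


def _next_prime(n):
    while not _is_prime(n):
        n += 1
    return n


def toy_keypair():
    """Return (public, private) = ((n, e), (n, d)); illustrative only."""
    e = 65537
    p = _next_prime(2**31 + 11)
    q = _next_prime(2**32 + 15)
    while True:
        phi = (p - 1) * (q - 1)
        try:
            d = pow(e, -1, phi)        # fails if e is not invertible mod phi
            break
        except ValueError:
            q = _next_prime(q + 1)
    return (p * q, e), (p * q, d)


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, priv):
    n, d = priv
    return pow(_digest_int(data) % n, d, n)


def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data) % n


# --- release layout: signed inner archives inside an unsigned container --
def _zip_bytes(files, compression):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):         # fixed order and timestamp: reproducible bytes
            zf.writestr(zipfile.ZipInfo(name), files[name], compress_type=compression)
    return buf.getvalue()


def build_release(sources_by_lang, priv):
    """One compressed archive per language, each signed; all stored uncompressed."""
    outer = {}
    for lang, files in sources_by_lang.items():
        inner = _zip_bytes(files, zipfile.ZIP_DEFLATED)
        outer[f"{lang}.zip"] = inner
        outer[f"{lang}.zip.sig"] = str(sign(inner, priv)).encode()
    return _zip_bytes(outer, zipfile.ZIP_STORED)


def verify_release(outer_bytes, pub):
    """Map each language archive to True/False; a missing signature is a failure."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(outer_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(n for n in names if n.endswith(".zip")):
            lang = name[:-4]
            if name + ".sig" not in names:
                results[lang] = False
                continue
            results[lang] = verify(zf.read(name), int(zf.read(name + ".sig")), pub)
    return results


def _members(outer_bytes, lang):
    with zipfile.ZipFile(io.BytesIO(outer_bytes)) as zf:
        with zipfile.ZipFile(io.BytesIO(zf.read(f"{lang}.zip"))) as inner:
            return {n: inner.read(n) for n in inner.namelist()}


def changed_files(old_outer, new_outer, lang):
    """Members that differ between two releases: what a reviewer diffs."""
    a, b = _members(old_outer, lang), _members(new_outer, lang)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def tamper(outer_bytes, lang, member, new_content):
    """Swap one file inside a signed inner archive, keeping the old signature."""
    with zipfile.ZipFile(io.BytesIO(outer_bytes)) as zf:
        outer = {n: zf.read(n) for n in zf.namelist()}
    files = _members(outer_bytes, lang)
    files[member] = new_content
    outer[f"{lang}.zip"] = _zip_bytes(files, zipfile.ZIP_DEFLATED)
    return _zip_bytes(outer, zipfile.ZIP_STORED)


# Constructed sample source trees (not the real MacPGP files).
RELEASE_V1 = {"english": {"pgp.c": b"int main(void){return 0;}\n", "README": b"v1\n"},
              "german": {"pgp.c": b"int main(void){return 0;}\n", "LIESMICH": b"v1\n"}}
RELEASE_V2 = {"english": {"pgp.c": b"int main(void){return 1;}\n", "README": b"v2\n"},
              "german": {"pgp.c": b"int main(void){return 1;}\n", "LIESMICH": b"v1\n"}}


def demo():
    pub, priv = toy_keypair()
    v1, v2 = build_release(RELEASE_V1, priv), build_release(RELEASE_V2, priv)
    bad = tamper(v1, "english", "pgp.c", b"int main(void){return 0;}/*x*/\n")
    return {"v1_ok": verify_release(v1, pub),
            "tampered": verify_release(bad, pub),
            "changed_german": changed_files(v1, v2, "german")}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real tooling. The outer container is deliberately unsigned and uncompressed, so a verifier checks each inner archive against its own signature and never trusts the wrapper; an inner archive without a signature is treated as a failure rather than as "unsigned but present". And `changed_files` is the mechanical part of Perry's habit: once a previous release has been examined, only the members whose bytes differ need a reader's attention.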
Participants (2):
- Christoph_Pagalies@hh2.maus.de
- Perry E. Metzger