Re: the safety of gnupg

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tim wrote:
> Tim:
>>> I've just been reading some rather silly things about gnupg except for
>>> one practical point:  Who has actually checked the source code for it to
>>> see whether it's trustworthy, etc?
>>>
>>> And, of course, the next thing would be:  Who would they be that we
>>> could trust them, too?  After a bit of Googling around, I'm darned if I
>>> can find out, nor think of the right terms to search for.
> 
> Bruno Wolff III:
>> gnupg is much less likely to have an intentional back door than anything you
>> get from a corporation.

Ahhh...the mailing list.  What wonderful fodder for circular
arguments/discussions.

> I tend to think so, too.  But with something as important as gnupg,
> considering that it, or some pgp-compatible thing, is used in signing
> and checking packages, it ought to be verified as safe.  Both from
> things like backdoors, and just plain old mistakes.  From what I've
> seen, the mathematics of how to do PGP would seem to be considered as
> reliable, but that's just the scheme.  You also have to check that the
> application is done right.
> 
> One of the points raised was:  "What's the point in open source if it
> doesn't actually get examined?"  We tend to take a lot of things on
> faith, and we often have to.  How many of us can vet someone else's
> source?  One argument I see put forward about PGP, et al, is that
> anybody who had found a flaw would be proudly crowing about it, but
> nobody has so far.  Though that's countered by anyone who'd found a flaw
> because they wanted to exploit it, would be keeping it to themselves.

Think of it this way....  Open source software has a change of being
examined/vetted...close source has 0 chance unless you can get the
vendor to release the source to you.  And it matters not if I have the
ability to check the source code myself.  Do I have the time?  Is that
part of my responsibility?

Anybody can raise arguments to use or not use given software.
Ultimately it is up to you to explore the arguments of both sides and
then make your decision.

Remember closed sourced software can only be attacked.  Open source can
be attacked and examined.

Who do your trust more?  It is up to you.

Do you follow the announcements on the various security/vulnerabilities
sites like http://secunia.com or http://www.cve.mitre.org?  Why not
wander over there and search for gnupg?

FWIW, I sense you are search for an answer to a question for which there
are only opinions.

Is IE7 going to be "safe"?  Ask Bill Gates that question and you will
know *his* answer....  :-)


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux