[12125] in cryptography@c2.net mail archive


Re: PGPfreeware 8.0: Not so good news for crypto newcomers

daemon@ATHENA.MIT.EDU (Jon Callas)
Sun Dec 8 18:42:18 2002

Date: Sun, 08 Dec 2002 15:34:33 -0800
From: Jon Callas <jon@callas.org>
To: Pete Chown <Pete.Chown@skygate.co.uk>,
	Cryptography <cryptography@wasabisystems.com>
In-Reply-To: <3DF39A05.4090707@skygate.co.uk>

On 12/8/02 11:14 AM, "Pete Chown" <Pete.Chown@skygate.co.uk> wrote:

> Is there really any reason to use PGP these days?  PGP 2 was solid
> software.  I've also tried all the releases from 5 to 7 and they were
> all full of bugs.  They also didn't comply properly with the OpenPGP spec.
> 

This is a bit unfair. PGP 5 could not comply with the OpenPGP spec, as it
pre-dated it. OpenPGP started with PGP 5, and then made a number of changes
based upon what the IETF working group wanted. RFC 2440 was finalized in
November '98, which was post-PGP 6.

It is, however, true that PGP 6.5 was not as good as it could have been
in 2440-compliance (but neither was GnuPG in those days, either).

> I particularly remember PGP 6.  I was developing something that
> generated OpenPGP packets.  Gnupg was happy, PGP would die with a SEGV.
> I started digging into the source code to try to find out what was
> going on, but it was hopeless.  The bloat factor had taken over, and it
> was impossible within my deadline to find out what its problem was, and
> whether the SEGV came from an exploitable buffer overrun.  (Eventually I
> got things to work by switching encryption algorithms or something like
> that, I forget the details now.)
> 

This, I believe, is a partial misremembering. PGP 6 came out in July 1998,
and I don't think GnuPG existed then.

Nonetheless, thanks for the story. I go on and on myself about how important
software quality is, and your anecdote emphasizes this. Here we are four and
a half years later, and the bad taste left in your mouth by this bug causes
you to still be against the product.

All software developers can learn from this.

    Jon
