PGPfreeware 8.0: Not so good news for crypto newcomers

Jon Callas jon at callas.org
Sun Dec 8 18:34:33 EST 2002


On 12/8/02 11:14 AM, "Pete Chown" <Pete.Chown at skygate.co.uk> wrote:

> Is there really any reason to use PGP these days?  PGP 2 was solid
> software.  I've also tried all the releases from 5 to 7 and they were
> all full of bugs.  They also didn't comply properly with the OpenPGP spec.
> 

This is a bit unfair. PGP 5 could not comply with the OpenPGP spec, as it
pre-dated it. OpenPGP started with PGP 5, and then made a number of changes
based upon what the IETF working group wanted. RFC 2440 was finalized in
November '98, which was post-PGP 6.

It is, however, true that PGP 6.5 was not as good as it could have been
in 2440-compliance (but neither was GnuPG in those days, either).

> I particularly remember PGP 6.  I was developing something that
> generated OpenPGP packets.  GnuPG was happy, PGP would die with a SEGV.
> I started digging into the source code to try to find out what was
> going on, but it was hopeless.  The bloat factor had taken over, and it
> was impossible within my deadline to find out what its problem was, and
> whether the SEGV came from an exploitable buffer overrun.  (Eventually I
> got things to work by switching encryption algorithms or something like
> that, I forget the details now.)
> 

This, I believe to be partial mis-remembering. PGP 6 came out in July 1998,
and I don't think GnuPG existed then.

Nonetheless, thanks for the story. I go on and on myself about how important
software quality is, and your anecdote emphasizes this. Here we are four and
a half years later, and the bad taste left in your mouth by this bug causes
you to still be against the product.

All software developers can learn from this.

    Jon


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com


