From: Ben.Goren@asu.edu
Date: Mon, 18 Jul 94 13:33:52 PDT
To: jis@MIT.EDU
Subject: Re: PGP bug *NOT* yet fixed
Message-ID: <aa5092810202101e7432@[129.219.97.131]>
MIME-Version: 1.0
Content-Type: text/plain


At 5:58 PM 7/17/94, Jeffrey I. Schiller wrote:
>Chill out friend. We are working on a bugfix release to PGP which will
>fix several important bugs. The bug you mention is fixed in our
>development sources and will be fixed in the next release. Read Colin's
>note carefully. If you do you will realize that this problem is not
>a disaster [. . . .]

It might not be a disaster, but if it was bad enough for Colin to write
that message--it couldn't have been comfortable to admit to such a
mistake--it seems more than worthwhile to fix it at the same time,
especially considering that the fix could be as simple as putting his
message in the release directory.

I certainly thank Colin for having the courage to publicly announce the
mistake; my complaint is that there wasn't any follow-through.

The point is that this is damaging to PGP's reputation--it makes the
programmers look amateurish. You might be amatuers, but you sure haven't
acted like it until this. Any security-related bug serious enough to
announce is serious enough to fix immediately; otherwise, we should take
"Pretty Good" much more literally than most of us do now.

Heck, it would have taken a fraction of the time to fix the code than it
must have for Colin to write the letter.

b&

--
Ben.Goren@asu.edu, Arizona State University School of Music
 net.proselytizing (write for info): Protect your privacy; oppose Clipper.
 Voice concern over proposed Internet pricing schemes. Stamp out spamming.
 Finger ben@tux.music.asu.edu for PGP 2.3a public key.