1993-08-30 - Re: Source Code NOT available for ViaCrypt PGP

Header Data

From: “Christian D. Odhner” <cdodhner@indirect.com>
To: mgream@acacia.itd.uts.edu.au (Matthew Gream)
Message Hash: fe146066029b8ffeb8b9d2187a7213fbcc04dbe49e2516bbedf071ab11e59b44
Message ID: <199308300940.AA17049@indirect.com>
Reply To: <9308300745.AA22452@acacia.itd.uts.EDU.AU>
UTC Datetime: 1993-08-30 09:44:13 UTC
Raw Date: Mon, 30 Aug 93 02:44:13 PDT

Raw message

From: "Christian D. Odhner" <cdodhner@indirect.com>
Date: Mon, 30 Aug 93 02:44:13 PDT
To: mgream@acacia.itd.uts.edu.au (Matthew Gream)
Subject: Re: Source Code NOT available for ViaCrypt PGP
In-Reply-To: <9308300745.AA22452@acacia.itd.uts.EDU.AU>
Message-ID: <199308300940.AA17049@indirect.com>
MIME-Version: 1.0
Content-Type: text/plain

> In a previous life, peter honeyman said ...
> | i disagree.  who will guarantee that viacrypt ships binaries based on
> | the validated code?
> Have your appropriately trusted person watch the code compiled in
> front of him, and take a signature of the completed binary. Although,
> this becomes somewhat of a nightmare, as 'Mr Trusted' will need to 
> oversee all 'release' compilations, and spend time beforehand going
> over code to verify everything. This signature could be signed by
> 'Mr Trusted' and included with the distribution, including s/ware
> to allow the 'pleb' user to ensure they match.
> Matthew.
> -- 
> Matthew Gream,, M.Gream@uts.edu.au -- Consent Technologies, 02-821-2043.

Why not just arrange for 'Mr Trusted' to receive a copy of the source code
to examine on a secure system? Then when he/she is sure that it's ok,
compile it on the same trusted system and compare with the release binaries.

Happy Hunting, -Chris.
PGP public key available upon request
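
The comparison described in the reply above (rebuild the reviewed source on a trusted system, then compare the result with the shipped binary), as an added example that is not part of the original message or of any PGP/ViaCrypt tooling. The file names and sample bytes are constructed; on a mismatch it reports the differing byte ranges, since an embedded build timestamp alone is enough to make two honest builds differ.

```python
import hashlib
import pathlib
import tempfile

CHUNK = 64 * 1024

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):  # stream; binaries can be large
            h.update(block)
    return h.hexdigest()

def differing_ranges(path_a, path_b, limit=16):
    """Return up to `limit` (start, end) byte ranges, end exclusive, where the files differ."""
    ranges, start, pos = [], None, 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while len(ranges) < limit:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if not a and not b:
                break
            for i in range(max(len(a), len(b))):
                # A byte present in only one file (length mismatch) counts as a difference.
                same = i < len(a) and i < len(b) and a[i] == b[i]
                if not same and start is None:
                    start = pos + i
                elif same and start is not None:
                    ranges.append((start, pos + i))
                    start = None
            pos += max(len(a), len(b))
    if start is not None:
        ranges.append((start, pos))
    return ranges[:limit]

def compare_builds(release_path, rebuilt_path):
    """Digest both files; on mismatch, locate the differing bytes for review."""
    release, rebuilt = sha256_file(release_path), sha256_file(rebuilt_path)
    diffs = [] if release == rebuilt else differing_ranges(release_path, rebuilt_path)
    return {"release": release, "rebuilt": rebuilt, "match": release == rebuilt, "diff_ranges": diffs}

def demo():
    """Constructed inputs: two 'binaries' identical except for a 4-byte embedded timestamp."""
    with tempfile.TemporaryDirectory() as d:
        rel, reb = pathlib.Path(d, "release.bin"), pathlib.Path(d, "rebuilt.bin")
        body = b"\x7fELF" + bytes(range(256)) * 4
        rel.write_bytes(body[:100] + b"\x2c\x81\x1d\x2c" + body[104:])
        reb.write_bytes(body[:100] + b"\x2d\x82\x1e\x2d" + body[104:])
        return compare_builds(rel, reb), compare_builds(rel, rel)

if __name__ == "__main__":
    print(demo())
```

A non-empty `diff_ranges` is a prompt for review rather than a verdict: each range has to be accounted for before the release binary is accepted as built from the examined source.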