Estimated release of GnuPG 1.0.7?
Olivier Mascia
om@mascia.biz
Mon Dec 17 14:17:01 2001
Hello,
Werner Koch wrote:
WK> Olivier Mascia said:
WK>
WK> > Are there licensing or political reasons not to let people compile GnuPG
WK> > with proprietary commercial compilers ? I suppose not.
WK>
WK> The reason why I don't support native compiling on Windows (well
WK> Cygwin32 basically works) is that it is far too much work to keep track of all
WK> the toolchain changes MS has done over the last 15 years or more and
WK> you need all these proprietary and buggy software. I used to maintain
WK> a lot of software using my multi-toolchain, multi-target environment
WK> for many years, but later decided that it is a futile exercise. It is
WK> far better to have a regular environment on one machine and
WK> cross-compile for other targets.
WK>
WK> Another reason is trust. I trust the GNU tool chain much more than
WK> any proprietary one. Using a free toolchain reduces the risk of
WK> introducing backdoors.
WK>
WK> Werner
I see.
But isn't it possible to at least encourage people to use their own
compilers they're accustomed to, to at least help pinpoint porting bugs
in GnuPG ?
I wasn't specifically thinking of using Microsoft compilers anyway. I do
not use those on Windows. There are a lot of other compilers.
Would there be any licensing issue if I took the source code and
compiled it (fixing any required porting issue) with the tool suite of my
liking
suite under Windows ?
Also, aren't there some Windows-hosted binaries of GNU tools available ?
You see, I like free software (in the right meaning of the term) and I
even write some. But I start to find things not so free when the
software is locked for _any_ reason to a specific platform or
architecture.
I understand the fear that a proprietary compiler used to compile a
security tool like GnuPG could introduce backdoors, but that's taking
the fear a little bit far in my opinion. Why should I trust more a
windows binary which you provide and which I can't build myself than a
windows binary which I would build under my control with a proprietary
tool ? There is no real difference. Yes the source code of your tool is
available and mine is not. But did you compile the compiler yourself ?
Or are you using any binary distro of the compiler ? You see my point, I
guess.
There is a very large number of excellent quality free software
engineered to be built successfully on multiple platforms with multiple tools.
In my opinion there is a much greater risk to have, for instance, a
private key captured by a Linux or Win32 key-logger virus or worm than
by a backdoor engineered to be included in GnuPG when compiled by one of
the proprietary compilers available, be it on unixes or on windowses.
I certainly don't want to start any 'guerilla' about these issues. So if
you prefer we can close this discussion here. I would try to find myself my
way around this limitation.
Sincerely,
--
Olivier Mascia <om@mascia.biz>