Ask HN: Is it time for a public GPG audit?

94 points

13 years ago

With GPG being a common destination for those concerned by the recent privacy revelations, it bothers me a little that I can't find any audit or security review of GPG's codebase.

The Wikipedia page says that a German IT ministry funded a windows port, the EU Agency for Network and Information Security list GPG as part of their index of tools and claim it's in use by some related parties [0] but don't go so far as to recommend it. Considering that several governments within the EU are allegedly complicit in the SIGINT scandal, I don't think their word counts for much.

GPG is open source, but while the code is readily available the knowledge and background to determine its security is somewhat rarer. Would you be willing to contribute to a project to fund a public audit of the codebase? If so, what sort of people would you like to see participate.

[0] http://www.enisa.europa.eu/activities/cert/support/chiht/tools/gnupg-the-gnu-privacy-guard

38 comments

38 comments