
How to make fixes stick (Was Re: PGP 2.5 Beta Release Over, PGP 2.6 to be released next week)



According to Jeffrey I. Schiller, PGP 2.6 will issue broken messages,
unreadable by earlier legal versions of PGP (Viacrypt's 2.4 in USA and
Canada, and any version outside backward-crypto-land).

In summary, how do we make our fixes to this obvious bug stick?

(Institutional paranoia on)
To me, this change is an obvious step in satisfying the TLA's desire for
a segmented crypto market to slow widespread use of strong crypto.  On
the one side, we have misapplied ITAR regulations preventing export of a
worldwide standard.  On the other side, we have a wrongly-granted patent
preventing use of an imported worldwide standard.  PGP is a de facto
worldwide standard, and they're trying to break it.
(Institutional paranoia off)

  From the keyboard of:  Adam Shostack <[email protected]>
> 	And 2.4 is legal, if the 2.6 code doesn't recognize that,
> well, then that code is buggy & will need to be fixed.  :)

Adam has the right idea.  The question is, how do we make such a fix
stick?  In order to beat the "canonical release" advantage of the
broken 2.6, we'll need to spread the word widely (at least until a
2.6-compatible PGP is released and ported to the full range of current
platforms by our outside compatriots).

Some suggestions for after we create such patches:

Letters to computer magazines (Infoworld, Wired, PC Week, etc.)
Add entry to PGP FAQ about communicating with non-USA/Canada PGP users
Add entry to PGP WWW pages in UK
Weekly postings of the patches to alt.security.pgp (from outside NA)
Monthly postings of the patches to alt.sources.patches (from outside NA)
Press releases in other appropriate newsgroups, repeated

Come up with others, particularly for the non-net world. :-)


Richard