A sad result

Path: gmd.de!xlink.net!howland.reston.ans.net!noc.near.net!uunet!
news2.uunet.ca!ionews!werewolf
From: were...@io.org (Mark Terka)
Newsgroups: alt.security.pgp
Subject: PGP 2.3a????
Date: 19 Jul 1993 04:49:06 GMT
Organization: Internex Online - Toronto, Canada (416) 363-3783
Lines: 4
Message-ID: <22d942$p3@ionews.io.org>
NNTP-Posting-Host: io.org

Someone told me that there has been a recent rlease of PGP...a version
called 2.3a that allegedly fixes some bugs.

Anyone else know anything about this?

Newsgroups: alt.security.pgp
Path: gmd.de!newsserver.jvnc.net!howland.reston.ans.net!noc.near.net!
uunet!mnemosyne.cs.du.edu!nyx!astrashe
From: astr...@nyx.cs.du.edu (Alex Strasheim)
Subject: Re: PGP 2.3a????
Message-ID: <1993Jul19.142049.18095@mnemosyne.cs.du.edu>
X-Disclaimer: Nyx is a public access Unix system run by the University
	of Denver for the Denver community.  The University has neither
	control over nor responsibility for the opinions of users.
Sender: use...@mnemosyne.cs.du.edu (netnews admin account)
Organization: Nyx, Public Access Unix at U. of Denver Math/CS dept.
References: <22d942$p3@ionews.io.org>
Date: Mon, 19 Jul 93 14:20:49 GMT
Lines: 51

In article <22d942$p...@ionews.io.org> were...@io.org (Mark Terka) writes:

>Someone told me that there has been a recent rlease of PGP...a version
>called 2.3a that allegedly fixes some bugs.

>Anyone else know anything about this?

PGP 2.3a is in the British ftp archive which is mentioned in the docs; 
I'm sorry, but I can't remember its name right now.

But I did grab it last night, and I a couple of comments about the source
code version.

First of all, the makefile still doesn't work for bcc.  The bug is trivial
to fix, so it's not a big deal.  The problem involves the section of the
makefile which creates the file containing the list of object files to be
linked into pgp;  one of the lines is too long, and it produces an error.

I don't know if the pgp developers read this group, or if they are open to
suggestions about how they go about distributing their program.  But I
think that the experience of release 2.3 suggests that they ought to
release official versions of the program more slowly, and that those
offical releases ought to be preceeded by *public* beta copies.

That way things like the bug in the makefile and the more serious clearsig
program could be resolved before an official release is made.

My other comment concerns the relationship between the 2.3a source code
and the executables.  I haven't looked into this in any detail, so I might
just be doing something stupid.  But I compiled 2.3a with bcc 3.1, using
the supplied makefile (with minor changes to solve the problem described
above) and using borland's prjcfg.exe routine to translate the .prj file
into a .cfg file suitable for use by the command-line compiler.  The
result of this was an exe file which was *much* larger -- more than 350k
-- than the one supplied in pgp23A.zip.  On top of that, pklite reported
that pgp.exe (the one I compiled) might contain overlays;  no such warning
was generated when I used the same program to compress the distributed
pgp.exe. 

I have been useing the same techniques to compile 2.2 and 2.3, and I've
always ended up with files that are almost identical to the distribution
exes.

As I said, I haven't gotten the chance to look through the code yet;  I
downloaded the files last night and was only able to do a cursory
inspection.

Has anyone else tried to recreate the exe's?

--
Alex Strasheim | astr...@nyx.cs.du.edu | pgp public key available via finger

Newsgroups: alt.security.pgp
Path: gmd.de!newsserver.jvnc.net!howland.reston.ans.net!darwin.sura.net!
haven.umd.edu!uunet!math.fu-berlin.de!ifmsun8.ifm.uni-hamburg.de!
rzsun2.informatik.uni-hamburg.de!bontchev
From: bont...@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: PGP 2.3a????
Message-ID: <CAF73v.KGs@informatik.uni-hamburg.de>
Sender: ne...@informatik.uni-hamburg.de (Mr. News)
Organization: University of Hamburg, Germany
X-Newsreader: TIN [version 1.1 PL9]
References: <1993Jul19.142049.18095@mnemosyne.cs.du.edu>
Date: Mon, 19 Jul 1993 16:28:42 GMT
Lines: 30

Alex Strasheim (astr...@nyx.cs.du.edu) writes:

> PGP 2.3a is in the British ftp archive which is mentioned in the docs; 
> I'm sorry, but I can't remember its name right now.

The "British archive mentioned in the docs" is src.doc.ic.ac.uk.
However, the docs seem to be a bit out-of-date, because the directory
listed there (/computing/security/software/PGP/) doesn't seem to
exist. Instead, one should look in /computing/security/pgp/. The files
are named pgp23A.zip, pgp23srcA.zip, and pgp23sigA.zip - so beware if
you are subject to the 8.3 file name limitation.

> I don't know if the pgp developers read this group, or if they are open to
> suggestions about how they go about distributing their program.  But I
> think that the experience of release 2.3 suggests that they ought to
> release official versions of the program more slowly, and that those
> offical releases ought to be preceeded by *public* beta copies.

Exactly. Also, as soon as a bug is discovered, acknowledged, and a fix
for it is known, a patch should be made available -immediately- (so we
won't have to wait for the next version) and it should be signed by
one of the developpers.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bont...@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany