On Sun, Jun 08, 2014 at 01:13:27PM -0400, t...@piratemail.se wrote: > And personally, I do not trust google. Enough said in that regard. ;-)
Sorry to hijack this topic, but... Why would you trust the OpenPGP.js developers? At least, you can hold google as accountable for their actions. You cannot for them: perhaps they do not even physically exist, and are just nameholders for a three-letter-agency project, willingly introducing backdoors in this project. Maybe they just fixed the bugs you reported because it made them look less conspicuous. Maybe will bring us all very far away. What's great about open source is that you do not at all have to trust the maintainer of a project. You only have to trust the project -- and by this I mean the fact that at least a developer will have noticed the flaw. I may even distrust Werner, and yet use gpg -- if e.g. I trust another gnupg developer. And even this trust is not strictly required: you can always inspect the source code all by yourself. Sure, this model of "trust the community" is far from perfect, heartbleed being the latest proof of that. But it is better than "trust the maintainer", who is always part of the community. And what's great about google's project is that they are quite likely to be highly audited: if anyone found a willingly placed security flaw in google's end-to-end library, it would mean a lot of prestige. So, even if I trusted google less than OpenPGP.js developers [and who tells us these developers are not disguised google agents?], I would likely, after a period during which security experts will have had their time with this new library, trust it more than OpenPGP.js. Despite the fact that it might have a backdoor while the other does not. Because the opposite is even more likely. Cheers, Leo _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users