• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 728

Is GPG4Win a suitable tool to use for company-confidential files?

I am not so concerned about the application being cracked, but am asking more from a trust perspective. Is it a sensible and reasonable security practice to entrust a company's sensitive data to a program that is developed by a loosely associated group of programmers instead of a traditional company that can be held accountable for its work?

I realize this is more of an opinion question than purely technical, but I'd really appreciate your feedback on this issue.
3 Solutions
I'm not sure about the integrity of GPG4Win as an open source project, but I would regard open source technologies (such as GnuPG on which it's based) as inherently more secure than their proprietary counterparts, due to the extensive peer review that goes on in the community - it's my experience that when security issues occur within an application they are dealt with quickly and (generally) identified pretty soon, as opposed to covered up and ignored for extended periods of time.

As an update to that, I've just had a look and the source is freely available from the GPG4Win project.

Have a look at the following article on the IBM website re: peer review:

The argument is that if anyone puts "anything nasty" in the source code it gets spotted. With closed source you have to trust the company who sold you the product that their developers haven't put anything in there that shouldn't be.

Dave Howe, Software and Hardware Engineer, commented:
There are arguments for and against the "all bugs are shallow" claim, but the real problem is that most people don't use the source themselves, they tend to use a third party binary package (gpg4win) that you have no assurance was compiled against the source that is available.

That said, I have no reason to distrust the gpg4win project - it seems a good, solid group, and I recommend it/use it myself - but as was proved in "Reflections on Trusting Trust", you can't even guarantee your compiler won't backdoor a binary, so pre-compiled binaries require that you trust those providing them to you - or build your own from scratch.

There is certainly no guarantee the commercial equivalent (PGP) is any less likely to have a backdoor, and possibly even more likely (given their source-disclosure licence explicitly forbids you to use code you compiled yourself, you just have to trust the code they show you is the code they compiled from).
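The practical counterpart to the point above (a downloaded binary gives you no assurance on its own) is to check the installer you hold against the digests the project publishes before installing it. This is an added example, not code from the thread or from the Gpg4win project: it parses a sha256sum(1)-style manifest (`<hex digest>  <filename>` per line) and reports each file as OK, MISMATCH or MISSING; the file names and digests are constructed for the demo, and the manifest is assumed to arrive over a channel you trust separately from the download itself (a signed release file, or a page you fetch independently), since an attacker who can swap the binary can usually swap an unsigned checksum list next to it.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    # For a multi-hundred-MB installer, hash in chunks instead of read_bytes().
    return hashlib.sha256(path.read_bytes()).hexdigest()

def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum(1)-style lines ('<hex>  <name>') into {name: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.lstrip("*")] = digest.lower()  # leading '*' = binary mode
    return expected

def verify_downloads(download_dir: Path, manifest_text: str) -> dict[str, str]:
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        target = download_dir / name
        if not target.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_of(target), digest):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results

def demo() -> dict[str, str]:
    """Constructed scenario: one intact file, one altered by a byte, one not downloaded."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        good = b"pretend installer bytes"  # constructed stand-in for a real .exe
        (root / "good-installer.exe").write_bytes(good)
        (root / "tampered-installer.exe").write_bytes(good + b"\x00")
        manifest = "\n".join([
            "# constructed manifest; the real one must come via a channel you trust",
            f"{hashlib.sha256(good).hexdigest()}  good-installer.exe",
            f"{hashlib.sha256(good).hexdigest()}  tampered-installer.exe",
            f"{hashlib.sha256(b'x').hexdigest()}  absent-installer.exe",
        ])
        return verify_downloads(root, manifest)
```

A MISMATCH on a file you downloaded from the project's own site is the case the comment warns about, and the right response is to discard it rather than install it.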
bibleleagueit, IT Technical Services Manager (Author), commented:
Thank you for taking the time to respond to my question. I am a big fan of experts-exchange and this experience is an example of why.