Encryption Blog

Published Source Code Does Not Equal "Open Source"

Created: 10 May 2010 • Updated: 05 Nov 2012
Doug McLean

In the wake of the announcement last month that PGP Corporation has agreed to be acquired by Symantec, there have been a number of articles questioning what this acquisition means for PGP's "open source" policy.

For clarification, PGP Corporation is not and never has been an open source software provider. The term "Open Source" is correctly applied to companies that provide their product source code under the terms of a license that permits the licensee to use, alter, and redistribute the code. The complete requirements to qualify as an open source vendor are more numerous and complicated than I can cover here, but Wikipedia has a very concisely written summary.

Since PGP Corporation was founded eight years ago, we have made our source code available to anyone who wants to review it to ensure that it is secure and contains no "back doors". The license under which we provide our source code for such review specifically precludes alteration or redistribution of the code.

This isn't exactly an uncommon misunderstanding, but it is an important distinction. Thus, the question isn't really about open source as much as it is about whether Symantec will continue to offer the source code it is acquiring for security review. This and many other related issues are currently under consideration by Symantec.