This is Debian/GNU Linux's prepackaged version of Pretty Good Privacy,
a public key encryption system written originally by Philip Zimmermann,
version 2.6.2[i]a.

There is a single Debian source tree which generates both the US and
International binary versions, both of which you may have installed at
the same time. [ NOTE: This version only generates the International
version. I will re-integrate RSAREF later. --liw ]

`pgp-us' is the version for use in the United States (using RSA Data
Security, Inc.'s RSAREF library), and was originally released there by
MIT.

`pgp-int' is the International version, derived from MIT-PGP by Stale
Schumacher.

This Debian package was made by Lars Wirzenius <liw@iki.fi>.
[ XXX - where sources came from and when. ]
I got the source code from /mirrors/uunet/pub/security/virus/crypt/pgp
on src.doc.ic.ac.uk.  pgp262is.tar.gz contained the PGP 2.6.2i source
code, which Stale Schumacher has modified in a way that allows the
building of an RSAREF MIT-PGP as well as a non-RSAREF International
version.

In order to compile the MIT version I also had to get pgp262s.zip from
the same place, and use the `rsaref.zip' inside it.  If you want to do
this yourself be sure to unzip `rsaref.zip' with the `-a' flag, to
ensure that line-endings are translated correctly.

The changes I made were those required to support Debian's package
maintenance and configuration schemes, plus a fix to a buffer overrun
problem which occurred in MIT-PGP when making a certificate using a
key of between 2034 and 2048 bits.

The file /usr/doc/pgp-*/readme.1st.intl describes the origin and
features of the 2.6.2i `International' version.  It was originally
`readme.1st' from the outer `pgp262is.tar.gz' file, and is available
as readme.1st in the Debian source package.

The file /usr/doc/pgp-*/readme.doc.us is the release announcement for
the 2.6.2 MIT US version.  It comes from the pgp262si.zip file - I've
copied it across into the Debian source tree, as readme.doc.


PACKAGE INTEGRITY:

I (Ian Jackson) have verified the signatures on the source archives.
I have NOT made a thorough inspection of the source code.

The signature on rsaref.zip (used only in the US version) was from:
pub  1024/0DBF906D 1994/08/27  Jeffrey I. Schiller <jis@mit.edu>
          Key fingerprint =  DD DC 88 AA 92 DC DD D5  BA 0A 6B 59 C1 65 AD 01

The signature on pgp262ii.tar (used in both binary versions) was from:
pub  1024/CCEF447D 1994/07/05  Stale Schumacher <staalesc@ifi.uio.no>
          Key fingerprint =  B7 02 0B C1 24 FA E0 72  8B 2D 23 F2 CA BA 68 A0

I also read a `diff -u' between the source code in pgp26ii.tar (found
inside pgp262is.tar.gz) and that in pgp262si.zip (found inside
pgp262s.zip), and saw nothing untoward.  However, the diffs were quite
extensive, and I may have missed something.  pgp262si.zip was signed
by Jeffrey Schiller's key, seen above.

I have quite good trust web connections to both keys, involving:
pub  1024/6B39B945 1992/09/11  mathew <mathew@mantis.co.uk>
          Key fingerprint =  B2 41 30 5F 5B 20 B9 D5  7C 8F 75 88 7C DA D8 C5
pub  1024/5BF376A5 1994/08/19  Grant W. Denkinson <G.W.Denkinson@geog.nott.ac.uk>
          Key fingerprint =  B1 10 8D 47 4B 13 94 37  74 58 05 16 27 1F B4 E6
pub  1024/C7A966DD 1993/05/21  Philip R. Zimmermann <prz@acm.org>
          Key fingerprint =  9E 94 45 13 39 83 5F 70  7B E7 D8 ED C4 BE 5A A6
pub  1024/32DD98D9 1992/09/11  Vesselin V. Bontchev <bontchev@fbihh.informatik.uni-hamburg.de>
          Key fingerprint =  E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E
pub  1024/CE766B1F 1992/12/17  Paul C. Leyland <pcl@foo.oucs.ox.ac.uk>
          Key fingerprint =  CC 3C AD 64 40 30 AC E6  C1 C6 C5 FC 83 F7 C2 D2
pub  1024/F1C56B4F 1992/09/11  Russell E. Whitaker <whitaker@eternity.demon.co.uk>
          Key fingerprint =  BA E8 D2 F4 DA D5 D1 54  64 2F FB 73 61 50 20 59
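
An added example (not part of the original package notes, and not
Debian's or PGP's own code): a Python check that compares the keys in a
listing against the two archive-signer fingerprints recorded above,
matching on the full fingerprint rather than the 8-digit key ID.  It
assumes the listing format shown above; PINNED, parse_listing, check
and the second sample entry are constructed for this example.

```python
import re

# Fingerprints of the two archive-signing keys, copied from the listing above.
PINNED = {
    "0DBF906D": "DDDC88AA92DCDDD5BA0A6B59C165AD01",  # Jeffrey I. Schiller
    "CCEF447D": "B7020BC124FAE0728B2D23F2CABA68A0",  # Stale Schumacher
}

KEY_RE = re.compile(r"^pub\s+\d+/([0-9A-Fa-f]{8})\s+\d{4}/\d{2}/\d{2}\s+(.*\S)\s*$")
FPR_RE = re.compile(r"^\s*Key fingerprint\s*=\s*((?:[0-9A-Fa-f]{2}\s*){16})$")

def parse_listing(text):
    """Return [(key_id, fingerprint, user_id)] from a listing in the format above."""
    keys, pending = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            pending = (m.group(1).upper(), m.group(2))
            continue
        m = FPR_RE.match(line)
        if m and pending:
            keys.append((pending[0], "".join(m.group(1).split()).upper(), pending[1]))
        pending = None  # a fingerprint line must directly follow its "pub" line
    return keys

def check(text, pinned=PINNED):
    """Map (key_id, fingerprint) -> 'ok', 'MISMATCH' or 'unpinned'."""
    status = {}
    for key_id, fpr, _uid in parse_listing(text):
        if key_id not in pinned:
            status[(key_id, fpr)] = "unpinned"
        else:
            status[(key_id, fpr)] = "ok" if fpr == pinned[key_id] else "MISMATCH"
    return status

# Constructed sample: entries 1 and 3 are from the listing above; entry 2 is a
# made-up key that reuses a pinned 32-bit key ID with a different fingerprint.
SAMPLE = "\n".join([
    "pub  1024/0DBF906D 1994/08/27  Jeffrey I. Schiller <jis@mit.edu>",
    "          Key fingerprint =  DD DC 88 AA 92 DC DD D5  BA 0A 6B 59 C1 65 AD 01",
    "pub  1024/0DBF906D 1996/01/01  Constructed Lookalike <lookalike@example.invalid>",
    "          Key fingerprint =  00 11 22 33 44 55 66 77  88 99 AA BB CC DD EE FF",
    "pub  1024/C7A966DD 1993/05/21  Philip R. Zimmermann <prz@acm.org>",
    "          Key fingerprint =  9E 94 45 13 39 83 5F 70  7B E7 D8 ED C4 BE 5A A6",
])

if __name__ == "__main__":
    for (key_id, fpr), verdict in check(SAMPLE).items():
        print(key_id, fpr, verdict)
```

A key that shares a pinned key ID but not its fingerprint is reported as
MISMATCH, which is the case a key-ID-only comparison would miss.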


EXPORT CONTROLS:

The United States federal government claims that this software is
export controlled, and therefore that if this software is imported
into the United States it may not be reexported; doing so may be a
violation of the International Traffic in Arms Regulations.

It was NOT exported by the Debian package maintainer.


COPYRIGHT:

The copyright licence for PGP itself is in /usr/doc/pgp-i or pgp-us,
as mitlicen.txt.gz (doc/mitlicen.txt in the source package).

The US version of PGP uses the RSAREF library, and so the RSAREF
licence applies.  If you have the US version of Debian's PGP binary
package installed you'll find the RSAREF licence along with other
RSAREF information in /usr/doc/pgp-us as rsaref-readme.txt.gz
(rsaref/README in the source package).

