Hi Michael, [blast from the past]
On Mon, 12 Sep 2016, Michael J Gruber wrote: > As a side note, I'm wondering why MSYS-gpg version 1 is bundled with > non-MSYS-git. Those are two questions: - an MSYS version of GPG is bundled because it was the stable one available at the time when I had to decide: in summer 2015. - GPG v1.x was bundled because, again, this was the version bundled by MSYS2 (and I have to rely heavily on what is bundled with MSYS2 by default; I could not run Git for Windows if I had to build all of the components from scratch, and maintain them, in addition to Git itself). The good news (ahem, see below) is that GPG v2.x is now bundled in MSYS2. The not-so-good news is that this can break existing setups. My own setup, for example, was broken by this under-announced upgrade. But other things, such as GPG-signing commits in a rebase, should actually be *fixed* by this upgrade, as GPG v2.x has a working GUI even on Windows (in contrast to GPG v1.x, as shipped before). > It's an honest question - there must be good reasons for that, and git > should work with gpg 1, 2 (maybe) and 2.1, of course. I'm just trying > to understand the situation, and the question goes both ways: > > - some Windows user(s) in the Github issue apparantly had wrong > assumptions about which gpg they're using (via git) - why bundle it at > all? It was bundled with Git for Windows v1.x. Skipping it would have meant regressing existing users' setups. I am not willing to do that willfully. > - If bundling it to get a known working setup, why not gpg 2(.1) which > runs gpg-agent automatically, giving a more Windows-like experience for > the passphrase-prompt? Again, this option was not available at the time. > On Fedora, with some things still requiring gpg 1, gpg 2.1 installed in > parallel, things can become confusing quickly because of the 1-time > 1-way migration of the secret key store. It's probably the same on > Windows with those two gpg's used in parallel (and probably answers my > second question). Well, to be quite honest, I am still not convinced that GPG v2.x has a truly Windows-like experience, as it does not integrate e.g. with the Windows Credential Store. But it is understandable: traditionally, Windows and GNU-licensed programs were at odds. I think that changed in the meantime, so who knows? Maybe GPG v2.x will sprout support for the Windows Credential Store after all... Ciao, Dscho
