On 21/05/2018 06:20, Robert J. Hansen wrote: > Here's my own set of suggestions for breaking changes to GnuPG: > > 1. End-of-life 1.4 already. > > Yes, it's the only option for PGP 2.6. Yes, it's the only option for > old and out-of-date stuff. Yes, there will be people who need to > decrypt this stuff. All of that is true, but *we* don't need to be the > people who cater to their needs.
Get real. These people are long-time GnuPG users and now you want to throw them under the bus because... well, because you prefer it that way. No, that's not a fair, it's not reasonable, it's not ethical, or it's even professional. > At this point if you need pre-Web > crypto (which, I remind people, is pretty much what PGP 2.6 is), you > have a specialized need and you need to talk to someone about a custom > solution. Err... the specialised solution surely is GnuPG 1.4. > There are companies that specialize in this sort of thing > (like, say, g10 Code). So you are saying that long-time users should be deprived of an open source ongoing-maintained solution to their entirely valid present day use case to benefit a private company. Isn't that effectively equivalent to commercial sponsors taking previously open source code base private? It's hardly a popular move when it happens. Yes, I know that the scenario you are proposing is not /exactly/ the same but people will, quite understandably, treat it as such. > We should keep the 1.4 source code available, but wash our hands of it > and say it will receive *no* future fixes, not even for security issues > -- and we need to stand on that when people start screaming. Surely if you can recognise that people will start screaming then you must also understand that it is entirely the wrong thing to do. > Rationale: as long as we keep GnuPG 1.4 around and even semi-supported, > people will insist on not upgrading. If you drop maintenance of code that can handle the data that some people need to cope with then they will naturally have to stay with old, unmaintained code anyway. So dropping maintenance of 1.x will only cause a problem in this respect, not cure on. If you are (understandably) concerned about people still use 1.4 for encryption of new data then the sensible choice is surely to do what people have suggested in this thread: That is to produce a decryption-only maintained version that still allows users who need to access archived legacy-encrypted data to do so. Clearly you are concerned with preventing people using legacy encryption for new data and I agree with this concern. But there is no need to throw present day, long-time users who must handle legacy-encrypted data under the bus to do so. -- Mark Rousell PGP public key: http://www.signal100.com/markr/pgp Key ID: C9C5C162
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
