On Mon, May 21, 2018 at 9:04 PM, Mark Rousell <[email protected]> wrote:
> On 21/05/2018 09:56, Andrew Skretvedt wrote:
>
>> I think Efail has shown now that OpenPGP/GnuPG retains the flexibility
>> to continue to adapt and maintain a well used and trusted standard for
>> private and authenticated data and communications, but it won't achieve
>> this if its evolution is frozen.
>
> I agree. But remember that retaining the ability to decrypt
> legacy-encrypted data (i.e. continuing to support long-time users) does
> not require that GnuPG's evolution be frozen.
>
>> It seems to me that if the pearl-clutchers who would howl too loudly
>> about breaking backwards compatibility were as concerned as they claim,
>> they would realize that software evolves. But this evolution doesn't
>> eradicate its past. GnuPG is open software. It's ganoo-pee-gee!
>>
>> If you're a pearl-clutcher with a legacy use-case, perhaps it's time to
>> really analyze that case. Do you have a darn good reason to want to
>> expose yourself to creeping insecurity? Because its history won't be
>> eradicated, if you /do/ have good reasons, you can maintain for yourself
>> a legacy fork. To do that you may need to have certain skills or be
>> willing to hire-out for them.
>>
>> I think that's fair. It's free as in freedom, not beer, not support. For
>> my vote, I think persons so situated might have suddenly imposed upon
>> the larger community long enough, now that Efail has taught us something
>> we may not have fully appreciated about the present state of OpenPGP and
>> the way it's been pipelined with other tools.
>
> Your point is not helped by using patronising and condescending language
> like "pearl-clutcher". What you are attempting to belittle and dismiss
> here is surely a perfectly valid use case: That is accessing archived
> data.
>
> Sure, I can see that it is not a use case that you like or that matters
> to you but that doesn't make it any less of a valid use case right now,
> today, and in the future in the real world. This is not a "legacy
> use-case" as you chose to name it. The fact that the data is encrypted
> using legacy encryption doesn't make it a "legacy use-case".
>
> There is no "creeping insecurity" whatsoever in continuing to access
> archival data but there would be something of an eventual creeping
> insecurity if users in this position were required to use unmaintained
> software versions.
>
> So, no, it is not fair to throw these long-time users under the bus, as
> you propose. No, it is utterly unreasonable to propose that they maintain
> their own "legacy fork". Such users have not "imposed upon the larger
> community": They are part of the larger community.
>
> As I have said in other messages, it is entirely reasonable to expect
> them to make some changes (although remember that re-encrypting the data
> is not an option) in terms of using new versions of maintained software
> to be able to continue decrypting the archived data but to just cut them
> off such that they have to use unmaintained software is not what one
> should have to expect. It would be reckless.
>
> And, as I say, continuing to support present day archival use cases does
> not mean that the main body of GnuPG cannot move on. It most certainly
> can continue to evolve and should do so. But those people who have to
> handle legacy-encrypted data are not legacy users.

Stupid question: what is wrong with an "encrypt/decrypt old format"
flag/config option? If I have the need to use old stuff, I can turn that
on. All I see here is a "do not open old stuff" as a default setting which
should solve most issues.

> --
> Mark Rousell

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
