On Mon, 2008-04-21 at 09:21 -0500, Robert J. Hansen wrote:
> If GnuPG 1.4.x suddenly gets marked "deprecated" and begins to be phased
> out, a whole lot of people are going to start asking "why? Official
> word on the GnuPG list was that GnuPG 1.4 was still perfectly safe and
> would be maintained for some time." And those are the good ones. The
> rest will begin to make conspiracy theories.

Well I did not ask to mark it deprecated... it's also ok to maintain it for some time (probably one or two years?). But in the end we'll either have two different gpg's (which could lead to a lot of problems, even security related) or one of the two will be phased out.

> As David pointed out, being conservative in cryptography is often a sign
> of maturity. There are a _ton_ of PGP 2.6 users out there who never
> upgraded because they never saw the need to jump on the bandwagon. If
> you mark GnuPG 1.4.x as deprecated, you'll see a lot of users just
> quietly ignore the developers' decision.

Yes,... but then I'd say, that it's even better to "simply" have two different branches and make some explicit statement like "normally everybody (who has no specific reason against) could use 2.x, it contains everything the 1.4.x has and even more, it will also contain all features of future developments".. than using two different names. Something like "classic/plus" could even more confuse the average user.

On the other hand,... if we actually want to spread the use of 2.x we should perhaps suggest the distributors to use the 2.x branch as default (i.e. the package named gnupg) and provide 1.4.x as something like gnupg14. Current practice (at least in Debian) is

  1.4.x  package: gnupg   executable: gpg
  2.x    package: gnupg2  executable: gpg2

> The question is not whether any OpenPGP changes from 2.0 will be
> backported to 1.4. They will.

Ok,.. but to backport nearly everything would make little sense,... in that case we could simply add the CMS stuff to gpg 1.4.x and drop 2.x completely ;) What if ECC or V5 keys will finally come? Should they be backported?

> GnuPG 1.4 is used in a lot of places. A lot of the installed base
> simply can't upgrade on a dime. Ask anyone who's worked in telecom
> precisely how many forests had to be cut down just to make the paperwork
> involved in making a small change to the deployed software. Healthcare
> is another high-bureaucracy field. Banking.

Uhm,.. the only problem that I could see here are possible build problems with 2.x (are there any?). And I never asked to stop security support for the 1.4.x branch, I just suggested to let the main development take place in 2.x and to explicitly state this.

Best wishes,
Chris.