On 28/09/15 22:00, listo factor wrote:
> On 09/28/2015 05:40 PM, Werner Koch - w...@gnupg.org wrote:
> > On Mon, 28 Sep 2015 13:23, listofac...@mail.ru said:
> >
> >> Unless you have specific reasons for transitioning to gpg2, stick
> >> with gpg (GnuPG) 1.4.16. It is just as secure, and much easier
> >                               ^^^^^^^^^^
> >
> > That is definitely not the case. All improvements go into 2.1
> > and some are backported to 2.0. We only add necessary
> > fixes to 1.4.
>
> Most of 2.x "improvements" have little to do with security.

Even assuming that this is true, then "most" is not all, thus there are some improvements in the 2.0 and 2.1 release series that are not in the 1.4 one. That alone is a good reason to move to the modern GPG implementations.

> I can't offer any conclusive evidence for this, but it is my
> honest estimate that more real-world sensitive traffic volume
> is generated by 1.4.x than 2.x. Consequently, if 1.4.x is in any
> way insecure, this would be of significantly greater benefit to
> a whole class of large institutional web-traffic attackers than
> if 2.x was insecure. So, if 1.4.x is indeed in any way insecure,
> that should merit more serious and immediate attention than if
> 2.x was insecure.

As much as I like conclusions based on anecdotal evidence, I don't really see what you want to say with that statement. GnuPG 1.4 receives all the bug fixes it needs based on known bugs; however, code improvement and architectural changes that make the system more secure are implemented only in 2.1 and partially in 2.0. I don't see anything wrong or worrisome with that.

Cheers,
Daniele

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users