Naming of GnuPG

Christoph Anton Mitterer christoph.anton.mitterer at physik.uni-muenchen.de
Mon Apr 21 16:39:57 CEST 2008


On Mon, 2008-04-21 at 09:21 -0500, Robert J. Hansen wrote:
> If GnuPG 1.4.x suddenly gets marked "deprecated" and begins to be phased 
> out, a whole lot of people are going to start asking "why?  Official 
> word on the GnuPG list was that GnuPG 1.4 was still perfectly safe and 
> would be maintained for some time."  And those are the good ones.  The 
> rest will begin to make conspiracy theories.
Well I did not ask to mark it deprecated... it's also ok to maintain it
for some time (probably one or two years?).
But in the end we'll either have two different gpg's (which could lead
to a lot of problems, even security related) or one of the two will be
phased out.



> As David pointed out, being conservative in cryptography is often a sign 
> of maturity.  There are a _ton_ of PGP 2.6 users out there who never 
> upgraded because they never saw the need to jump on the bandwagon.  If 
> you mark GnuPG 1.4.x as deprecated, you'll see a lot of users just 
> quietly ignore the developers' decision.
Yes,... but then I'd say, that it's even better to "simply" have two
different branches and make some explicit statement like "normally
everybody (who has no specific reason against) could use 2.x, it contains
everything the 1.4.x has and even more, it will also contain all
features of future developments".. than using two different names.
Something like "classic/plus" could even more confuse the average user.

On the other hand,... if we actually want to spread the use of 2.x we
should perhaps suggest the distributors to use the 2.x branch as default
(i.e. the package named gnupg) and provide 1.4.x as something like
gnupg14.

Current practice (at least in Debian) is
1.4.x
package: gnupg
executable: gpg

2.x
package: gnupg2
executable: gpg2


> The question is not whether any OpenPGP changes from 2.0 will be 
> backported to 1.4.  They will.
Ok,.. but to backport nearly everything would make little sense,... in
that case we could simply add the CMS stuff to gpg 1.4.x and drop 2.x
completely ;)

What if ECC or V5 keys will finally come? Should they be backported?


> GnuPG 1.4 is used in a lot of places.  A lot of the installed base 
> simply can't upgrade on a dime.  Ask anyone who's worked in telecom 
> precisely how many forests had to be cut down just to make the paperwork 
> involved in making a small change to the deployed software.  Healthcare 
> is another high-bureaucracy field.  Banking.
Uhm,.. the only problem that I could see here are possible build
problems with 2.x (are there any?).
And I never asked to stop security support for the 1.4.x branch, I just
suggested to let the main development take place in 2.x and to
explicitly state this.


Best wishes,
Chris.



