Bernd's comments on GPGME

Robert J. Hansen cortana at
Mon Jul 21 22:26:03 CEST 2003

> have not convinced me, that GPG could have repeated the success of 2.6 PGP.

No version of PGP has been either a commercial or a noncommercial
success.  None.

Looking at it purely from a noncommercial angle, very little email is
encrypted nowadays.  Looking over my own maillogs, less than 2% of my
personal correspondence is encrypted or signed.  Part of this is due to
my mail client, undoubtedly--Evolution refuses to do RFC2440 (inline)
OpenPGP, instead insisting on RFC3156 (PGP/MIME) OpenPGP, thus making
crypto a monstrous headache for mailing lists, MTAs, or anything else
which strips off attachments--but even if Evolution were more sane, I'd
still use it rarely.

I have public keys for only three of my regular correspondents.

PGP is not, and never has been, a noncommercial success.

From a commercial perspective... how many times has PGP changed hands?
First it was owned by PRZ, then, when they were on the verge of
bankruptcy, he sold it to NAI.  NAI made some profit from it in the
enterprise space by selling their eBusiness Server, but the desktop
editions never sold all that well.  NAI grafted everything and the
kitchen sink onto the side of PGP trying to make it sell--PGPdisk, an
IPsec client, PGPfirewall, etc.--and desktop sales were still stagnant. 
NAI finally had enough and cut the desktop unit loose, which PRZ then
bought back from them.

The new PGP Corporation is trying to make a profit here on the third
go-round.  I can't say I'm optimistic about their chances.

> it even may be due to the tone Werner has to help request.

Speaking from my own experience, Werner is oftentimes short and direct
but I've never seen him be rude.

> I think it is more important to reflect on the success
> (or failure) of the project, without going too deep into details.

How can one reflect on success and failure _without_ going into
details?  It's like saying you want to cure cancer without talking a lot
about the details of biochemistry.

> From my experience, a GPG interface is most often trivially coded by hand, so
> there is not much sense in going the GPL trouble way.

My experience is one hundred and eighty degrees opposite; that while
it's easy to get a rudimentary interface together, it's very difficult
to get an interface which will be consistent across many different
versions of GnuPG.  This is why Gabber (a GNOME Jabber client) has
abandoned using GnuPG; their hand-rolled GnuPG interface broke when
GnuPG 1.0.7 came out, and while they were working on fixing it, GnuPG
1.2.0 came out and changed the command line again.

If GPGME can fix this problem, I'm all for it.

My biggest concerns with GPGME are:

      * API flux--look at how many functions from 0.3.x are deprecated
        in 0.4.x
      * Glacial pace of development--I released Codebook 0.3.2 on July
        4, 2002, using GPGME 0.3.x (x = 10, I think).  One year later,
        the stable version is 0.3.x (x = 15) and the bleeding-edge is
      * The closed nature of its development.  While GPGME is free
        software, my attempts at volunteering to help out with its
        development to try and speed it up some have mostly been met
        with "we're trying to keep it all in-house".

Robert J. Hansen <cortana at>
