customizing PGP

Robert J. Hansen rjh at sixdemonbag.org
Tue Feb 10 21:38:17 CET 2015


> I am not talking about users beeing alienated (by not allowing to 
> tuen off SHA1), I am talking about developers beeing patronized on 
> this list.

Okay.  If I were patronizing you I'd find some way to be conciliatory
and to placate you.  If you don't want patronizing, then I'm free to be
blunt:

Get over it.

> This IMHO started way back when GPGME was "enforced" on them.

If I want to interact with GnuPG in the Werner-approved way, I can.  If
I don't, I'm free to compile my own OpenPGP library out of the GnuPG
codebase -- all that happens is Werner won't prepackage it for me in a
convenient form.

And really, why should he?  If he disagrees with what I want to do and
doesn't want to support it, he shouldn't be required to.  And if I
disagree with how he's managing GnuPG, I should be free to start a new
version and steer it in the direction I wish.  As it turns out, we're
both free to do just those things.

How is that 'enforcing' anything?

> And it repeats every time somebody want to contribute something 
> modern (not covered by OpenPGP).

That's because GnuPG implements the OpenPGP and S/MIME RFCs.  No more,
no less.  If you want to extend GnuPG in a way that breaks OpenPGP,
you're free to do so: the code is out there and you can use it as you
wish (subject only to the GPL's requirements on code-sharing).

But it's the height of hubris and arrogance to say, "I want to
contribute something to GnuPG that will break OpenPGP compliance and you
won't accept it, therefore you're alienating developers."  And I say
that as the guy on this list most often accused of having an ego the
size of a small planet.

> Pointing to "SHA-1 is mandatory in the standard" is IMHO really not a
> helpful answer.

The standard requires SHA-1 be present and that it be used in certain
cases.  If GnuPG deviates from that, GnuPG is no longer
OpenPGP-conformant.  GnuPG's entire mission statement is to be a
conformant implementation of the OpenPGP and S/MIME standards.

If that's unhelpful, then -- okay.  I'm unhelpful.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3744 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20150210/dd4f608b/attachment-0001.bin>


More information about the Gnupg-devel mailing list