installing gnupg 2.2 as "gpg", vs coexistence with gpg 1.4

Mihai Moldovan ionic at ionic.de
Mon Oct 9 03:56:32 CEST 2017


On 09/30/2017 09:48 PM, Daniel Kahn Gillmor wrote:
> I agree that decryption (asymmetric and symmetric) of legacy encrypted
> messages is the only interesting use case left for gpg1 in the long
> term.  To be clear, this means that the following use cases aren't things
> anyone should be doing with gpg 1.4:
> 
>  * keyserver or LDAP access
>  * signature verification
>  * signing data
>  * certifying keys
>  * Web-of-trust identity validation
>  * asymmetric encryption
>  * symmetric encryption
> 
> maybe a deprecated 1.4 could start producing warnings when invoked for
> those operations, if we want to encourage people to move off of it.

Have you considered that 1.4 is widely used on constrained systems that want to
avoid dependencies like the plague for automated tasks that don't require agent
support?

Signature verification would be one such use case.


I'm not advocating this, just mentioning that this scheme seems to be widely
deployed.


In my opinion: 1.4 and 2.x coexistence would be nice to have and should be made
the default - breaking the previous behavior explicitly. Installing everything
with a postfix of "1" without making general (e.g., gpg -> gpg1) symlinks sounds
like a good idea. This way, 1.4 can be installed and used if really needed (see
Werner's experience), but won't be accidentally used by users and tools that try
to execute gpg. Distributions should not install 1.4 by default or even as a
dependency of other packages, if it can be avoided.



Mihai
