Naming of GnuPG
Robert J. Hansen
rjh at sixdemonbag.org
Mon Apr 21 16:21:50 CEST 2008
Christoph Anton Mitterer wrote:
> What's the reason?
My reason, or the general reason?
The general reason... pick your poison, really. There are a lot of them.
1. The paranoids.
Read alt.security.pgp sometime and you'll find a bunch of people who are
in critical need of getting their tinfoil hats readjusted. These are
people who continue to use PGP 6.5.8 because "obviously, they closed the
source in PGP 7 so they could put in a back door." And then there are
people who swear by PGP 2.6 because they heard a rumor somewhere that
Phil Z. got off the law-enforcement hook by promising to put a back door
in PGP 5+.
Even on this list, we've seen people who have come really close to
making accusations against Werner of being complicit with
law-enforcement authorities. (See "Using Old PC as Hardware Security
Module" in the archives, from May of 2007.)
If GnuPG 1.4.x suddenly gets marked "deprecated" and begins to be phased
out, a whole lot of people are going to start asking "why? Official
word on the GnuPG list was that GnuPG 1.4 was still perfectly safe and
would be maintained for some time." And those are the good ones. The
rest will begin to make conspiracy theories.
2. The conservatives.
As David pointed out, being conservative in cryptography is often a sign
of maturity. There are a _ton_ of PGP 2.6 users out there who never
upgraded because they never saw the need to jump on the bandwagon. If
you mark GnuPG 1.4.x as deprecated, you'll see a lot of users just
quietly ignore the developers' decision.
The question is not whether any OpenPGP changes from 2.0 will be
backported to 1.4. They will. The only question is who will do the
backporting. The instant the GnuPG developers drop 1.4 support, someone
else will pick it up... and maybe not someone who's especially
competent. We have already seen this happen with PGP 6.5.8 and Imad
Faiad's CKT builds; there is no reason to think the same would not
happen to GnuPG.
3. The installed base.
GnuPG 1.4 is used in a lot of places. A lot of the installed base
simply can't upgrade on a dime. Ask anyone who's worked in telecom
precisely how many forests had to be cut down just to make the paperwork
involved in making a small change to the deployed software. Healthcare
is another high-bureaucracy field. Banking.
... My own reason for pushing back against this idea is #2. However,
don't underestimate #s 1 and 3.
More information about the Gnupg-users