Naming of GnuPG
Robert J. Hansen
rjh at sixdemonbag.org
Mon Apr 21 16:21:50 CEST 2008
Christoph Anton Mitterer wrote:
> What's the reason?
My reason, or the general reason?
The general reason... pick your poison, really. There are a lot of them.
1. The paranoids.
Read alt.security.pgp sometime and you'll find a bunch of people who are
in critical need of getting their tinfoil hats readjusted. These are
people who continue to use PGP 6.5.8 because "obviously, they closed the
source in PGP 7 so they could put in a back door." And then there are
people who swear by PGP 2.6 because they heard a rumor somewhere that
Phil Z. got off the law-enforcement hook by promising to put a back door
in PGP 5+.
Even on this list, we've seen people who have come really close to
making accusations against Werner of being complicit with
law-enforcement authorities. (See "Using Old PC as Hardware Security
Module" in the archives, from May of 2007.)
If GnuPG 1.4.x suddenly gets marked "deprecated" and begins to be phased
out, a whole lot of people are going to start asking "why? Official
word on the GnuPG list was that GnuPG 1.4 was still perfectly safe and
would be maintained for some time." And those are the good ones. The
rest will begin to make conspiracy theories.
2. The conservatives.
As David pointed out, being conservative in cryptography is often a sign
of maturity. There are a _ton_ of PGP 2.6 users out there who never
upgraded because they never saw the need to jump on the bandwagon. If
you mark GnuPG 1.4.x as deprecated, you'll see a lot of users just
quietly ignore the developers' decision.
The question is not whether any OpenPGP changes from 2.0 will be
backported to 1.4. They will. The only question is who will do the
backporting. The instant the GnuPG developers drop 1.4 support, someone
else will pick it up... and maybe not someone who's especially
competent. We have already seen this happen with PGP 6.5.8 and Imad
Faiad's CKT builds; there is no reason to think the same would not
happen to GnuPG.
3. The installed base.
GnuPG 1.4 is used in a lot of places. A lot of the installed base
simply can't upgrade on a dime. Ask anyone who's worked in telecom
precisely how many forests had to be cut down just to make the paperwork
involved in making a small change to the deployed software. Healthcare
is another high-bureaucracy field. Banking.
... My own reason for pushing back against this idea is #2. However,
don't underestimate #s 1 and 3.