Robert J. Hansen
rjh at sixdemonbag.org
Fri Mar 28 16:33:42 CET 2008
Scott Blystone wrote:
> I've been on the list for some time but have thus far been a
> "lurker", and this is my first post. I have a very basic question.
Well, you sure did pick an excellent one to start off on. :)
> I have seen for quite some time that GPG v2.x has been available. It
> seems to offer some significant advantages according to what I read.
> ... Why does it seem that virtually no one is using it?
You may not get as complete answers as you want here. The GnuPG 2.x
authors are on the list, after all, and they are some scarily competent
people. Some people who haven't migrated might be afraid to voice their
opinions, for fear that people who know more than them will clobber
their opinion mercilessly.
The GnuPG authors are reasonable human beings. They tend not to do
that. In fact, I'm so confident of their willingness to tolerate
sincere and reasoned disagreements that I'll give a very complete answer
to your question, and one I suspect they will emphatically disagree
* * * * *
Computer science, like pretty much any highly technical field, has parts
to it that are formally describable in mathematical terms and parts that
exist mostly as rules of thumb and handed-down wisdom. I use 1.4.x only
because of the latter kind of reasons: particularly, the Small Tools
Principle and the Second System Effect.
* * * * *
The Small Tools Principle: "The more things a program does, the greater
the chance it will fail. Tools should be small and do one thing
GnuPG 1.4.x is purely an OpenPGP application. I didn't like it when it
started integrating smartcard functionality, since it seems likely the
vast majority of users will not need it, and it seemed like a violation
of the Small Tools Principle. When I build my own 1.4.x GnuPG, I
typically turn off all the options I don't need. The smaller my trusted
codebase, the more reliable the final product will be.
GnuPG 2.x is... well, I guess the better question is what is there GnuPG
2.x doesn't do? Its capabilities have expanded significantly. This
doesn't sit well with me. I don't need the new capabilities of 2.x;
why, then, should I migrate to it?
* * * * *
The Second System Effect: "When designing the successor to a relatively
small, elegant and successful system, there is a tendency to become
grandiose in one's success and design an elephantine feature-laden
monstrosity." This is a general rule and may not apply to GnuPG 2.x. I
don't know if it does. I also don't know if it doesn't. This is not a
state of affairs you want in security software.
I know wk has said that he was aware of this general rule during 2.x's
development, but I don't trust Werner to evaluate the quality of his own
code. This is no slight against him. I don't trust _anyone_ to
evaluate the quality of his or her own code.
When GnuPG 1.0 came out, the very first thing I did was sit down and
spend a week going over the code. I wasn't bughunting; I was trying to
understand the architecture and design of the system. As GnuPG 1.0
turned into 1.2 and 1.4, I kept track of the changes. I've not yet had
the time to study GnuPG 2.x. I don't know the architecture and design.
Since I've seen no independent evaluations of 2.x and had no time to
personally inspect the code for myself, I feel that I need to consider
the possibility that 2.x is an example of the second-system effect.
* * * * *
... So what you get to, then, is this. I know GnuPG 1.4.x. It is
trusted code and I have given it the looking-at I feel it deserves. I
have come to the belief that it (a) obeys the Small Tools Principle and
(b) does not suffer from the Second System Effect.
I don't know GnuPG 2.x. It's trusted code but I haven't yet been able
to give it the looking-at I feel it deserves. I have a nagging doubt
about whether it obeys the Small Tools Principle. I do not know whether
it's developing the Second System Effect. If I had a couple of weeks to
study the 2.x code, these concerns might very well get assuaged, but
given I have comps coming up... well, first I have comps, after that I
have a nervous breakdown penciled in, and after that...
Finally, GnuPG 1.4.x does everything I need it to do and does it quite
well. Why should I change?
* * * * *
... As two last (and hopefully unnecessary!) words of warning: first, do
not interpret any of this as an attack on 2.x. It's not. I have
exactly _zero_ evidence of any problems with 2.x. I have questions,
sure, but a question is not the same as a problem, and people should not
interpret my questions as anything other than what they are.
Second, just because I'm this paranoid doesn't mean you should be. Only
you get to decide your own security policy. I don't get a vote in what
your policy should be, and if you were to give me one, the first thing
I'd do after cackling maniacally would be to abstain.
_Do not_ fall into the mistake of thinking "well, Rob has some
articulated some concerns here, so I'd better stay away." I've
articulated some concerns and reasons why I'm staying away. Use your
own judgment--don't substitute mine for yours!
* * * * *
Thank you, Werner, David, and others, for GnuPG 2.x. In time I'll have
the time to look at the code and get my questions answered. Until then,
thank you for all your hard work, even if I'm not leaping on the
bandwagon just yet. :)
More information about the Gnupg-users