show-uid-validity default to yes

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Dec 13 21:24:43 CET 2013


On 12/13/2013 02:09 PM, Werner Koch wrote:
> I estimate that not more than 1% of all GnuPG users are using gpg in the shell.

this sounds like an argument for being willing to change the
human-readable output on the shell -- there are not many people looking
at it anyway, and most of those people are sophisticated users.

> I know.  But part of the relative stability of the GPG interface is that
> even if we deprecate stuff we keep supporting them for a long long time.

I think for a piece of critical security infrastructure, GPG has been
supporting some insecure practices for far too long.

If we want to support insecure practices as a way to allow people to
deal with outdated, insecure peers, or older, insecure stored data, we
should be expecting those users with those needs to modify the
configuration to make gpg more insecure specifically, rather than
leaving all users insecure by default.

> I
> have suggested hundreds of times to better change a certain script to
> use --with-colons but I doubt that many followed that suggestion.  After
> all it worked for them and why should they spend time changing a running
> system.

If you're referring to a specific script, please point me to it and its
authors; i'll badger them as well; that's not a fun job, and there is no
reason you should do it solo.

If this is a general complaint (which i can easily imagine), then it
presumably relates to people who *do* use gpg from the command line
(they're actually scripting it!), and should know better.  The way to
get people to learn about it is to go ahead and improve the UI.
There's no reason that developers who do not listen to clear,
well-formed suggestions about what kind of commitments are made to an
API should get to hold the rest of the userbase hostage.

>> It is indeed debatable whether this particular improvement is worth it.
> 
> Better add a hint to the FAQ.

Most people do not read FAQs either. :(

thanks as always for your work on GnuPG, and for the discussion.

	--dkg
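
Added example (not part of the original message): a script that needs the per-user-ID validity that show-uid-validity prints for humans can read it from field 2 of the uid records in --with-colons output instead. The function names and the sample listing are constructed for illustration, and the listing assumes the --fixed-list-mode layout described in GnuPG's doc/DETAILS.

```python
# Added example: read UID validity from `gpg --with-colons` output.
# Field positions follow GnuPG's doc/DETAILS; the sample listing is constructed.
import re

# Field 2 of a "uid" record is the calculated validity of that user ID.
# Labels mirror the words gpg prints in its human-readable listing.
VALIDITY = {
    "o": "unknown", "-": "unknown", "q": "undef", "n": "never",
    "m": "marginal", "f": "full", "u": "ultimate",
    "i": "invalid", "d": "disabled", "r": "revoked", "e": "expired",
}
TRUSTED = {"f", "u"}  # only these mean the binding of UID to key is valid


def unescape(field):
    """Undo the C-style \\xNN quoting gpg applies to ':' and control bytes."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def uid_validity(listing):
    """Return (key_id, user_id, validity_label, trusted) per uid record."""
    rows, key_id = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            key_id = f[4]                      # field 5: key ID
        elif f[0] == "uid" and len(f) > 9:
            code = f[1][:1] or "-"             # empty field: treat as unknown
            rows.append((key_id, unescape(f[9]),
                         VALIDITY.get(code, "unknown"), code in TRUSTED))
    return rows


# Constructed sample, shaped like `gpg --with-colons --fixed-list-mode --list-keys`.
SAMPLE = """\
tru::1:1386900000:0:3:1:5
pub:f:4096:1:AAAAAAAAAAAAAAAA:1262304000:::-:::scESC:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAAAAAA:
uid:f::::1262304000::1111111111111111111111111111111111111111::Alice Example <alice@example.org>:
uid:r::::1262304000::2222222222222222222222222222222222222222::Alice (old\\x3a work) <alice@old.example>:
pub:-:2048:1:BBBBBBBBBBBBBBBB:1293840000:::-:::scESC:
uid:-::::1293840000::3333333333333333333333333333333333333333::Mallory Example <mallory@example.net>:
"""

if __name__ == "__main__":
    for key_id, uid, label, trusted in uid_validity(SAMPLE):
        print(f"{key_id} [{label:^8}] {'OK ' if trusted else 'NO '} {uid}")
```

Unknown validity codes fall back to "unknown" and are never treated as trusted, so a script built on this fails closed if a newer gpg adds a code.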
