show-uid-validity default to yes

Werner Koch wk at gnupg.org
Fri Dec 13 22:27:15 CET 2013


On Fri, 13 Dec 2013 21:24, dkg at fifthhorseman.net said:

> this sounds like an argument for being willing to change the
> human-readable output on the shell -- there are not many people looking
> at it anyway, and most of those people are sophisticated users.

It is a Unix tool and people want to have it as a Unix tool.  The
separation between a machine readable and the human interface is not a
standard Unix tool property.  Thus admins don't know about it.

> I think for a piece of critical security infrastructure, GPG has been
> supporting some insecure practices for far too long.

Why do you think this is insecure?  Because gpg does not encrypt to a
key and users work around this by using --always-trust?

> If you're referring to a specific script, please point me to it and its
> authors; i'll badger them as well; that's not a fun job, and there is no
> reason you should do it solo.

I can't point you to such scripts.  Most software is not in public use
but used in-house.  Sometimes I receive bug reports or requests for help
and then I notice these problems.  Not much we can do about it.  In fact,
too many sites are using outdated versions because they fear things may
break.  Such breaks have been very rare with gpg and that is a good
thing.

> presumably relates to people who *do* use gpg from the command line
> (they're actually scripting it!), and should know better.   The way to

They implemented something and then it is never touched again.

> get people to learn about it is to go ahead and improve the UI.

I am willing to consider a change for 2.1 - that will anyway break
things (no more secring.gpg).


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
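
An added example, not part of the original message or of GnuPG's own code: a script reading user ID validity from gpg's machine-readable `--with-colons` listing instead of scraping the human-readable output discussed above, so it can check validity itself rather than fall back on --always-trust. The sample listing is constructed, and the function names and the policy of accepting only "f" and "u" are assumptions of this example.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
# Field 1 = record type, field 2 = validity, field 5 = key ID (pub records),
# field 10 = user ID (uid records).
SAMPLE = r"""tru::1:1386968835:0:3:1:5
pub:f:2048:1:0123456789ABCDEF:1386960000:::-:::scESC:
uid:f::::1386960000::CONSTRUCTEDHASH1::Alice Example <alice@example.org>:
uid:-::::1386960000::CONSTRUCTEDHASH2::Alice\x3a work <alice@corp.example>:
sub:f:2048:1:1111111111111111:1386960000::::::e:
pub:e:2048:1:FEDCBA9876543210:1300000000:1331536000::-:::sc:
uid:e::::1300000000::CONSTRUCTEDHASH3::Bob Example <bob@example.org>:
"""

# Validity letters this example treats as good enough to encrypt to:
# "f" (fully valid) and "u" (ultimately valid). This is a policy assumption.
ACCEPTED = {"f", "u"}


def unescape(field):
    """Decode the \\xNN escapes gpg uses for ':' and similar bytes in a field."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def uid_validity(colon_output):
    """Return [(key_id, validity_letter, user_id)] for every uid record."""
    results, key_id = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            key_id = fields[4]          # uid records belong to the last pub
        elif fields[0] == "uid" and len(fields) > 9:
            validity = fields[1] or "-"  # empty field: validity not known
            results.append((key_id, validity, unescape(fields[9])))
    return results


def usable_recipients(colon_output):
    """User IDs whose validity letter is in ACCEPTED."""
    return [uid for _, v, uid in uid_validity(colon_output) if v in ACCEPTED]


if __name__ == "__main__":
    for key_id, validity, uid in uid_validity(SAMPLE):
        print(f"{key_id}  [{validity}]  {uid}")
```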