GnuPG News for February 2015

Werner Koch wk at
Tue Mar 10 19:38:45 CET 2015


Find below the plain text version of



1 GnuPG News for February 2015

  Indeed, very exiting news this month: The financial crisis of The
  GnuPG Project is over.  Due to an unexpected amount of donations
  received in the first days of February we can keep on working for at
  least the next 2 or 3 years.

  How did this happen?  At the [31C3] Nico Josattis arranged an
  Interview with [Julia Angwin] who writes for [ProPublica].  Eventually
  on the 5th her [article] was published and immediately received a lot
  of attention.  Not only at the ProPublica site but at many other news
  site as well.  While checking my mail on that evening, I noticed more
  than thousand notification mails for donations and even better: that
  continuous stream of donations did not stop for the next days.  Alone
  on the first day we received more than 120,000 € and thus more than
  our initial goal.  I even had to fix the script building the donation
  progress bar to not overflow the right margin the same night.  I also
  received a call from one of the Stripe founders who offered yearly
  donations from Stripe and Facebook each at 50,0000 $.  Amazing.

  I like to *thank everyone* for supporting the project, be it small or
  large individual donations, helping users, providing corporate
  sponsorship, working on the software, and for all the encouraging
  words by mail, blogs, and even postcards.

  Due to that new publicity for GnuPG, I received many requests for
  interviews and for several days journalists and photographers visited
  me in my office.  They wrote several articles for German papers and
  radio stations, for example in the [taz], the [Süddeutsche Zeitung],
  and the [Deutsche Welle]. I hope these articles help to keep up the
  awareness for the importance of privacy issues.

  GnuPG does not stand alone: there are many other projects, often
  unknown to most people, which are essential to keep the free Internet
  running.  Many of them are run by volunteers who spend a lot of unpaid
  time on them.  They need our support as well!

  Now what to do with all that money?  Before a final plan can be
  drafted, tax issues need to be resolved.  Given that g10^code (the
  legal entity behind the project) is not a charity, we need to find a
  way to stretch the use of the money beyond this year.  My tax advisor
  is currently looking into this and I will report on the outcome in
  another blog entry.

  Regardless of this I started to look out for a second developer and
  fortunately [Neal Walfield] was searching for a job and accepted my
  offer to work on GnuPG.  Neal is well known for his work on modern
  operating systems and I consider him an excellent hacker.  I am glad
  to have him on board.


  [Julia Angwin]




  [Süddeutsche Zeitung]

  [Deutsche Welle]

  [Neal Walfield]

1.1 Release status

  GnuPG [2.1.2] was released on the 11th, [2.0.27] on the 18th, and
  [1.4.19] on the 27th.

  The 1.4.19 release features a fix for a new side channel attack on the
  Elgamal encryption (which used to be the default public key encryption
  algorithm until 2009).  Go ahead and read how Genkin’s group describes
  the [details] of this attack.  The release also includes a mitigation
  for another SCA to be described in the forthcoming paper /Last-Level
  Cache Side-Channel Attacks are Practical/ by Yarom et al.

  Libgcrypt [1.6.3] was released on the 27th to fix the described SCAs
  for GnuPG 2.0 and 2.1.






1.2 Released and not yet released changes

  Several segfaults due to NULL-derefs and invalid memory reads when
  using garbled keyrings were fixed.  These unlikely exploitable bugs
  were detected by fuzzing instrumented versions of GnuPG; [Hanno Böck's
  report] has some details.  A long standing implementation flaw copying
  memory stored values to integers variables was also found and fixed.
  These bug fixes have been backported to 2.0 and 1.4; Daniel Kahn
  Gillmor was kind enough to help with this.

  The decade old PKA system was modernized.  The formerly used TXT
  records haven been replaced with CERT records of the IPGP type, and
  the local part of the mail address is now hashed and base32 encoded to
  support all valid mail addresses.  This has been backported to 1.4.19.
  The new option `--print-pka-records' for 2.1 can be used to create
  zone files for PKA.

  The removal of the PGP-2 support from 2.1 turned out to be more
  complicated than expected.  Another bug related to this only showed up
  and was fixed after the release of 2.1.2.

  To help people not fluent in the spelling alphabet or when using small
  fonts the option `--with-icao-spelling' has been added to 2.1:
  │ pub   dsa2048/F2AD85AC1E42B367 2007-12-31 [expires: 2018-12-31]
  │       Key fingerprint = 8061 5870 F5BA D690 3336  86D0 F2AD 85AC 1E42 B367
  │                         "Eight Zero Six One  Five Eight Seven Zero
  │                          Foxtrot Five Bravo Alfa  Delta Six Niner Zero
  │                          Three Three Three Six  Eight Six Delta Zero
  │                          Foxtrot Two Alfa Delta  Eight Five Alfa Charlie
  │                          One Echo Four Two  Bravo Three Six Seven"

  The dropped support for LDAP keyserver will be re-introduced with
  2.1.3.  Neal started to work on this and published a detailed
  description on how to setup such an [LDAP server].

  [Hanno Böck's report]

  [LDAP server]

2 About this news posting

  I try to write a news posting every month.  However, other work may
  have a higher priority (e.g. security fixes) and thus I won’t promise
  any fix publication date.  If you have an interesting topic for a news
  posting, please feel free to mail me or gnupg-users at .  A summary of
  the mailing list discussion would be a nice to have.

Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list