Should I be using gpg or gpg2?

listo factor listofactor at
Mon Sep 28 22:00:14 CEST 2015

On 09/28/2015 05:40 PM, Werner Koch - wk at wrote:
 > On Mon, 28 Sep 2015 13:23, listofactor at said:
 >> Unless you have specific reasons for transitioning to gpg2, stick
 >> with gpg (GnuPG) 1.4.16. It is just as secure, and much easier
 >                                       ^^^^^^^^^^
 > That is definitely not the case.  All improvements go into 2.1
 > and some are backported to 2.0.  We only add necessary
 > fixes to 1.4.

Most od 2.x "improvements" have little to do with security.

I can't offer any conclusive evidence for this, but it is my
honest estimate that more real-world sensitive traffic volume
is generated by 1.4.x than 2.x. Consequently, if 1.4.x is in any
was insecure, this would be of significantly greater benefit to
a whole class of large institutional web-traffic attackers than
if 2.x was insecure. So, if 1.4.x is indeed in any way insecure,
that should merit more serious and immediate attention that if
2.x was insecure.

More information about the Gnupg-users mailing list