Should I be using gpg or gpg2?

Daniele Nicolodi daniele at grinta.net
Mon Sep 28 22:29:02 CEST 2015


On 28/09/15 22:00, listo factor wrote:
> On 09/28/2015 05:40 PM, Werner Koch - wk at gnupg.org wrote:
>  > On Mon, 28 Sep 2015 13:23, listofactor at mail.ru said:
>  >
>  >> Unless you have specific reasons for transitioning to gpg2, stick
>  >> with gpg (GnuPG) 1.4.16. It is just as secure, and much easier
>  >                                       ^^^^^^^^^^
>  >
>  > That is definitely not the case.  All improvements go into 2.1
>  > and some are backported to 2.0.  We only add necessary
>  > fixes to 1.4.
> 
> Most of 2.x "improvements" have little to do with security.

Even assuming that this is true, "most" is not "all", thus there are
some improvements in the 2.0 and 2.1 release series that are not in the
1.4 one. That alone is a good reason to move to the modern GPG
implementations.

> I can't offer any conclusive evidence for this, but it is my
> honest estimate that more real-world sensitive traffic volume
> is generated by 1.4.x than 2.x. Consequently, if 1.4.x is in any
> way insecure, this would be of significantly greater benefit to
> a whole class of large institutional web-traffic attackers than
> if 2.x was insecure. So, if 1.4.x is indeed in any way insecure,
> that should merit more serious and immediate attention than if
> 2.x was insecure.

As much as I like conclusions based on anecdotal evidence, I don't
really see what you want to say with that statement. GnuPG 1.4 receives
all the bug fixes it needs based on known bugs, however, code
improvement and architectural changes that make the system more secure
are implemented only in 2.1 and partially in 2.0. I don't see anything
wrong or worrisome with that.

Cheers,
Daniele

More information about the Gnupg-users mailing list