A postmortem on Efail

Dmitrii Tcvetkov demfloro at demfloro.ru
Sun May 20 10:31:09 CEST 2018


On Sun, 20 May 2018 02:26:47 -0400
"Robert J. Hansen" <rjh at sixdemonbag.org> wrote:

> Writing just for myself -- not for GnuPG and not for Enigmail and
> definitely not for my employer -- I put together a postmortem on
> Efail. You may find it worth reading.  You may also not.  Your
> mileage will probably vary.  :)
> 
> https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08
> 
Thank you for the postmortem.

I don't know any users of GnuPG who still have to work with non-MDC
OpenPGP messages (frankly, I don't know any GnuPG users IRL, but I'm
working on it). But it seems to me that GnuPG is so widespread because
it was so stable and there were no breaking upgrades, so users didn't
expect any breaking change at all.

I, as a user, don't need support for non-MDC messages and surely not PGP
2.6, but I can imagine how challenging it can be to upgrade a system
which was state-of-the-art years ago but is obsolete right now. Really
it's not an upgrade, but a rebuild from scratch. And some parts of
the system are probably proprietary, so cooperation from vendors is
required. And the fact that obsolete features weren't dropped due to
user feedback means that GnuPG upstream understands this too. But
something has to change; it can't go on like this forever, and we do need
breaking changes to remove outdated parts.
I trust upstream's judgement.
