Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

Andrew Skretvedt andrew.skretvedt at gmail.com
Mon May 21 10:56:07 CEST 2018


“Break backwards compatibility already: it’s time. Ignore the haters. I 
trust you.”

+1

Efail caused me to run across the criticism that Moxie Marlinespike 
wrote about GnuPG/OpenPGP in early 2015.

https://moxie.org/blog/gpg-and-me/

It felt to me that without naming it, he'd focused on the email use case 
to the exclusion of others, missing those other niches Robert Hansen 
mentioned in his "Efail Postmortem".

Reading the Postmortem, I recalled another article about how being 
"mediocre" can actually be a good thing.

https://www.ribbonfarm.com/2018/04/24/survival-of-the-mediocre-mediocre/

Poor things die for being ill-suited to purpose, cutting-edge things are 
often brittle and fail spectacularly when the problem varies too far 
from the design considerations. OpenPGP has maybe been so begrudgingly 
successful all this time because it's been /mediocre/ enough to remain 
flexible to adapt to changes in cryptography and best practices and 
discoveries about insecurities we weren't aware of in the past.

I think Efail has shown now that OpenPGP/GnuPG retains the flexibility 
to continue to adapt and maintain a well used and trusted standard for 
private and authenticated data and communications, but it won't achieve 
this if its evolution is frozen.

It seems to me that if the pearl-clutchers who would howl too loudly 
about breaking backwards compatibility were as concerned as they claim, 
they would realize that software evolves. But this evolution doesn't 
eradicate its past. GnuPG is open software. It's ganoo-pee-gee!

If you're a pearl-clutcher with a legacy use-case, perhaps it's time to 
really analyze that case. Do you have a darn good reason to want to 
expose yourself to creeping insecurity? Because its history won't be 
eradicated, if you /do/ have good reasons, you can maintain for yourself 
a legacy fork. To do that you may need to have certain skills or be 
willing to hire-out for them.

I think that's fair. It's free as in freedom, not beer, not support. For 
my vote, I think persons so situated might have suddenly imposed upon 
the larger community long enough, now that Efail has taught us something 
we may not have fully appreciated about the present state of OpenPGP and 
the way it's been pipelined with other tools.

I cannot accept that "Pretty Good Privacy" is at risk, through apathy 
and underfunding and WG failures, of becoming "Passivity Guaranteed Peril".

Robert signed off:
> Never forget that we’re on the same side, and the people on the other side include tyrants and murderers. Let’s stick together.

Oh yes! From whatever corner you fear most a bogeyman might be lurking, 
one of the best ways to protect freedom and liberty is by ensuring that 
the general public always has a trustworthy cryptosystem at their 
disposal. Maybe it secures an oppressed group from a tyrant, maybe it 
authenticates a contract that existed after a dispute arises, maybe it's 
simply ensuring your new laptop isn't becoming co-opted to into making 
you an unwitting slave of cryptocoin pirates. These are all good reasons 
to register support.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4004 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180521/a30e3118/attachment-0001.bin>


More information about the Gnupg-users mailing list