Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

Mark Rousell markr at signal100.com
Tue May 22 03:04:08 CEST 2018


On 21/05/2018 09:56, Andrew Skretvedt wrote:
> I think Efail has shown now that OpenPGP/GnuPG retains the flexibility
> to continue to adapt and maintain a well used and trusted standard for
> private and authenticated data and communications, but it won't
> achieve this if its evolution is frozen.

I agree. But remember that retaining the ability to decrypt
legacy-encrypted data (i.e. continuing to support long-time users) does
not require that GnuPG's evolution be frozen.

> It seems to me that if the pearl-clutchers who would howl too loudly
> about breaking backwards compatibility were as concerned as they
> claim, they would realize that software evolves. But this evolution
> doesn't eradicate its past. GnuPG is open software. It's ganoo-pee-gee!
>
> If you're a pearl-clutcher with a legacy use-case, perhaps it's time
> to really analyze that case. Do you have a darn good reason to want to
> expose yourself to creeping insecurity? Because its history won't be
> eradicated, if you /do/ have good reasons, you can maintain for
> yourself a legacy fork. To do that you may need to have certain skills
> or be willing to hire-out for them.
>
> I think that's fair. It's free as in freedom, not beer, not support.
> For my vote, I think persons so situated might have suddenly imposed
> upon the larger community long enough, now that Efail has taught us
> something we may not have fully appreciated about the present state of
> OpenPGP and the way it's been pipelined with other tools.

Your point is not helped by using patronising and condescending language
like "pearl-clutcher". What you are attempting to belittle and dismiss
here is surely a perfectly valid use case: that is, accessing archived data.

Sure, I can see that it is not a use case that you like or that matters
to you, but that doesn't make it any less of a valid use case right now,
today, and in the future in the real world. This is not a "legacy
use-case", as you chose to name it. The fact that the data is encrypted
using legacy encryption doesn't make it a "legacy use-case".

There is no "creeping insecurity" whatsoever in continuing to access
archival data but there would be something of an eventual creeping
insecurity if users in this position were required to use unmaintained
software versions.

So, no, it is not fair to throw these long-time users under the bus, as
you propose. No, it is utterly unreasonable to propose that they
maintain their own "legacy fork". Such users have not "imposed upon the
larger community": They are _part_ of the larger community.

As I have said in other messages, it is entirely reasonable to expect
them to make some changes (although remember that re-encrypting the data
is not an option) in terms of using new versions of maintained software
to be able to continue decrypting the archived data, but to just cut them
off such that they have to use unmaintained software is not what one
should have to expect. It would be reckless.

And, as I say, continuing to support present day archival use cases does
not mean that the main body of GnuPG cannot move on. It most certainly
can continue to evolve and should do so. But those people who have to
handle legacy-encrypted data are not legacy users.


-- 
Mark Rousell
