Breaking changes

Mark Rousell markr at signal100.com
Tue May 22 03:42:45 CEST 2018


On 21/05/2018 10:46, Ralph Seichter wrote:
> On 21.05.18 07:20, Robert J. Hansen wrote:
>
>> We should keep the 1.4 source code available, but wash our hands of it
>> and say it will receive *no* future fixes, not even for security
>> issues -- and we need to stand on that when people start screaming.
> I agree. In my experience, this stance--publicly documented--will allow
> people to say to their bosses "support has ended, and for security
> reasons we now need a budget to finance a move away from this outdated
> software". I have seen similar situations often enough; nobody would
> spend money as long as the old software horse was still twitching.
>
> Discontinue version 1.4 right away, quoting Efail as a trigger if you
> wish, and set an EOL for version 2.0 in a few months, as you suggested.

It's not that simple. There are more use cases to take into account.
Whilst what you say is true for people still encrypting new data with
1.4 (and I agree that they should be prevented from doing so), there are
other people (perhaps even more people) who have a legitimate need to
access historical/archival encrypted data.

Preventing users from encrypting new data using legacy encryption does
NOT need to mean that other users have to be prevented from (quite
legitimately) accessing archived data using legacy encryption with
maintained software.

-- 
Mark Rousell
