Breaking changes

Dan Kegel dank at kegel.com
Wed May 23 13:56:46 CEST 2018


On Tue, May 22, 2018 at 10:24 PM, Fiedler Roman <Roman.Fiedler at ait.ac.at> wrote:
>> https://en.wikipedia.org/wiki/GNU_Privacy_Guard
>> already give an end-of-life date for 2.0, but none for 1.4.
>> And since Ubuntu 16.04 includes 1.4, there are likely
>> to still be a few vocal 1.4 users out there.
>>
>> How about announcing an end-of-life date for 1.4 that
>> is in the future (say, by 3 to 6 months)?
>
> In my opinion, just "announcing" EOL (especially with such short notice) is quite bad practice for products aiming to be used in production setups also. This quite negatively affects trust in the product as your costs may change quite rapidly. You might argue that companies should be used to paying for things. They are, but they want to have some planning when they are expected to pay. Would you like your car manufacturer to announce that your car is not secure any more in 6 months and that you have to pay for non-standard maintenance if you still want to operate it securely?
>
> Apart from that: some companies using open source software are non-profit companies, like mine in the research business. If our software strategy is bad - e.g. because upstream suddenly forces us to switch/pay where we did not expect it - research funding money (mostly from society) has to be used to keep the projects running.
>
> So when talking about EOL, the gpg community should consider writing down a consistent EOL strategy, similar to those of Ubuntu, the Linux kernel or others, or something like I tried to argue for in the middle of https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060539.html

Yes, exactly!

And taking a look at https://www.ubuntu.com/info/release-end-of-life,
one sees that Ubuntu 12.04 and 14.04 have a final end of life in about
February 2019; 16.04 lives until Feb 2021.

To be kind to enterprise customers, GnuPG could pick one of
those two dates as the EOL for 1.4.  Matching 16.04's EOL
would strand the fewest users, but even just matching 14.04's
would make sense to a lot of people.

Also, gnupg.org should add a web page like
https://www.gnupg.org/release-end-of-life
that lays out the EOL for all released versions;
the only one with a clear EOL is 2.0.x, and that's a bit buried in
text on the front page.
- Dan


