<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 21/05/2018 10:46, Ralph Seichter wrote:<br>
<blockquote
cite="mid:e22c0052-acd2-ddd6-c265-d51cb53c1fe1@monksofcool.net"
type="cite">
<pre wrap="">On 21.05.18 07:20, Robert J. Hansen wrote:
</pre>
<blockquote type="cite">
<pre wrap="">We should keep the 1.4 source code available, but wash our hands of it
and say it will receive *no* future fixes, not even for security
issues -- and we need to stand on that when people start screaming.
</pre>
</blockquote>
<pre wrap="">
I agree. In my experience, this stance--publicly documented--will allow
people to say to their bosses "support has ended, and for security
reasons we now need a budget to finance a move away from this outdated
software". I have seen similar situations often enough; nobody would
spend money as long as the old software horse was still twitching.
Discontinue version 1.4 right away, quoting Efail as a trigger if you
wish, and set an EOL for version 2.0 in a few months, as you suggested.
</pre>
</blockquote>
<br>
It's not that simple. There are more use cases to take into account.
Whilst what you say is true for people still encrypting new data
with 1.4 (and I agree that they should be prevented from doing so),
there are other people (perhaps even more people) who have a
legitimate need to access historical/archival encrypted data.<br>
<br>
Preventing users from encrypting new data using legacy encryption
does NOT need to mean that other users have to be prevented from
(quite legitimately) accessing archived data using legacy encryption
with maintained software.<br>
<br>
<pre class="moz-signature" cols="72">--
Mark Rousell</pre>
</body>
</html>