<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 21/05/2018 09:56, Andrew Skretvedt wrote:<br>
<blockquote
cite="mid:889ffe9e-c247-e27d-a842-1ab08b1e3d4f@gmail.com"
type="cite">I think Efail has shown now that OpenPGP/GnuPG retains
the flexibility to continue to adapt and maintain a well used and
trusted standard for private and authenticated data and
communications, but it won't achieve this if its evolution is
frozen.
<br>
</blockquote>
<br>
I agree. But remember that retaining the ability to decrypt
legacy-encrypted data (i.e. continuing to support long-time users)
does not require the GnuPG's evolution be frozen.<br>
<br>
<blockquote
cite="mid:889ffe9e-c247-e27d-a842-1ab08b1e3d4f@gmail.com"
type="cite">
It seems to me that if the pearl-clutchers who would howl too
loudly about breaking backwards compatibility were as concerned as
they claim, they would realize that software evolves. But this
evolution doesn't eradicate its past. GnuPG is open software. It's
ganoo-pee-gee!
<br>
<br>
If you're a pearl-clutcher with a legacy use-case, perhaps it's
time to really analyze that case. Do you have a darn good reason
to want to expose yourself to creeping insecurity? Because its
history won't be eradicated, if you /do/ have good reasons, you
can maintain for yourself a legacy fork. To do that you may need
to have certain skills or be willing to hire-out for them.
<br>
<br>
I think that's fair. It's free as in freedom, not beer, not
support. For my vote, I think persons so situated might have
suddenly imposed upon the larger community long enough, now that
Efail has taught us something we may not have fully appreciated
about the present state of OpenPGP and the way it's been pipelined
with other tools.
<br>
</blockquote>
<br>
Your point is not helped by using patronising and condescending
language like "pearl-clutcher". What you are attempting to belittle
and dismiss here is surely a perfectly valid use case: That is
accessing archived data.<br>
<br>
Sure, I can see that it is not a use case that you like or that
matters to you but that doesn't make it any less of a valid use case
right now, today, and in the future in the real world. This is not a
"legacy use-case" as you chose to name it. The fact that the data is
encrypted using legacy encryption doesn't make it a "legacy
use-case".<br>
<br>
There is no "creeping insecurity" whatsoever in continuing to access
archival data but there would be something of an eventual creeping
insecurity if users in this position were required to use
unmaintained software versions.<br>
<br>
So, no, it is not fair to throw these long-time users under the bus,
as you propose. No, it is utterly unreasonable to propose that they
maintain their own "legacy fork". Such users have not "imposed upon
the larger community": They are <u>part</u> of the larger
community.<br>
<br>
As I have said in other messages, it is entirely reasonable to
expect them to make some changes (although remember that
re-encrypting the data is not an option) in terms of using new
versions of maintained software to be able to continue decrypting
the archived data but to just cut them off such that they have to
use unmaintained software is not what one should have to expect. It
would be reckless.<br>
<br>
And, as I say, continuing to support present day archival use cases
does not mean that the main body of GnuPG cannot move on. It most
certainly can continue to evolve and should do so. But those people
who have to handle legacy-encrypted data are not legacy users.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Mark Rousell</pre>
</body>
</html>