Break backwards compatibility already: it’s time. Ignore the haters. I trust you.
Andrew Skretvedt
andrew.skretvedt at gmail.com
Mon May 21 10:56:07 CEST 2018
“Break backwards compatibility already: it’s time. Ignore the haters. I
trust you.”
+1
Efail caused me to run across the criticism that Moxie Marlinespike
wrote about GnuPG/OpenPGP in early 2015.
https://moxie.org/blog/gpg-and-me/
It felt to me that without naming it, he'd focused on the email use case
to the exclusion of others, missing those other niches Robert Hansen
mentioned in his "Efail Postmortem".
Reading the Postmortem, I recalled another article about how being
"mediocre" can actually be a good thing.
https://www.ribbonfarm.com/2018/04/24/survival-of-the-mediocre-mediocre/
Poor things die for being ill-suited to purpose, cutting-edge things are
often brittle and fail spectacularly when the problem varies too far
from the design considerations. OpenPGP has maybe been so begrudgingly
successful all this time because it's been /mediocre/ enough to remain
flexible to adapt to changes in cryptography and best practices and
discoveries about insecurities we weren't aware of in the past.
I think Efail has shown now that OpenPGP/GnuPG retains the flexibility
to continue to adapt and maintain a well used and trusted standard for
private and authenticated data and communications, but it won't achieve
this if its evolution is frozen.
It seems to me that if the pearl-clutchers who would howl too loudly
about breaking backwards compatibility were as concerned as they claim,
they would realize that software evolves. But this evolution doesn't
eradicate its past. GnuPG is open software. It's ganoo-pee-gee!
If you're a pearl-clutcher with a legacy use-case, perhaps it's time to
really analyze that case. Do you have a darn good reason to want to
expose yourself to creeping insecurity? Because its history won't be
eradicated, if you /do/ have good reasons, you can maintain for yourself
a legacy fork. To do that you may need to have certain skills or be
willing to hire-out for them.
I think that's fair. It's free as in freedom, not beer, not support. For
my vote, I think persons so situated might have suddenly imposed upon
the larger community long enough, now that Efail has taught us something
we may not have fully appreciated about the present state of OpenPGP and
the way it's been pipelined with other tools.
I cannot accept that "Pretty Good Privacy" is at risk, through apathy
and underfunding and WG failures, of becoming "Passivity Guaranteed Peril".
Robert signed off:
> Never forget that we’re on the same side, and the people on the other side include tyrants and murderers. Let’s stick together.
Oh yes! From whatever corner you fear most a bogeyman might be lurking,
one of the best ways to protect freedom and liberty is by ensuring that
the general public always has a trustworthy cryptosystem at their
disposal. Maybe it secures an oppressed group from a tyrant, maybe it
authenticates a contract that existed after a dispute arises, maybe it's
simply ensuring your new laptop isn't becoming co-opted to into making
you an unwitting slave of cryptocoin pirates. These are all good reasons
to register support.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4004 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180521/a30e3118/attachment-0001.bin>
More information about the Gnupg-users
mailing list