Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.

Tue May 22 03:16:37 CEST 2018

On Mon, May 21, 2018 at 9:04 PM, Mark Rousell <markr at signal100.com> wrote:
> On 21/05/2018 09:56, Andrew Skretvedt wrote:
>
> I think Efail has shown now that OpenPGP/GnuPG retains the flexibility to
> continue to adapt and maintain a well used and trusted standard for private
> and authenticated data and communications, but it won't achieve this if its
> evolution is frozen.
>
>
> I agree. But remember that retaining the ability to decrypt legacy-encrypted
> data (i.e. continuing to support long-time users) does not require the
> GnuPG's evolution be frozen.
>
> It seems to me that if the pearl-clutchers who would howl too loudly about
> breaking backwards compatibility were as concerned as they claim, they would
> realize that software evolves. But this evolution doesn't eradicate its
> past. GnuPG is open software. It's ganoo-pee-gee!
>
> If you're a pearl-clutcher with a legacy use-case, perhaps it's time to
> really analyze that case. Do you have a darn good reason to want to expose
> yourself to creeping insecurity? Because its history won't be eradicated, if
> you /do/ have good reasons, you can maintain for yourself a legacy fork. To
> do that you may need to have certain skills or be willing to hire-out for
> them.
>
> I think that's fair. It's free as in freedom, not beer, not support. For my
> vote, I think persons so situated might have suddenly imposed upon the
> larger community long enough, now that Efail has taught us something we may
> not have fully appreciated about the present state of OpenPGP and the way
> it's been pipelined with other tools.
>
>
> Your point is not helped by using patronising and condescending language
> like "pearl-clutcher". What you are attempting to belittle and dismiss here
> is surely a perfectly valid use case: That is accessing archived data.
>
> Sure, I can see that it is not a use case that you like or that matters to
> you but that doesn't make it any less of a valid use case right now, today,
> and in the future in the real world. This is not a "legacy use-case" as you
> chose to name it. The fact that the data is encrypted using legacy
> encryption doesn't make it a "legacy use-case".
>
> There is no "creeping insecurity" whatsoever in continuing to access
> archival data but there would be something of an eventual creeping
> insecurity if users in this position were required to use unmaintained
> software versions.
>
> So, no, it is not fair to throw these long-time users under the bus, as you
> propose. No, it is utterly unreasonable to propose that they maintain their
> own "legacy fork". Such users have not "imposed upon the larger community":
> They are part of the larger community.
>
> As I have said in other messages, it is entirely reasonable to expect them
> to make some changes (although remember that re-encrypting the data is not
> an option) in terms of using new versions of maintained software to be able
> to continue decrypting the archived data but to just cut them off such that
> they have to use unmaintained software is not what one should have to
> expect. It would be reckless.
>
> And, as I say, continuing to support present day archival use cases does not
> mean that the main body of GnuPG cannot move on. It most certainly can
> continue to evolve and should do so. But those people who have to handle
> legacy-encrypted data are not legacy users.
>
      Stupid question: what is wrong with a "encrypt/decrypt old
format" flag/config option? If I have the need to use old stuff, I can
turn that on. All I see here is a "do not open old stuff" as a default
setting which should solve most issues.

> --
> Mark Rousell
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>