GnuPG 2.4.4 still using legacy packets?
Loup Vaillant
loup at loup-vaillant.fr
Wed Nov 12 19:17:14 CET 2025
> No preference is expressed at all in RFC-2440. So it appears that
> RFC-9580 is simply incorrect.
See my response about the various dictionary meanings of "obsolete"
(here as a transitive verb), as to why it actually might be correct,
even if RFC 2440 did not explicitly express a preference.
I won't die on that hill though, I know there's wiggle room.
> From RFC-4880:
>
>> PGP 2.6.x only uses old format packets. Thus, software that
>> interoperates with those versions of PGP must only use old format
>> packets. If interoperability is not an issue, the new packet format
>> is RECOMMENDED.
>
> So RFC-9580 is also incorrect for RFC-4880 as well. I don't know the
> reasoning behind RFC-9580 changing this to "SHOULD NOT" and why the
> incorrect language was used.
That's where it is so useful to look up the official definition of the
capital words from the RFCs. You would have known that in this
particular instance, RFC 9580 means the exact same thing as RFC 4880.
From RFC 2119:
"" *SHOULD* This word, or the adjective "RECOMMENDED", mean that there
"" may exist valid reasons in particular circumstances to ignore a
"" particular item, but the full implications must be understood and
"" carefully weighed before choosing a different course.
""
"" *SHOULD NOT* This phrase, or the phrase "NOT RECOMMENDED" mean that
"" there may exist valid reasons in particular circumstances when the
"" particular behavior is acceptable or even useful, but the full
"" implications should be understood and the case carefully weighed
"" before implementing any behavior described with this label.
So when RFC 4880 says:
"" If interoperability is not an issue, the new packet format
"" is RECOMMENDED.
It means the exact same thing as:
"" If interoperability is not an issue, the old packet format
"" is NOT RECOMMENDED.
Which means the exact same thing as:
"" If interoperability is not an issue, the old packet format
"" SHOULD NOT be used.
Which (from those who output data) means the exact same thing as:
"" The Legacy packet format SHOULD NOT be used to generate new data,
"" unless the recipient is known to only support the Legacy packet
"" format.
So as you can see, the legal meaning of RFC 9580 here is exactly the
same as that of RFC 4880.
> LibrePGP introduces no changes from RFC-4880 with respect to this. So
> in the world of GnuPG the new packet format is only "RECOMMENDED" for
> cases where interoperability is not an issue.
Let's be honest, interoperability has not been an issue for likely more
than a decade. Given that, and the legal argument above, in the GnuPG world
you SHOULD output the new format, and you SHOULD NOT output the old format.
And now the real funny part. The latest version of LibrePGP states:
"" If interoperability is not an issue, the new packet format
"" is RECOMMENDED
Same as RFC 4880. So not only is GnuPG in clear violation of the legal
equivalent of a "SHOULD NOT" from an 18-year-old RFC, the recommendation
(and associated violation) persists even through the very draft it
promotes.
Loup.
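
Added example, not part of the original message or of GnuPG: a check for which packet format a binary (non-armored) OpenPGP stream uses, based on the header layout in RFC 4880 section 4.2. The function names and the sample bytes are constructed for illustration.

```python
# Classify OpenPGP packet headers as legacy (old) or new format.
# Bit 7 of the first octet is always set; bit 6 selects the new format.

def _new_length(data, i):
    """Decode one new-format length header at data[i]: (length, next_i, partial)."""
    o = data[i]
    if o < 192:                                   # one-octet length
        return o, i + 1, False
    if o < 224:                                   # two-octet length
        return ((o - 192) << 8) + data[i + 1] + 192, i + 2, False
    if o == 255:                                  # five-octet length
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (o & 0x1F), i + 1, True           # partial body chunk

def packet_formats(data):
    """Return [(format, tag, body_length)] for every packet in the stream."""
    out, i = [], 0
    try:
        while i < len(data):
            first = data[i]
            if not first & 0x80:
                raise ValueError(f"offset {i}: bit 7 clear, not a packet header")
            i += 1
            if first & 0x40:                      # bit 6 set: new format
                tag, total, partial = first & 0x3F, 0, True
                while partial:                    # sum partial chunks, if any
                    n, i, partial = _new_length(data, i)
                    total, i = total + n, i + n
                out.append(("new", tag, total))
            else:                                 # bit 6 clear: legacy format
                tag, ltype = (first >> 2) & 0x0F, first & 0x03
                if ltype == 3:                    # indeterminate: runs to end
                    n = len(data) - i
                else:
                    width = 1 << ltype            # 1, 2 or 4 length octets
                    n = int.from_bytes(data[i:i + width], "big")
                    i += width
                i += n
                out.append(("legacy", tag, n))
            if i > len(data):
                raise ValueError("truncated packet")
    except IndexError:
        raise ValueError("truncated packet header") from None
    return out

def legacy_tags(data):
    """Tags of the packets that still use the legacy header format."""
    return [tag for fmt, tag, _ in packet_formats(data) if fmt == "legacy"]

# Constructed sample: the same literal data packet (tag 11) in both formats.
BODY = b"b\x00" + bytes(4) + b"hi"
SAMPLE = b"\xac\x08" + BODY + b"\xcb\x08" + BODY
```

An empty result from legacy_tags() means every packet in the stream uses the new header format.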