gpg 1.4; yes if you configured it correctly
Andrew Gallagher
andrewg at andrewg.com
Thu Jan 15 15:19:40 CET 2026

On 15/01/2026 11:19, Nutchanon Wetchasit via Gnupg-users wrote:
>
> I'm specifically using GPG 1.4 [1] and I have recently instructed someone
> with a vintage system (Windows XP) to install GPG 1.4 because the software
> he uses doesn't work with newer GPG series; so I have some pointers to give.

If that Windows XP machine is connected to the internet, running gnupg
on it is pure security theatre. You should assume that it is pwned
already, that any secret keys are leaked, and that it's part of at least
one botnet.

> Software does not rot like milk and meat do; old software means it's
> time-tested, and timeless software that works through the ages is good software.

Software does not need to rot, because it is already broken. All code of
any nontrivial complexity is broken in some way - the only variables are
a) how exactly it is broken and b) who finds out first, you or the bad
guys. If you don't upgrade your software regularly, the likelihood that
an attacker knows a security vulnerability that you have not fixed
approaches 1 *very fast*, and anything connected to the internet will be
subject to multiple hacking attempts *per minute* by multiple attackers
in parallel. Even an airgapped system can't fully protect you if you're
copying untrusted files across the gap and using outdated security
software to check them.

> In my eyes, the ideal version of software is the version that is good enough
> for me to continue using it for the rest of my life.

I understand your frustration, because many software vendors don't offer
bugfix support for older versions and force you through painful UX
changes and compatibility breaks just to get security fixes. But it is
also unreasonable to ask software vendors to support every old version
of their code in perpetuity. You *must* upgrade your software, no matter
how painful it is.

> GnuPG: 1.4.12 (Debian)
> System: Debian GNU/Linux 7.0 "Wheezy" i386

You connected a Wheezy machine to the internet as well? Please, *please*
upgrade your OS right now. Ten years out-of-date operating systems are
*not secure*. Until you're running a fully-patched system, any
discussion of cryptography is a waste of your time.

A