gpg 1.4; yes if you configured it correctly

Robert J. Hansen rjh at sixdemonbag.org
Thu Jan 15 15:43:41 CET 2026


> I'm specifically using GPG 1.4 [1] and I have recently instructed someone
> with a vintage system (Windows XP) to install GPG 1.4 because software
> he uses doesn't work with newer GPG series; so I have some pointers to give.

I would be hard pressed to find any legitimate purpose for WinXP today. 
I wouldn't even want to use it in an airgapped environment.

> Software does not rot like milk and meat do; old software means it's
> time-tested, and timeless software that works through ages is good software.

Yes... and no. Mostly 'no'.

Look, I'm a big fan of ancient COBOL code that's thunking along on Big 
Iron that three people in the world still understand, and they're paid 
well to sit around in case someone reports the first bug in thirty 
years. That stuff makes me happy. But you need to look at the 
environment in which that software exists: it has almost nothing in 
common with the everyday consumer software experience.

In the consumer software world, software *absolutely* rots. Today's "I 
want to punch someone in the face really hard" moment came courtesy of 
discovering some ancient Java code relied on an internal API that the 
latest JVM long-term release has now closed off. It isn't that software 
rots, per se: it's that the environment in which software operates 
undergoes constant Lamarckian evolution. William Gibson once described 
it as being like an evolutionary experiment where the researcher kept a 
thumb mashed down on the fast forward button -- a very good metaphor.

Also, no, old software doesn't mean it's time-tested. If you think 
that's true I have some code I wrote when I was an undergrad that you 
should see. Old software is time-tested *only if there is intense 
ongoing use and an accompanying investment in software lifecycle 
maintenance*, and those two conditions amount to a really big if.

GnuPG 1.4 is not seeing intense ongoing use, and there's almost no 
investment in ongoing maintenance.

> The problem being: GPG 1.4 was released in the day and age when the SHA-1
> hash algorithm was still considered cryptographically secure
> (marginally secure, but nonetheless still secure back then),

SHA-1 was the Rock of Gibraltar for twenty years. It was never 
"marginally secure".

