Here's my own set of suggestions for breaking changes to GnuPG:

1. End-of-life 1.4 already.

Yes, it's the only option for PGP 2.6. Yes, it's the only option for old and out-of-date stuff. Yes, there will be people who need to decrypt this stuff. All of that is true, but *we* don't need to be the people who cater to their needs. At this point if you need pre-Web crypto (which, I remind people, is pretty much what PGP 2.6 is), you have a specialized need and you need to talk to someone about a custom solution. There are companies that specialize in this sort of thing (like, say, g10 Code).

We should keep the 1.4 source code available, but wash our hands of it and say it will receive *no* future fixes, not even for security issues -- and we need to stand on that when people start screaming.

Rationale: as long as we keep GnuPG 1.4 around and even semi-supported, people will insist on not upgrading.

2. End-of-life 2.0.

2.2 is the replacement branch for 2.0, and it's been around for ten months. Yes, some major distros have incorporated 2.0 into their long-term support releases. That's on them, *not* us. State, "we're going to continue to give security fixes to 2.0 but that will end December 31, 2018."

Rationale: 2.3 will be coming out soon. I can understand supporting 2.2 and 2.3 simultaneously, but 2.0, 2.2, and 2.3 simultaneously seems like we're dropping 1.4 just to pick up another boat anchor.

3. In 2.3, make RFC4880bis04 the default.

There's a lot of good stuff in bis04. Unfortunately, until the WG restarts there's little in the way of implementations of it. But it still exists, and it's the safest thing we've got so far, so let's make the cutover. Include an --rfc4880 option for interoperability with clients that aren't -bis04 compliant.

Rationale: we may only get one chance to make serious breaking changes, so let's go big or go home.

Let me make it clear: these changes are extreme. Some knowledgeable people will say they're too extreme. I disagree. Let's get all the breaking pain over at once, and put GnuPG on track for the future.
And if defaulting to -bis04 puts pressure on other implementations to support it, and/or puts pressure on the WG to approve it, well -- I'm fine with that.