On 21/05/2018 10:46, Ralph Seichter wrote:
> On 21.05.18 07:20, Robert J. Hansen wrote:
>
>> We should keep the 1.4 source code available, but wash our hands of it
>> and say it will receive *no* future fixes, not even for security
>> issues -- and we need to stand on that when people start screaming.
> I agree. In my experience, this stance--publicly documented--will allow
> people to say to their bosses "support has ended, and for security
> reasons we now need a budget to finance a move away from this outdated
> software". I have seen similar situations often enough; nobody would
> spend money as long as the old software horse was still twitching.
>
> Discontinue version 1.4 right away, quoting Efail as a trigger if you
> wish, and set an EOL for version 2.0 in a few months, as you suggested.

It's not that simple. There are more use cases to take into account.

Whilst what you say is true for people still encrypting new data with
1.4 (and I agree that they should be prevented from doing so), there are
other people (perhaps even more people) who have a legitimate need to
access historical/archival encrypted data.

Preventing users from encrypting new data using legacy encryption does
NOT need to mean that other users have to be prevented from (quite
legitimately) accessing archived data using legacy encryption with
maintained software.

-- 
Mark Rousell

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users