Bug#982258: [pkg-gnupg-maint] Bug#982258: gpgv1: Consider removing parts of the tools which aren't recommended to be used

2021-02-23 Thread Russ Allbery
Daniel Kahn Gillmor  writes:

> for (a) and (c), do we have a sample of a usenet control message

The last articles in:

http://ftp.isc.org/usenet/control/rec/rec.ponds.moderated.gz

are generated in essentially the same way Big Eight control messages are
still currently being generated.  (I've been trying to find time to switch
over, but haven't yet.)

> and key that are in use today?

http://ftp.isc.org/usenet/news.announce.newgroups/PGP.PUBLICKEY

and more generally nearly all of the keys in:

https://git.eyrie.org/?p=usenet/control-archive.git;a=tree;f=keys;hb=HEAD

Only a few have been converted to modern keys.

> Is there an estimate of how many of those keys are still relied upon?

Among those still actively issuing control messages (a lot of these
hierarchies have stopped), my guess would be around 5-10.

> Here are some features that it sounds to me like we could "safely"
> remove or disable in gpg1, while encouraging users who needed that
> specific functionality to migrate to modern gpg:

>  - secret key generation
>  - encryption
>  - keyserver and other network access (including auto-key-locate?)
>  - certification (aka "keysigning")
>  - trust models other than direct (and always)?

None of this is used by the Usenet machinery.

-- 
Russ Allbery (ea...@eyrie.org) 



Bug#982258: [pkg-gnupg-maint] Bug#982258: gpgv1: Consider removing parts of the tools which aren't recommended to be used

2021-02-23 Thread Daniel Kahn Gillmor
On Sun 2021-02-07 20:19:19 +, Dominic Hargreaves wrote:
> In the discussion at [1] it was suggested that perhaps gnupg1 could be
> updated to explicitly remove support for operations other than
> decrypting old messages.

that discussion suggests that the only two things that people are likely
to still use GnuPG for are:

 a) signing with old keys that gpg2 thinks are too weak to consider using
 b) decrypting old messages

Surely from (a) it follows that there are others who need:

 c) verifying signatures from those old keys(?)

For (b), do we have a sample of an old message that modern gpg is unable
to decrypt, along with a sample key?

for (a) and (c), do we have a sample of a usenet control message and key
that are in use today?  Is there an estimate of how many of those keys
are still relied upon?

Here are some features that it sounds to me like we could "safely"
remove or disable in gpg1, while encouraging users who needed that
specific functionality to migrate to modern gpg:

 - secret key generation
 - encryption
 - keyserver and other network access (including auto-key-locate?)
 - certification (aka "keysigning")
 - trust models other than direct (and always)?

Any thoughts?

--dkg




Bug#982258: gpgv1: Consider removing parts of the tools which aren't recommended to be used

2021-02-07 Thread Dominic Hargreaves
Package: gpgv1
Version: 1.4.23-1.1
Severity: wishlist

In the discussion at [1] it was suggested that perhaps gnupg1 could be
updated to explicitly remove support for operations other than
decrypting old messages.

[1]