> I'm specifically using GPG 1.4 [1] and I have recently instructed someone
> with a vintage system (Windows XP) to install GPG 1.4 because the software
> he uses doesn't work with newer GPG series; so I have some pointers to give.

I would be hard pressed to find any legitimate purpose for WinXP today. I wouldn't even want to use it in an airgapped environment.

> Software does not rot like milk and meat do; old software means it's
> time-tested, and timeless software that works through the ages is good software.

Yes... and no. Mostly 'no'.

Look, I'm a big fan of ancient COBOL code that's thunking along on Big Iron that three people in the world still understand, and they're paid well to sit around in case someone reports the first bug in thirty years. That stuff makes me happy. But you need to look at the environment in which that software exists: it has almost nothing in common with the everyday consumer software experience.

In the consumer software world, software *absolutely* rots. Today's "I want to punch someone in the face really hard" moment came courtesy of discovering some ancient Java code relied on an internal API that the latest JVM long-term release has now closed off. It isn't that software rots, per se: it's that the environment in which software operates undergoes constant Lamarckian evolution. William Gibson once described it as being like an evolutionary experiment where the researcher kept a thumb mashed down on the fast forward button -- a very good metaphor.

Also, no, old software doesn't mean it's time-tested. If you think that's true I have some code I wrote when I was an undergrad that you should see. Old software is time-tested *only if there is intense ongoing use and an accompanying investment in software lifecycle maintenance*, and those two conditions amount to a really big if.

GnuPG 1.4 is not seeing intense ongoing use, and there's almost no investment in ongoing maintenance.

> The problem being: GPG 1.4 was released in the day and age when the SHA-1
> hash algorithm was still considered cryptographically secure
> (marginally secure, but nonetheless still secure back then),

SHA-1 was the Rock of Gibraltar for twenty years. It was never "marginally secure".


Gnupg-users mailing list
https://lists.gnupg.org/mailman/listinfo/gnupg-users