[pkg-gnupg-maint] Bug#982258: Bug#982258: gpgv1: Consider removing parts of the tools which aren't recommended to be used

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Feb 23 21:38:08 GMT 2021


On Sun 2021-02-07 20:19:19 +0000, Dominic Hargreaves wrote:
> In the discussion at [1] it was suggested that perhaps gnupg1 could be
> updated to explicitly remove support for operations other than
> decrypting old messages.

That discussion suggests that the only two things that people are likely
to still use GnuPG for are:

 a) signing with old keys that gpg2 thinks are too weak to consider using
 b) decrypting old messages

Surely from (a) it follows that there are others who need:

 c) verifying signatures from those old keys(?)

For (b), do we have a sample of an old message that modern gpg is unable
to decrypt, along with a sample key?

For (a) and (c), do we have a sample of a Usenet control message and key
that are in use today?  Is there an estimate of how many of those keys
are still relied upon?

Here are some features that it sounds to me like we could "safely"
remove or disable in gpg1, while encouraging users who needed that
specific functionality to migrate to modern gpg:

 - secret key generation
 - encryption
 - keyserver and other network access (including auto-key-locate?)
 - certification (aka "keysigning")
 - trust models other than direct (and always)?

Any thoughts?

        --dkg