[pkg-gnupg-maint] What do we do about GnuPG 1.4 in debian?

Russ Allbery rra at debian.org
Sat Apr 30 01:04:30 BST 2022


Paul Wise <pabs at debian.org> writes:
> On Fri, 2022-04-29 at 17:33 -0400, Daniel Kahn Gillmor wrote:

>> I expect some people who keep GnuPG 1.4 around for handling some
>> weird legacy archival data to be upset by this.  If there are specific
>> needs, perhaps we can find other ways that they can meet them safely.
>> Or, perhaps they want to adopt the package to keep it available for
>> their own use.

> Are there any things that can be done with GnuPG 1.4 that cannot be
> done with GnuPG 2 or one of the other OpenPGP implementations? 
> For example decrypting files using old OpenPGP keys.

Yes, verifying signatures using obsolete keys or obsolete algorithms which
are no longer supported in GnuPG 2.  One can, of course, debate the merits
of the continued existence of such signatures, but they're still
relatively common for managed Usenet hierarchies because a lot of Usenet
is now running on autopilot (although we're slowly pushing people to
modernize).

For example, running import on the list of currently known keys for Usenet
hierarchies (many of which are admittedly dormant) says:

gpg: Total number processed: 101
gpg:     skipped PGP-2 keys: 84
gpg:              unchanged: 17

(I'm not intending this to be an argument for keeping GnuPG 1.x.  The
forcing factor of Debian dropping support for the old keys may even be
useful.  But it may be helpful for judging the impact.)

-- 
Russ Allbery (rra at debian.org)              <https://www.eyrie.org/~eagle/>
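
An added example, not part of the original message: one way to judge the same impact without GnuPG 1.4 is to count primary keys per key-packet version in a binary (dearmored) keyring. It assumes the keys gpg reports as "PGP-2 keys" are version 2 or 3 key packets as defined in RFC 4880; the function names and the sample bytes are constructed for illustration.

```python
# Added example: count primary keys per OpenPGP key-packet version (binary keyring).
from collections import Counter

PUBLIC_KEY = 6  # RFC 4880 packet tag for a primary public key

def iter_packets(data):
    """Yield (tag, body) for every packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {i}")
        i += 1
        if hdr & 0x40:  # new-format header
            tag, o1 = hdr & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body length not expected in a keyring")
        else:  # old-format header (the format used by PGP 2.x)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not expected in a keyring")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def count_key_versions(data):
    """Map key-packet version (first body octet) to number of primary keys."""
    return Counter(b[0] for t, b in iter_packets(data) if t == PUBLIC_KEY and b)

def legacy_keys(data):
    """Primary keys in the version 2/3 format (assumed to be gpg's 'PGP-2 keys')."""
    versions = count_key_versions(data)
    return versions[2] + versions[3]

# Constructed sample: v3 key (old header), a user ID, v4 key (new header).
# Bodies are dummy bytes; only the version octet is meaningful here.
SAMPLE = bytes([0x99, 0x00, 0x03, 3, 0, 0,  0xB4, 0x01, 0x41,  0xC6, 0x02, 4, 0])

if __name__ == "__main__":
    print(dict(count_key_versions(SAMPLE)), "legacy:", legacy_keys(SAMPLE))
```

ASCII-armored keys need to be dearmored before being passed to these functions.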


