[pkg-gnupg-maint] What do we do about GnuPG 1.4 in debian?

Davide Prina Davide.Prina at null.net
Sat Apr 30 10:53:43 BST 2022

Russ Allbery writes:

> Paul Wise writes:
>> On Fri, 2022-04-29 at 17:04 -0700, Russ Allbery wrote:
>>> Yes, verifying signatures using obsolete keys or obsolete algorithms
>>> which are no longer supported in GnuPG 2.
>> and nothing other than GnuPG 1 supports these keys?
> I'm personally not aware of anything other than the even more obsolete
> commercial PGP implementations, but maybe the package maintainers know
> more.

So if I have, for example, old e-mails encrypted with these old and no longer
supported ciphers, I will no longer be able to read the content if I
don't manually install an old and unmaintained package (if I will be able
to do that... dependencies can also be unavailable or uninstallable)...
is that correct?

I think that probably the best solution could be a package that can only
decrypt and verify with obsolete ciphers and not encrypt using them.
The use of this must alert the user that the stuff was encrypted with old
and no longer reliable ciphers...
Naturally, this is a general problem, not Debian-specific.


