Any guidance for gnupg-2.0 -> gnupg-2.1 (archived encrypted email)?

David Wood david at wood2.org.uk
Tue May 26 05:53:32 UTC 2015


I would strongly encourage FreeBSD not to switch security/gnupg back to the 2.0 branch now that it has been 2.1 for a while, as that will break people's keyrings and configurations.


2.1 is undoubtedly very different to earlier versions. Support for PGP 2.x keys has been completely removed in 2.1 after being strongly deprecated for a while owing to known security weaknesses. If you need to decrypt or signature check legacy PGP 2.x material, keep a copy of 1.4 and associated configuration/keyrings to hand (though I don't know if the FreeBSD ports support 1.4 and 2.1 being installed simultaneously).

2.1 has refactored various code - for example, the code that interacts with keyservers is now in dirmngr and associated configuration goes in dirmngr.conf, unlike with earlier branches of GnuPG. https pool key servers are fixed from 2.1.3 onwards - I know, because I contributed that fix.

However, the biggest compatibility issues with reverting security/gnupg from 2.1 to 2.0 are the use of .kbx keyrings and support for elliptic curve keys. You can export all your non-elliptic-curve keys from your .kbx keyring on an intentional downgrade from 2.1 to 2.0 and import them to a traditional keyring after downgrading, but it is hard to see how this could be handled cleanly if the port were switched from 2.1 to 2.0. It would be a big POLA breach for your public keyring to revert to the state it was in before you upgraded to 2.1 - or become blank if you had only ever used 2.1.


I believe Werner Koch's intention is to drop the 2.0 branch at some point, on the basis that once the bugs have been shaken out of 2.1 there is little justification to keep supporting 2.0. 1.4 is useful for deployments where minimum dependencies are needed.

I hope we are close to the point where major bugs have been shaken out of 2.1, meaning there is little need to revert to 2.0 as a workaround. There are undoubtedly compatibility issues in moving from 2.0 to 2.1, but I don't see how making people change back to 2.0 configuration and keyrings by reverting the port to 2.0 (or making them choose to stick with 2.1) is anything other than retrograde.


With best wishes,


David
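The "export your non-elliptic-curve keys before downgrading" step described in the message above, as an added shell example that is not part of the original post or of GnuPG itself. It assumes GnuPG 2.1's `gpg --with-colons --list-keys` record layout (record type in field 1, OpenPGP algorithm id in field 4, key id in field 5) and treats algorithm ids 18 (ECDH), 19 (ECDSA) and 22 (EdDSA) as elliptic-curve; the output file names are arbitrary choices. A key is selected only if its primary key and every subkey are non-ECC, since a 2.0 installation cannot import a key with an ECC subkey either.

```shell
#!/bin/sh
# Added example, not from the original message or from GnuPG.
# Assumption: `gpg --with-colons` records have the record type in field 1
# (pub/sub/fpr/uid/...), the OpenPGP algorithm id in field 4 and the key id
# in field 5. ECC algorithm ids: 18 = ECDH, 19 = ECDSA, 22 = EdDSA.

# Read colon-format key listing on stdin and print the key id of every
# primary key whose primary key and all subkeys use a non-ECC algorithm
# (RSA = 1, Elgamal = 16, DSA = 17). Those are the keys GnuPG 2.0 can hold.
non_ecc_keyids() {
    awk -F: '
        function flush() { if (cur != "" && ecc == 0) print cur }
        $1 == "pub" { flush(); cur = $5; ecc = 0 }
        ($1 == "pub" || $1 == "sub") && ($4 == 18 || $4 == 19 || $4 == 22) { ecc = 1 }
        END { flush() }
    '
}

# Export the selected public and secret keys from the 2.1 pubring.kbx to
# armored files that a later 2.0 installation can import into its
# traditional pubring.gpg / secring.gpg. The secret-key export goes through
# gpg-agent and will prompt for passphrases. File names are arbitrary.
export_for_gnupg20() {
    keyids=$(gpg --with-colons --list-keys | non_ecc_keyids)
    [ -n "$keyids" ] || { echo "no non-ECC keys found in keyring" >&2; return 1; }
    gpg --armor --export $keyids > pubkeys-for-2.0.asc || return 1
    gpg --armor --export-secret-keys $keyids > seckeys-for-2.0.asc || return 1
    echo "exported: $keyids"
}

# Usage, run while 2.1 is still installed:
#   export_for_gnupg20
# Then, after installing 2.0:
#   gpg --import pubkeys-for-2.0.asc seckeys-for-2.0.asc
```

Keys with an ECC primary or subkey are deliberately left out; they stay usable only in the 2.1 keyring, which matches the point in the message that a downgrade cannot carry them over.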

