On Wed, Dec 17, 2014 at 1:46 PM, "P. A. López-Valencia" <vorbote@outlook.com> wrote:
On 17/12/14 13:04, Ido Rosen wrote:
Did you read the rest of that paragraph? You disregarded my points as a red herring, then made a straw man argument that we should donate instead of downgrading (and leave Arch users vulnerable). In the same paragraph, you quote Arch policy which agrees with the downgrade... I guess you are just trolling. Happy holidays, either way. :-)
I did read the rest of the paragraph but considered it not relevant to the discussion. The donation was not a straw man argument but rather a statement of fact about the actual situation with the gnupg.org project and its higher relevance to your concerns about the security of the software. I did use the opportunity to try and have the discussion go outside the box and not focus completely on your arguments, which as presented might cause panic in some users. I do understand your concerns about stability but, honestly, using Arch is a guarantee to be bitten sooner or later.
Your comment about stability in Arch is yet another straw man. I'm concerned about continuity and security against distribution channel being hijacked: Arch has no continuity if it can't reliably verify the authenticity of its distribution channel (i.e. if database and package signatures stop working properly, or someone compromised them). If it were any other piece of Arch, like libc or even the kernel, I wouldn't care as much, but this is the piece of Arch that is responsible for telling an Arch user that he is really getting Arch and not some backdoored malicious lookalike. The correct response is indeed for users to panic and demand that Arch devs be more responsible about reading release notes before upgrading such important core components of the system.
Also, I agree that gnupg would have been better kept at 2.0.x for some time and have 2.1.x in community or AUR even for at least 2 or 3 point releases. But considering the changes in keyring management and the higher security (like disabling all pgp keys with md5 hashes), I can live with the changes. Those same changes make downgrading a painful process.
As for downgrading being painful: I just downgraded that way and it was painless (and pacman, all pacman keys, keyring, etc. still work for me).
Addressing your observations in the follow-up message to the one I'm responding to, notice that nowhere in the release message does it say that you must not use gpg "modern", only that gpg "stable" is what most users use and perhaps the one with fewer bugs. As Arch uses current software in most cases, we the users are QA testers for more upstream projects than we can believe, so I wasn't surprised by the move to gnupg, but see above.
This is what the 2.1.1 point release says, verbatim:

"""
- GnuPG "modern" (2.1) is the latest development with a lot of new features. This announcement is about the first release of this version.
- GnuPG "stable" (2.0) is the current stable version for general use. This is what most users are currently using.
"""

So, it does directly imply that you should not use gpg "modern" (not stable) yet for general use, as opposed to development. It goes as far as calling "modern" a development release, and to draw the distinction between it and the "stable" release. It also implies that "modern" is not yet suited for general use, by saying that "stable" is for general use. Whether we parse these words verbatim or add some interpretation, the meaning is clear: 2.0 is for general use and is stable, 2.1.1 is not stable and is a development release.