[arch-general] gnupg 2.1 not stable

["P. A. López-Valencia"]

On 17/12/14 13:04, Ido Rosen wrote:
> Did you read the rest of that paragraph? You disregarded my points as 
> a red herring, then made a straw man argument that we should donate 
> instead of downgrading (and leave Arch users vulnerable). In the same 
> paragraph, you quote Arch policy which agrees with the downgrade... I 
> guess you are just trolling. Happy holidays, either way. :-) 

I did read the rest of the paragraph but considered it not relevant to 
the discussion. The donation was not a strawman argument but rather a 
statement of fact about the actual situation with the gnupg.org project 
and its higher relevance to your concerns about security of the 
software. I did use the opportunity to try and have the discussion go 
outside the box and not focus completely on your arguments, which as 
presented might cause panic in some users. I do understand your concerns 
about stability but, honestly, using Arch is a guarantee to be bitten 
sooner or later.

Also, I agree that gnupg would have been better kept at 2.0.x for 
sometime and have 2.1.x in community or AUR even for at least 2 or 3 
point releases. But considering the changes in keyring management and 
the higher security (like disabling all pgp keys with md5 hashes), I can 
live with the changes. Those same changes make downgrading a painful 
process.

Addressing your observations in the follow up message to the one I'm 
responding to, notice that nowhere in the release message says that you 
must not use gpg "modern", only that gpg "stable" is what most users use 
and perhaps the one with less bugs. As Arch uses current software in 
most cases, we the users are QA testers for more upstream projects that 
we can believe, so I wasn't surprised by the move to gnupg, but see above.

Happy Holidays to you too. :-)

-- 
Pedro Alejandro López-Valencia
http://about.me/palopezv/

Every nation gets the government it deserves. -- Joseph de Maistre