On 17/12/14 13:04, Ido Rosen wrote:
> Did you read the rest of that paragraph? You disregarded my points as a red herring, then made a straw man argument that we should donate instead of downgrading (and leave Arch users vulnerable). In the same paragraph, you quote Arch policy which agrees with the downgrade... I guess you are just trolling. Happy holidays, either way. :-)
I did read the rest of the paragraph but considered it not relevant to the discussion. The donation was not a strawman argument but rather a statement of fact about the actual situation with the gnupg.org project and its higher relevance to your concerns about security of the software. I did use the opportunity to try and have the discussion go outside the box and not focus completely on your arguments, which as presented might cause panic in some users. I do understand your concerns about stability but, honestly, using Arch is a guarantee to be bitten sooner or later.
Also, I agree that gnupg would have been better kept at 2.0.x for some time and have 2.1.x in community or AUR even for at least 2 or 3 point releases. But considering the changes in keyring management and the higher security (like disabling all pgp keys with md5 hashes), I can live with the changes. Those same changes make downgrading a painful process.
Addressing your observations in the follow-up message to the one I'm responding to, notice that nowhere does the release message say that you must not use gpg "modern", only that gpg "stable" is what most users use and perhaps the one with fewer bugs. As Arch uses current software in most cases, we the users are QA testers for more upstream projects than we can believe, so I wasn't surprised by the move to gnupg, but see above.
Happy Holidays to you too. :-)

--
Pedro Alejandro López-Valencia
http://about.me/palopezv/

Every nation gets the government it deserves. -- Joseph de Maistre