

GnuPG 2.1.2 released - Sami_Lehtinen
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000361.html

======
acqq
What is different from the previous 2.1 is not clear.

The most interesting part is:

"Since the start of the funding campaign in December several thousand people
have been kind enough to donate a total of 250000 Euro to support this
project. In addition the Linux Foundation gave a grant of $ 60000 for 2015,
Stripe.com and Facebook.com each pledged $ 50000 per year.

I am amazed by this superb and unexpected support for the GnuPG project. This
will not only allow us to continue the project and hire at least a second full
time developer but gives us also the resources to improve things which have
been delayed for too long."

I think everybody agrees that the most of the success of the campaign is due
to this single article:

[http://www.propublica.org/article/the-worlds-email-
encryptio...](http://www.propublica.org/article/the-worlds-email-encryption-
software-relies-on-one-guy-who-is-going-broke)

~~~
HSO
And to my delight, the article was written by Julia Angwin whose book

[1] J. Angwin. Dragnet Nation: A Quest for Privacy, Security, and Freedom in a
World of Relentless Surveillance. Times Books, 2014.

I recently finished and recommend. It's one of those few "books" written these
days (quotation marks because they`re really more like stretched-out magazine
articles) that actually make sense, come from the right place in terms of
sentiment and tone, and most important are logical or coherent. I was curious
about the author because I was so surprised and saw in her bio that she
studied mathematics in college. Go figure ;-)

~~~
icebraining
Yeah, without taking any credit away from the donors (or from the GPG authors,
of course), we should be grateful to her and ProPublica for bringing this to
light.

It kinda bothers me that, while I can make a donation to ProPublica, there's
no way to express _why_ I'm doing so. On the other hand, maybe there's a
danger in becoming too donation-focused.

EDIT: After donating, they say: _" Please consider sending a note to
thoughts@propublica.org or tweeting @ProPublica sharing your reason for
donating. We’ll use some of these messages to encourage others to donate."_

Which I think is fair enough.

~~~
microempathy
Why cryptocurrency/cryptoempathy needs fields for attaching messages for
meaning to value and account why we give.

Giving sharing significance and expressivity by allowing message passing for
basic help as a fundamental part of currency.

------
kerkeslager
A quick PSA for those using Mac OSX with homebrew or a Linux variant with apt-
get:

There are two versions of gpg on homebrew. If you're like me, you installed
gpg with:

    
    
        brew install gpg
    

or

    
    
        sudo apt-get install gpg
    

However this gives you:

    
    
        $ gpg --version
        gpg (GnuPG) 1.4.18
        ...
    

What you probably want is:

    
    
        brew install gpg2
    

or

    
    
        sudo apt-get install gnupg2
    

This gives you:

    
    
        $ gpg2 --version
        gpg (GnuPG) 2.0.26
        libgcrypt 1.6.2
        ...
    

This is probably what you want, as it's the stable version.

There's no harm in using gpg 1.4.x; the docs indicate that this is maintained
because of its use on older and embedded systems, and AFAIK there's no reason
to suspect gpg 1.4.x's security if you trust 2.0.x. It's just that the 1.4.x
version has fewer features.

I haven't tried other package managers, but I suspect they also have this
minor pitfall.

~~~
isomorphic
It's worth noting that Homebrew has "gpg" and "gpg2" as aliases for the
"gnupg" and "gnupg2" formulae, respectively. This might be confusing to some
people wondering why there are two versions of the same thing.

------
zx2c4
If anyone here is a `pass` [1] user, and you're using 2.1.1, or 2.1.0, I
encourage you to upgrade. These two older versions of GnuPG had some nasty
bugs, fixes for which the pass community sent upstream where they were
accepted.

The result is that pass 1.6.5 and GnuPG 2.1.2 work nicely together.

[1] [http://www.passwordstore.org/](http://www.passwordstore.org/)

~~~
Fastidious
Interested on those nasty bugs too, as I am on pass mailing list and have not
read anything about them. This sounds more like a plug to pass, from a
throwaway account.

~~~
zx2c4
Um, no. This isn't a throwaway account. This is my account - the username I
use for everything. Type it into google. It's been my handle since I was super
young. Whois the .com of it - I registered it in 2000.

IN FACT the mailing list archives of the pass mailing list happen to be at
that domain. Here's the relevant post:
[http://lists.zx2c4.com/pipermail/password-
store/2015-January...](http://lists.zx2c4.com/pipermail/password-
store/2015-January/001336.html) This is from a CC that went to the GnuPG
mailing list.

~~~
Fastidious
I said "it sounds...", not that it was from a throwaway account. The "nasty"
bugs you referred were never a problem for me, and the way you wrote sounded
sensationalist.

~~~
zx2c4
I'm glad to hear you didn't have trouble with those bugs. They actually
prevented new packages from building in Debian and Fedora, due to our unit
tests catching the bugs, and we had to do a double-release on one day to fix
them -- quite stressful for us. Anyway, it's a nice thing you weren't directly
affected.

------
bostik
I've been wondering if there was anything like "proper" forwarding in gnupg-
agent, and thus at least signature support over SSH connections for remote
mail clients.

My use-case: I have a shell server which receives my emails. I use a local
client (mutt) to read my mails, but I do _not_ want to save my private key on
the server, because it is not 100% under my control. The idea is that my
physically local box would hold my private keys, and the agent would simply
forward the to-be-signed data from the remote host to my local system, and
transmit the signed data back.

When I send encrypted emails, at least those I can easily do on my physical
box and send the file over first. It's a bit of an inconvenience, but I can
live with that. Being able to sign my mails on that remote shell box without
actually putting my keys there is the one thing I'm looking for.

I found some kind of hack for this a year or so back, but now I can't even
remember what google-fu I had to employ.

------
gtirloni
Is there any work being done to formally prove GnuPG' algorithms correctness?
Just curious since there are other topic around Coq in the front page and I
couldn't find much by searching.

~~~
gsnedders
Algorithmic correctness is probably less interesting than the presence of
side-channels nowadays, and that's far, far, far harder to model.

~~~
xnull2guest
I do know of one researcher working on this: Julian Bangert at MIT out of
Dartmouth has modeled x86 family processors in SMT, and is able to prove that
all paths through a particular piece of code compile so that all cache hits
are identical, CPU ticks are identical, etc. Brilliant young man - I expect
we'll be seeing a lot more from him.

------
jmgrosen
Does anyone know when Curve25519 (encryption, not signing, I know Ed25519 is
already there) will be implemented? I'm waiting until that happens to generate
my new long-term keypair.

------
hackuser
It's very generous of them to do this work and give it away, but consider
paying for what you are getting.

