Re: Many vulnerabilities in GnuPG

[Sam James <sam () gentoo org>]

Henrik Ahlgren <pablo () seestieto com> writes:

> "Lexi Groves (49016)" <contact () gpg fail> writes:
>
> > Yes. We found this advice in [The GNU Privacy Handbook, Chapter 1.
> > Getting Started, Making and verifying
> > signatures](https://www.gnupg.org/gph/en/manual/x135.html):
>
> I'd just like to point out that the GNU Privacy Handbook (GPH) was
> published in 1999, and I have not encountered any more recent revisions.

I got this impression but couldn't find anything specifically saying it
was archived.

I filed a bug earlier and included https://dev.gnupg.org/T7993#210212
for one issue in it, but if it's not been revised since, perhaps it
should be archived with a banner on each page or something, as it's
readily found via search engines at the moment.

> I believe GnuPG did not even support RSA until version 1.0.3 and
> AES/Rijndael until version 1.0.4, which were released in 2000, meaning
> the handbook exclusively addresses DSA and ElGamal, making it 25 years
> out of date.

The GnuPG versions in the output got me suspicious enough ;)

> The GnuPG Manual (https://gnupg.org/documentation/manuals/gnupg/) is
> much more current, but sadly it is not structured as a user guide that
> would introduce a new user to PGP concepts and best practices, etc.

sam