From 157d4479aa1406418344fd80fb4534dc403f0503 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 20 Dec 2007 08:52:40 +0000 Subject: [PATCH] Preparing a release. --- ChangeLog | 7 +- NEWS | 27 +++--- README.maint | 4 +- configure.ac | 2 +- doc/a-decade-of-gnupg.txt | 198 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 223 insertions(+), 15 deletions(-) create mode 100644 doc/a-decade-of-gnupg.txt diff --git a/ChangeLog b/ChangeLog index 21d84e9f8..59de910d1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2007-12-20 Werner Koch + + Released 2.0.8. + 2007-12-17 Werner Koch * configure.ac: Add treatment for HAVE_LDAP_START_TLS_SA. @@ -1018,7 +1022,8 @@ * configure.ac (HAVE_JNLIB_LOGGING): always define it. - Copyright 2001, 2002, 2004 Free Software Foundation, Inc. + Copyright 2001, 2002, 2003, 2004, 2005, 2006, + 2007 Free Software Foundation, Inc. This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without diff --git a/NEWS b/NEWS index 28a31a93f..415c81ecb 100644 --- a/NEWS +++ b/NEWS @@ -1,21 +1,17 @@ -Noteworthy changes in version 2.0.8 +Noteworthy changes in version 2.0.8 (2007-12-20) ------------------------------------------------ - * Make sure that under Windows the file permissions of the socket are - taken into account. This required a change of our socket emulation - code; thus old GnuPG modules can't be used anymore. - - * Fixed a crash in gpgconf. - * Enhanced gpg-connect-agent with a small scripting language. * New option --list-config for gpgconf. - * The envvars XAUTHORITY and PINENTRY_USER_DATA are now passed to the - pinentry. + * Fixed a crash in gpgconf. - * Allow encryption with legacy Elgamal sign+encrypt keys with option - --rfc2440. + * Gpg-agent now supports the passphrase quality bar of the latest + Pinentry. + + * The envvars XAUTHORITY and PINENTRY_USER_DATA are now passed to the + Pinentry. * Fixed the auto creation of the key stub for smartcards. @@ -26,6 +22,15 @@ Noteworthy changes in version 2.0.8 * New option --extra-digest-algo for gpgsm to allow verification of broken signatures. + * Allow encryption with legacy Elgamal sign+encrypt keys with option + --rfc2440. + + * Windows is now a supported platform. + + * Made sure that under Windows the file permissions of the socket are + taken into account. This required a change of our socket emulation + code and changed the IPC protocol under Windows. + Noteworthy changes in version 2.0.7 (2007-09-10) ------------------------------------------------ diff --git a/README.maint b/README.maint index 3621fda11..1cbfdd5da 100644 --- a/README.maint +++ b/README.maint @@ -7,7 +7,7 @@ Release Planning: ================= If you are planning a new release and strings have changed you should -send a notification to all tyranslators, so that they have time to +send a notification to all translators, so that they have time to update their translations. scripts/mail-to-translators is useful for this. It might need some tweaking and it needs to be armored for actual sending. Running it as is to see what will happen is a good @@ -34,7 +34,7 @@ Release process: * Run "make distcheck". * Build and test the new tarball (best on a different machine). * Build and test the W32 version. - * Using the final test build run a "make -C doc online". + * [2.x only] Using the final test build run a "make -C doc online". * Sign the tarball * Get the previous tarball and run "mkdiff gnupg". You might need to set a different signature key than mine. mkdiff diff --git a/configure.ac b/configure.ac index 2212e7511..1823ac678 100644 --- a/configure.ac +++ b/configure.ac @@ -25,7 +25,7 @@ min_automake_version="1.10" # Set my_issvn to "yes" for non-released code. Remember to run an # "svn up" and "autogen.sh" right before creating a distribution. m4_define([my_version], [2.0.8]) -m4_define([my_issvn], [yes]) +m4_define([my_issvn], [no]) m4_define([svn_revision], m4_esyscmd([echo -n $( (svn info 2>/dev/null \ diff --git a/doc/a-decade-of-gnupg.txt b/doc/a-decade-of-gnupg.txt new file mode 100644 index 000000000..a42d741d8 --- /dev/null +++ b/doc/a-decade-of-gnupg.txt @@ -0,0 +1,198 @@ + A Short History of the GNU Privacy Guard + ======================================== + +It's been a decade now that the very first version of the GNU Privacy +Guard [0] has been released. This very first version was not yet +known under the name of GnuPG but dubbed "g10" as a reference on the +German constitution article on freedom of telecommunication +(Grundgesetz Artikel 10) and as a pun on the G-10 law which allows the +secret services to bypass these constitutional guaranteed freedoms. + +Version 0.0.0 released on December 20th 1997 [1], was a barely working +replacement of PGP avoiding all patented algorithm by using Elgamal +and Blowfish instead of RSA and IDEA. It was prominently marked as a +test version but nevertheless included most of the features of the +current GnuPG. The data format however was not compatible with +OpenPGP but oriented towards the PGP 2 format with a few extensions +(e.g. to allow streaming of data). The OpenPGP working group was +founded back in fall 1997 and I learned a bit to late about it to +build "g10" according to the then existing draft. For copyright +reasons it was practically not possible to reverse engineer the format +used by PGP-5, so the establishment of the OpenPGP WG was the right +thing at the right time. + +Before talking about GnuPG we need to go some more years back in +history: To help political activists Phil Zimmermann published a +software called Pretty Good Privacy (PGP) in 1991. PGP was designed +as an easy to use encryption tool with no backdoors and disclosed +source code. PGP was indeed intended to be cryptographically strong +and not just pretty good; however it had a couple of inital bugs, most +of all a home designed cipher algorithm. With the availability of the +source code a community of hackers (Branko Lankester, Colin Plumb, +Derek Atkins, Hal Finney, Peter Gutmann and others) helped him to fix +these flaws and a get a solid version 2 out. + +Soon after that the trouble started. As in many counties the use or +export of cryptographic devices and software was also strongly +restricted in the USA. Only weak cryptography was generally allowed. +PGP was much stronger and due to the Usenet and the availability of +FTP servers and BBSs, PGP accidently leaked out of the country and +soon Phil was sued for unlicensed munitions export. Those export +control laws were not quite up to the age of software with the funny +effect that exporting the software in printed form seemed not to be +restricted. MIT Press thus published a book with the PGP source code +which was then scanned outside the USA to form the base of PGP-2i ("i" +for international). Since then that version was used widely. + +The criminal investigations against Phil ended in 1996 and he founded +PGP Inc to write PGP-5. The first public release was done in spring +1997. The same year at the 39th IETF meeting at Munich in August Phil +Zimmermann and Jon Callas asked the IETF to setup a working group to +publish a standard for the protocol used by PGP-5 under the name +OpenPGP. The main drive behind this was to allow widespread use of +strong encryption even if at some point the new company would decide +to stop selling and supporting PGP. As it turned out PGP Inc was +acquired by Network Associates just a few months later and in 2002 +this company actually ceased support and development of PGP (though +the PGP product was later continued by the new PGP Corporation). + +Also often claimed to be Free Software, PGP has never fulfilled the +requirements for it: PGP-5 is straight proprietary software; the +availability of the source code alonedoes not make it free. PGP-2 has +certain restrictions on commercial use [2] and thus puts restrictions +on the software which makes it also non-free. Another problem with +PGP-2 is that it requires the use of the patented RSA and IDEA +algorithms. The patent on RSA was only valid in the USA but the +patent on IDEA was and is still valid [3] in most countries. + +Although the GNU project listed a requirement for a PGP replacement +for some years on its task list, it was not possible to start +implementing it as long as patents on all public key algorithms were +valid. That changed when in April 1997 the basic patent on public key +algorithms expired (the Diffie-Hellman US patent 4200770) and finally +in August when the broader Hellman-Merkle patent (4218582) expired. + +A month later, at the Individual-Network Betriebstagung at Aachen [4], +Richard Stallman continued his talk with a BoF session where he asked +the European hackers to start implementing public key software. The +arms trafficker laws of the USA prohibited the GNU project to write +such software in their country or even by US citizens working abroad. +Thus he told the European hackers that they are in the unique position +to help the GNU with crypto software. + +Being tired of writing SMGL conversion software and without a current +fun project, I soon found my self hacking on PGP-2 parsing code based +on the description in RFC-1991 and the pgformat.txt file. As this +turned out to be easy I continued and finally came up with code to +decrypt and create PGP-2 data. After I told the GNU towers that I +will take up the PGP replacement implementation I spend the rest of +the year replacing IDEA by Blowfish, RSA by Elgamal, implementing +streaming encryption, adding some key management and getting the code +into a reasonable shape. + +There used to be a plan for a free version of Secure Shell called PSST +(later known as LSH) with a somewhat populated mailing lists +maintained by Martin Hamilton. Martin was the so kind to setup a +mailing list for g10 too and announced it on that list. This way we +got the first subscribers. Eventually I made the first tarball, put +it up to ftp.guug.de, the FTP server of the German Unix User Group, +and wrote an announcement [5]. + +Right the next day Peter Gutmann offered to allow the use of his +random number code for systems without a /dev/random. This eventually +helped a lot to make GnuPG portable to many platforms. The next two +months were filled with code updates and a lengthly discussion on the +name; we finally settled for Anand Kumria's suggestion of GnuPG and +made the first release under this name (gnupg-0.2.8) on Feb 24 [6]. +Just a few days later an experimental version with support for Windows +was released. (That release also fixed an alignment problem on Alpha +boxes which was detected due to kernel log files filling up the hard +disk and an admin asking whether they really need to be backed up. ;-) + +In July 1998 the first more or less OpenPGP draft compliant version +was released. Matthew Skala had contributed Twofish code done cleanly +from scratch (Twofish was at that time a promising AES candidate and +suggested by Schneier as a Blowfish replacement; however we had some +copyright concerns with the reference code). Michael Roth contributed +a Triple-DES implementation later the year and thus completed the +required set of OpenPGP algorithms. Over the next year the usual +problems were solved, features discussed, complaints noticed and +support for gpg in various other software was introduced by their +respective authors. + +Finally, on September 7, 1999 the current code was released as version +1.0.0 with the major update of including Mike Ashley's GNU Privacy +Handbook [7]. A year later the RSA patent was to expire on September +20; the patent holder placed the patent into the public domain 3 weeks +earlier and thus we could release 1.0.3 with RSA support already on +September 18. One of the major obstacles on widespread use public +cryptography had gone (far too late of course). + +Also in 1999 the German government decided that strong encryption will +not be regulated in any way and that its use is recommended for +everyone. To publicly support this statement the Ministry of +Economics funded the porting of GnuPG and related software to +Microsoft Windows [8]. The US government was not keen to see that and +tried to urge the German government to revise the decision to allow +unregulated distribution of crypto software [9]. That did not work +out and to the end the USA had no other way than to weaken their own +export rules. + +Although we still develop GnuPG using servers located in Europe the +new US export controls eventually allowed US hackers to contribute to +GnuPG development. In 2001 David Shaw joined the project and since +then he is one of the most active GnuPG hackers and the co-maintainer. + +It's now a long time since GnuPG could be managed as a fun project and +thus I spend most of my professional life maintaining and extending +GnuPG. In 2001 I founded g10 Code, a Free Software company for the +development and support of GnuPG and related software. The most known +project is probably GnuPG-2 which started under the name NewPG as part +of the broader Aegypten project. The main goal of Aegypten was to +provide support for S/MIME under GNU/Linux and integrate that cleanly +with other mail clients, most notably KMail. Although having been +actively used since 2004, we released 2.0.0 only one years ago. + +It was not that much fun writing X.509/CMS (commonly named S/MIME) +software compared to the elegant and very interoperable OpenPGP +protocol. Having mastered that we meanwhile achieved to provide a +software which is really useful and works nicely with almost any other +S/MIME implementation. It also turned out that we could port GnuPG-2 +to Windows - despite my original claim that a modern POSIX platform +will be needed for GnuPG-2. This development also showed that it is +viable to develop Free Software as a business. + +With the new tools and from a user's perspective S/MIME and OpenPGP +will soon not make much of a difference anymore. However I had to +smile when I today read a report on the last RSA Europe conference +where a quick poll during a talk showed that OpenPGP is the mostly +used encryption protocol. + +Recall that GnuPG is just one tool; there are numerous other tools out +to solve related privacy problems. Kudos to all who worked on writing +and deploying privacy tools over all these years! + + +Happy Hacking, + + Werner + + +[0] http://www/gnupg.org +[1] ftp://ftp.gnupg.org/gcrypt/historic/g10-0.0.0.tar.gz +[2] from pgpdoc2.txt: "Finally, if you want to turn PGP into a + commercial product and make money selling it, then we must agree + on a way for me to also make money on it. [...] Under no + circumstances may PGP be distributed without the PGP + documentation, including this PGP User's Guide." +[3] "valid" is meant in the sense the patent holders use it and does + not imply that I regard patents on software a valid concept. See + http://www.fsfeurope.org/projects/swpat/background.en.html . +[4] http://www.dascon.de/IN-BT97/programm.html +[5] http://lists.gnupg.org/pipermail/gnupg-devel/1997-December/014131.html + There are just a few mails in December mainly discussing patent things. +[6] http://lists.gnupg.org/pipermail/gnupg-devel/1998-February/014208.html +[7] http://lists.gnupg.org/pipermail/gnupg-announce/1999q3/000037.html +[8] http://partners.nytimes.com/library/tech/99/11/cyber/articles/19encrypt.html +[9] http://www.heise.de/tp/r4/artikel/5/5124/1.html +