cleartext problems known for 30 years

Posted Jan 22, 2026 13:36 UTC (Thu) by yourfate (subscriber, #175466)
In reply to: cleartext problems known for 30 years by dd9jn
Parent article: Responses to gpg.fail

It seems like it should have been fixed / removed within the last 30 years then.



cleartext problems known for 30 years

Posted Jan 22, 2026 15:07 UTC (Thu) by dd9jn (✭ supporter ✭, #4459)

30 years ago it could not be removed because PGP/MIME did not yet exist or was only implemented by Mutt and not by the back then more common MUAs (e.g. Pine). Or think of IRC and BBS.

20 years ago PGP/MIME was widely used but cleartext was still in active use. Also at that time it was common to sign manifest files using cleartext signatures. If verified properly, this is no problem. However, still today not everyone implementing such a scheme gets it right. I have doubts that this will get better by switching to detached signatures.

OTOH, we should be glad that meanwhile most projects know about the importance of signatures for the software ecosystem. Well, most - when I need to update supporting libraries used by Gpg4win, I stumble upon projects with no way to verify that the download is authentic (e.g. libpng). As an attacker I would start there; updating image libraries is often required due to their complexity and thus bug proneness.
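As an added illustration of what "verified properly" has to mean for a cleartext-signed manifest (example code written for this page; it is not GnuPG code and not any commenter's code): only the text between the BEGIN PGP SIGNED MESSAGE header and the signature block is covered by the signature, so a consumer that checks the signature and then parses the whole file also swallows whatever was prepended or appended outside that block. The parser below follows the cleartext framework of RFC 4880 section 7 (dash-unescaping, trailing-whitespace removal, CRLF canonicalisation, no line ending before the signature line) and returns exactly the authenticated bytes; the signature check over those bytes is left to an OpenPGP implementation through the hypothetical `verify` hook. The manifest line format, the file names, the digests and the signature block are all constructed placeholders, and the `strict` policy that rejects any unsigned framing is a hardening choice for this example, not a spec requirement.

```python
# Added example (not GnuPG's or any commenter's code): extract exactly the text an
# OpenPGP cleartext signature covers, per RFC 4880 section 7.  The signature check
# itself is delegated to the `verify` hook; shown here is the framing step.
import re
from dataclasses import dataclass

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class CleartextError(ValueError):
    """Malformed framework, unsigned framing, or failed verification."""


@dataclass
class Cleartext:
    hash_algos: list      # from the "Hash:" armor header(s)
    text: str             # authenticated text, LF-joined, dash-escaping removed
    canonical: bytes      # what a verifier hashes: CRLF lines, trailing blanks stripped
    signature: str        # armored signature block, BEGIN..END inclusive
    unsigned_before: str  # content before the framework (NOT covered)
    unsigned_after: str   # content after END PGP SIGNATURE (NOT covered)


def parse_cleartext(document: str) -> Cleartext:
    lines = [ln.rstrip("\r") for ln in document.split("\n")]  # accept LF or CRLF
    if BEGIN_SIGNED not in lines:
        raise CleartextError("no cleartext signature framework found")
    start = lines.index(BEGIN_SIGNED)
    i, algos, body = start + 1, [], []
    while i < len(lines) and lines[i] != "":  # armor headers end at a blank line
        m = re.fullmatch(r"Hash:\s*(.*)", lines[i])
        if m is None:
            raise CleartextError(f"unexpected armor header: {lines[i]!r}")
        algos += [a.strip() for a in m.group(1).split(",") if a.strip()]
        i += 1
    i += 1  # skip the blank line that ends the headers
    while i < len(lines) and lines[i] != BEGIN_SIG:
        ln = lines[i]
        if ln.startswith("- "):
            ln = ln[2:]  # undo the signer's dash-escaping
        elif ln.startswith("-"):  # RFC 4880 7.1: every dash-initial line MUST be escaped
            raise CleartextError(f"unescaped dash line in signed text: {ln!r}")
        body.append(ln.rstrip(" \t"))  # trailing spaces/tabs are not signed
        i += 1
    if i >= len(lines) or END_SIG not in lines[i:]:
        raise CleartextError("truncated: signature block missing or not closed")
    end = lines.index(END_SIG, i)
    return Cleartext(
        hash_algos=algos,
        text="\n".join(body),
        canonical="\r\n".join(body).encode(),  # no CRLF before BEGIN PGP SIGNATURE
        signature="\n".join(lines[i:end + 1]),
        unsigned_before="\n".join(lines[:start]),
        unsigned_after="\n".join(lines[end + 1:]),
    )


# Constructed manifest line format for this example: "sha256  <hex digest>  <file name>".
MANIFEST_LINE = re.compile(r"^sha256\s+([0-9a-f]{64})\s+(\S+)$")


def parse_manifest(text: str) -> dict:
    return {m[2]: m[1] for m in map(MANIFEST_LINE.match, text.split("\n")) if m}


def naive_manifest_entries(document: str) -> dict:
    """The mistake: check the signature, then parse the WHOLE file."""
    return parse_manifest(document)


def safe_manifest_entries(document: str, strict: bool = True, verify=None) -> dict:
    """Parse only the signed text.  `verify(canonical, armored_sig) -> bool` is the
    caller's OpenPGP implementation (hypothetical hook; none is bundled here).
    strict=True also refuses files that carry anything outside the signed block."""
    ct = parse_cleartext(document)
    if verify is not None and not verify(ct.canonical, ct.signature):
        raise CleartextError("signature did not verify over the canonical text")
    if strict and (ct.unsigned_before.strip() or ct.unsigned_after.strip()):
        raise CleartextError("unsigned text outside the signed block")
    return parse_manifest(ct.text)


def accepts(document: str, **kw) -> bool:
    """True if safe_manifest_entries() accepts the file under the given policy."""
    try:
        safe_manifest_entries(document, **kw)
        return True
    except CleartextError:
        return False


# Constructed sample: digests, file names and the signature block are placeholders.
GOOD, EVIL = "ab" * 32, "cd" * 32
SIGNED_BLOCK = [
    BEGIN_SIGNED, "Hash: SHA256", "",
    "# manifest v1   ",  # trailing blanks: not part of the signed text
    "- - a line that began with a dash, dash-escaped by the signer",
    f"sha256  {GOOD}  foo-1.0.tar.gz",
    BEGIN_SIG, "", "PLACEHOLDERnotarealsignature=", "=XXXX", END_SIG,
]
CLEAN_SAMPLE = "\n".join(SIGNED_BLOCK) + "\n"
TAMPERED_SAMPLE = "\n".join(["Release notes (unsigned preamble)"] + SIGNED_BLOCK
                            + [f"sha256  {EVIL}  foo-1.0-hotfix.tar.gz", ""])
```

On the tampered sample, `naive_manifest_entries` reports both archives while `safe_manifest_entries` reports only the signed one (or, with `strict=True`, refuses the file outright). With GnuPG the equivalent discipline is to take the verified data from gpg's output (for example `--output` together with `--decrypt`) and the verdict from `--status-fd`, rather than re-reading the input file after seeing "Good signature".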

cleartext problems known for 30 years

Posted Jan 25, 2026 17:06 UTC (Sun) by SLi (subscriber, #53131)

I think if Fedora gets it wrong in their release process, that should demonstrate that there's way too much confidence in people knowing to not use it this way.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds