Preparing a release.gnupg-2.0.8

1 files changed, 198 insertions, 0 deletions

diff --git a/doc/a-decade-of-gnupg.txt b/doc/a-decade-of-gnupg.txt
new file mode 100644
index 000000000..a42d741d8
--- /dev/null
+++ b/doc/a-decade-of-gnupg.txt
@@ -0,0 +1,198 @@
+               A Short History of the GNU Privacy Guard
+               ========================================
+
+It's been a decade now that the very first version of the GNU Privacy
+Guard [0] has been released.  This very first version was not yet
+known under the name of GnuPG but dubbed "g10" as a reference on the
+German constitution article on freedom of telecommunication
+(Grundgesetz Artikel 10) and as a pun on the G-10 law which allows the
+secret services to bypass these constitutional guaranteed freedoms.
+
+Version 0.0.0 released on December 20th 1997 [1], was a barely working
+replacement of PGP avoiding all patented algorithm by using Elgamal
+and Blowfish instead of RSA and IDEA.  It was prominently marked as a
+test version but nevertheless included most of the features of the
+current GnuPG.  The data format however was not compatible with
+OpenPGP but oriented towards the PGP 2 format with a few extensions
+(e.g. to allow streaming of data).  The OpenPGP working group was
+founded back in fall 1997 and I learned a bit to late about it to
+build "g10" according to the then existing draft.  For copyright
+reasons it was practically not possible to reverse engineer the format
+used by PGP-5, so the establishment of the OpenPGP WG was the right
+thing at the right time.
+
+Before talking about GnuPG we need to go some more years back in
+history: To help political activists Phil Zimmermann published a
+software called Pretty Good Privacy (PGP) in 1991.  PGP was designed
+as an easy to use encryption tool with no backdoors and disclosed
+source code.  PGP was indeed intended to be cryptographically strong
+and not just pretty good; however it had a couple of inital bugs, most
+of all a home designed cipher algorithm.  With the availability of the
+source code a community of hackers (Branko Lankester, Colin Plumb,
+Derek Atkins, Hal Finney, Peter Gutmann and others) helped him to fix
+these flaws and a get a solid version 2 out.
+
+Soon after that the trouble started.  As in many counties the use or
+export of cryptographic devices and software was also strongly
+restricted in the USA.  Only weak cryptography was generally allowed.
+PGP was much stronger and due to the Usenet and the availability of
+FTP servers and BBSs, PGP accidently leaked out of the country and
+soon Phil was sued for unlicensed munitions export.  Those export
+control laws were not quite up to the age of software with the funny
+effect that exporting the software in printed form seemed not to be
+restricted.  MIT Press thus published a book with the PGP source code
+which was then scanned outside the USA to form the base of PGP-2i ("i"
+for international).  Since then that version was used widely.
+
+The criminal investigations against Phil ended in 1996 and he founded
+PGP Inc to write PGP-5.  The first public release was done in spring
+1997.  The same year at the 39th IETF meeting at Munich in August Phil
+Zimmermann and Jon Callas asked the IETF to setup a working group to
+publish a standard for the protocol used by PGP-5 under the name
+OpenPGP.  The main drive behind this was to allow widespread use of
+strong encryption even if at some point the new company would decide
+to stop selling and supporting PGP.  As it turned out PGP Inc was
+acquired by Network Associates just a few months later and in 2002
+this company actually ceased support and development of PGP (though
+the PGP product was later continued by the new PGP Corporation).
+
+Also often claimed to be Free Software, PGP has never fulfilled the
+requirements for it: PGP-5 is straight proprietary software; the
+availability of the source code alonedoes not make it free.  PGP-2 has
+certain restrictions on commercial use [2] and thus puts restrictions
+on the software which makes it also non-free.  Another problem with
+PGP-2 is that it requires the use of the patented RSA and IDEA
+algorithms.  The patent on RSA was only valid in the USA but the
+patent on IDEA was and is still valid [3] in most countries.
+
+Although the GNU project listed a requirement for a PGP replacement
+for some years on its task list, it was not possible to start
+implementing it as long as patents on all public key algorithms were
+valid.  That changed when in April 1997 the basic patent on public key
+algorithms expired (the Diffie-Hellman US patent 4200770) and finally
+in August when the broader Hellman-Merkle patent (4218582) expired.
+
+A month later, at the Individual-Network Betriebstagung at Aachen [4],
+Richard Stallman continued his talk with a BoF session where he asked
+the European hackers to start implementing public key software.  The
+arms trafficker laws of the USA prohibited the GNU project to write
+such software in their country or even by US citizens working abroad.
+Thus he told the European hackers that they are in the unique position
+to help the GNU with crypto software.
+
+Being tired of writing SMGL conversion software and without a current
+fun project, I soon found my self hacking on PGP-2 parsing code based
+on the description in RFC-1991 and the pgformat.txt file.  As this
+turned out to be easy I continued and finally came up with code to
+decrypt and create PGP-2 data.  After I told the GNU towers that I
+will take up the PGP replacement implementation I spend the rest of
+the year replacing IDEA by Blowfish, RSA by Elgamal, implementing
+streaming encryption, adding some key management and getting the code
+into a reasonable shape.
+
+There used to be a plan for a free version of Secure Shell called PSST
+(later known as LSH) with a somewhat populated mailing lists
+maintained by Martin Hamilton.  Martin was the so kind to setup a
+mailing list for g10 too and announced it on that list.  This way we
+got the first subscribers.  Eventually I made the first tarball, put
+it up to ftp.guug.de, the FTP server of the German Unix User Group,
+and wrote an announcement [5].
+
+Right the next day Peter Gutmann offered to allow the use of his
+random number code for systems without a /dev/random.  This eventually
+helped a lot to make GnuPG portable to many platforms.  The next two
+months were filled with code updates and a lengthly discussion on the
+name; we finally settled for Anand Kumria's suggestion of GnuPG and
+made the first release under this name (gnupg-0.2.8) on Feb 24 [6].
+Just a few days later an experimental version with support for Windows
+was released.  (That release also fixed an alignment problem on Alpha
+boxes which was detected due to kernel log files filling up the hard
+disk and an admin asking whether they really need to be backed up. ;-)
+
+In July 1998 the first more or less OpenPGP draft compliant version
+was released.  Matthew Skala had contributed Twofish code done cleanly
+from scratch (Twofish was at that time a promising AES candidate and
+suggested by Schneier as a Blowfish replacement; however we had some
+copyright concerns with the reference code).  Michael Roth contributed
+a Triple-DES implementation later the year and thus completed the
+required set of OpenPGP algorithms.  Over the next year the usual
+problems were solved, features discussed, complaints noticed and
+support for gpg in various other software was introduced by their
+respective authors.
+
+Finally, on September 7, 1999 the current code was released as version
+1.0.0 with the major update of including Mike Ashley's GNU Privacy
+Handbook [7].  A year later the RSA patent was to expire on September
+20; the patent holder placed the patent into the public domain 3 weeks
+earlier and thus we could release 1.0.3 with RSA support already on
+September 18.  One of the major obstacles on widespread use public
+cryptography had gone (far too late of course).
+
+Also in 1999 the German government decided that strong encryption will
+not be regulated in any way and that its use is recommended for
+everyone.  To publicly support this statement the Ministry of
+Economics funded the porting of GnuPG and related software to
+Microsoft Windows [8].  The US government was not keen to see that and
+tried to urge the German government to revise the decision to allow
+unregulated distribution of crypto software [9].  That did not work
+out and to the end the USA had no other way than to weaken their own
+export rules.
+
+Although we still develop GnuPG using servers located in Europe the
+new US export controls eventually allowed US hackers to contribute to
+GnuPG development.  In 2001 David Shaw joined the project and since
+then he is one of the most active GnuPG hackers and the co-maintainer.
+
+It's now a long time since GnuPG could be managed as a fun project and
+thus I spend most of my professional life maintaining and extending
+GnuPG.  In 2001 I founded g10 Code, a Free Software company for the
+development and support of GnuPG and related software.  The most known
+project is probably GnuPG-2 which started under the name NewPG as part
+of the broader Aegypten project.  The main goal of Aegypten was to
+provide support for S/MIME under GNU/Linux and integrate that cleanly
+with other mail clients, most notably KMail.  Although having been
+actively used since 2004, we released 2.0.0 only one years ago.
+
+It was not that much fun writing X.509/CMS (commonly named S/MIME)
+software compared to the elegant and very interoperable OpenPGP
+protocol.  Having mastered that we meanwhile achieved to provide a
+software which is really useful and works nicely with almost any other
+S/MIME implementation.  It also turned out that we could port GnuPG-2
+to Windows - despite my original claim that a modern POSIX platform
+will be needed for GnuPG-2.  This development also showed that it is
+viable to develop Free Software as a business.
+
+With the new tools and from a user's perspective S/MIME and OpenPGP
+will soon not make much of a difference anymore.  However I had to
+smile when I today read a report on the last RSA Europe conference
+where a quick poll during a talk showed that OpenPGP is the mostly
+used encryption protocol.
+
+Recall that GnuPG is just one tool; there are numerous other tools out
+to solve related privacy problems.  Kudos to all who worked on writing
+and deploying privacy tools over all these years!
+
+
+Happy Hacking,
+
+  Werner
+
+
+[0] http://www/gnupg.org
+[1] ftp://ftp.gnupg.org/gcrypt/historic/g10-0.0.0.tar.gz
+[2] from pgpdoc2.txt: "Finally, if you want to turn PGP into a
+    commercial product and make money selling it, then we must agree
+    on a way for me to also make money on it. [...] Under no
+    circumstances may PGP be distributed without the PGP
+    documentation, including this PGP User's Guide."
+[3] "valid" is meant in the sense the patent holders use it and does
+    not imply that I regard patents on software a valid concept.  See
+    http://www.fsfeurope.org/projects/swpat/background.en.html .
+[4] http://www.dascon.de/IN-BT97/programm.html
+[5] http://lists.gnupg.org/pipermail/gnupg-devel/1997-December/014131.html
+    There are just a few mails in December mainly discussing patent things.
+[6] http://lists.gnupg.org/pipermail/gnupg-devel/1998-February/014208.html
+[7] http://lists.gnupg.org/pipermail/gnupg-announce/1999q3/000037.html
+[8] http://partners.nytimes.com/library/tech/99/11/cyber/articles/19encrypt.html
+[9] http://www.heise.de/tp/r4/artikel/5/5124/1.html
+