From c9387e41db7520d176edd3d6613b85875bdeb32c Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 4 Aug 2016 16:58:13 -0400
Subject: gpg: Avoid publishing the GnuPG version by default

* g10/gpg.c (main): initialize opt.emit_version to 0
* doc/gpg.texi: document different default for --emit-version

--

The version of GnuPG in use is not particularly helpful.  It is not
cryptographically verifiable, and it doesn't distinguish between
significant version differences like 2.0.x and 2.1.x.

Additionally, it leaks metadata that can be used to distinguish users
from one another, and can potentially be used to target specific
attacks if there are known behaviors that differ between major
versions.

It's probably better to take the more parsimonious approach to
metadata production by default.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 g10/gpg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'g10/gpg.c')

diff --git a/g10/gpg.c b/g10/gpg.c
index 35d350eb6..b33b61b7c 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2269,7 +2269,7 @@ main (int argc, char **argv)
     opt.def_cert_expire = "0";
     gnupg_set_homedir (NULL);
     opt.passphrase_repeat = 1;
-    opt.emit_version = 1; /* Limit to the major number.  */
+    opt.emit_version = 0;
     opt.weak_digests = NULL;
     additional_weak_digest("MD5");
 
-- 
cgit