gpg: Avoid publishing the GnuPG version by default
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Fri, 5 Aug 2016 14:46:43 +0000 (10:46 -0400)
committerJustus Winter <justus@g10code.com>
Tue, 9 Aug 2016 10:33:44 +0000 (12:33 +0200)
commit61539efc2bc4ba9a9faceaced12660d588c1be7a
tree7f27ad244cd7381d811313fd69a94e78d6a716ab
parent15d13272344fa0d8753a321c087b30a6d5115dfb
gpg: Avoid publishing the GnuPG version by default

* g10/gpg.c (main): initialize opt.emit_version to 0
* doc/gpg.texi: document different default for --emit-version

--

The version of GnuPG in use is not particularly helpful.  It is not
cryptographically verifiable, and it doesn't distinguish between
significant version differences like 2.0.x and 2.1.x.

Additionally, it leaks metadata that can be used to distinguish users
from one another, and can potentially be used to target specific
attacks if there are known behaviors that differ between major
versions.

It's probably better to take the more parsimonious approach to
metadata production by default.

(backport of master commit c9387e41db7520d176edd3d6613b85875bdeb32c)

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
doc/gpg.texi
g10/gpg.c