Comment 1 Alon Bar-Lev (RETIRED) 2014-08-08 09:06:34 UTC

I prefer to wait for 1.6.2

Comment 2 Kristian Fiskerstrand (RETIRED) 2014-08-08 10:30:52 UTC

A good argument to not wait too long to stabilize 1.6 is http://lists.gnupg.org/pipermail/gnupg-users/2014-August/050440.html: If you are using
a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to
mount the described side-channel attack on Elgamal encryption subkeys.

I've been using both 1.6 and 1.7 (master branch) as the main provider on my computer for quite a while and not experiencing issues at least.

Comment 3 Alon Bar-Lev (RETIRED) 2014-08-08 10:41:00 UTC

using master tells nothing... especially in g10 projects, this is the reason we did not add pre-releases so far.

I do expect a version of 1.6.2 be released soon with the stable queue[1], including the x32 fix.

if you have a reason not to wait, please proceed, but stabilizing too frequent is something I try to avoid.

notes for bugs that should be addressed during stabilization: bug#497654, bug#501284

[1] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=shortlog;h=refs/heads/LIBGCRYPT-1-6-BRANCH

Comment 4 Kristian Fiskerstrand (RETIRED) 2014-08-08 10:43:33 UTC

Yeah, I just re-read and 1.5.4 should also contain the necessary fixes. I opened an own bug for this as bug 519396