I appreciate the time you spent on the project (and on this thread!). However, I don't see this issue specifically addressed: The following was posted on TrueCrypt's SourceForge page [1]; I don't see how it's not a 'canary' (well, technically it's not because it's a direct message) and how users can trust TrueCrypt. Until this is resolved, every other discussion of TrueCrypt's future seems moot.
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
Seconded. I was quite puzzled by this whole issue when it happened and surprised to see that there hasn't been much clarification since. The developers who posted this message are real people whom others have been in contact with since, correct? (such as https://www.grc.com/misc/truecrypt/truecrypt.htm ). There was a very unambiguous claim of _existing_ security vulnerabilities in the EOL announcement. Have the developers explicitly refused to elaborate on this? Is there no reference to these concerns in the dev mailing list or elsewhere? Have they refused to take ownership for the statement?
People involved in the TC audit project have talked to the developers. The developers do not have an ideological investment in Truecrypt. They're just developers. They built Truecrypt to scratch an itch, found that supporting it was a largely thankless task, and then watched their software get at least 80% obsoleted by modern operating systems.
They don't owe anyone on HN or anywhere else any kind of "ownership of statements" or explanation. They published some source code. They got sick of it. They've moved on. It's over.
I understand the urge people have to synthesize a soap opera narrative out of things on message boards --- that's fun, after all, and the alternative is boring. But that's all the conversation about the TC project abandonment really is: a synthesized soap opera.
As I re-read your response it is seeming stranger and stranger. It seems you, too, are refusing to answer the straightforward question put forward. If no-one has asked the devs to explain this claim of potential vulnerabilities, so be it. But if everyone related to the project is recusing themselves from this question I think it's quite reasonable for observers to be interpreting that as a red flag.
(Also to clarify, when I said 'take ownership of this statement' I was referring to the earlier conjecture that the message was written by people other than the original developers.)
I appreciate your response, but I think also you are misrepresenting the events here. If the developers simply moved on that would be one thing, but what actually happened is they also made this claim:
Using TrueCrypt is not secure as it may contain unfixed security issues.
I don't think the developers owe anyone anything, in terms of supporting this project or even justifying their decision not to support it. But they did make this claim, which they didn't need to, which casts the entire project in doubt. You're saying they are refusing to elaborate on this claim? Or has no-one asked them to? Because I think this thread is evidence enough that plenty of people want to know.
I don't see anything wrong with that quote. They're simply saying it's no longer being developed, and therefore security issues could arise in the future and go unfixed.
However, I still use TrueCrypt because I'm familiar with it, don't believe it has been compromised, and I trust a random pickpocket will be unable to break it.
I read your other comments on the project. And most of what you are conveying seems to be about the audit project specifically, which you're involved in.
My particular curiosity is about that announcement, and whether or not it was a government attempt to discredit a likely very effective product.