On 2025-08-10 14:35:20 +0000 (+0000), fosres@posteo.de wrote:
Since Debian is a major Linux distribution I want to ask why software developers continue to digitally sign their code and software packages with GNUPG when there are simpler alternatives such as minisign (https://jedisct1.github.io/minisign/), signify, or age (https://github.com/FiloSottile/age).
[...]

While I can't speak authoritatively on the matter, you hint at the reason already when you use the word "continue." The other solutions you cite are mere infants compared to the ages of Debian (1993) and PGP (1991). Change takes time, and supplanting things that are already working well enough requires that the benefit and interest needed to overcome the inertia of the status quo must exceed any related effort and disruption that implies. In short, the alternatives have to be way, way, way superior for an existing system to get replaced.
Newer communities and ecosystems are more likely to use the things you mentioned primarily because they too are new enough that they can adopt them from the start, without incurring replacement costs.
-- Jeremy Stanley