Re: Why Do Developers Continue to Sign with GNUPG
I think that with the gnupg developer having left the development of the
OpenPGP standard, and Debian switching to Sequoia, there will be a
graceful shift away from gnupg, and towards the newer versions of
OpenPGP that deprecate a lot of the convoluted and insecure parts that
old versions of gnupg/openpgp were rightfully criticized for.
fosres@posteo.de transcribed 0.5K bytes on 10-Aug-2025 14:35:
> Hello Debian Security Team,
>
> Since Debian is a major Linux distribution I want to ask why
> software developers continue to digitally sign their code and
> software packages with GNUPG when there are simpler alternatives
> such as minisign (https://jedisct1.github.io/minisign/), signify, or age
> (https://github.com/FiloSottile/age).
>
> PGP has been criticized for its being difficult to use by other
> cryptographers:
>
> https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/
>
> I thank all responses in advance!
>
> Best,
>
> Tanveer Salim
>