fosres@posteo.de said [Sun, Aug 10, 2025 at 02:35:20PM +0000]:
Hello Debian Security Team, since Debian is a major Linux distribution I want to ask why software developers continue to digitally sign their code and software packages with GNUPG when there are simpler alternatives such as minisign (https://jedisct1.github.io/minisign/), signify, or age (https://github.com/FiloSottile/age).
There are many cryptographic implementations that get part of the benefits of OpenPGP, but don't get fully there. OpenPGP is an IETF standard that was recently (one year ago) updated with newer algorithms, practices and usages. As Malte said in this thread, the developers of the tool most of our fingers know best, GnuPG, have chosen to follow a different path and fork the standard -- of course, only time will tell if their "LibrePGP" gains any traction, but I am betting it will be marginal.

Most Free Software projects (there are many!) that base parts of their infrastructure on OpenPGP are considering switching away from GnuPG towards newer alternatives, such as the already mentioned Sequoia. There are various other implementations, but my personal opinion is that Sequoia is the most serious, better thought out, more user-friendly — and, yes, most secure. I'm betting my chips on us gradually switching over our infrastructure to be based on Sequoia.

Greetings,
– Gunnar.