I have been dragged into the rabbit hole of GnuPG/LibrePGP VS Sequoia/OpenPGP and, boy, it is ugly. Yeah, yeah, I know, PGP is bad, but of all the ugly things that could have happened to the FOSS crypto space, this is really unwelcome. I wish people would just sit at a table and talk.

#pgp #gpg #sequoia #crypto #cryptography #security #foss #floss #libre #drama #ietf #privacy #openpgp #librepgp

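#OpenPGP #LibrePGP #GnuPG
An article from last year, but I found a good summary

>OpenPGP and LibrePGP: the conflict between GnuPG and the other implementations
https://kris.fail/posts/opgpvslpgp/

OpenPGP and LibrePGP: the conflict between GnuPG and the other implementations

Update history 2025-07-09: first version published 2025-07-09: fixed style and duplication, added links, clarified the argument, added a table of contents 2025-07-10: added footnotes 2025-07-11: revised the wording The PGP key has not been posted yet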

Post-quantum defaults and GnuPG

@andrewg's email is a very insightful overview of where the standards, implementations, and openness of the community stand.

After years of using OpenPGP, the PQC discussions are a good opportunity to rethink what we should prepare for next and especially which community we should work with.

#pgp #librepgp #openpgp #opensource
#community #cybersecurity

🔗 https://lists.gnupg.org/pipermail/gnupg-users/2026-April/068280.html

Post-quantum defaults

@ber @GnuPG @rob Thanks! I'll point the lurkers to the mailing list for my full response, which I agree is better in long form: https://lists.gnupg.org/pipermail/gnupg-users/2026-April/068288.html

The tl;dr though is simple: the burning issue is a power struggle between a collective governance model (#OpenPGP) and a BDFL governance model (#LibrePGP). There isn't room for both. And while we can all try to be more civil, calling out bad behaviour will always have the appearance of incivility.

Discussion style differences between OpenPGP design groups (Re: Post-quantum defaults)

You want to read up on #E2EE for #eMail, and right away you discover the new tech drama between #OpenPGP and #LibrePGP.

Regardless of the substance of the discussion: user-friendly looks different.

Fragmented standards, opinionated and overly technical documentation, lots of deep tech talk, ...

That E2EE has not yet become widely established is, in my opinion, primarily due to this unpleasant #UX - and unfortunately the same goes for many other #OpenSource projects. A pity.

When looking at the changes towards the new 2.5.19 version of #GnuPG, there are many small things, like a way to use OCB for symmetric-only encryption, a few defect fixes and improvements.

Not that exciting, but maintenance of the well-known #LibrePGP, OpenPGPv4 and CMS capable crypto engine... you may want to know anyhow. ;)

https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000504.html
https://dev.gnupg.org/T7998

#GnuPG #EndtoEndCrypto #FreeSoftware

[Announce] GnuPG 2.5.19 released

Dear GnuPG packagers and builders, please upgrade libgcrypt to v1.12.2 to remove a denial of service vulnerability (estimated CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H -- 7.5 (HIGH)). Releases of other stable versions of libgcrypt are available as well.

(GnuPG versions >= 2.5.7 are not affected due to the use of a different encryption API.)

See https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html for details.

#GnuPG #EndtoEndCrypto #FreeSoftware #LibrePGP

[Announce] [Security fixes] Libgcrypt 1.12.2, 1.11.3, 1.10.x released

Details about the (ongoing) response to https://gpg.fail/ from GnuPG's side:

* https://www.gnupg.org/blog/20251226-cleartext-signatures.html
* https://dev.gnupg.org/T7906 Memory Corruption in ASCII-Armor Parsing
* https://dev.gnupg.org/T7900 (overview)

Please upgrade to GnuPG 2.5.16, 2.4.9 or #Gpg4win 5.0.0-beta479 which already have the fix for what (currently) is seen to be the only major defect: T7906.

(Researchers - Thanks! - found defects in GnuPG, Sequoia-PGP, Minisign and age.)

#EndtoEndCrypto #LibrePGP #GnuPG #Security

gpg.fail

#GnuPG v2.5.14 is here to try.

A no-brainer upgrade for those who use the 2.5 series already. You'd get some defects fixed and a new secret key export-import for the post-quantum cryptography (#PQC) algorithm "Kyber". RFC8332 for ssh is now supported.

For others: the 2.5 series is good for Windows 64 and PQC. #LibrePGP #OpenPGPv4 #EndtoEndCrypto

https://lists.gnupg.org/pipermail/gnupg-announce/2025q4/000499.html

[Announce] GnuPG 2.5.14 released