The #39C3 “To sign or not to sign” (https://gpg.fail) talk is excellent. 👏

IMHO: Avoid PGP altogether, especially #GnuPG. Avoid memory-unsafe programming languages wherever feasible.

It is mind-boggling that the gpg team / g10 Code GmbH refuses to fix all vulnerabilities, given that their @bsi certification and thus their business model are at risk.

Also goes to show that BSI certifications are worthless. Quelle surprise?

GnuPG having opinions on #Rust: https://www.gnupg.org/blog/20250117-aheinecke-on-sequoia.html

> In my view, GnuPG and OpenPGP are extremely mature and basically done.
> After collectively quitting their jobs at g10 Code […] former employees […] began inventing new problems and features to justify competition [by creating sequoia]
> *But we don't want to change*
> At GnuPG, we understood that unnecessary changes to a secure system pose risks that in our case nearly always outweigh the benefits.

Hey, GnuPG: You’re wrong! Grow tf up!

My thoughts on Sequoia PGP and LibrePGP

Sequoia – being written in Rust – isn’t nearly as affected as GnuPG, mostly because it isn’t written in C.

I know this is gonna offend people, but I think that all GNU C software should be rewritten in Rust (or any other mem-safe language). 😅

In that regard - how much would it help to automate the conversion using something like #C2Rust? github.com/immunant/c2rust