The #39C3 “To sign or not to sign” (https://gpg.fail) talk is excellent.

IMHO: Avoid PGP altogether, especially #GnuPG. Avoid memory-unsafe programming languages wherever feasible.
It is mind-boggling that the gpg team / g10 Code GmbH refuses to fix all vulnerabilities, given that their @bsi certification and thus their business model are at risk.
Also goes to show that BSI certifications are worthless. Quelle surprise?
-
GnuPG having opinions on #Rust: https://www.gnupg.org/blog/20250117-aheinecke-on-sequoia.html
> In my view, GnuPG and OpenPGP are extremely mature and basically done.
> After collectively quitting their jobs at g10 Code […] former employees […] began inventing new problems and features to justify competition [by creating sequoia]
> *But we don't want to change*
> At GnuPG, we understood that unnecessary changes to a secure system pose risks that in our case nearly always outweigh the benefits.
Hey, GnuPG: You’re wrong! Grow tf up!
-
@fluepke Not going to happen. If you want to see more instances of GnuPG trying hard to be on the wrong side of history, look up the OpenPGP vs LibrePGP shitshow.
At least this helps make PGP less relevant, which is good.
-
@neverpanic I do honestly think PGP in general and GnuPG in particular are dead by now. They’ve made mistakes, which is fine and may happen, but they had sufficient time to fix them, yet didn’t. There isn’t anything to discuss about the vulns. There’s no room for “you’re holding it wrong”. Anything other than a patch is a: Please avoid our software!
OpenPGP RFC standardization is also a mess with GnuPG refusing to adopt improvements.
-
@fluepke @neverpanic Are there any *widespread* alternatives nowadays? 'cause most of what I have heard is extremely niche audience or not general-purpose.
-
@crystalmoon @neverpanic it depends on the use case. Email is fundamentally broken, because it requires third-party software for security. Signal messenger seems widespread.
-
@fluepke
Signal is not decentralized. You can't use your own server. You are stuck with their AWS Google Azure shit stack.
@crystalmoon @neverpanic
-
@bohwaz @crystalmoon @neverpanic widespread adoption and newbie friendly <-> ethically sourced, bio-degradable, home-grown, decentralized.
@fluepke
There is nothing more widespread than email, it's decentralized and it works. There is no reason we cannot do something widespread ethical and decentralised (and encrypted). We don't have to compromise.
@crystalmoon @neverpanic
-
@bohwaz @crystalmoon @neverpanic email stopped working when Microsoft and t-online entered the game.
Hosting your own mail server is hard and we shouldn’t expect anyone to host their own server.
The standard solution for mail encryption is S/MIME. PGP standardization is broken.