top | item 46408046

(no title)

talideon | 2 months ago

Let's not conflate GPG and PGP-in-general. RPM doesn't use GPG, it uses Sequoia PGP.

GPG is what GP is referring to as a lost cause. Now, it can be debated whether PGP-in-general is a lost cause too, but that's not what GP is claiming.

discuss

ghickPit|2 months ago

> it can be debated whether PGP-in-general is a lost cause too, but that's not what GP is claiming

It is though what both the fine article, and tptacek in these comments, are claiming!

Avamander|2 months ago

They are also correct, but that's indeed not what the person you replied to said.

> then why haven't alternatives ^W replacements been produced for decades?

Actually we do have alternatives for it.

For example Git supports S/MIME and could absolutely be used to sign commits and tags. Even just using self-signed certificates wouldn't be far off from what PGP offers. However if people used their digital IDs like many countries offer, mission-critical code could have signatures with verifiable strong identities.

Though there are other approaches as well, both for signing and for encrypting. It's more that people haven't really considered migrating.

talideon|2 months ago

But it's not what cpach was writing about, is it?

Also no, the gpg.fail site makes no such claims. Now, tptacek, has said that, but he didn't write the comment you were replying to.