Hi there,
I recently had to prepare slides for a talk on Web of Trust for a local group
and one of the introductory points was having them understand the difference
between OpenPGP and GnuPG: one is the standard, the other is the implementation.
While I don’t know the whole backstory to what is going on with Sequoia-PGP, I
can say that when it comes to things like this, my recommendation will always
default to staying truest to form (or standard). This implies a bias towards
products with longevity and reputation in the field that follow a reasonable
cadence of continuous improvement.
So, I have no problem continuing to recommend GnuPG to my clients and peers for
the simple fact that it implements the standard, fulfills the purpose of
upholding supply chain security, and has a reputable history. But we also have
to remember that it’s ultimately the standard we’re most concerned with and
need to be conformed to, not a specific implementation.
Matt
On Wed, Sep 10, 2025 at 19:39, Tanveer Salim via Gnupg-devel
<[email protected]> wrote:
> Hello,
>
> I am now aware there has been a split between the GNUPG and Sequoia-PGP
> developers.
>
> I read Andre's post here:
> https://www.gnupg.org/blog/20250117-aheinecke-on-sequoia.html
>
> When I discussed the Sequoia-PGP developers' motivations for what they did,
> they said it was for technical reasons, which are described here, as explained
> by Neal in an email he sent me:
>
> https://archive.fosdem.org/2024/schedule/event/fosdem-2024-3297-sequoia-pgp-rethinking-openpgp-tooling/
>
> Apparently they wanted GNUPG to be more secure, robust, and usable in a way
> the GNUPG developers did not agree with.
>
> It seems there is a disagreement between GNUPG and Sequoia-PGP about the
> security of GNUPG. GNUPG claims making the changes the Sequoia-PGP developers
> wanted would risk people's safety in using it--especially the crypto-refresh.
>
> Despite GNUPG's disagreements, Phil Zimmermann, Michael Rysiek-Wozniak (former
> GNUPG endorser), and Debian are now using Sequoia-PGP.
>
> Why would these people side with Sequoia-PGP despite the GNUPG team's
> reservations?
>
> What I am confused about is whether I can trust my privacy with the Sequoia
> developers.
>
> Whether we like it or not, Sequoia-PGP is used by Debian, SecureDrop, and even
> journalists such as Rysiek. These people/organizations do have a major
> influence in how security and privacy is practiced by important people such as
> software developers (Debian) and journalists / whistleblowers (Rysiek).
>
> What do the GNUPG developers think of this change in direction in the
> community?
>
> I still use GNUPG to protect my privacy when communicating with my friends and
> family. I have no plans to change that, but I cannot help but wonder how this
> shift to Sequoia-PGP will affect my ability to keep using PGP.
>
> I thank the GNUPG developers in advance for any responses.
>
> Best,
> Tanveer Salim
>
_______________________________________________
Gnupg-devel mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-devel