On Thu, 15 Jan 2026 07:10, Jakob Bohm said:

> I don't know what List O'Rama is thinking of, but gnupg 2.x is clearly and
> obviously bloated, with even the most basic operation invoking multiple extra

In case you consider support for CMS/X.509 (aka S/MIME), ssh-agent, and several more smartcard types bloat, then this is correct. For everyone else these are new features beyond PGP support. Nobody needs to use them, and the architecture does not increase the attack surface. In fact, the modularization improves the security and allows matured code to be shared for other purposes. Using a separate crypto library (Libgcrypt) actually decreases the code size and improves code and audit sharing. Libgcrypt is more widely used and audited than gpg1 ever was.

> Similarly the output is neither suited for humans nor machines to reliably
> parse, often outputting phrases that don't apply to the action taken or its

Well, gpg-1 uses exactly the same output (machine and human interface). We might have lost a few translations; that's right.

> In contrast, gnupg 1.x was a single executable that did the requested
> operation within the confines of a single run of a single process except

And does not utilize the process barrier to avoid potential leaking of private key material due to minor coding errors.

> where needed for potentially dangerous tasks such as JPEG decompression of
> untrusted data and/or talking to graphical display systems.

And gpg-2 delegates sensitive tasks like private key operations to a dedicated process.

Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that refuse military service.
                                                         - A. Einstein
_______________________________________________ Gnupg-users mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-users
