On 12/28/25 05:00, Sam James wrote:
> Demi Marie Obenour <[email protected]> writes:
>
>> https://gpg.fail lists many vulnerabilities in GnuPG, one of which
>> allows remote code execution.
>
>> All are zero-days to the best of my knowledge.
>
> In 2.5.14:

Fedora isn't running 2.5.14 even in Rawhide. It's a zero-day for Fedora users at least.

Upstream GnuPG is increasingly unwilling to collaborate with other OpenPGP implementations, and distros are having to patch GnuPG just to restore interoperability. If possible, it would be best for distros to either outright fork the project and create a new upstream, or stop packaging GnuPG entirely in favor of Sequoia's compatibility layer.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
