On Sun, Dec 28, 2025 at 9:51 PM Demi Marie Obenour <[email protected]> wrote: > > On 12/28/25 05:00, Sam James wrote: > > Demi Marie Obenour <[email protected]> writes: > > > >> https://gpg.fail lists many vulnerabilities in GnuPG, one of which > >> allows remote code execution. > > > >> All are zero-days to the best of my knowledge. > > > > In 2.5.14: > > Fedora isn't running 2.5.14 even in Rawhide. It's a zero-day for > Fedora users at least. > > Upstream GnuPG is increasingly unwilling to collaborate with other > OpenPGP implementations, and distros are having to patch GnuPG just to > restore interoperability. If possible, it would be best for distros > to either outright fork the project and create a new upstream, or stop > packaging GnuPG entirely in favor of Sequoia's compatibility layer.
The Fedora Linux family of distributions already doesn't use GnuPG in the critical path anymore. RPM and DNF have been switched to SequoiaPGP for quite some time. That change was inherited by Red Hat Enterprise Linux 10 as well. This is why we have PQC support in our PGP stuff. -- 真実はいつも一つ!/ Always, there's only one truth!
