Hi! Daniel thanks for all your work on the OpenPGP working group, and on SOP! :)
On Wed, 2023-12-20 at 22:16:28 -0500, Daniel Kahn Gillmor wrote: > # What Can Debian Do About This? > > I've attempted to chart one possible path out of part of this situation > by proposing a minimized, simplified interface to some common baseline > OpenPGP semantics -- in particular, the "Stateless OpenPGP" interface, > or "sop", as documented here: > > https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/ > If your part of Debian's infrastructure depends on GnuPG, consider > making it depend on a sop implementation instead, so we don't end up > stuck on a single OpenPGP implementation in the future. If the sop > semantics are insufficient for your purposes, please report your needs > at https://gitlab.com/dkg/openpgp-stateless-cli ! I think this is the way to go, and to try to support that goal I started a wiki page to track what might need to be switched: https://gitlab.com/dkg/openpgp-stateless-cli/-/wikis/Stateless-OpenPGP-status I listed there some potential issues I could come up with for such migrations. Also at the time, something that felt like a soft blocker was that the schism was not widely known, so having to give that full context first for every contacted project seemed a bit awkward, which now should be out of the way, and a reference to some of the published articles should be enough. Time and energy permitting, I'd like to start at least filing issues for these projects, and ideally provide patches. Help with any of that would be highly appreciated! Including how to best integrate SOP into a distribution (I'll be updating one of the tickets for a potentially better «alternatives» usage pattern). Also if a project uses perl, and using the Dpkg::OpenPGP modules would make sense there, please reach out so that we can see what might be missing so that they can be stabilized to make them public interfaces. Thanks, Guillem