Dear Julian, thank you very much for your fast response.
On Sun, 02 Nov 2025 18:55:10 +0100 Julian Andres Klode <[email protected]> wrote:
> Thank you for your bug report.
>
> Unfortunately GnuPG has decided to abandon the OpenPGP standard and is
> therefore being phased out as it's no longer compatible with standards
> compliant implementations.

I fully support relying on standards, but could you point out examples, please? How can it be that GnuPG supported a standard for decades and then suddenly abandoned it? As far as I can tell GnuPG has compliance options which allow it to operate in compliance with the OpenPGP standard/RFCs or even ancient PGP implementations.

https://www.gnupg.org/documentation/manuals/gnupg-devel/Compliance-Options.html

Do these not work for APT?

> This means some repositories simply might not work with it anymore.

At this point, actually, quite the opposite seems to be true. sqv is having problems working with existing repositories, e.g. from just a very brief web search:

https://lists.debian.org/deity/2025/03/msg00008.html
https://github.com/flacon/flacon/issues/242
https://github.com/go-gitea/gitea/issues/33400

> It also does not implement safe coding practices, leading to command line
> options that are silently ignored in some cases because they were only meant
> to be used in some special modes, for example.
>
> GnuPG also does not implement a safe interface for clients to verify files
> against. It returns successful exit codes for failed verifications, failing
> exit codes for successful verifications, and as a result requires parsing a
> very complex status fd protocol that is very easy to get wrong and I'm sure
> we still have bugs lurking there.
>
> On the other side, sqv implements the OpenPGP standard, implements safe
> coding practices, and sensible default choices, allowing us to simply rely on
> it's exit status to be correct.
>
> I hope you understand that given the startling security properties of GnuPG
> and their desire to abandon the common standard leaves us little choice.
When you are making accusations at GnuPG I think it's fair to also hear their opinion on this apparent GnuPG vs Sequoia fight going on:

https://gnupg.org/blog/20250117-aheinecke-on-sequoia.html

I think Andre does have some valid points. I cannot follow how you come to the conclusion that GnuPG does not have safe coding practices? Checking the CVEs I tend to conclude otherwise. Whereas Sequoia, being written in Rust, has had three CVEs in the last two years. If there are issues with the GnuPG interface, I'm pretty sure those could've been worked out together with GnuPG.

In any case, gpgv is still supported by APT and even pre-installed on all architectures. But it will receive a lot less testing now, because for mere mortals it's almost impossible to use it. Its use is restricted to users of niche ports which by definition get less testing.

To me the whole situation leaves the impression that Debian (or Ubuntu?) unfortunately thinks it has to impose its will on users. Fixing something which isn't broken. When there are different groups who cannot agree on things, I would've preferred that APT supports them all and the user can pick which one they prefer; Debian picking a sensible default and/or leaving existing systems function as they have been.

Regards,
Dennis
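The status-fd parsing that the quoted reply describes (deciding a verification result from GnuPG's `[GNUPG:]` status lines rather than from its exit code) is illustrated by the following added example; it is not code from this thread, from APT, or from GnuPG. The acceptance policy, the fingerprint allowlist and the sample status output are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed placeholder allowlist of primary-key fingerprints (hypothetical value).
TRUSTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Status keywords that mark a signature as unusable regardless of the process exit code.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY", "NODATA"}

@dataclass
class Verdict:
    good_fprs: list = field(default_factory=list)
    failures: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        # Constructed policy: at least one trusted good signature and no failure line at all.
        return bool(self.good_fprs) and not self.failures

def parse_status_fd(text: str, trusted=TRUSTED_FPRS) -> Verdict:
    """Decide acceptance purely from --status-fd output, never from the exit code.

    GnuPG emits GOODSIG (short key id) followed by VALIDSIG, and only VALIDSIG carries
    full fingerprints: field 2 is the signing-key fingerprint, field 11 (when present)
    the primary-key fingerprint. A GOODSIG whose key is not on the allowlist is rejected.
    """
    verdict = Verdict()
    pending_goodsig = False
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary stderr chatter is not part of the protocol
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            pending_goodsig = True
        elif keyword == "VALIDSIG":
            fpr = fields[11] if len(fields) > 11 else fields[2]
            if pending_goodsig and fpr in trusted:
                verdict.good_fprs.append(fpr)
            else:
                verdict.failures.append(f"untrusted or unpaired VALIDSIG {fpr}")
            pending_goodsig = False
        elif keyword in FAILURE_KEYWORDS:
            verdict.failures.append(line)
            pending_goodsig = False
    return verdict

# Constructed sample status-fd output (not captured from a real run).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Key <test@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-11-02 1762106110 0 4 0 1 8 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Key <test@example.invalid>\n"
SAMPLE_UNTRUSTED = SAMPLE_GOOD.replace("0123456789ABCDEF0123456789ABCDEF01234567", "FFFF" * 10)
```

Feeding the same parser the output of `gpgv --status-fd 1` shows why the exit code alone is not a sufficient signal: the verdict depends on which status lines appear and on the key allowlist.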

