Take it as a ranty blog interspaced with some furry art.
You can just ignore the furry art if it’s not your style because helpfully all of the important content is in the text.
Soatok links to the same Latacora blog on the first line and says that they’re only really going to reword what’s said there.
I’m not here to litigate the demerits of PGP. The Latacora article I linked above makes the same arguments I would make today, and is a more entertaining read.
PGP/GPG maintainers have had many years to fix the problems that have been identified but they haven’t. Is it safe when used “properly”? Yes! It’s absolutely safe when used properly but the problem is it’s hard to use full stop.
I’m not saying modern solutions are perfect, because they’re not but the alternates that Latacora ( and Soatok ) suggest are better. Do you want to encrypt a file? Use age. Use minisign/signify for signing. They do do one thing and do it well. Signal is easy to use and sorts all of the key management for you. Most people don’t know what a private key is. They just know they want encrypted messaging because of the NSA or Snowden or whatever his name was on the news, they can’t remember and they don’t really care.
PGP has legitimate use cases but the vast majority of people don’t have those cases and should just use Signal. Signal and the Signal protocol is the centralised tool you’re looking for.
Can signify and minisign integrate with git for commit signing? Would anyone be able to verify it with a glance in web ui like it works right now ootb with gpg and every git forge? Which one supports working with fido keys? Which one for e-mail encryption? (That’s law requierement around here for some types of jobs jUsT UsE sIgNaL won’t work and signal breaks every month because you didn’t update it frequently enough for no reason?)
Take it as a ranty blog interspaced with some furry art.
You can just ignore the furry art if it’s not your style because helpfully all of the important content is in the text.
Soatok links to the same Latacora blog on the first line and says that they’re only really going to reword what’s said there.
PGP/GPG maintainers have had many years to fix the problems that have been identified but they haven’t. Is it safe when used “properly”? Yes! It’s absolutely safe when used properly but the problem is it’s hard to use full stop.
I’m not saying modern solutions are perfect, because they’re not but the alternates that Latacora ( and Soatok ) suggest are better. Do you want to encrypt a file? Use age. Use minisign/signify for signing. They do do one thing and do it well. Signal is easy to use and sorts all of the key management for you. Most people don’t know what a private key is. They just know they want encrypted messaging because of the NSA or Snowden or whatever his name was on the news, they can’t remember and they don’t really care.
PGP has legitimate use cases but the vast majority of people don’t have those cases and should just use Signal. Signal and the Signal protocol is the centralised tool you’re looking for.
Can signify and minisign integrate with git for commit signing? Would anyone be able to verify it with a glance in web ui like it works right now ootb with gpg and every git forge? Which one supports working with fido keys? Which one for e-mail encryption? (That’s law requierement around here for some types of jobs jUsT UsE sIgNaL won’t work and signal breaks every month because you didn’t update it frequently enough for no reason?)