[tptacek]

They would not; you're either drastically underestimating the number of messages modern secure messengers handle, or overestimating the number of packages verified every day. But PGP is also an archaic way to sign packages, and there is no network effect to package signature schemes; all of them can, and should, be replaced with modern schemes like minisign/signify.

[ifmpx]

Our disagreement here is on your claim that PGP has virtually no adoption. I brought up the monstrous amount of packages that get verified by CI/containers/OSs as an example where PGP is widely adopted. No one is claiming that dedicated tools can't do the job better.

People use PGP because it is standard, widely-adopted, and does what people need it to do. From where I'm standing, people who argue against these three facts are underestimating PGP or overestimating their own favored solutions.

[tptacek]

No, people use PGP because at the times these systems were designed, there weren't better options; in some cases, there literally wasn't materially better cryptography, and in others, the better cryptography wasn't suitably enabled by good libraries. None of that is true anymore, nobody should be using the archaic PGP format for anything new, and, in most cases, people should be investigating how to replace PGP with modern alternatives.

[ifmpx]

This discussion was about your false assertion that PGP "has virtually no adoption".

If you want to change our discussion to be about replacing PGP instead, then I completely agree that people should replace PGP with modern properly-standardized alternatives if such exist.

[pvg]

Fundamentally, the discussion is about your (and others') claims that PGP is some key part of security infrastructure and that its wide adoption and importance in such infrastructure shows that. It probably got a little stuck on broad terms like 'adoption' and 'standard' instead of looking more specifically at the type of use you're holding up as an example.

Here's what happens in the super-common, basic case of 'installing a third party (i.e. not from the distro repos) package on some debiansy Linux':

You access the the developer's webpage (via a browser and https) and read the installation instructions. They tell you to curl in (over https) some pgp key and some (https) endpoints for finding and downloading the package.

You apt-whatever and the package is installed.

The PGP part of this can be replaced with NOPs and this is no less secure. All the heavy lifting here is done elsewhere using infrastructure that actually has wide adoption and standardization and does useful things.

[aborsy]

If a modern alternative existed, it would have been invented.

Email is hard to secure for obvious reasons. The PGP itself is fine, even though it could be updated.