by tptacek 2106 days ago
No, people use PGP because at the times these systems were designed, there weren't better options; in some cases, there literally wasn't materially better cryptography, and in others, the better cryptography wasn't suitably enabled by good libraries. None of that is true anymore, nobody should be using the archaic PGP format for anything new, and, in most cases, people should be investigating how to replace PGP with modern alternatives.

This discussion was about your false assertion that PGP "has virtually no adoption".

If you want to change our discussion to be about replacing PGP instead, then I completely agree that people should replace PGP with modern properly-standardized alternatives if such exist.

Fundamentally, the discussion is about your (and others') claims that PGP is some key part of security infrastructure and that its wide adoption and importance in such infrastructure shows that. It probably got a little stuck on broad terms like 'adoption' and 'standard' instead of looking more specifically at the type of use you're holding up as an example.

Here's what happens in the super-common, basic case of 'installing a third party (i.e. not from the distro repos) package on some debiansy Linux':

You access the developer's webpage (via a browser and https) and read the installation instructions. They tell you to curl in (over https) some pgp key and some (https) endpoints for finding and downloading the package.

You apt-whatever and the package is installed.

The PGP part of this can be replaced with NOPs and this is no less secure. All the heavy lifting here is done elsewhere using infrastructure that actually has wide adoption and standardization and does useful things.
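The "curl a key, then apt install" procedure described in the comment above, written out as an added example that is not from the thread; the vendor URLs, keyring path, suite name and fingerprint are assumptions or placeholders. It shows where the key enters the chain (apt later checks the repository's signed Release file against the keyring named in Signed-By) and the fingerprint check that is the only part of the key step not already covered by the https download.

```shell
#!/bin/sh
# Added example (not from the thread): third-party apt repo setup with the
# PGP key pinned by fingerprint and scoped to one repository via Signed-By.
set -eu

KEY_URL="https://example.invalid/repo/archive-key.asc"   # assumed vendor URL
REPO_URL="https://example.invalid/repo"                   # assumed repo URL
KEYRING="/usr/share/keyrings/example-archive-keyring.gpg" # assumed path
SUITE="bookworm"                                          # assumed suite
# Placeholder: a real fingerprint would be taken from the vendor's docs over
# a second channel, not from the same page that served the key.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Normalise a fingerprint (strip spaces, uppercase) and compare to expected;
# an empty "got" (gpg found no key) never matches.
fingerprint_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# Primary-key fingerprint of an armoured or binary key file (needs gpg).
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# deb822 sources entry that trusts only this keyring for this repository.
sources_entry() {
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$1" "$2" "$3" "$4"
}

add_third_party_repo() {
    tmp=$(mktemp)
    curl -fsSL "$KEY_URL" -o "$tmp"
    if ! fingerprint_matches "$EXPECTED_FPR" "$(key_fingerprint "$tmp")"; then
        echo "key fingerprint mismatch; not installing it" >&2
        rm -f "$tmp"; return 1
    fi
    gpg --batch --dearmor -o "$KEYRING" "$tmp"; rm -f "$tmp"
    sources_entry "$REPO_URL" "$SUITE" main "$KEYRING" \
        > /etc/apt/sources.list.d/example.sources
    apt-get update && apt-get install -y example-package   # assumed name
}

if [ "${1:-}" = "run" ]; then add_third_party_repo; fi
```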

If a modern alternative existed, it would have been invented.

Email is hard to secure for obvious reasons. The PGP itself is fine, even though it could be updated.