| GPG is an ancient bit of tech with numerous problems: * An extremely complex, byzantine packet format with security problems of its own. * Decades of backwards compatibility, which also harms security. * Extreme unfriendliness towards automation. * Way too many features. * Encouragement of bad security practices like extremely long lived keys. * Moribund and flawed ecosystem. Lots of cryptographers agree that PGP has outlived its usefulness and it's time to put it out of its misery. And really there's little need for GPG when package signing can be done more reliably and with less work without it. I was a fan of PGP since the early days, but I agree that at this point it's best to abandon it. |