
"Staggeringly complex"

Posted Jan 22, 2026 9:57 UTC (Thu) by hailfinger (subscriber, #76962)
Parent article: Responses to gpg.fail

One thing which is a bit counter-intuitive is that GnuPG had a much longer time to mature than the other OpenPGP implementations, but it still has the majority of the bugs found here.

Possible explanations:
- GnuPG had more bugs to begin with
- The other implementations chose a language less prone to bugs (but most of the bugs here seem to be logic bugs)
- The other implementations are easier to understand and their code is easier to read
- GnuPG was mostly implemented before people knew how to do secure programming
- The other implementations make it easier to contribute fixes or refactoring

None of the explanation attempts above are particularly reassuring.
I prefer running battle-tested code, but here apparently the length of the battle-testing didn't matter as much as the overall code quality. If that means most GnuPG usage should be replaced by less error-prone implementations, maybe following the lead of Debian is a good idea. https://wiki.debian.org/OpenPGP/Sequoia https://lwn.net/Articles/1017315/



"Staggeringly complex"

Posted Jan 22, 2026 12:16 UTC (Thu) by kevincox (subscriber, #93938)

Another very possible explanation is that GnuPG is the most notable implementation so that was the main focus of the researchers. When they found an issue that worked against GnuPG they mostly tried that issue and minor variations against the other implementations, or otherwise just spent less time focusing on them.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds