1. 17
  1. 2

    I think skeeto have a good point here: Do not ship a policy of how to use the tool along with it. Just ship the tool.

    That is why we see debian creating a temporary GnuPG profile in /tmp for its apt-key, (even though /tmp has 777 permissions!).

    Wrapping GnuPG under yet another layer (of shell script) is all we can do with its titanic code base.

    1. 3

      The only thing I like about GPG is Snowden leaks said it was a nightmare for NSA. All I need to know. From there, simplify it down to just encrypting and decrypting files so its attack surface and usability problems mostly go away. Then, if someone would just wrap it to make that less manual. Naturally, I love the submission. :)

      1. 3

        Snowden has, presumably, not received any more information since he left the NSA several years ago. I would be surprised if it was still a headache for them, but we won’t know until there’s another Snowden to give us more up to date info on their capabilities.

        1. 3

          You would be surprised if the NSA can’t crack well audited implementations of RSA and AES?

          I think you have that backwards. It would be very surprising if they had developed quantum computers or otherwise broken standard algorithms.

          I think probably the NSA makes lots of progress in the margins — they are likely excellent at attacking the laptop you’re using to run GPG.

          1. 2

            You would be surprised if the NSA can’t crack well audited implementations of RSA and AES?

            The comment thread is not about RSA/AES, it’s about GnuGPG. I would not be surprised if they are able to exploit GnuGPG in some meaningful way. The codebase is massive and the attack surface is large.

          2. 1

            That’s true. Thing is, they had a $200+ million budget they had been spending at that point with no success. They always had to use TAO. That’s a group with more limited resources that presumably just hacked folks OS’s, browsers, PDF readers, etc to bypass things like GPG. I think encrypting and decrypting text/zip files probably has similar risk to then.

      2. 2

        Yes please. OpenPGP is best thought as interoperable format for signing and encryption.