We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
Uncategorized
3
Posts
2
Posters
0
Views
-
We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
https://www.openwall.com/lists/oss-security/2025/12/29/9
Yes, and actually the only serious bug from their list.
Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.
Can you distinguish between these three explanations?
Could it be all of them are true?
Impact
While this may allow remote code execution (RCE), it definitively causes memory corruption.Good research.
I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.
The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).
-
We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
https://www.openwall.com/lists/oss-security/2025/12/29/9
Yes, and actually the only serious bug from their list.
Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.
Can you distinguish between these three explanations?
Could it be all of them are true?
Impact
While this may allow remote code execution (RCE), it definitively causes memory corruption.Good research.
I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.
The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).
I think 2026 should be the year that we make PGP irrelevant.
Not just GnuPG (Koch's implementation), but the entire OpenPGP ecosystem.
Most cryptographers I talk to gave up on PGP over a decade ago.
(After seeing the arrogance and dismissiveness that bled through Koch's oss-security email, who can blame them?)
If you're a country whose government mandates the use of PGP, even in obscure places, let's talk about how to replace PGP.
-
I think 2026 should be the year that we make PGP irrelevant.
Not just GnuPG (Koch's implementation), but the entire OpenPGP ecosystem.
Most cryptographers I talk to gave up on PGP over a decade ago.
(After seeing the arrogance and dismissiveness that bled through Koch's oss-security email, who can blame them?)
If you're a country whose government mandates the use of PGP, even in obscure places, let's talk about how to replace PGP.
@soatok
Since OS repositories rely on gpg for validating package signatures I took the liberty to forward the talk to my support contact at SUSE. He called me half an hour later stating that he's half through the talk and had already forwarded it to their internal security maillist because it's like a bad car accident you know you shouldn't stare at but you just can't stop watching... and I'm pretty sure Red Hat is watching, too. -
undefined oblomov@sociale.network shared this topic on
Feed RSS
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@lauramassera Hai assolutamente ragione, ma diciamo anche che nel 2025 è impossibile non riconoscere che la malvagità antisociale è il tratto distintivo di quelle Big Tech che spesso si presentavano eticamente candide.
L'unica eccezione è probabilmente quella di Apple che effettivamente ha deciso, sia anche solo per questioni di marketing e narrativa aziendale, di opporsi alle nuove tendenze del cattivismo trumpiano
-
@mattwiebe.blog what a journey!
I’m really impressed by your plans... I don’t think I’d ever have enough courage to pull something like that off. I hope I’ll get the chance to try your pizza someday!
Would be a great reason to visit Mexico 🙂
...and thanks for all your work on the ActivityPub plugin, I really miss your contributions ❤️
-
@OpenSoul era quello che mi stavo chiedendo anch'io. Il guaio è che è difficile fare una discussione seria, perché la maggior parte dei commenti che si leggono sono a tesi...
-
@stefano I think, it had been like this for a while. Sites for lots of more or less big projects, especially if they have paid version of a product, are marketing and buzzwords. That why I usually go straight to Documentation->How to get started for some simple overview and examples.
Looks like they just added those AI buttons without changing a site much.
-
The Mechanically Perfect Lie
A loud noise outside my window brings back a memory from 2002. The night I truly could have died.
https://my-notes.dragas.net/2026/01/11/the-mechanically-perfect-lie/
-
La battaglia per la libertà cognitiva nell'era dell'intelligenza artificiale aziendale
La libertà di pensiero non è solo uno scudo contro le intrusioni, è il terreno su cui costruiamo tutto il resto: il diritto di esprimersi, dissentire, credere, imparare, amare. Richiede sia libertà negative (da manipolazione, sorveglianza, coercizione) sia positive (di immaginare alternative, di cercare la verità, di plasmare le nostre opinioni e preferenze).
https://www.techpolicy.press/the-battle-for-cognitive-liberty-in-the-age-of-corporate-ai/
-
@Elizafox when I first saw the original post, I snickered*, but thought it wasn't worth boosting. Then I saw it a second time because of Mastodon timeline reset shenaningans, I snickered again, but this time I boosted it, because I felt that something that could make me snicker two times in a row was definitely worth boosting.
(* not sure if this is the right word?)
-
@NocturneGames https://arxiv.org/abs/2504.17033 here's the paper for the algorithm, i didn't spot a link to it in the article
