We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
Uncategorized
3
Posts
2
Posters
0
Views
-
We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
https://www.openwall.com/lists/oss-security/2025/12/29/9
Yes, and actually the only serious bug from their list.
Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.
Can you distinguish between these three explanations?
Could it be all of them are true?
Impact
While this may allow remote code execution (RCE), it definitively causes memory corruption.Good research.
I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.
The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).
-
We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
https://www.openwall.com/lists/oss-security/2025/12/29/9
Yes, and actually the only serious bug from their list.
Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.
Can you distinguish between these three explanations?
Could it be all of them are true?
Impact
While this may allow remote code execution (RCE), it definitively causes memory corruption.Good research.
I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.
The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).
I think 2026 should be the year that we make PGP irrelevant.
Not just GnuPG (Koch's implementation), but the entire OpenPGP ecosystem.
Most cryptographers I talk to gave up on PGP over a decade ago.
(After seeing the arrogance and dismissiveness that bled through Koch's oss-security email, who can blame them?)
If you're a country whose government mandates the use of PGP, even in obscure places, let's talk about how to replace PGP.
-
I think 2026 should be the year that we make PGP irrelevant.
Not just GnuPG (Koch's implementation), but the entire OpenPGP ecosystem.
Most cryptographers I talk to gave up on PGP over a decade ago.
(After seeing the arrogance and dismissiveness that bled through Koch's oss-security email, who can blame them?)
If you're a country whose government mandates the use of PGP, even in obscure places, let's talk about how to replace PGP.
@soatok
Since OS repositories rely on gpg for validating package signatures I took the liberty to forward the talk to my support contact at SUSE. He called me half an hour later stating that he's half through the talk and had already forwarded it to their internal security maillist because it's like a bad car accident you know you shouldn't stare at but you just can't stop watching... and I'm pretty sure Red Hat is watching, too. -
undefined oblomov@sociale.network shared this topic on
Feed RSS
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@macfranc @lauramassera @eticadigitale beh, attenzione perché la Apple deve assolutamente garantire (quasi per contratto) ai suoi clienti la privacy e la protezione dei loro dati. Tanto da avvisare loro stessi diversi clienti che nemmeno si erano accorti di aver subito intrusioni e controlli attivi sui propri dispositivi offrendo persino assistenza legale. Difendono semplicemente il loro "feudo" dando protezione (finché conviene) ai loro protetti che continuano semplicemente a consumare gadget e giochini digitali. Della libertà e della privacy in sé non gliene importa nulla a nessuno, né a chi si lascia possedere né tantomeno alle grandi aziende come Apple.
-
Lavoratore muore per il freddo nei cantieri delle olimpiadi a cortina. “lo specchio del lavoro tossico e nocivo dei grandi eventi”
@anarchia
È morto per il freddo all’età di 55 anni Pietro Zantonini, originario di Brindisi, durante un turno di vigilanza notturna nel cantiere delle olimpiadi Milano-Cortina.
-
@lauramassera Hai assolutamente ragione, ma diciamo anche che nel 2025 è impossibile non riconoscere che la malvagità antisociale è il tratto distintivo di quelle Big Tech che spesso si presentavano eticamente candide.
L'unica eccezione è probabilmente quella di Apple che effettivamente ha deciso, sia anche solo per questioni di marketing e narrativa aziendale, di opporsi alle nuove tendenze del cattivismo trumpiano
-
@mattwiebe.blog what a journey!
I’m really impressed by your plans... I don’t think I’d ever have enough courage to pull something like that off. I hope I’ll get the chance to try your pizza someday!
Would be a great reason to visit Mexico 🙂
...and thanks for all your work on the ActivityPub plugin, I really miss your contributions ❤️
-
@OpenSoul era quello che mi stavo chiedendo anch'io. Il guaio è che è difficile fare una discussione seria, perché la maggior parte dei commenti che si leggono sono a tesi...
-
@stefano I think, it had been like this for a while. Sites for lots of more or less big projects, especially if they have paid version of a product, are marketing and buzzwords. That why I usually go straight to Documentation->How to get started for some simple overview and examples.
Looks like they just added those AI buttons without changing a site much.
-
The Mechanically Perfect Lie
A loud noise outside my window brings back a memory from 2002. The night I truly could have died.
https://my-notes.dragas.net/2026/01/11/the-mechanically-perfect-lie/
-
La battaglia per la libertà cognitiva nell'era dell'intelligenza artificiale aziendale
La libertà di pensiero non è solo uno scudo contro le intrusioni, è il terreno su cui costruiamo tutto il resto: il diritto di esprimersi, dissentire, credere, imparare, amare. Richiede sia libertà negative (da manipolazione, sorveglianza, coercizione) sia positive (di immaginare alternative, di cercare la verità, di plasmare le nostre opinioni e preferenze).
https://www.techpolicy.press/the-battle-for-cognitive-liberty-in-the-age-of-corporate-ai/
