We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
Uncategorized
3
Posts
2
Posters
0
Views
-
We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
https://www.openwall.com/lists/oss-security/2025/12/29/9
Yes, and actually the only serious bug from their list.
Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.
Can you distinguish between these three explanations?
Could it be all of them are true?
Impact
While this may allow remote code execution (RCE), it definitively causes memory corruption.Good research.
I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.
The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).
-
We should talk about Werner Koch's response https://gpg.fail on the oss-security mailing list.
https://www.openwall.com/lists/oss-security/2025/12/29/9
Yes, and actually the only serious bug from their list.
Koch either didn't watch the talk, he is in such defense of his own ego that he can't see how serious the bugs were, or he's tacitly admitting that PGP is not a serious recommendation.
Can you distinguish between these three explanations?
Could it be all of them are true?
Impact
While this may allow remote code execution (RCE), it definitively causes memory corruption.Good research.
I think this sarcastic quip is what reveals Werner Koch's opinion about the security researchers and their work.
The rest of his email is measured (and partly responding to other mailing list participants rather than the disclosure directly).
I think 2026 should be the year that we make PGP irrelevant.
Not just GnuPG (Koch's implementation), but the entire OpenPGP ecosystem.
Most cryptographers I talk to gave up on PGP over a decade ago.
(After seeing the arrogance and dismissiveness that bled through Koch's oss-security email, who can blame them?)
If you're a country whose government mandates the use of PGP, even in obscure places, let's talk about how to replace PGP.
-
I think 2026 should be the year that we make PGP irrelevant.
Not just GnuPG (Koch's implementation), but the entire OpenPGP ecosystem.
Most cryptographers I talk to gave up on PGP over a decade ago.
(After seeing the arrogance and dismissiveness that bled through Koch's oss-security email, who can blame them?)
If you're a country whose government mandates the use of PGP, even in obscure places, let's talk about how to replace PGP.
@soatok
Since OS repositories rely on gpg for validating package signatures I took the liberty to forward the talk to my support contact at SUSE. He called me half an hour later stating that he's half through the talk and had already forwarded it to their internal security maillist because it's like a bad car accident you know you shouldn't stare at but you just can't stop watching... and I'm pretty sure Red Hat is watching, too. -
undefined oblomov@sociale.network shared this topic on
Feed RSS
Gli ultimi otto messaggi ricevuti dalla Federazione
-
I have NO sympathy for #authoritarianRegimes, NOR with #regimeChange.
If you've legit access to #RestrictedInformationabout Italy's possible involvement in a U.S. attack on #Iran, through our military bases, please share it SAFELY HERE:
-
@ClayAdventuresontheShelf
Un momentaccio oggi , eeeeeehh
-
Premesso:NON simpatizzo assolutamente con nessun regime,ma neppure con regime change
Invito chiunque abbia informazioni ristrette su eventuale coinvolgimento Italia in attacco all'#Iran,attraverso nostre basi militari,a condividerle in modo sicuro QUI:
-
#Iran,#Venezuela,#Gaza,#Ucraina. Abbiamo dovere lavorare su gravissima situazione internazionale,ma senza mai abbandonare ultimi e penultimi in Italia: un lavoratore è morto dal freddo e quasi 2,4 milioni di famiglie non possono permettersi riscaldamento
-
-
@esilvia
Mi sta venendo il dubbio che non sia l'ennesimo amichetto dei piani alti...
-
@pfefferle @liaizon Then I’ll do it in my spare time. Thanks 😊
-
✨ 28 anni di Xena: La Principessa Guerriera su Italia 1! ✨
Il 12 gennaio 1998, il grido di battaglia di Xena ha risuonato per la prima volta sui nostri schermi italiani, portando avventura, forza e amicizia nelle nostre case. Oggi celebriamo 28 anni di coraggio, epiche battaglie e l'indimenticabile duo formato da Xena e Olimpia!
