On Fri, Jan 2, 2026 at 4:53 AM Jakub Jelen <[email protected]> wrote:
>
> We are keeping the Fedora version of GnuPG on the 2.4 branch as said above
> intentionally. The 2.5 started as mostly an experiment implementing the LibrePGP
> standard, which is not compatible with anything else (IETF's OpenPGP) and
> would likely result in users shooting themselves in the foot. I also
> synced a couple of patches over the last years with the FreePG project, which is
> trying to maintain the version 2.4 in a compatible manner:
>
> https://gitlab.com/freepg/gnupg
>
> Updating to 2.5 would result in new users generating incompatible LibrePGP
> keys, which I do not think is a good idea to do now for all Fedora users. I
> am hoping we will have some better solution by the time the 2.4 version
> reaches EOL, but I cannot anticipate what it is going to be.
>

This is a huge problem. Right now, the critical path packages (the RPM stack) use Sequoia-PGP, which doesn't support the incompatible LibrePGP specification (it implements the IETF OpenPGP standard instead) while GnuPG and RNP (both in Fedora and actively used) only support LibrePGP and refuse to implement the IETF OpenPGP standard.

People generally create and manage their PGP keys with GnuPG right now, and we can't hold off on upgrading to GnuPG 2.5 forever if people need to be using it as the primary method of interacting with PGP keys. Fabio and I were discussing this in Matrix earlier this week, and I think this is a problem that's only going to continue to get worse.

This situation might be bad enough that we need to consider discussing with upstream (hi other Neal!) a true plan to be able to replace all the GnuPG interfaces with Sequoia-PGP's Chameleon, including the GnuPG Agent process.

Of course, it's not just the incompatible PGP specs, it's also that Sequoia-PGP supports newer algorithms too. PQC-based signing for RPMs is done through rpm-sequoia. This splinter based on accepted features and specifications is going to lead to more pain like this down the road.

So, what *should* we do, and what *can* we do?

-- 
真実はいつも一つ!/ Always, there's only one truth!
