Question on Integrity of Sequoia-PGP Developers
Tanveer Salim
gnupg at securecryptohub.com
Thu Sep 11 04:37:03 CEST 2025
Hello,
I am now aware there has been a split between the GNUPG and Sequoia-PGP developers.
I read Andre's post here: https://www.gnupg.org/blog/20250117-aheinecke-on-sequoia.html
When I discussed the Sequoia-PGP developers' motivations for what they did, they said
it was for technical reasons, which are described here, as explained by Neal in an email he sent me:
https://archive.fosdem.org/2024/schedule/event/fosdem-2024-3297-sequoia-pgp-rethinking-openpgp-tooling/
Apparently they wanted GNUPG to be more secure, robust, and usable in a way the GNUPG
developers did not agree with.
It seems there is a disagreement between GNUPG and Sequoia-PGP about the security
of GNUPG. GNUPG claims making the changes the Sequoia-PGP developers wanted would
risk people's safety in using it--especially the crypto-refresh.
Despite GNUPG's disagreements, Phil Zimmermann, Micheal Rysiek-Wozniak (former GNUPG
endorser), and Debian are now using Sequoia-PGP.
Why would these people side with Sequoia-PGP despite the GNUPG team's reservations?
What I am confused about is whether I can trust my privacy with the Sequoia Developers.
Whether we like it or not, Sequoia-PGP is used by Debian, SecureDrop, and even journalists
such as Rysiek. These people/organizations do have a major influence on how security
and privacy are practiced by important people such as software developers (Debian) and
journalists/whistleblowers (Rysiek).
What do the GNUPG developers think of this change in direction in the community?
I still use GNUPG to protect my privacy when communicating with my friends and family. I have
no plans to change that, but I cannot help but wonder how this shift to Sequoia-PGP will affect
my ability to keep using PGP.
I thank the GNUPG developers in advance for any responses.
Best,
Tanveer Salim