Question on Integrity of Sequoia-PGP Developers
Matt Borja
me at mattborja.dev
Thu Sep 11 05:54:44 CEST 2025
Hi there,
I recently had to prepare slides for a talk on Web of Trust for a local group and one of the introductory points was having them understand the difference between OpenPGP and GnuPG: one is the standard, the other is the implementation.
While I don’t know the whole backstory to what is going on with Sequoia-PGP, I can say that when it comes to things like this, my recommendation will always default to staying truest to form (or standard). This implies a bias towards products with longevity and reputation in the field that follow a reasonable cadence of continuous improvement.
So, I have no problem continuing to recommend GnuPG to my clients and peers for the simple fact that it implements the standard, fulfills the purpose of upholding supply chain security, and has a reputable history. But we also have to remember that it’s ultimately the standard we’re most concerned with and need to be conformed to, not a specific implementation.
Matt
On Wed, Sep 10, 2025 at 19:39, Tanveer Salim via Gnupg-devel <gnupg-devel at gnupg.org> wrote:
> Hello,
>
> I am now aware there has been a split between the GNUPG and Sequoia-PGP developers.
>
> I read Andre's post here: https://www.gnupg.org/blog/20250117-aheinecke-on-sequoia.html
>
> When I discussed the Sequoia-PGP developers' motivations for what they did, they said it was for technical reasons, which are described here, as explained by Neal in an email he sent me:
>
> https://archive.fosdem.org/2024/schedule/event/fosdem-2024-3297-sequoia-pgp-rethinking-openpgp-tooling/
>
> Apparently they wanted GNUPG to be more secure, robust, and usable in a way the GNUPG developers did not agree with.
>
> It seems there is a disagreement between GNUPG and Sequoia-PGP about the security of GNUPG. GNUPG claims making the changes the Sequoia-PGP developers wanted would risk people's safety in using it--especially the crypto-refresh.
>
> Despite GNUPG's disagreements, Phil Zimmermann, Micheal Rysiek-Wozniak (former GNUPG endorser), and Debian are now using Sequoia-PGP.
>
> Why would these people side with Sequoia-PGP despite the GNUPG team's reservations?
>
> What I am confused about is whether I can trust my privacy with the Sequoia developers.
>
> Whether we like it or not, Sequoia-PGP is used by Debian, SecureDrop, and even journalists such as Rysiek. These people / organizations do have a major influence in how security and privacy is practiced by important people such as software developers (Debian) and journalists / whistleblowers (Rysiek).
>
> What do the GNUPG developers think of this change in direction in the community?
>
> I still use GNUPG to protect my privacy when communicating with my friends and family. I have no plans to change that, but I cannot help but wonder how this shift to Sequoia-PGP will affect my ability to keep using PGP.
>
> I thank the GNUPG developers in advance for any responses.
>
> Best,
> Tanveer Salim
>
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-devel