Usability of OpenSSL vs GNUPG

Robert J. Hansen rjh at
Tue Dec 17 15:55:21 CET 2019

> Having such experiences more than once reduced trust and sympathy
> for GnuPG, thus also willingness to contribute to testing or
> development. But maybe just my expectations of GnuPG as open
> source software are wrong and my limited communication skills
> do not allow me to sort it out in a more positive manner.

One of my repeated complaints about GnuPG is that nobody can agree on 
what it is.  Is it a toolkit for building bespoke cryptographic 
solutions?  Is it an RFC4880 implementation meant for end-users?  Is it 
an RFC4880 implementation meant for MUAs?  Is it...

A lot of the things you're (rightly, I think) criticizing are the result 
of this clouded vision of what GnuPG is meant to do.  In the course of 
trying to be all things to all people it's occasionally being very 

You're using it as a toolkit for bespoke solutions.  You want your tools 
to work consistently across versions.

Other people are using it as an end-user tool.  They want the end-user 
experience to be continuously refined.

This leads to things like gpg-agent ignoring s2k iteration counts in 
order to give a positive end-user experience, at the risk of frustrating 
people who are wondering why their bespoke solutions with custom s2k 
iteration counts no longer work.

More information about the Gnupg-users mailing list