Usability of OpenSSL vs GNUPG
Robert J. Hansen
rjh at sixdemonbag.org
Tue Dec 17 15:55:21 CET 2019
> Having such experiences more than once reduced trust and sympathy
> for GnuPG, thus also willingness to contribute to testing or
> development. But maybe just my expectations of GnuPG as open
> source software are wrong and my limited communication skills
> do not allow me to sort it out in a more positive manner.

One of my repeated complaints about GnuPG is that nobody can agree on
what it is. Is it a toolkit for building bespoke cryptographic
solutions? Is it an RFC4880 implementation meant for end-users? Is it
an RFC4880 implementation meant for MUAs? Is it...

A lot of the things you're (rightly, I think) criticizing are the result
of this clouded vision of what GnuPG is meant to do. In the course of
trying to be all things to all people it's occasionally being very

You're using it as a toolkit for bespoke solutions. You want your tools
to work consistently across versions.

Other people are using it as an end-user tool. They want the end-user
experience to be continuously refined.

This leads to things like gpg-agent ignoring s2k iteration counts in
order to give a positive end-user experience, at the risk of frustrating
people who are wondering why their bespoke solutions with custom s2k
iteration counts no longer work.