What do LLMs mean for GnuPG?

Jacob Bachmeyer jcb62281 at gmail.com
Mon Mar 30 06:36:56 CEST 2026


On 3/29/26 22:28, Robert J. Hansen via Gnupg-users wrote:
> I am not a GnuPG developer. I am, at best, some sort of semiofficial 
> GnuPG mascot. Please don't mistake this for anything official. :)
>
> I've heard a lot of people talking about the advent of LLM-assisted 
> coding. There seem to be as many ways to approach this as there are 
> individual developers. I've read a great number of whitepapers on this 
> (and have talked with some genuine Ph.Ds in artificial intelligence: 
> thanks, Dr. Ezra Sidran of Riverview AI) and recently had cause to put 
> them to the test for a piece of code that needed to be, if not 
> bulletproof, hardened. From this, we can hopefully learn some lessons 
> about LLMs in security-sensitive code.
>
> Werner and the rest of g10 Code can (and will!) do what they want, of 
> course. I'm talking about my experiences only and what, based on those 
> experiences, I imagine g10 Code would consider reasonable. If you have 
> strong thoughts on the matter, here is the thread to comment on.
>
> 1. SO WHERE DO WE BEGIN?
>
> I needed to change my UNIX password.
>
> As I've done for the last quarter-century (yes, I'm old), I broke out 
> Ted Ts'o's excellent pwgen tool. One invocation of 'pwgen -s 8 1' 
> later and I had a new password. Bam, eight random characters, I'm done.
>
> [...]
>
> pwgen is a good tool. It also deserves new eyes and maybe an overhaul. 
> So I decided to use it as an excuse to teach myself Rust.
>
> [...]
>
> [...] there are significantly fewer points by which sensitive memory 
> can be returned to the system in a non-zeroed state, [...]

This is a red herring on all modern systems, given the overall 
architecture of this tool.  The entire process virtual space will be 
wiped when the process exits, and the kernel is responsible for zeroing 
*every* physical page before reassigning it to another virtual space.

The generator state may be gone, but the generated passwords are still 
sitting wherever you put them; your terminal emulator and window system 
are very unlikely to take the same precautions as your password 
generator, for example.  The generator would never be further used 
anyway, but the output is the actual valuable data.

Put simply, for a "one-shot" tool that uses only a short-lived process, 
there is no need to be concerned about this issue.  There *are* good 
reasons for these concerns in long-running processes or modules linked 
into larger programs, but not for a tool this simple.

>
> 7. SO WHAT'S THE UPSHOT FOR GNUPG?
>
> Well, based on my experience with Claude so far, here's what I suspect 
> about the future of GnuPG development:
>
> * At some point LLMs will be used as part of GnuPG development. Used 
> wisely, they offer real gains.
>
> * I am very much opposed to letting LLMs write even one line of code 
> in GnuPG.

I very strongly agree on this point.  This policy also avoids the 
potential copyright quagmires.  (Which are extra "fun" because different 
jurisdictions have different rules...)

> * If you have any strong feelings about whether GnuPG development 
> should embrace LLMs, and if so then how it should embrace them, the 
> time to speak up is now. Sooner or later, and I'm betting on sooner, 
> GnuPG will need to decide its LLM strategy, and it would be best if we 
> all had a discussion about them before the decision needed to be made.

You can use them to navigate, you can use them to analyze, but 
absolutely do not put code from an LLM into anything important!


I do not have the citation close at hand but I remember seeing studies 
done that found that developers believed that using LLMs made them about 
25% faster, but the actual data showed that LLM usage made them about 
19% slower.  (Numbers retrieved from personal human memory, may not be 
exactly accurate.)

Alarmingly, attempts to replicate the study in later years found that 
LLM-assisted programming appears to be *addictive*:  the researchers 
could not find enough developers willing to program without LLM 
assistance to have solid data, even when they offered to pay $50 an hour.


This last point suggests to me that perhaps a strict prohibition on the 
use of LLMs to develop for GnuPG might be appropriate.


-- Jacob
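
The distinction drawn above, between memory the kernel takes back and memory recycled inside a long-running process, as an added example (not code from this post, from pwgen or from GnuPG). The fixed-slot pool allocator, the `SECRET` string and the function names are constructed for illustration; a real free list, object cache or arena behaves the same way. The `volatile`-pointer wipe is one portable technique; explicit_bzero(3) or memset_s are library versions of the same idea where available.

```c
/* Added example, not code from the original post, pwgen or GnuPG.
 * Memory handed back to the kernel is zero-filled before anyone else
 * sees it; memory recycled inside a process (here a constructed
 * fixed-slot pool standing in for any free list or cache) keeps what
 * the previous user left unless that user wipes it. */
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define SLOT_SIZE  64
#define SLOT_COUNT 4

/* Constructed in-process allocator: no clearing on alloc or free. */
static unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static bool in_use[SLOT_COUNT];

static unsigned char *pool_alloc(void)
{
    for (size_t i = 0; i < SLOT_COUNT; i++)
        if (!in_use[i]) { in_use[i] = true; return pool[i]; }
    return NULL;
}

static void pool_free(unsigned char *p)
{
    in_use[(size_t)(p - &pool[0][0]) / SLOT_SIZE] = false;
}

/* Wipe that dead-store elimination cannot remove: stores through a
 * volatile pointer must be performed, unlike a plain memset() on
 * memory that is never read again. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

static void pool_free_secure(unsigned char *p)
{
    secure_zero(p, SLOT_SIZE);
    pool_free(p);
}

/* Constructed stand-in for a generated password. */
static const char SECRET[] = "constructed-sample-passw0rd";

static bool all_zero(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0) return false;
    return true;
}

/* Naive free: the next pool_alloc() caller receives the previous
 * occupant's bytes.  The kernel never sees this memory, so its
 * page-zeroing guarantee does not apply. */
bool naive_reuse_leaks_secret(void)
{
    unsigned char *a = pool_alloc();
    memcpy(a, SECRET, sizeof SECRET);
    pool_free(a);
    unsigned char *b = pool_alloc();            /* same slot as a */
    bool leaked = memcmp(b, SECRET, sizeof SECRET) == 0;
    pool_free(b);
    return leaked;
}

/* Wipe before returning the slot: the next caller sees only zeros. */
bool secure_free_leaves_no_trace(void)
{
    unsigned char *a = pool_alloc();
    memcpy(a, SECRET, sizeof SECRET);
    pool_free_secure(a);
    unsigned char *b = pool_alloc();
    bool clean = all_zero(b, SLOT_SIZE);
    pool_free(b);
    return clean;
}

/* Memory that does come from the kernel: a fresh anonymous mapping is
 * zero-filled, the guarantee a one-shot tool inherits when its whole
 * address space is torn down at exit. */
bool fresh_kernel_page_is_zero(void)
{
    const size_t len = 4096;
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return false;
    bool zero = all_zero(page, len);
    munmap(page, len);
    return zero;
}

int main(void)
{
    printf("naive in-process reuse leaks secret: %s\n",
           naive_reuse_leaks_secret() ? "yes" : "no");
    printf("wiped slot is clean: %s\n",
           secure_free_leaves_no_trace() ? "yes" : "no");
    printf("fresh kernel page is zero: %s\n",
           fresh_kernel_page_is_zero() ? "yes" : "no");
    return 0;
}
```

Build it with optimization on (for example `cc -O2`) to see that the volatile wipe survives where a trailing `memset()` on memory that is about to be freed may be dropped as a dead store. The three results line up with the post's argument: the kernel guarantee holds for pages that leave the process, which is all a short-lived one-shot tool needs, while a module inside a long-running program has to wipe before recycling because that memory never goes back to the kernel.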
