What do LLMs mean for GnuPG?
Robert J. Hansen
rjh at sixdemonbag.org
Mon Mar 30 12:58:17 CEST 2026
> I am a user of tools like Cursor,- and my personal opinion is that LMM
> is not perfect. But for those who cannot program because of
> neurological conditions, it is a valuable tool.
As a hacker who deals with mental illness, I am massively in favor of
creating a community that is welcoming to people with psychological,
psychiatric, and/or neurological troubles. But I draw the line at
thinking we should lower our professional standards to accommodate these
conditions.
I do not believe LLMs should be authoring security-sensitive code, ever.
> If the programming follows programming standards like PEP 8, |rustfmt|,
> clippy etc..
None of these verify quality code. The version of pwgen that Claude.ai
created passed the normal clippy checks.
> tested against Wycheproof test vectors, RFC 5639, and BSI specifications
Having implemented more cryptographic algorithms in my life than I ever
want to think about, "it passes the test vectors" does not create in me
very much faith in the overall quality of the implementation.
Circa 2008 at USENIX/EVT we gave a round of applause to a team of nerds
who had implemented AES in Java, and given rigorous Floyd-Hoare proofs
of correctness. It took them two and a half years of work.
I once had to implement a highly reliable Galois counter mode. I yearned
for the sweet release of death.
> But,- who can write 100% perfect code ?
It's hard but it's been done. The provably-correct AES implementation
comes to mind, as does the RSRE VIPER processor. The IBM System 360
minicomputers that controlled the Space Shuttle never suffered a
life-threatening bug, ever: even as _Challenger_ and _Columbia_ came
apart the HAL/S software stack continued functioning correctly.
https://en.wikipedia.org/wiki/VIPER_microprocessor
https://en.wikipedia.org/wiki/HAL/S
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20260330/11042c23/attachment.sig>
More information about the Gnupg-users
mailing list