[pkg-gnupg-maint] gnupg stable 2.5.x
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Jan 5 22:53:55 GMT 2026

Hi Chris--

On Mon 2026-01-05 19:02:12 +0100, chris at anthum.com wrote:
> Please consider updating package "gnupg
> <https://packages.debian.org/search?keywords=gnupg&searchon=names>" to 2.5,
> which was officially declared as stable last week
> <https://lists.gnupg.org/pipermail/gnupg-announce/2025q4/000500.html> and
> introduces post-quantum cryptography. Full details and related tests at
> https://gitlab.alpinelinux.org/alpine/aports/-/issues/17867

On Debian systems, GnuPG is typically used to exchange OpenPGP messages
with other people or systems.

GnuPG 2.5 introduces a novel and non-standardized post-quantum
cryptography scheme that is (apparently deliberately) incompatible with
the OpenPGP post-quantum cryptography standard:

https://datatracker.ietf.org/doc/draft-ietf-openpgp-pqc/

It seems pretty problematic to inject this sort of material into the
ecosystem when other OpenPGP implementations won't be able to
interoperate with it.

Meanwhile, GnuPG appears to *not* be implementing the PQC standard that
all other OpenPGP implementations are prepared to interoperate with as
soon as the standard is released.

Also, while GnuPG upstream is declaring 2.5 "stable", they are actually
doing ongoing stable release work on the 2.2 branch, despite having
declared it end-of-lifed over a year ago, around the time that we were
pressured into moving to 2.4 because 2.2 was supposedly EOL.

This makes it hard to trust upstream's claims about which branches will
be supported.

I think it is prudent for Debian to avoid inflicting additional
divergent artifacts into the OpenPGP ecosystem at the moment.

If GnuPG were to add the standardized PQC algorithms to the codebase, i
would be more inclined to consider switching for that particular
benefit, but given the lack of interoperability it's not a compelling
argument at the moment.

--dkg, tired and frustrated as a maintainer