Dodge K-cars were well known and successful. They were also utter shit. Plenty of FOSS projects are of low quality but get adopted because they fulfil a need. Some don't age well. Some have poor docs. Some have insufferable interfaces. It's ok to call them shit. All code is shit anyway. It's just the smell ratio that varies.
Yeah, sequoia certainly doesn't shine here either, unless you call a dump of sq help screens (https://docs.sequoia-pgp.org/sq/) useful user-facing documentation.
I guess it's a nice library, but it's no replacement for GnuPG. At least GnuPG has an actual user guide, FAQ, etc. with important concepts explained step by step.
As a GnuPG user, it would not be hard to switch for simplistic use cases without any specialized HW, I guess. I already know most of the concepts, but for new users... I wish them luck with sq, lol. Documentation is pretty much nonexistent, and the web page for the sq tool just links to library documentation.
Not sure what the grumbling about UX is about. Common tasks (signing/verifying/encrypting) are simple. Key export/import is also straightforward. So for common tasks you learn a few (~6) CLI --options by osmosis.
Web of trust/key management stuff is mostly done via interactive UI where you're prompted for what's needed after you invoke some action. Not too bad I guess. Certainly easier to be prompted for what's needed than remembering a ton of random CLI options or fishing through manpages, for tasks that you'll do very infrequently.
Yes. GNU C codebases are not written defensively or with strong test suites (if any) and tend to have piles of serious bugs that take years to spot. I use such tools heavily on a personal basis, but I avoid running such things in production or high-risk environments at almost all costs.
I also thought the same and argued the same about UX until I had to train several large teams to use it, and found myself making piles of shell script wrappers to pacify the majority of modern devs who are intimidated by any CLI commands that do not start with npm or git.
PGP is the right spec, IMO. It is just time to shift to more mature implementations that are easier to trust the defaults of and program against.
The majority of Sequoia devs are former GnuPG devs btw. They realized the shortest path to a broadly testable, library-first codebase, memory safety, secure default ciphers, etc. was starting over.