@neverpanic@chaos.socialOuch:
"I stumbled upon a bug in RNP that has been introduced when refactoring. Namely, session keys generated for PKESK are not randomized but always zero."
#RNP is #Thunderbird's implementation of #OpenPGP
@mgorny@social.treehouse.systemsOkay, so please correct me if I'm wrong about the state of #OpenPGP right now.
So first there's the former #RFC4880bis which is now pursued as "#LibrePGP", used by #GnuPG (and #rnp?), with a "v5" key format, that everyone else seem to looks "politely" at.
Then there's #RFC9580 with a "v6" key format, used by #OpenPGPjs, #SequoiaPGP (and more) but explicitly rejected by GnuPG. However, it seems to be pushed forward under the assumption that GnuPG will yield to pressure.
So we effectively have two incompatible standards, with a "common denominator" of ancient #RFC4880, some tools pursuing one of them with disregard for the other, and a few supporting both for the sake of the users. And #Gentoo is effectively stuck with whatever GnuPG supports, because we need working crypto on all supported platforms, not just the "Rust subset".
https://bugs.gentoo.org/963069