> On May 27, 2026, at 10:36 PM, Trevor Blum <trevor.d.blum@???> wrote:
>
> Just an inquiry as to when GnuPG will be updated to include support for Kyber keys?

I presume that will happen on the first Tails release after Debian (Tails' upstream)
does this update. However, my understanding is that things are complicated,
involving some fundamental disagreements over the direction of standards in this space.
GnuPG series 2.5.* introduces Kyber (aka ML-KEM or FIPS-203) as its PQC encryption
algorithm:
https://lists.gnu.org/archive/html/info-gnu/2026-04/msg00010.html
However, Debian has not switched to the 2.5.* series; Debian is still on the 2.4.* series.
Fedora is also on 2.4.*; it has not switched to 2.5.* either, last I checked,
and it is considering switching away from GnuPG entirely towards Sequoia instead.
https://discuss.privacyguides.net/t/replace-gnupg-with-sequoia-pgp-actively-warn-against-gnupg/38238
As noted in LWN.net, "The 2.5 branch was originally an experimental branch that implemented LibrePGP. Jelen noted that LibrePGP is not compatible with anything else and would likely result in users shooting themselves in the feet."
https://lwn.net/Articles/1055053/
https://lwn.net/Articles/1056039/
In short, my understanding is that this is a disagreement over whether to support IETF RFC9580 (new spec) or the "LibrePGP" spec, which are not compatible with each other. Here's what rigel_xvi said as a summary:
"At a very high level, discussions towards a refresh of the OpenPGP standard (RFC 4880) stalled without a clear consensus about the necessary changes.
I think the main parties were Sequoia-PGP and Proton on one side and Werner Koch, the maintainer of gnupg, on the other. In the end Werner published a competing proposal for a standard. This competing proposal is called LibrePGP. The other side (who remained in the OpenPGP working group of the IETF) published a proposed standard as RFC 9580.
While I use both gnupg and Proton, I have neither the qualifications nor the information to form an educated opinion. That's why I asked if someone from the community had any updates or opinions.
I will paste two links here, one from each side of the discussion.
https://librepgp.org/
https://blog.pgpkeys.eu/critique-critique.html
"
https://www.reddit.com/r/GnuPG/comments/1fcmu2r/librepgp_and_the_future/
--- David A. Wheeler