Rely On
I don't know that "rely on" is quite the right word; it's not like there aren't other options if GPG didn't exist. It'd probably help if companies that *directly* profit from selling stuff that uses it chipped in a bit, though.
Werner Koch is looking at a big payday after pulling in over $150,000 to fund the continuing development of his crucial open-source GNU Privacy Guard encryption tools. Koch, 53, is a leading light in the free software movement: in 1999, he released GPG, which uses the OpenPGP standard to safeguard the communications of …
Actually - for PGP-compatible key formats and PGP-compatible options there is not. The old PGP 2.x series, which is available as software, is obsolete by all standards. As far as using it at all goes - ALL Linux distros and nearly all other free software use distribution mechanisms based on PGP formats for signing, implemented via GPG.
While it is theoretically possible to move them to x509, doing so will require a considerable amount of effort. Additionally, x509 is a centralized trust anchor, while PGP is a trust mesh, so you completely change the trust model. IMHO the mesh is more appropriate for free software development, as there is no center, and even Ubuntu or RHAT do not have the means to maintain a CA with all the associated security and trust procedures.
It's fairly easy to argue that x509 is a better model for what PGP is used for in the Linux environment - the only difference is the stack, and an authority can revoke keys on behalf of the people it certifies keys for, which, if you're say Debian, isn't necessarily a bad thing. If you're signing packages with a key signed by the Debian project's trust anchor and that key goes AWOL and the devs themselves are AWOL, Debian can revoke the key on behalf of that developer - this isn't actually a bad thing. With PGP, packages are signed by a central package key which, if compromised in some way (more likely because more people have access), means the key for the entire repo needs replacing on everybody's system, rather than a revoke->reissue->re-sign process for the affected packages.
Also I wasn't arguing it wouldn't be a major task, I was simply stating that we could probably live without it.
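The two trust topologies contrasted in the comment above, as an added illustration that is not code from the thread, from GnuPG, or from Debian: a hierarchical (x509-style) model where one anchor issues and can unilaterally revoke certificates, beside a mesh (OpenPGP-style) model where validity is computed per verifier from certifications by keys that verifier trusts, and a certifier can only withdraw its own endorsement. All key ids ("project-anchor", "ftp-master", "dev-alice", ...) are constructed placeholders; the validity rule follows GnuPG's default of one fully trusted or three marginally trusted introducers, simplified to a single certification depth.

```python
"""Model of hierarchical vs web-of-trust key validity (added example).

Not code from the comment thread, GnuPG or any distribution. Key ids are
constructed placeholders; the mesh validity rule mirrors GnuPG's defaults
(completes-needed=1, marginals-needed=3) at certification depth 1.
"""
from dataclasses import dataclass


@dataclass
class Certification:
    signer: str          # key id that vouched for the subject
    subject: str         # key id being vouched for
    revoked: bool = False


class HierarchicalPKI:
    """x509-style: one anchor issues every certificate and may revoke any of
    them, regardless of whether the subject's owner is reachable."""

    def __init__(self, anchor: str):
        self.anchor = anchor
        self.issued: dict[str, Certification] = {}

    def issue(self, subject: str) -> None:
        self.issued[subject] = Certification(self.anchor, subject)

    def revoke(self, subject: str) -> None:
        # The authority acts alone; the subject's private key is not needed.
        self.issued[subject].revoked = True

    def is_valid(self, subject: str) -> bool:
        cert = self.issued.get(subject)
        return cert is not None and not cert.revoked


class WebOfTrust:
    """OpenPGP-style: no anchor. Each verifier assigns owner trust to keys and
    a key is valid for that verifier only if enough trusted keys certify it."""

    def __init__(self, completes_needed: int = 1, marginals_needed: int = 3):
        self.completes_needed = completes_needed
        self.marginals_needed = marginals_needed
        self.revoked_keys: set[str] = set()
        self.certs: list[Certification] = []

    def certify(self, signer: str, subject: str) -> None:
        self.certs.append(Certification(signer, subject))

    def revoke_certification(self, signer: str, subject: str) -> None:
        # A certifier may withdraw only its own endorsement, nothing more.
        for c in self.certs:
            if c.signer == signer and c.subject == subject:
                c.revoked = True

    def revoke_key(self, key_id: str) -> None:
        # Only the key owner (or a pre-designated revoker) can do this, which
        # is the gap the comment points at when a developer goes AWOL.
        self.revoked_keys.add(key_id)

    def is_valid(self, subject: str, owner_trust: dict[str, str]) -> bool:
        if subject in self.revoked_keys:
            return False
        live = [c for c in self.certs if c.subject == subject and not c.revoked]
        full = sum(1 for c in live if owner_trust.get(c.signer) == "full")
        marginal = sum(1 for c in live if owner_trust.get(c.signer) == "marginal")
        return full >= self.completes_needed or marginal >= self.marginals_needed


def hierarchical_scenario() -> tuple[bool, bool]:
    """Anchor certifies a developer key, developer disappears, anchor revokes."""
    pki = HierarchicalPKI("project-anchor")
    pki.issue("dev-alice")
    before = pki.is_valid("dev-alice")
    pki.revoke("dev-alice")                 # no cooperation from alice required
    return before, pki.is_valid("dev-alice")


def web_of_trust_scenario() -> tuple[bool, bool, bool]:
    """Same situation in the mesh: withdrawing one certification only affects
    verifiers who relied on that certifier; the key itself stays unrevoked."""
    wot = WebOfTrust()
    wot.certify("ftp-master", "dev-alice")
    wot.certify("dev-bob", "dev-alice")
    v1 = {"ftp-master": "full"}             # verifier trusting the project key
    v2 = {"dev-bob": "full"}                # verifier trusting bob directly
    before = wot.is_valid("dev-alice", v1)
    wot.revoke_certification("ftp-master", "dev-alice")
    after_v1 = wot.is_valid("dev-alice", v1)
    after_v2 = wot.is_valid("dev-alice", v2)  # bob's endorsement still stands
    return before, after_v1, after_v2


if __name__ == "__main__":
    print("hierarchical (before, after revoke):", hierarchical_scenario())
    print("web of trust (before, v1 after, v2 after):", web_of_trust_scenario())
```

The point the model makes concrete is the one the comment raises: in the hierarchy the anchor's revocation is authoritative for everyone, whereas in the mesh a withdrawn certification changes nothing for verifiers who trusted a different introducer, and only the owner's own revocation certificate kills the key outright.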
Apologies if my reader missed it (I have found the new layout considerably less "accessible" than the old one), but I would have appreciated donation details (or links to) in the article.
Credit card: https://gnupg.org/donate/index.html
or
Bank transfer, tax certificate, etc: https://www.wauland.de/en/donation.html#61
Strictly speaking that's true, but I've always viewed it a bit more like shareware - if you really get genuine utility out of it you should really help out the person who wrote it, such that the project can continue to thrive. After all, you'll benefit from any future improvements and you've been able to fully kick the tyres on it. I'll be perfectly honest in that I don't apply this to every little script and utility I've found/used, but more so those where I'd be pissed if they were discontinued.