Comment by jwgarber
18 hours ago
This article goes into some of the deficiencies of using GPG with pass. In particular, GPG uses asymmetric keys, so someone could encrypt a new password file with your public key and you wouldn't know.
Yes, that is specifically what enabling signatures prevents. You would know when the stored password stopped working and the content of the rest of the file changed.
That article is fairly rough. For one thing it references "The PGP Problem":
* https://articles.59.ca/doku.php?id=pgpfan:tpp
For another thing it references "the quantum threat against cryptography" as an actual argument against password store.
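The property discussed above (a public encryption key lets anyone create a decryptable entry, and only a signature check tells the owner's files from foreign ones) can be shown in a few dozen lines. The following is an added example, not code from this thread or from pass itself: it models a store entry as "secret encrypted to the owner's public key plus an optional detached signature", using Go's standard RSA-OAEP and Ed25519 as stand-ins for GPG's encryption and signing keys. The `Entry`, `Owner`, `EncryptEntry`, `Sign` and `Open` names, the `requireSig` switch and the sample secrets are all constructed for the illustration; pass's own signing feature is configured differently, so treat this as a model of the idea rather than of its mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Entry models one file in a password store: the secret encrypted to the
// owner's public key, plus an optional detached signature over the ciphertext.
type Entry struct {
	Name       string
	Ciphertext []byte
	Signature  []byte // nil when whoever wrote the file did not sign it
}

// Owner holds the two private keys the store owner keeps to themselves:
// one to decrypt entries and one to sign them.
type Owner struct {
	encKey  *rsa.PrivateKey
	signKey ed25519.PrivateKey
}

// NewOwner generates a fresh decryption key pair and signing key pair.
func NewOwner() (*Owner, error) {
	encKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	_, signKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Owner{encKey: encKey, signKey: signKey}, nil
}

// EncPub is the public half anyone can hold, e.g. fetched from a key server.
func (o *Owner) EncPub() *rsa.PublicKey { return &o.encKey.PublicKey }

// SignPub is the verification key the owner pins in the store's configuration.
func (o *Owner) SignPub() ed25519.PublicKey { return o.signKey.Public().(ed25519.PublicKey) }

// EncryptEntry needs only the public key, so a third party can produce a
// perfectly valid, decryptable entry without the owner's involvement.
func EncryptEntry(pub *rsa.PublicKey, name string, secret []byte) (Entry, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, []byte(name))
	if err != nil {
		return Entry{}, err
	}
	return Entry{Name: name, Ciphertext: ct}, nil
}

// signedData binds the entry name to its ciphertext so a signed blob cannot
// be silently moved to a different entry.
func signedData(e Entry) []byte {
	return append([]byte(e.Name+"\x00"), e.Ciphertext...)
}

// Sign attaches a detached signature; only the holder of the signing private
// key can do this, which is what distinguishes the owner's writes.
func Sign(signKey ed25519.PrivateKey, e Entry) Entry {
	e.Signature = ed25519.Sign(signKey, signedData(e))
	return e
}

// Open decrypts an entry. With requireSig=false (signatures not enabled) a
// foreign entry is indistinguishable from the owner's own; with
// requireSig=true anything not signed by the pinned key is rejected.
func (o *Owner) Open(e Entry, requireSig bool) ([]byte, error) {
	if requireSig {
		if e.Signature == nil {
			return nil, errors.New("entry is unsigned")
		}
		if !ed25519.Verify(o.SignPub(), signedData(e), e.Signature) {
			return nil, errors.New("signature does not match the pinned signing key")
		}
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, o.encKey, e.Ciphertext, []byte(e.Name))
}

func main() {
	owner, err := NewOwner()
	if err != nil {
		panic(err)
	}
	// The owner's own entry, signed with their signing key (constructed sample).
	mine, _ := EncryptEntry(owner.EncPub(), "example.com", []byte("hunter2"))
	mine = Sign(owner.signKey, mine)
	// A foreign entry for the same name, built with nothing but the public key.
	foreign, _ := EncryptEntry(owner.EncPub(), "example.com", []byte("someone-else-chose-this"))

	for _, sigs := range []bool{false, true} {
		for _, e := range []Entry{mine, foreign} {
			pw, err := owner.Open(e, sigs)
			fmt.Printf("signatures=%v signed=%v -> %q %v\n", sigs, e.Signature != nil, pw, err)
		}
	}
}
```

Running it prints four lines: with signatures off both entries decrypt cleanly, which is exactly the "you wouldn't know" case; with signatures on the owner's entry still opens while the unsigned foreign one is refused. Because the signature covers the entry name as well as the ciphertext, a foreign party also cannot re-label one of the owner's genuinely signed files as a different entry.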
Yes, signatures would prevent that, but as you noted it isn't enabled by default so most people don't use it. Optional security features don't count in my book :)
For the rebuttal you posted, I'll respond to one thing:
> The entire rant is basically about how OpenPGP is old and therefore bad and how new things, sometimes only vaguely defined, are good. So let's address this first.
> If someone, while trying to sell you some high security mechanical system, told you that the system had remained unbreached for the last 20 years you would take that as a compelling argument. You would be unlikely to demand a newer design. Normally old designs that have stood the test of time are valued. Cryptography is based on mathematical/logical principles. Such principles don't age out on any sort of a schedule and are valued in some cases for thousands of years.
The "unbreached for the last 20 years" conclusion about mechanical security systems does not immediately apply to mathematical ones, and we can indeed see that it is empirically incorrect. The cryptographic world is littered with the corpses of cryptographic algorithms that were secure for decades and are now broken (MD5, SHA1, DES, small RSA keys, TLS 1.0), and their C implementations that had horrible vulnerabilities (Heartbleed, etc). Mathematical proofs will not help us here either, since e.g. there is no proof that GPG is IND-CCA. (Which is unlike new systems, which do have proofs!) GPG had its day, and now it should be retired.
Also, the quantum threat is a reasonable one in the "store now, decrypt later" model. A lot of people presumably use git to store their password store online and would be vulnerable to this. The passwords in the files would probably not be important anymore once quantum computers are created, but any other long term data or other personal information that people store in there could be decrypted.
Well, yes, but this is also a feature: you can store passwords without having the private key available. That can be handy.
I don't really see the value in an attacker being able to store new passwords anyway. Besides, in order to do that they'd already have to have breached my private git server too.