Because the existing tool does a bad job at all of them, and those tools do reasonably good jobs at each of their respective tasks.
Fundamentally the things you want from a secure crypto system differ depending on the context in which you're applying it. Email needs different things than package signing does than file encryption does. It's silly to pretend that the same tool can provide a good and secure experience for all of them.
I don’t think it’s that silly, and I don’t think email is that different from packages is that different from files. They’re all data with some attributes, and pgp handles them nicely, if you can write the interface for it.
Take forward secrecy. This is a property that means that if your key is compromised, it doesn't allow breaking everything you've done with it. This is a very desirable property for email or messaging because you don't want somebody reading all your conversations if somebody ever gets their hands on your key.
Or take non-repudiation. This means that when you sign a message you say "John Smith did this", and John Smith can't deny having done it.
For email or IM we want forward secrecy. You don't want all your conversations to become readable if anyone ever gets their hands on your keys. If you're caught, you don't want the authorities to read your entire conversation about obtaining drugs, you want a system such that even if they get your phone, they still can't decrypt your captured encrypted messages. GPG isn't capable of this.
For email or IM we don't want non-repudiation a lot of the time. If you're caught, you don't want every message being "Signed, John Smith". GPG provides non-repudiation, which is undesirable.
On the other hand, we don't want this for package signing. We want to know that John Smith released this thing. We want to hold John Smith to account if he signs a malicious package, that's the very point of John Smith signing it.
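Added example, not part of any comment in this thread: a sketch of the forward-secrecy property discussed above, comparing a message encrypted to a long-term key with one protected by per-session keys that are discarded. The toy Diffie-Hellman group, the SHA-256 XOR keystream and all function names are assumptions made for illustration; authentication of the exchange is omitted.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, assumed for illustration only (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    # SHA-256 keystream XOR: a stand-in for a real authenticated cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def send_to_longterm_key(recipient_pub, msg):
    # PGP-style model: the message key depends on the recipient's long-term key.
    e_priv, e_pub = keypair()
    return e_pub, xor_stream(shared_key(e_priv, recipient_pub), msg)

def send_forward_secret(msg):
    # Both sides use fresh per-session keys and discard them afterwards;
    # long-term keys would only authenticate the exchange (omitted here).
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return a_pub, b_pub, xor_stream(shared_key(a_priv, b_pub), msg)

def demo():
    msg = b"constructed sample message"
    lt_priv, lt_pub = keypair()  # recipient's long-term key, later seized
    e_pub, ct1 = send_to_longterm_key(lt_pub, msg)
    a_pub, b_pub, ct2 = send_forward_secret(msg)
    # Holder of the seized long-term key replays the captured traffic.
    recovered_static = xor_stream(shared_key(lt_priv, e_pub), ct1)
    attempts = [xor_stream(shared_key(lt_priv, pub), ct2) for pub in (a_pub, b_pub)]
    return msg, recovered_static, attempts

if __name__ == "__main__":
    msg, recovered, attempts = demo()
    print("long-term-key model recovered:", recovered == msg)
    print("forward-secret model recovered:", any(a == msg for a in attempts))
```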
I don't want forward secrecy for my email. I actually want to keep my archived emails for an indefinite period. PGP allows me to do this in relative safety, the email is encrypted once at creation time and then stays encrypted. In general, forward secrecy does not work for the case where someone keeps the message. If the attacker can own a user well enough to get their secret key material, they will also get any messages that user still has access to.
Things might be different for a relatively insecure medium like IM but the same principle applies. Most IM users keep their old messages around thus negating the value of forward secrecy.
> For email or IM we don't want non-repudiation a lot of the time.
We might not, but the people we send our messages to will want to prove we sent it. Otherwise you open yourself to harassment and general abuse. If you don't want to sign your emails then you don't have to. Deniability through claimed forgery doesn't really work anyway:
The lack of forward secrecy in PGP means that you can't protect your secrets long term; having forward secrecy, meanwhile, wouldn't prevent you from making arrangements to securely archive. This is so straightforwardly obvious that it's hard to believe this response is made in good faith.
> They’re all data with some attributes, and pgp handles them nicely, if you can write the interface for it.
This apparently almost wilful ignorance of the context of the "data with some attributes" (specifically, how it's used) is, arguably, part of the problem.
It's been how many years, and still no one's written a good interface?
Nobody has written a good interface because PGP gets the primitives wrong. Most notably, the notion of long-term identifying keys you encrypt to directly as the most important service model.