For the past 20 years, Fedora has handled package keys and signatures with its own OpenPGP parser. In the upcoming Fedora 38 release, however, the development team plans to switch the RPM package manager to “Sequoia”, an OpenPGP implementation written in Rust.
In the announcement, the development team stated that it does not make much sense to keep maintaining its own OpenPGP parser now that a better parser is available. Upstream RPM has been working to deprecate the internal parser in favor of Sequoia PGP. Sequoia PGP is an OpenPGP library, written in Rust, whose design principles focus on safety and correctness.
Fedora developers are eager to bring Sequoia PGP to RPM and hope to see it in Fedora 38 already. Switching to this correct OpenPGP parser should result in better security and standards compliance.