
Password Store might be tiny but GPG itself is a huge attack surface - that's the problem.

Maintained, yes, well... I'd question that. I don't think it's very heavily reviewed or anything, and vulnerabilities pop up in it quite frequently, enough that I'm uncomfortable using it for serious purposes.

https://www.cvedetails.com/vulnerability-list/vendor_id-4711...

Many of these vulnerabilities have to do with very important cryptographic code... If you're comfortable with it, that's fine, it's not a bad solution. But personally I'd honestly be more comfortable with plain text files and TrueCrypt, which has no real cryptographic problems even after quite heavy review; the best we've found is a privesc bug in the Windows driver.




Don't get me wrong, I love to take a dump on GPG as much as the next guy, but this argument is a little misguided. If you're decrypting password files that come from a malicious party, you have a pretty big hole in your security model.


Cloud synchronization is a very common use of a password manager. Many people load their password manager files onto Dropbox, GDrive, etc. Assuming authenticated encryption is properly used and care is taken to avoid leaking metadata, this should be a non-issue.


Solid point. Indeed, that should be safe.


You have linked a list of vulnerabilities dating back to 2006, 10 of which are worth talking about. That's just over 1 per year. Only one allows arbitrary code execution.

Privesc is bigger than all of these combined, especially in a kernel driver.

If Snowden can use GPG, so can you.


Getting root or SYSTEM on my machine is no big deal when all the valuable data you can have is already available as my user. Privesc is minor to me, but it depends on your threat model of course. If you're in a shared environment without VM isolation, it could be a much bigger issue for you. I don't mean to downplay it as you're right, kernel mode privesc is bad, it just happens that it's a minor effect on my threat model for personal systems.

Arbitrary code execution that, say, a cloud storage provider could modify would be a far bigger problem. Some of the cryptographic issues are also arguably bigger problems for practical usage. As such, to me, GPG is not nearly as worthy of trust as other, far simpler platforms.

> Snowden can use GPG so can you

This just doesn't make sense as an argument to me - one guy who needed strong encryption used it once therefore you should use it forever and ignore or don't try to develop simpler alternatives?

1 vulnerability that's "worth talking about" per year is enough to make me want to run the other direction, especially on something as sensitive as a password manager.


VM isolation? Now that's an attack surface.



