The Guardian isn't saying PGP passwords are temporary. They're saying they had assumed the PGP-encrypted file they were provided was single-use, intended only for them and removed after they copied it.
That's a reasonable assumption. Why wasn't it single-use? Aren't people's lives presumably at stake here? How many lives do you need to risk before it becomes worth it to re-encrypt a data set? Why, after disclosing the encryption key to a journalist, did Assange retain the (now tainted) file?
Even if those at the Guardian believed the password only applied to their copy, publishing the password amounts to the Guardian making their copy a target to be copied/stolen. Why should the Guardian think they have better protection against copying their copy than the U.S. gov did in not allowing the cables to be copied in the first place?
This is a good reason for not simply giving The Guardian a giant encrypted dump of all the data. Either way, The Guardian's lack of opsec doesn't set the bar for Wikileaks.
Wasn't the whole idea behind Wikileaks supposed to be that it was run by people with the greatest possible opsec/tradecraft credibility? How does it make sense for that group to literally delegate all their security to a news publishing organization?
And having done that, by their own admission, how does pointing the finger at The Guardian's lack of opsec capability exonerate Wikileaks?