Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

On Tue 2018-12-18 14:34:06 +0100, Emilio Pozuelo Monfort wrote:
> FWIW I see that Ubuntu added OpenPGP.js back, and is using gnupg 2.0.x
> in trusty.

sounds fairly dubious to me, see below:

> We ruled that out because supporting gnupg 2.0.x is unfeasible or

GnuPG 2.0.x is unsupported upstream, has been entirely EOL for a couple
weeks short of a year now.  Enigmail claims to work with it
(package/gpg.jsm claims MINIMUM_GPG_VERSION = 2.0.14), but i don't
recommend trying to use something that far outside of GnuPG upstream's

> because we are missing some dependencies for OpenPGP.js?

I tried getting OpenPGP.js packaged for debian properly, and failed.
Perhaps someone with more node/npm knowledge and/or stomach for the task
could succeed:  https://bugs.debian.org/787774

I would welcome it if someone could pick up this work -- we really
should have more implementations of OpenPGP in debian.  But i'm not
convinced that it's the answer for jessie, given the ongoing struggles
around npm/gitlab/node in stretch-backports itself.

> Can't we just use the bundled code inside enigmail?

If you want to use the bundled code inside enigmail, you should be aware
that enigmail upstream is not even building the bundle -- they're just
copying it raw from whatever OpenPGP.js is shipping in their git
repository (apparently in npm-land it's common practice to commit your
generated output files to revision control).  I've asked upstream
whether they'd ever built OpenPGP.js from source, and the last answer i
got was that they'd tried it, but had failed, and it was more
straightforward just to copy in the bundle.

This doesn't sound like a DFSG-compliant situation to me, but i'd be
open to listening to an argument for it.  Regardless of DFSG-compliance,
i'm particularly concerned about responsible maintenance of a pre-generated
blob, particularly one that sits close to protected material like
encrypted messages.

All the best,

