On Tue 2018-12-18 14:34:06 +0100, Emilio Pozuelo Monfort wrote: > FWIW I see that Ubuntu added OpenPGP.js back, and is using gnupg 2.0.x > in trusty.
sounds fairly dubious to me, see below: > We ruled that out because supporting gnupg 2.0.x is unfeasible or GnuPG 2.0.x is unsupported upstream, has been entirely EOL for a couple weeks short of a year now. Enigmail claims to work with it (package/gpg.jsm claims MINIMUM_GPG_VERSION = 2.0.14), but i don't recommend trying to use something that far outside of GnuPG upstream's attention. > because we are missing some dependencies for OpenGPG.js ? I tried getting OpenPGP.js packaged for debian properly, and failed. Perhaps someone with more node/npm knowledge and/or stomach for the task could succeed: https://bugs.debian.org/787774 I would welcome it if someone could pick up this work -- we really should have more implementations of OpenPGP in debian. But i'm not convinced that it's the answer for jessie, given the ongoing struggles around npm/gitlab/node in stretch-backports itself. > Can't we just use the bundled code inside enigmail? If you want to use the bundled code inside enigmail, you should be aware that enigmail upstream is not even building the bundle -- they're just copying it raw from whatever OpenPGP.js is shipping in their git repository (apparently in npm-land it's common practice to commit your generated output files to revision control). I've asked upstream whether they'd ever built OpenPGP.js from source, and the last answer i got was that they'd tried it, but had failed, and it was more straightforward just to copy in the bundle. This doesn't sound like a DFSG-compliant situation to me, but i'd be open to listening to an argument for it. Regardless of DFSG-compliance, i'm particularly concerned about responsible maintenance a pre-generated blob, particularly one that sits close to protected material like encrypted messages. All the best, --dkg
signature.asc
Description: PGP signature
