On 25.05.18 00:17, Daniel Kahn Gillmor wrote:
> hi patrick and other enigmail folks--
>
> modern enigmail (2.0+) includes a copy of openpgp.js. It does not
> appear to be built from source, but is instead a straight copy of a
> generated block of javascript from the OpenPGP.js git repo (the
> node/javascript community appears to have a common pattern of committing
> their post-compilation artifacts).
>
> Debian requires code to be built from the preferred form of
> modification, so this blob isn't really appropriate in debian.
>
> The obvious fix ("plan A", as it were) would be to build OpenPGP.js from
> source in debian, and then make enigmail depend on that. however, i've
> had a very difficult time getting that to happen cleanly. the
> dependency trees in that ecosystem are quite deep, and i don't have the
> bandwidth to package (and retain responsible maintainership for) the
> dozen (or moreā½) node/javascript packages i would need to add to debian
> in order to get OpenPGP.js packaged for debian.
>
> So i'm leaning toward plan B, which is to remove OpenPGP.js from
> enigmail when shipped with debian, and to figure out how to minimize the
> harm/damage.
>
> One advantage we have in this context is that in debian we can
> explicitly set hard dependencies on versions of GnuPG. so if we need a
> feature only available in GnuPG 2.2.3 or later, we can just make that
> dependency explicit.
>
> If anyone has a proposal for other ways to deal with this, or an
> argument why this is a problematic approach, i would be happy to hear
> it. I would also welcome any help in packaging OpenPGP.js for debian,
> if anyone is interested in doing so.
>
> I just wanted to give folks a heads-up of where i'm at in this
> frustrating process; to apologize for the delay in dealing with this;
> and to solicit any constructive feedback i can get.I cannot see a way out of this. Moreover, it's likely that OpenPGP.js will be used more in the future, because the native JavaScript API is _much_ simpler than calling Gnupg. Enigmail currently relies on OpenPGP.js for quite a number of things where either output from GnuPG is insufficient, or the operation is much more complicated to perform with GnuPG than with OpenPGP.js, or the operation is not supported by GnuPG at all. OpenPGP.js is currently involved in the following functions (I'm not sure that this is a complete list): - importing public and secret keys - interpreting keys in Autocrypt headers - creating minified keys for Autocrypt headers - creating and processing Autocrypt Setup Messages A possible workaround could be to offer downloading a prepared version of OpenPGP.js from a web service (obviously in a way that is acceptable for Debian, i.e. first ask the user for consent). -Patrick
signature.asc
Description: OpenPGP digital signature
_______________________________________________ enigmail-users mailing list [email protected] To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
