Binarus wrote on 16.10.2019 17:37:

> On 16.10.2019 13:07, Patrick Brunschwig wrote:
>> worry for me. The main problem is the additional complexity that it
>> brings if you require an external component that you cannot *fully*
>> control. This covers topics like different behavior of different
>> versions, but also configuration issues, users' rights to install
>> something on their PC and more. Gpgme may handle some of these issues,
>> but the fact remains: an external component makes things a lot more
>> complex, especially for support.
>
> I think this is the usual trade-off. One has to put time
>
> - either in understanding the APIs and command line parameters of a
>   library / utility, and to keep up with changes, or
>
> - in re-inventing the wheel, which in this case for sure will cost much
>   more time and eventually produce catastrophic security breaches and
>   software which is drastically inferior compared to what we have now.
>
> After all, everybody uses libraries and utilities. It is just reasonable
> to have an expert work on a library or utility which uses techniques and
> mathematical stuff which non-specialists never will understand in
> detail, and have the non-specialists use that library or utility,
> instead of letting them re-develop the same stuff, probably introducing
> all sorts of security flaws and producing inferior software.
>
> When I have a bash script under Linux which invokes a compiler using a
> complicated command line, I wouldn't get the idea to re-develop that
> compiler and integrate it directly into bash because that compiler's
> command line switches could change in the next version ...
>
> I am still convinced that re-writing GnuPG (including all functions like
> hardware tokens, subject encryption etc.) in a secure manner is a
> hundred times more complex and a million times more error-prone than
> tracking a few changes to its command line switches or error codes ever
> could be.
Apart from that, there is GpgME, as already has been stated.
In all cases, we certainly won't re-write GnuPG or similar. The question on the table is: do we continue to use GnuPG (be it directly or via gpgme), or do we use a different OpenPGP implementation (and if so, which one)? There are certainly good arguments for both.

-Patrick

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users