Hi,

> Totally crystal clear analysis, it's worth finding the right way to
> maximize the energies being put in place by Google and Yahoo.
>
> If I can just add some questions / considerations:
>
> Did you evaluate how much effort it would require to use E2E as a "kernel
> lib"?

No. But I have looked over the E2E code. It's very modular and cleanly implemented using the Google Closure Library (which offers type annotation... very useful for JS crypto code). To get a taste, here's the ECC code:

https://code.google.com/p/end-to-end/source/browse/javascript/crypto/e2e#e2e%2Fecc

In terms of using it as a kernel lib, I would propose adding a minified build of E2E as a dependency to OpenPGP.js and calling their public API behind ours (which looks very familiar if you compare the two):

E2E public API:
https://code.google.com/p/end-to-end/source/browse/javascript/crypto/e2e/openpgp/context.js

Usage examples are here:
https://code.google.com/p/end-to-end/source/browse/javascript/crypto/e2e/openpgp/contextimpl_test.html

> Is it worth doing now "3" for the current stage of E2E? (or do it at a
> later stage when the library will be more mature, now doing "2"?)

That's a good question. Last I checked they're still calling it alpha and there is no clear timeline. So 2 might indeed be the better option for the short term.

> Are there "license incompatibilities" between the two projects?

GPL v2 is not compatible with the Apache license used by E2E:

http://www.apache.org/licenses/GPL-compatibility.html

But I don't know if this applies to LGPL v2.1. Although I doubt that using two JS libs together would create problems, since there is no linking like in C code. Only runtime dependencies.

The fourth option would obviously just be for projects using OpenPGP.js to switch to E2E.

> Is the E2E project's team willing to share their roadmap and/or accept
> patches from outside with a community based approach?

I haven't seen any outside contributions to E2E, so it's hard to say if they accept pull requests. When talking to Thomas about this, we agreed that this would probably be the biggest risk. If something doesn't work in OpenPGP.js, we can find a solution quickly and fix it ourselves. Whereas if we relied on E2E, we would be dependent on them.

Tankred

