Mozilla, License (again), PGG, GPGME

Ben Bucksch ben.bucksch.news@beonex.com
Sat Mar 9 16:02:01 2002


Hi,

sorry for reopening the old, annoying question [1], but...

Mozilla is MPL, GnuPG is GPL, MPL and GPL are not compatible. Mozilla 
wants PGP, GnuPG wants to have an interface in Mozilla (at least Werner 
and the German gov't say so).
The Mozilla relicensing is not necessarily of much help, because a GPL 
lib would force all of Mozilla under the GPL, which would make other 
inclusions impossible (e.g. Macromedia Flash).
GnuPG is a separate executable, so there doesn't have to be a problem, 
if Mozilla communicates with GnuPG via pipes. Enigmail does this, for 
example.
The most sane method is to have a standard library, which can be linked 
from other apps (like MUAs) and which wraps the communication with GnuPG 
into a nice API. That's what GPGME [5] and PGG [4] try to achieve.
However, because that lib is then linked directly with the using program 
(e.g. Mozilla), the lib license must be compatible with the license of 
the using program. I.e. the lib cannot be GPL, if it wants to be used by 
Mozilla and other programs. "Other programs" might include Microsoft 
Outlook [Express], now that the future of the commercial PGP is unclear. 
(Outlook has such a large market share that OpenPGP needs to have a nice 
UI for it, if it ever wants to be a widely used standard. I know the 
security concerns, but I think they are not really relevant.)
The author expressed intent to open the PGG license specifically so that 
Mozilla could use it. (Thanks!) [2]
GPGME, however, is GPL.
PGG, however, seems to be dormant (last release 2 years ago), and GPGME 
is actively developed (last checkin 2 days ago).
I found a diary entry [3] of Werner Koch, reading:

> /Monday, October 30 /
>
> Worked on *GPGME*, which may translate to GPG Made Easy. This is the 3rd 
> attempt to write a usable wrapper library around GPG. Why? While 
> playing with Evolution and Mozilla, I figured out that we should not 
> duplicate gpg access code (which is pretty obvious) but have a good 
> library to do that once and bulletproof.
>
> I looked at GPAPA but it actually is too strongly bound to GPA and the 
> design is not very flexible. Looked again at *PGG* but this thing is 
> too complicated and too much OOed. So, what to do? I stared out of the 
> window for a long time before I decided that this 3rd attempt is worth 
> a try. The goals of *gpgme* are: Should be able to run asynchronously, 
> take filenames or memory areas, design must allow a better integration 
> with OO systems, easy to read (at least for me), easy to build, limit 
> use of resources.
>
So far for the facts, as I understood them.

My questions:

    * What's the state of PGG? I guess it's unusable by now?
    * (What's wrong with OO? - no answer required :). )
    * Why GPL for GPGME? Werner, you say you want to use the lib for
      Mozilla, but you are surely aware of the license problems. What
      was your plan, or did you just "default" to GPL :), planning to
      think about the problem later?

Ben Bucksch

P.S. In case you didn't hear of:

    * Mozilla has now partial S/MIME support, and Netscape claims that
      the underlying stuff is general enough for OpenPGP. As usual, they
      have no docs whatsoever. I haven't looked at it myself.
    * NAI worked on a Mozilla plugin last year, but the code was
      rejected. IMHO, it looked better than the Netscape S/MIME stuff.

[1] <http://www.google.com/search?q=+site:lists.gnupg.org+GPG+Mozilla>
[2] <http://lists.gnupg.org/pipermail/gnupg-users/2000-February/004990.html>
[3] <http://www.guug.de/~werner.koch/diary.html>
[4] <http://www.nessie.de/mroth/pgg/>
[5] <http://www.gnupg.org/gpgme.html>