Future OpenPGP Support in Thunderbird

Binarus lists at binarus.de
Wed Oct 16 17:37:51 CEST 2019



On 16.10.2019 13:07, Patrick Brunschwig wrote:
> worry for me. The main problem is the additional complexity that it
> brings if you require an external component that you cannot *fully*
> control. This covers topics like different behavior of different
> versions, but also configuration issues, users rights to install
> something on their PC and more. Gpgme may handle some of these issues,
> but the fact remains: an external component makes things a lot more
> complex, especially for support.

I think this is the usual trade-off. One has to put time

- either into understanding the APIs and command line parameters of a
library / utility, and into keeping up with changes, or

- in re-inventing the wheel, which in this case for sure will cost much
more time and eventually produce catastrophic security breaches and
software which is drastically inferior compared to what we have now.

After all, everybody uses libraries and utilities. It is just reasonable
to have an expert work on a library or utility which uses techniques and
mathematical stuff which non-specialists never will understand in
detail, and have the non-specialists use that library or utility,
instead of letting them re-develop the same stuff, probably introducing
all sorts of security flaws and producing inferior software.

When I have a bash script under Linux which invokes a compiler using a
complicated command line, it wouldn't occur to me to re-develop that
compiler and integrate it directly into bash because that compiler's
command line switches could change in the next version ...

I am still convinced that re-writing GnuPG (including all functions like
hardware tokens, subject encryption etc.) in a secure manner is a
hundred times more complex and a million times more error-prone than
tracking a few changes to its command line switches or error codes ever
could be. Apart from that, there is GpgME, as has already been stated.

Regarding the user rights to install software: That was the reason why I
thought about bundling the installers and installing both parts in the
same directory. Even updates to GnuPG could then be handled by TB's
update system (this is only an educated guess - I don't know if the
licenses would allow this). If TB used GpgME, this problem would not
even exist in the first place. GpgME would just be another library
lying around in TB's installation directory (under Windows, probably a
DLL) and for sure could be updated via TB's update system.

Just my 2 cents ...

Regards,

Binarus
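The "track its command line switches and error codes" approach that the
post above argues for, as an added example that is not part of the
thread and is not code from Thunderbird, Enigmail or GnuPG: a wrapper
that drives the external gpg binary and reads its --status-fd output.
It assumes a gpg executable on PATH for the live call; the status lines
embedded in the block are constructed by hand, not captured from a real
run. The keyword names (GOODSIG, VALIDSIG, TRUST_FULLY, NO_PUBKEY and so
on) are the ones GnuPG documents in doc/DETAILS.

```python
"""Drive GnuPG as an external component through its status-fd interface.

Added example, not code from the post, from Thunderbird or from GnuPG.
GnuPG writes one machine-readable "[GNUPG:] KEYWORD args..." line per
event to the descriptor named by --status-fd (keywords are documented in
GnuPG's doc/DETAILS).  Keying on these lines instead of on the localized
stderr text or on the exit code alone is what keeps a wrapper stable
across GnuPG versions.  The sample outputs below are constructed.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class GpgStatus:
    # (keyword, args) pairs in the order GnuPG emitted them
    events: List[Tuple[str, List[str]]] = field(default_factory=list)

    def has(self, keyword: str) -> bool:
        return any(k == keyword for k, _ in self.events)

    def first(self, keyword: str) -> Optional[List[str]]:
        for k, args in self.events:
            if k == keyword:
                return args
        return None


def parse_status(text: str) -> GpgStatus:
    """Keep only [GNUPG:] lines; anything else on the descriptor is ignored."""
    status = GpgStatus()
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword, _, rest = line[len(STATUS_PREFIX):].partition(" ")
        status.events.append((keyword, rest.split()))
    return status


def signature_verdict(status: GpgStatus) -> str:
    """Reduce a --verify run to one verdict a mail client can act on.

    GOODSIG only says the signature is valid for some key GnuPG holds;
    whether that key is trusted is reported separately on the TRUST_*
    line, so both are needed for 'good-trusted'.
    """
    if status.has("BADSIG"):
        return "bad"
    if status.has("NO_PUBKEY"):
        return "unknown-key"
    if status.has("REVKEYSIG"):
        return "revoked-key"
    if status.has("EXPKEYSIG"):
        return "expired-key"
    if status.has("NODATA"):
        return "no-signature"
    if status.has("GOODSIG") and status.has("VALIDSIG"):
        if status.has("TRUST_FULLY") or status.has("TRUST_ULTIMATE"):
            return "good-trusted"
        return "good-untrusted"
    return "error"


def signer(status: GpgStatus) -> Optional[Tuple[str, str]]:
    """(key id, user id) from GOODSIG; the user id itself contains spaces."""
    args = status.first("GOODSIG")
    if not args:
        return None
    return args[0], " ".join(args[1:])


def run_gpg_verify(signature_path: str, data_path: str,
                   gpg: str = "gpg") -> GpgStatus:
    """Call the external gpg (assumed on PATH) and parse its status lines.

    --status-fd 1 sends status lines to stdout and leaves the human-
    readable diagnostics on stderr, so the two streams never interleave.
    """
    result = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1",
         "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return parse_status(result.stdout)


# Constructed sample status output (not captured from a real gpg run).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2019-10-16 1571230671
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-10-16 1571230671 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""

SAMPLE_UNKNOWN = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1571230671 9 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("unknown", SAMPLE_UNKNOWN)):
        st = parse_status(sample)
        print(name, signature_verdict(st), signer(st))
```

The point of the status lines is exactly the one made in the post: they
are the part of the gpg interface that is meant for programs, so a
caller has to follow a short documented keyword list rather than the
wording of every diagnostic, and a GnuPG update in the bundled
directory does not silently change what the mail client concludes.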



More information about the Gnupg-users mailing list