[pkg-gnupg-maint] Bug#911189: Bug#911189: gpgme-json packaging
Sébastien Noel
sebastien at twolife.be
Thu Aug 8 19:49:42 BST 2024
Le 2024-08-08 18:50, Daniel Kahn Gillmor a écrit :
> Hi Sébastien--
>
> On Thu 2024-08-08 00:53:04 +0200, Sébastien Noel wrote:
> [...]
>> except for the part where you ask for an analysis, i'm sure I can
>> answer
>> to everything else. I will do that promptly.
>
> I hope we can work on the analysis part as well, there are several
> questions that i've asked on the MR. Perhaps we can address some of
> them, even if not all. I appreciate that some security analysis has
> been done by upstream already. Maybe there are pointers to that work
> that could be a useful start?
>
> I also note in https://mailvelope.com/en/faq#gnupg that mailvelope
> doesn't depend on GnuPG specifically -- by default it uses OpenPGP.js,
> but *may* communicate with GnuPG for the secret key material.
>
> If you're using Mailvelope, can you confirm that this is the case? Do
> you currently use it without GnuPG?
Mailvelope has 2 "backends", one is OpenPGP.js, where it works without
interacting with the local GnuPG install and the keys are stored in the
browser's local folder. This just works, today, without change in any
gnupg component.
But I'm more interested in the second backend where it use the local
GnuPG install, so I can access keys stored on hardware token. But to
communicate with GnuPG the Mailvelope browser plugin needs the
gpgme-json binary (+ a json manifest that tells the browser "open the
gates, it's ok"). That's what i'm using, and trying to push to
src:gpgme1.0, so that i can stop to maintain my own "fork"
br,
Sébastien
> Regards,
>
> --dkg
More information about the pkg-gnupg-maint
mailing list