Mailing List Archive

gpgme-json chromium/firefox packaging
Hi,
I have been tasked to prepare "debian packages" for the gpgme-json browser
integration, to ease installation of native messaging between gnupg and browser
extensions.

I'm working on a patch for salsa.debian.org/debian/gpgme/, as I think this is
probably the best place for it.

Basically, the two packages (chromium-gpgme and firefox-gpgme) just need to
ensure that the gpgme-json binary ships, and that a configuration file is
present at paths the browsers like.

My question:
Is it okay and maintainable to add "approved" extension ids (in this case,
mailvelope) to these configuration files?

In the end, it is an authorization between the extension(s) and the browser
(based on ids assigned by the browser publisher).
gpgme-json itself does not care who communicates with them (as long as it stays
the same actor). Still, I have the feelings that some link between worlds is
created that may not be desired.

Maximilian
--
Maximilian Krambach | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998
Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: gpgme-json chromium/firefox packaging [ In reply to ]
Hi Maximilian--

On Wed 2019-07-10 10:12:37 +0200, Maximilian Krambach wrote:
> I have been tasked to prepare "debian packages" for the gpgme-json browser
> integration, to ease installation of native messaging between gnupg and browser
> extensions.

great, thanks for working on this! I assume you're aware of
https://bugs.debian.org/911189 (in cc as well). That's the best place
to talk about the debian packaging for this stuff.

> I'm working on a patch for salsa.debian.org/debian/gpgme/, as I think this is
> probably the best place for it.

Sounds reasonable to me.

> Basically, the two packages (chromium-gpgme and firefox-gpgme) just need to
> ensure that the gpgme-json binary ships, and that a configuration file is
> present at paths the browsers like.
>
> My question:
> Is it okay and maintainable to add "approved" extension ids (in this case,
> mailvelope) to these configuration files?
>
> In the end, it is an authorization between the extension(s) and the browser
> (based on ids assigned by the browser publisher).
> gpgme-json itself does not care who communicates with them (as long as it stays
> the same actor). Still, I have the feelings that some link between worlds is
> created that may not be desired.

This is an excellent question, and one that i did not figure out the
answer to when i was briefly researching the situation.

I wonder whether it makes more sense (and whether it's possible) to ship
the gpgme-json binary and wrapper files in one package, without any
"approved" extension IDs. And then in the extension-specific package
(e.g. the "mailvelope" package), include the approved extension IDs.
Does that even make sense? I don't remember the exact layouts expected.

Thanks for stepping up to do this work!

--dkg