Bug 1212259

Summary: MozillaThunderbird: bundled rnp/Botan, and supporting pluggable OpenPGP providers
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Stieger <Andreas.Stieger>
Component: Firefox
Assignee: Factory Mozilla <factory-mozilla>
Status: IN_PROGRESS ---
QA Contact: E-mail List <qa-bugs>
Severity: Enhancement
Priority: P5 - None
CC: adam, martin.sirringhaus, meissner, sebix+novell.com, wolfgang
Version: Leap 15.5
Flags: martin.sirringhaus: needinfo? (meissner)
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2023-06-12 21:05:42 UTC
Mozilla Thunderbird bundles a number of libraries for OpenPGP support:

* rnp: https://github.com/rnpgp/rnp   and openSUSE:Factory/rnp
* (bundled in rnp) https://github.com/rnpgp/sexp
* Botan (rnp has an experimental OpenSSL backend too)

We should look into un-bundling here due to:

* general packaging policy - avoiding bundled libs
* especially for crypto routines:
  shared crypto policy, and maybe to use OpenSSL FIPS?
* incorrectly attributed bugs, e.g. bug 1212253 (CVE-2023-29479) considered against MozillaThunderbird and missed for rnp.
* there are other compatible and pluggable providers of the Thunderbird plugin:
  https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp

Background:
RH dropping Botan
https://bugzilla.redhat.com/show_bug.cgi?id=1837512

FC splitting plugin:
https://src.fedoraproject.org/rpms/thunderbird/c/edf3b30dbedcb43be087001509711b481dfce8f8?branch=rawhide

FC system rnp:
https://src.fedoraproject.org/rpms/thunderbird/c/0a585f45242a8fc024dfc1761acbe64e3473b2e5?branch=rawhide
Comment 1 Andreas Stieger 2023-06-12 21:17:11 UTC
Martin, what do you think?
Comment 2 Martin Sirringhaus 2023-06-13 06:44:13 UTC
Should be doable in principle. Thunderbird seems to have the build-options to use system-rnp, and also to choose the backend for it (botan or openssl).

However, this also means more potential problems with version-mismatches etc.

And librnp is not yet available at all in SLE, as far as I can see, and botan is not even in Factory.

We'd probably also need to involve security, hence cc-ing Marcus.
Comment 3 Martin Sirringhaus 2023-06-13 06:57:51 UTC
Addendum: Using sequoia-octopus would be an interesting option, actually.
It would fix the somewhat annoying "split brain" regarding keyrings.
Not sure if this would be more work or the same amount as getting librnp to SLE.
Comment 4 Wolfgang Rosenauer 2023-06-13 07:20:02 UTC
Just for completeness: in mozilla:experimental there is a slightly differently packaged Thunderbird with an -openpgp subpackage, which has been replaceable with sequoia-octopus-librnp for two years.
I'm running it (but only rarely use PGP) by default.

But that is only partially covering the request here I assume since it only covers the case for external components providing a full drop in replacement for librnp (as sequoia-octopus does).
Comment 6 OBSbugzilla Bot 2023-06-14 21:45:02 UTC
This is an autogenerated message for OBS integration:
This bug (1212259) was mentioned in
https://build.opensuse.org/request/show/1093176 Factory / rnp
https://build.opensuse.org/request/show/1093177 Factory / sexp
Comment 7 Sebastian Wagner 2024-03-24 17:25:21 UTC
The split of the package MozillaThunderbird into MozillaThunderbird-openpgp-librnp is now also in project mozilla (work done by Adam Mizerski)