Bug 1212259 - MozillaThunderbird: bundled rnp/Botan, and supporting pluggable OpenPGP providers
Status: IN_PROGRESS
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Firefox
Version: Leap 15.5
Hardware: Other Other
Priority: P5 - None
Severity: Enhancement
Target Milestone: ---
Assignee: Factory Mozilla
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-12 21:05 UTC by Andreas Stieger
Modified: 2024-03-24 17:25 UTC
CC: 5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
martin.sirringhaus: needinfo? (meissner)


Description Andreas Stieger 2023-06-12 21:05:42 UTC
Mozilla Thunderbird bundles a number of libraries for OpenPGP support:

* rnp: https://github.com/rnpgp/rnp and openSUSE:Factory/rnp
* (bundled in rnp) https://github.com/rnpgp/sexp
* Botan (rnp has an experimental OpenSSL backend too)

We should look into un-bundling here due to:

* general packaging policy - avoiding bundled libs
* especially for crypto routines: 
  shared crypto policy, and maybe to use OpenSSL FIPS?
* incorrectly attributed bugs, e.g. bug 1212253 (CVE-2023-29479) considered against MozillaThunderbird and missed for rnp.
* there are other compatible and pluggable providers of the Thunderbird plugin:
  https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp

Background:
RH dropping Botan
https://bugzilla.redhat.com/show_bug.cgi?id=1837512

FC splitting plugin:
https://src.fedoraproject.org/rpms/thunderbird/c/edf3b30dbedcb43be087001509711b481dfce8f8?branch=rawhide

FC system rnp:
https://src.fedoraproject.org/rpms/thunderbird/c/0a585f45242a8fc024dfc1761acbe64e3473b2e5?branch=rawhide
Comment 1 Andreas Stieger 2023-06-12 21:17:11 UTC
Martin, what do you think?
Comment 2 Martin Sirringhaus 2023-06-13 06:44:13 UTC
Should be doable in principle. Thunderbird seems to have the build options to use system rnp, and also to choose the backend for it (botan or openssl).

However, this also means more potential problems with version mismatches etc.

And librnp is not yet available at all in SLE, as far as I can see, and botan is not even in Factory.

We'd probably also need to involve security, hence cc-ing Marcus.
Comment 3 Martin Sirringhaus 2023-06-13 06:57:51 UTC
Addendum: Using sequoia-octopus would be an interesting option, actually.
It would fix the somewhat annoying "split brain" regarding keyrings.
Not sure if this would be more work or the same amount as getting librnp to SLE.
Comment 4 Wolfgang Rosenauer 2023-06-13 07:20:02 UTC
Just for completeness: In mozilla:experimental there is a slightly differently packaged Thunderbird with an -openpgp subpackage, which has been replaceable with sequoia-octopus-librnp for two years.
I'm running it (but only rarely use PGP) by default.

But that is only partially covering the request here, I assume, since it only covers the case of external components providing a full drop-in replacement for librnp (as sequoia-octopus does).
Comment 6 OBSbugzilla Bot 2023-06-14 21:45:02 UTC
This is an autogenerated message for OBS integration:
This bug (1212259) was mentioned in
https://build.opensuse.org/request/show/1093176 Factory / rnp
https://build.opensuse.org/request/show/1093177 Factory / sexp
Comment 7 Sebastian Wagner 2024-03-24 17:25:21 UTC
The split of the package MozillaThunderbird into MozillaThunderbird-openpgp-librnp is now also in project mozilla (work done by Adam Mizerski)