Use GPGME - or not? #1742

Closed
BjarniRunar opened this issue Dec 26, 2016 · 4 comments
Labels
Discussions Mailpile-v1-is-Obsolete Tagging issues we won't fix because Mailpile v1 development has stopped Packaging & Defaults Privacy / Security


@BjarniRunar
Member

BjarniRunar commented Dec 26, 2016

This is a discussion bug, to capture the pros and cons of dropping our GPG wrapper in favour of something based on GPGME, most likely the GnuPG team's official SWIG bindings.

Relates to #733.

@BjarniRunar
Member Author

BjarniRunar commented Dec 26, 2016

I am not currently in favour of moving to GPGME, for the following reasons:

  1. I would like to keep Mailpile's external dependencies to a minimum, and make sure that the dependencies we do have are either widely available on Mac OS X, Linux distributions and Windows, and/or from the Python Package Index. If a simple apt-get install and/or pip install isn't enough to get up and running, then I'm not comfortable with adding the dependency. The official bindings for GPGME have not reached this point yet; pip install doesn't work and you cannot apt-get install unless you pull in the Debian testing repository.

  2. I don't like GPGME from a design/security point of view. It is a large amount of C code which is doing pretty much the same thing as our Python wrapper, only in a more complex way. Given the choice between relatively simple logic in a memory-safe language (Python) and more complex/abstract logic written in C, I prefer the Python code.

  3. We will still have to wrap the GPGME bindings with our own code to translate to our own internal data structures; Kai's initial port (Use GPGME #1621) was not noticeably smaller than our original wrapper.

  4. It is unknown and somewhat opaque how GPGME behaves if both GnuPG 1.4 and GnuPG 2.0 are installed, and unclear from the documentation if a recent version of GPGME will work correctly with GnuPG 1.4. If it defaults to 2.0, that will cause Mailpile to malfunction, badly. Until 2.1 is everywhere, this is a concern.

  5. Kai's patch ended up discarding Mailpile's internal obfuscation of the passphrase storage; if we switch to GPGME then users' passphrases will have to be kept in the clear in Mailpile RAM, at least temporarily. This is an inevitable result of the GPGME API. This is not a major problem; the value of our passphrase obfuscation is limited: it cannot protect against strong adversaries with access to Mailpile's RAM - it's more of value in keeping passphrases from being accidentally revealed during debugging (strings on a Mailpile core dump will not reveal the passphrases, for example) or written in the clear to swap.

@BjarniRunar
Member Author

Devil's advocate; the benefits of switching to GPGME:

  1. GPGME is the preferred interface as recommended by the GnuPG team. They know what they're doing.

  2. GPGME may make it easier for us to support S/MIME at some point in the future.

  3. GPGME is documented and used by other projects. This may lower the barrier to entry for some new contributors to Mailpile, in particular for the GnuPG team itself.

This was referenced Dec 26, 2016
@loidor
Contributor

loidor commented Dec 28, 2016

Just need to put this somewhere - Debian Stretch will ship with gpg 2.1.

@BjarniRunar
Member Author

@loidor yep, we are aware and this is being tracked in #1133. I've started work on 2.1 support in my local tree.

@BjarniRunar BjarniRunar added the Mailpile-v1-is-Obsolete Tagging issues we won't fix because Mailpile v1 development has stopped label Jul 11, 2023