Replies: 7 comments 27 replies
-
Hey dkg 👋 Thanks for the comments and questions. I'll try to answer some of the questions and then give some high-level thoughts at the end. First of all, some of the upstream projects do have open PRs, that weren't merged for one reason or another: e.g. asmcrypto/asmcrypto.js#155, indutny/elliptic#144, and jsdoc/jsdoc#1770. Then, some others have mostly build-time-related changes, that make them more suitable for use in OpenPGP.js, but don't have much value for upstreaming. For example, the changes to tweetnacl.js are just about making the resulting bundle smaller, by removing stuff we don't need. Some of these are also only important for the browser bundle, which might not be important for Debian, if the intended use case is to run OpenPGP.js on Node.js? Not that I'd necessarily recommend using the upstream version instead, but - some of these packages aren't used at runtime at all; for example, jsdoc is used to generate documentation. Perhaps it would be possible to get away without packaging some of these? (More on this below.) Finally, Regarding the versioning scheme, please note that we consider the versions published on npm as "authoritative", rather than the git tags. On npm, the versions are specific to the package, while in git, the fork initially also contains the tags of upstream, so the namespace is shared to some extent, which could make looking at git tags confusing. Also, normally the git tags are the same as the npm versions (but in the forks we don't create them to avoid confusion) - of course we could do something different manually, but I would prefer to look at the (npm package, version) tuple rather than use git tags to specify that the version is the fork (since the repo and package name already indicate that). Then, my philosophy for the versioning is: for any upstream package For Debian, I'm not sure what the usual syntax for a prerelease would be, but maybe it can be converted to that? Or Regarding elliptic: we only use it for curves that aren't supported by the native crypto API nor by tweetnacl.js. On Node.js, that should be none of them. On the web platform, that's the brainpool curves and secp256k1, and since elliptic isn't constant-time, we warn against using those curves. But you're right that we should update the fork, regardless. If a vulnerability affects OpenPGP.js, you can open an issue here, but even if not (or we're not sure), it can be discussed in this repo. As I alluded to, not all of the dependencies are actually used at runtime. That's especially true for the Node.js build, which can use Node.js Crypto API, which is more extensive than the Web Crypto API. We check at runtime whether certain algorithms are available, but if the Node.js runtime is known (as it might be in Debian?) then perhaps some of the dependencies aren't needed. For the web build, we've done quite a lot of work to ensure that code that isn't needed, isn't included in the build. For the Node.js build, we haven't done that work, on the assumption that disk space is cheaper than bandwidth. But, if it's valuable for Debian, it might be worth looking into which dependencies are actually used, as part of the packaging process. Another thought: is there any chance the dist build could be published as a binary package (either as-is, or after trimming the unused dependencies contained within it)? That one has very few external dependencies, basically only Node.js core libraries and asn1.js. Finally - I've been thinking separately that we should at some point aim to reduce our number of dependencies a bit. In an ideal world, Web Crypto would provide all the cryptographic primitives we need, and it would be supported everywhere (Node.js does have an experimental implementation now) - simplifying our build and packaging story. We can probably also remove some of the polyfills, such as those for Web Streams and BigIntegers, at some point, and tell applications to polyfill them if they need to support old browsers. Perhaps we can push for that in v6, although - if you want to package OpenPGP.js now - that won't help you, of course. Out of curiosity, can I ask what's the concrete impetus, at the moment? Is there an application using OpenPGP.js that you want to package? |
Beta Was this translation helpful? Give feedback.
-
Thanks for the prompt and thoughtful replies, @twiss! You've already cleared up a lot for me. A few replies here:
My understanding is that packaging here for debian would be reliant on node.js. If that's right (hopefully @pravi can help clarify this). If that's right, i think what you're saying is that we could drop the dependency on elliptic for debian packaging entirely.
Ah! I didn't know that semver used
My understanding is that this would be against debian policy -- we want only free software in debian, that is buildable from source by the toolchains already in debian. To ensure that we meet that goal, we need to actually build from the preferred form of modification, which is the source code, not the
This would be great, from my perspective, though i don't know enough about how the different parts of the ecosystem are moving at this point to know how plausible it is for the near term. If the work we're doing to get OpenPGP.js into debian helps push that kind of simplifying transition along, i think that would be an overall win, both for Debian and for OpenPGP.js.
At the moment, i'm most interested in getting sop-openpgpjs into debian, because i'm in the process of trying to convert various tools that don't need anything more than SOP to using SOP instead of bits and pieces of GnuPG or arbitrary perl code. We already have three SOP implementations in debian (sqop, gosop, and pgpainless-cli), but having more compatible tooling from the leading implementations ensures a healthier ecosystem. Long term, if we can land these cleanly in a maintainable way in debian and its derivatives, it'll make it possible to run things like the OpenPGP interoperability test suite against widely-distributed versions, which can help the ecosystem determine inflection or transition points (e.g., it is reasonable to generate SEIPDv2 encrypted data by default, regardless of the Feature flags subpacket in recipient keys). That kind of thing is probably more than a year off (if that), but we need to get the pieces in place now if we want it to be feasible to do in the future. |
Beta Was this translation helpful? Give feedback.
-
I'm looking at the divergence between The "modernize" changes look like they might already be handled upstream (e.g. 505e36d9f021a27f14e02d46a84db307a2f8150f, "Move to es6"), but i'm not sure why OpenPGP.js might need 7d389f04d6334d96dcd6cd2f6171864177039640 ("Export constants individually instead of as an object") or f38f7368a5fa511e54b95add2f04444c3a9d803f ("Switch back from class properties to instance properties"). |
Beta Was this translation helpful? Give feedback.
-
@dkg for command line usage we will be using nodejs and sid currently has nodejs 18.11. @twiss providing rollup.config.js to build would help us a lot. Sticking to widely adopted build tools will be appreciated, instead of trying to use the latest tool in town. So if there is a rollup.node.config.js and rollup.browser.config.js that does node and browser builds separately, that would be awesome. Also if you document dependencies that is only needed for browser build, that saves us some time and effort too. May be down the road some apps might need the browser build too, but as a start I think we can focus on nodejs. |
Beta Was this translation helpful? Give feedback.
-
Also we want corresponding source code to any generated files we ship, so tags matching the npmjs.com releases will help us a lot. Alternatively if you include the source in the npmjs dist tarballs, we can just remove the generated files and regenerated them during the deb creation. But that will increase size of your modules. Adding tags would be the efficient and convenient option here. or if you just provide source tar balls corresponding to npmjs releases somewhere else, that can work too. |
Beta Was this translation helpful? Give feedback.
-
reviewing other scoped modules : jsdocjsdoc/jsdoc#1770 looks like something that we might not want or need in terms of debian packaging. To the extent that our packaging builds documentation with The only other difference is openpgpjs/jsdoc@ff7cb39 (which just lists global functions first in the generated doc navigation), which doesn't appear to be submitted upstream at all, and also doesn't seem critical. Seems like maybe this should be submitted upstream as a configuration option. So for debian, if we do plan to generate documentation from the package, we might prefer to just patch out the configuration bits that use seek-bzipThe main differences here are:
Neither of these changes appear to be in any PR upstream -- are they not relevant for upstream? Assuming that we're working with Node, we probably don't need the first change; and the second change appears to be intended specifically to improve code minimization, which again isn't the top priority for debian packaging (though it would be nice if SummaryFor Debian packaging assuming a node-based deployment, it looks to me like:
|
Beta Was this translation helpful? Give feedback.
-
Hello, I am trying to build asmcrypto.js package for Debian, but I am currently encountering an error after making modifications to leverage nodejs' esm support rather than use esm library. Best case scenario, could you please add esm support to openpgpjs packages, particularly asmcrypto.js :)? |
Beta Was this translation helpful? Give feedback.
-
I've been looking at the dependencies OpenPGP,js as i'm trying to help people get OpenPGP.js into Debian for wider distribution. I would really like to make it easy for any Debian (or Ubuntu or other downstream) user to just use the system package manager to get OpenPGP.js tooling available locally, in particular for utility-style interfaces like
sop-openpgpjs
. I'm basing this report on OpenPGP.js v5.5.0 and the currentmain
branch.I'm concerned that OpenPGP.js's reliance on forked versions of other modules via scoped modules makes it more difficult to package and cleanly redistribute, and might hide some security problems. At a minimum, i'd hope that we could have useful/clear version numbering and tagging schemes, but i'm also wondering what work needs to be done to get any changes from scoped modules upstreamed to the original modules, so that OpenPGP.js can go back to relying on the standard global modules instead of scoped modules.
Some concrete suggestions that are hopefully useful:
Looking at the
devDependencies
inpackage.json
, i think that the following scoped modules are effectively forked by OpenPGP.js (if i'm wrong, please correct me, my understanding of the javascript ecosystem is limited):I'll address the rest of my comments and examples to
asmcrypto.js
andelliptic
, which i've looked into more, but similar concerns likely apply to the other scoped/forked modules.asmcrypto.js
Looking concretely at
@openpgp/asmcrypto.js
, i think that's referring to https://github.com/openpgpjs/asmcrypto.js (i'll call that "forked asmcrypto"), which is a fork of the originalasmcrypto.js
, https://github.com/asmcrypto/asmcrypto.js (i'll call this one "upstream asmcrypto") -- but reviewing the git history of both projects, i surmise a few things:v2.3.2
, but it was released back in 2018. Maybe it is abandoned? there are a handful of commits on upstream'smain
branch after v2.3.2 (including several from protonmail's own @danrr)v2.3.2
(commit 62f097803ae0d3885ca011d5caf96adc66090388) is different from upstream'sv2.3.2
(commit 62f097803ae0d3885ca011d5caf96adc66090388). there is no git tag for the forkedv2.3.2
v2.3.3-0
, released by @larabr, which includes a few changes on top ofv2.3.2
.One simple concern here is the version numbering:
v2.3.3-0
is odd and challenging for debian. In particular, Debian assumes that the upstream version number does not have a hyphen (-
) in it, because Debian uses the hyphen (-
) to distinguish the upstream version from the debian revision. Technically, debian can handle having a hyphen in the upstream version, but it makes the rest of the tooling quite awkward to have an upstream version number like this. Is there a reason to use2.3.3-0
instead of just using2.3.3
?Another concern is git tag names -- if the project tag naming scheme is identical (i.e. they both tag version x.y.z with
vx.y.z
, then any git repo that tracks both projects will have tag collisions, since there can't be two tags both namedvx.y.z
. if the forked project issued tags with a different prefix (e.g.openpgp/vx.y.z
) that might make it easier to track the work. That said, i don't see any tags related toelliptic
Looking at
@openpgp/elliptic
, i'm comparing the forked version with the upstream version. I note:6.4.1
,6.5.0
, and6.5.1
v6.5.2
,v6.5.3
, andv6.5.4
) which do not have a corresponding release in the scoped module, including what appear to be security-related fixes regarding signature malleability and point validation.What kind of expectations should we have about the scoped module pulling in security fixes from upstream? There's no issue tracker at https://github.com/openpgpjs/elliptic so it's unclear how to report the lack of a new version with the corresponding fixes.
Beta Was this translation helpful? Give feedback.
All reactions