> Why the heck don't they just run gpg the way enigmail did? Three major reasons:
1. License incompatibility. GnuPG is GPLv3, and Mozilla uses the Mozilla Public License. They're not compatible. Arguably (and I believe _correctly_) distributing GnuPG with Moz wouldn't be a dealbreaker, as mere aggregation is different from actually linking, but lawyers are by nature conservative. Moz has already said their lawyers won't let them do this. 2. Dependencies. Mozilla will not accept responsibility for users doing foolish things with their gpg.conf files, because those users will expect Mozilla to fix it for them. It's a dealbreaker. This is also why Mozilla has declared they won't even support using GnuPG keyrings -- they're going to insist on running their own keyring internal to Thunderbird which isn't shared with anything else. (I imagine *importing* from a GnuPG keyring will be supported, but *sharing* a keyring is right out.) 3. Enigmail has shown them the limitations of GnuPG. The Efail attack on Enigmail was very real. It was created by an ambiguity in how GnuPG returns error states: just because GnuPG says "decryption OK" doesn't mean it was decrypted okay. (Whether Enigmail should've understood this, or whether GnuPG should have not returned such an ambiguous message, is an open question and not one I'm interested in discussing.) Rather than repeat Enigmail's interface, which historically had its fair share of security problems, Mozilla has decided to go a different route. More power to 'em. I love Enigmail, but it's the nature of all software that at some point we learn how to do things better. When we learn how to do things better, we should elect to do them better rather than stay mired in the past. (... and that principle, applied to OpenPGP, suggests throwing out a whole lot of cruft. Which is another open question I'm not interested in discussing, except to throw it out there for people to think about.) _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users