merge with python-gnupg

Imported from bugseverywhere, created on 2013-10-20

This software has a primitive GPG Python API that duplicates the work of at least two other libraries. The pythong-gnupg library is particularly similar and communication was started to consider the possibility of merging. This section details how we should deal with this.

• decide to merge or split from pythong-gnupg (done: we merge)
  • for merge arguments:
    • gnupg has more history and authors
    • has more features (see below)
    • avoid project proliferation (already 4 python APIs to gpg)
    • may be less work
  • against merge arguments:
    • needs to rewrite monkeysign again (fairly easy)
    • i just spend about 20 hours in two days on this project
    • python-gnupg doesn't seem to have a VCS
    • hosted on code.google.com, BSD license (minor)
• apply those improvements to python-gnupg
  • add key signing support
  • split the "context" and "keyring" classes
  • port monkeysign to python-gnupg
  • make sure python-gnupg is secure (ie. that it doesn't use popen([...], shell=True), see below

It seems that we have a new upstream for python-gnupg that resolves most problems documented here:

https://github.com/isislovecruft/python-gnupg

We are in contact with upstream and they are open to merging in changes, so we will go in that direction.

(authored by @anarcat on 2013-10-20)

Added Priority: Normal label

note that in #8 (closed), we noticed that geysigning have started implementing their own library on top of GPGME, which I find questionable, but it has the merits of making the library much smaller (300 lines instead of our 850 lines or 1000 lines for python-gnupgng).

also note that it seems that development on python-gnupg has slowed down: last commit on the master branch was in march 2015, and although there's been some activity in the dev branch 6 months ago, a lot of pull requests are sitting in the backlog (19), including key functionality like search_keys and bugfixes. it still doesn't have keysigning support (issue #29).

so i am not sure this is worth it right now...

On Fri 2016-09-02 13:09:15 -0400, anarcat wrote:

@dkg sorry, say again?

I wrote (in e-mail):

On Fri 2016-09-02 13:09:15 -0400, anarcat wrote:

note that in #8 (closed), we noticed that geysigning have started implementing their own library on top of GPGME, which I find questionable, but it has the merits of making the library much smaller (300 lines instead of our 850 lines or 1000 lines for python-gnupgng).

fwiw, GnuPG upstream has recently been talking about making a more formal attempt at supporting a stock python binding for libgpgme. I'm not sure whether that'll pan out, but if it does it would be nice to have that team take responsibility for maintaining such a thing.

libgpgme just drives me up the wall, to be honest. first off it doesn't support stuff that we need like key signatures. second, why on earth do we need a C wrapper around a commandline tool? libgpg, if it exists in C, should call the GnuPG internals, and GnuPG should be its primary consumer.

libgpgme is just a recipe for disaster. and there are python bindings for gpgme already. i would love for upstream to provide a proper C library that we could hook into, not some obscure, hard-to-parse set of commandline interfaces that are prone to deadlocks.

anyways, at this point i'm taking the approach of postponing all this... python-gnupgng seems more or less stalled, and i'm curious to see what will happen with gpgme. in the meantime, we're fixing our library because it's (STILL!) the Python only library out there that actually does what we want.

Milestone changed to %Monkeysign 3.0.0

apparently, upstream gpg will use https://pypi.python.org/pypi/pyme/0.9.0, and GPGME supports keysigning since last week in the 1.7.0 release.

The GNOME Keysign signer builds on top of gpgme: https://github.com/gnome-keysign/gnome-keysign/blob/85fc0c70451f26696e2dc11904aff2a9015bd458/keysign/gpgmeh.py

It's not using gpg's more modern quick_sign just yet, but it still seems to be doing things we want reasonably well.

mentioned in issue #21