On Wed 2019-07-10 10:12:37 +0200, Maximilian Krambach wrote:
> I have been tasked to prepare "debian packages" for the gpgme-json browser
> integration, to ease installation of native messaging between gnupg and browser
great, thanks for working on this! I assume you're aware of
https://bugs.debian.org/911189 (in cc as well). That's the best place
to talk about the debian packaging for this stuff.
> I'm working on a patch for salsa.debian.org/debian/gpgme/, as I think this is
> probably the best place for it.
Sounds reasonable to me.
> Basically, the two packages (chromium-gpgme and firefox-gpgme) just need to
> ensure that the gpgme-json binary ships, and that a configuration file is
> present at paths the browsers like.
> My question:
> Is it okay and maintainable to add "approved" extension ids (in this case,
> mailvelope) to these configuration files?
> In the end, it is an authorization between the extension(s) and the browser
> (based on ids assigned by the browser publisher).
> gpgme-json itself does not care who communicates with them (as long as it stays
> the same actor). Still, I have the feelings that some link between worlds is
> created that may not be desired.
This is an excellent question, and one that i did not figure out the
answer to when i was briefly researching the situation.
I wonder whether it makes more sense (and whether it's possible) to ship
the gpgme-json binary and wrapper files in one package, without any
"approved" extension IDs. And then in the extension-specific package
(e.g. the "mailvelope" package), include the approved extension IDs.
Does that even make sense? I don't remember the exact layouts expected.