[Gpg4win-devel] Gpg4win and Claws Mail

Andre Heinecke aheinecke at intevation.de
Mon Jul 13 14:39:32 CEST 2015 

Hi,

On Friday, July 10, 2015 08:36:07 PM Andrej Kacian wrote:
> after being slightly disappointed by yet another Gpg4win release with
> an ancient Claws Mail version (3.9.1 is over 2 years old), and after
> reading the remarks at http://wiki.gnupg.org/Gpg4win/Roadmap, I would
> like to open a discussion about the way forward.
> 
> Keeping 3.9.1 is not really acceptable from security point of view, if
> for nothing else, then because of the recent SSL/TLS vulnerabilities,
> and mail servers ceasing to support SSLv3 en masse, making Claws Mail
> 3.9.1 unable to even talk to most of them.

Yes, in our current Release mode we basically don't maintain the Claws Mail we 
ship. This is indeed a bad situation. Thanks for starting a discussion on 
this. We really should do something here.

> After some time of neglect, we are currently preparing an updated
> Windows release, and things look good for keeping it reasonably
> supported for the foreseeable future.

Great to hear. (Which makes Option A even more preferable)

> As I see it, there are two options:
> 
> a) You drop Claws Mail from Gpg4win, and we drop GnuPG, GPGME and GPA
>    from our Windows package, like the mentioned Roadmap wiki page
>    suggests.
> 
> b) Claws Mail stays in Gpg4win, and we work together to keep it
>    updated.
> 
> Personally, I would prefer option A, not because I don't like to work
> with others, but because it would make things simpler - we could drop
> lot of dependency libraries, and so could you. It would also allow both
> projects to provide new releases without waiting for the other one.

Option A also has my strong preference. We should just add Page / Link on our 
website pointing to "MUAs that play nice with Gpg4win".

Still we should ensure that a user with Gpg4win and claws installed can still 
use GnuPG. How are you planning to interface with GnuPG if you are dropping 
gpgme from your Package?

I'd suggest that you keep gpgme and use it to interface with an existing GnuPG 
installation. I did it that way back when I packaged KMail / Kontact for 
Windows. The package had it's own Gpgme library but relied on an installed 
Gpg4win for all other components.


Regards,
Andre

-- 
Andre Heinecke |  ++49-541-335083-262  |  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-devel/attachments/20150713/4305586f/attachment.sig>

More information about the Gpg4win-devel mailing list