https://bugzilla.suse.com/show_bug.cgi?id=1212259

Bug ID: 1212259
Summary: MozillaThunderbird: bundled rnp/Botan, and supporting pluggable OpenPGP providers
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.5
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Firefox
Assignee: factory-mozilla@lists.opensuse.org
Reporter: Andreas.Stieger@gmx.de
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Mozilla Thunderbird bundles a number of libraries for OpenPGP support:

* rnp: https://github.com/rnpgp/rnp and openSUSE:Factory/rnp
* (bundled in rnp) https://github.com/rnpgp/sexp
* Botan (rnp has an experimental OpenSSL backend too)

We should look into un-bundling here due to:

* general packaging policy - avoiding bundled libs
* especially for crypto routines: shared crypto policy, and maybe to use OpenSSL FIPS?
* incorrectly attributed bugs, e.g. bug 1212253 (CVE-2023-29479) considered against MozillaThunderbird and missed for rnp.
* there are other compatible and pluggable providers of the Thunderbird plugin: https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp

Background:

RH dropping Botan: https://bugzilla.redhat.com/show_bug.cgi?id=1837512
FC splitting plugin: https://src.fedoraproject.org/rpms/thunderbird/c/edf3b30dbedcb43be0870015097...
FC system rnp: https://src.fedoraproject.org/rpms/thunderbird/c/0a585f45242a8fc024dfc1761ac...