Category Archives: Open Source

#ILoveFS: How Free Software Shapes my Day

Today is valentines day, but, much more importantly, it is also I love Free Software Day. That’s the day we show appreciation to all the Free Software (Free as in Freedom, but also often Free as in beer) Developers out there, who are working, mostly in their spare time, mostly unpaid, to make the tools we use every day work. This blog post is an experiment. I will try to list all the free software I use every day, and I will probably fail, just because it is all around us.

In the morning, when I start my Laptop, it boots into Linux Mint, which uses a plethora of Free libraries and programs like Grub, the Linux Kernel, and so on. After logging in, Tor, Pidgin with the OTR plugin, and the OwnCloud client automatically start up. I launch Thunderbird (which encrypts eMails using GnuPG) and Firefox (with a number of plugins) and go about my day.

When I need to do something on my server, I use OpenSSH or Mosh in a bash shell. The shell also runs Z (a handy little tool that makes navigating your computer much easier). On the server, I run the usual suspects (A server version of Ubuntu, Apache, MySQL, PHP, WordPress with some plugins, Mediawiki, OwnCloud, Piwik, OpenSSL, …) and some more specialized software like Ejabberd (a very nice jabber server), gitolite, and a Tor relay.

When I want to make short notes, I use gedit. For slightly longer texts, I have LibreOffice. And if I have to take notes or write texts in university, I use LaTeX with Texmaker and a bunch of extra packets. When editing images, I use Gimp or Inkscape, and for Audio, there’s Audacity. I watch videos using VLC and listen to music with Banshee. My passwords are securely stored using the KeePassX password manager, and the whole disk is encrypted with ecryptfs.

When I develop software, I use Git for versioning and, if possible, Python for my programming language (my code editor, Sublime Text, is one of the few pieces of non-free software I run on a regular basis). I also use a large number of command line utilities like grep, find, htop, wget, netcat, and so on.

On my android phone, I run CyanogenMod, a modified version of Android. I use TextSecure, CSipSimple, K9 Mail and APG for encrypted communication. Podcasts are retrieved using AntennaPod, I navigate using OsmAnd and Liberario, and use Twitter with Twidere. I own a couple of Raspberry Pi’s running Linux and an APU-Board running IPCop. In my window, I have a router running a Freifunk node with the Gluon Firmware.

Every single piece of software I just mentioned is Free Software (and I am sure I have forgotten some of the tools I use every day). Every single one of them is provided to me (and the rest of the world) free of charge. They are supported by communities of developers working on them in their spare time. In return, they expect nothing from us.

This is awesome.

These people do not get enough appreciation for their hard work, let alone donations. The developer of the single most important piece of technology for encrypted eMails, used by millions, almost went broke. This should be an indicator that something is wrong. Free Software is the only thing I know of where people seem to think that it is okay to use it, expect it to work and be updated, and not give anything in return.

It’s true that many developers work on Free Software because they believe in it, and because they like doing it, and that they don’t expect to be able to make a living from it. But you cannot expect people to give their full attention to these projects if they need to worry about getting food on the table. These people are donating their free time to these projects, and they deserve our thanks and support, instead of being sneered at because they would like to continue doing what they are doing and still be able to eat.

So, I love Free Software, and I try to do my part as best I can. There are too many great projects to donate to them all, but I regularily donate to some of them. If I encouter bugs, I report them. If I write my own software, I put it online under a Free Software license so others can benefit from it (as much as you can benefit from my terrible code at least). And I try to raise awareness.

Free software is awesome. Let’s help keep it awesome by keeping the developers motivated. Be it with a donation, a contribution of code, or even just a quick “thank you”. Give back to the community that gives you the things you use every day. To the developers of Free Software, whereever you may be: Thank you. Thank you for being awesome.

Note: Since it was published, this post was edited in the following way: I replaced Öffi with Liberario, as Öffi isn’t Free Software (thanks to @FSFE for pointing that out).

Using Anonymity for good, or Why Tor Matters

During the last years, there has been a disturbing trend of law enforcement agencies (both european and american) demonizing the Tor project and anonymity in general, and Tor Hidden Services specifically. Recently, during 31c3, Jacob Appelbaum (a Tor developer and generally awesome person) put out a call to the community to start conversations about anonymity in order to inform people about why anonymity is important and how it is useful not only to (perceived or actual) criminals, but also to regular people. This is my (public) contribution.

First, I will briefly explain how Tor in general and hidden services specifically work. If you are familiar with Tor and hidden services, feel free to skip ahead.

What is Tor?

“Tor” stands for “The Onion Router”. It is a program that can be used to browse the internet anonymously (the websites you visit cannot identify you unless you provide them with identifying information yourself, e.g. by logging in). It also hides which websites you are visiting from your internet company. This is achieved (slightly simplified) by sending your internet traffic through a number of servers all over the globe before delivering it to the website you are visiting.

Tor also supports a system called “hidden services“. A hidden service is a website (or any other type of service, like a mail or chat server) that can only be reached over the Tor network. When used properly, the server never knows the identity of users connecting to it, and the users never know the location of the server they are talking to.

The usual caveats apply: Tor cannot protect your identity if you use it incorrectly. For example, you will obviously not be anonymous if you log into facebook via Tor. Read the warnings on the download site.

Why use Tor?

There are many reasons why you may want to use Tor, and the overwhelming majority of them do not involve anything that you may find questionable. For example, Tor is used…

  • …by dissidents who want to get around state censorship (e.g. in China, Syria, …)
  • …by whistleblowers and journalists alike to protect themselves and their sources
  • …by privacy-concious people who want to avoid the omnipresent tracking on many websites
  • The list goes on. The Tor project has a nice list of potential uses and users of their software.

But I was told criminals use Tor!

Yes, there are people who are using Tor to hide their identities when extorting money, or to buy and sell drugs. It is in the nature of an anonymity system that it is impossible to prevent malicious use while still allowing those with “legitimate” (however you would define that) interests to use it. In the end, it all comes down to a tradeoff between the good and the bad that Tor does. How many drug smuggling rings equal one Edward Snowden? How many chinese dissidents equal one criminal using Tor to extort money?

In my personal opinion, Tor does more good than it does bad. You may think differently. Just keep in mind that Tor does save lifes under oppressive regimes, and that it enables people like Edward Snowden to come forward with at least a small measure of safety. You will have to decide if it is worth loosing all of that to cut off a channel for drug trade. In the end, there will always be ways to more-or-less-securely trade drugs, but there may not be any way for dissidents to safely use the internet.

And what about those hidden services?

Hidden services enjoy a particularily bad reputation as a place where only drug traders and pedophiles hang out, and it is true that there is a lot of awful stuff hosted on hidden services. But again, there are a lot of different ways these hidden services can be used. Here are two ways in which I personally use hidden services:

  • I have my own Server for instant messaging using Jabber / XMPP, and I connect to it using a Tor hidden service. That way, my server does not know my current IP address (which is good, in case it ever gets taken over by criminals), and it also prevents anyone watching the network from identifying that I am using it at all. Additionally, it gives the other users of my server a way to use it and still be sure that I cannot track them. I would obviously never even try to track them, but I firmly believe in minimizing the amount of damage any one party can do, no matter how trustworthy.
  • I also have a seperate hidden service I use to access my server using the SSH protocol (a protocol used to remotely administrate my server), as lately, doubt has been cast on the security of the SSH protocol. By using hidden services, I am adding another layer of security to the connection, which helps keep my server secured against the aforementioned criminals.

In both cases, I am not interested in hiding the location or identity of my server (as that is trivial to determine using the protocols themselves), but more interested in hiding myself from my server, and hiding the fact that I am talking to the server. This makes it slightly harder to identify me, and much harder to identify which channels I am using to communicate (another case of minimizing the information available to any single party). And, most importantly, it adds another layer of protection to the information I am sending.

Closing notes

I hope that this article helped you understand that there are many different ways people use anonymity tools like Tor, and many of them are completely acceptable by every sane person. So, what I am asking of you is simple: Keep this in mind when you next hear politicians railing against anonymity: For every criminal, pedophile and “terrorist” using Tor, there is at least one dissident, activist, journalist, or server operator using the same software for good.

Life is not as easy as people make it sound. Why should the issue of anonymity be any different?

Tricking your inner lizzard into productivity using gamification

This is going to be a slightly different article than usual. Usually, I write about politics, or programming. Today, I’ll write about productivity. Or, to be more precise, about getting your inner lizzard to be reasonable and get working already, using gamification. This is based on my experience with HabitRPG, a pretty sweet, open source, task management role playing game. Yes, you read that right. A task management role playing game. If you know me, you know that I could not resist trying this out.

They do a pretty good job of explaining what that is all about on their homepage, so I’ll just give you a short overview. Your tasks are split into three categories:

  • Habits are positive (e.g. “cook instead of ordering a pizza”) or negative (e.g. “smoke a cigarette”) habits you want to improve or get rid of, respectively.
  • Dailies are things you want to do every day, e.g. “run two miles”, “read for 30 minutes”, …
  • To-Do’s are one-off tasks (“Write a blog post about HabitRPG”)

HabitRPG operates under the principle of rewards and punishments:

  • Do something for a positive habit? Finish a daily? Finish a To-Do? You get Experience and Gold. Also, after a while, you start to get random drops, like eggs and potions for pets you can raise. The Gold is used to purchase equipment and user-defined rewards. For example, I set up a reward for 5 gold which says “play videogames for an evening”. This way, I have to work to be able to “afford” things that make me less productive or healthy (although I should increase the gold cost, as I gain gold very quickly right now)
  • Do something for a negative habit? Miss a daily? You loose health. If your health drops to zero, you loose a level and some equipment.

There are also some advanced things like streaks (Finish a daily N days in a row, similar to seinfeld chains), perfect days (finish all dailies) and so on, which I will not go into here. The important part is:

  • You get rewarded for following through on your commitments or forming good habits.
  • You get punished for bad habits (although the punishments are not severe enough for my taste, as you can take quite a bit of damage and still not have any problems with your health)
  • You get a noticable effect from building up streaks, leading to motivation to not break the streaks (seriously, this has already kept me from skipping university once).

One of the best things about the game / productivity tool is the community. There are challenges where you will get a few new habits, tasks or whatever, and you compete with others in order to complete the most dailies. This has led to me adopting a few new dailies (“Don’t skip university”, “drink 3 glasses of water in the morning and in the evening” (as I have some problems remembering to stay hydrated), and a meta-daily “check off all other dailies”). You can also organize in parties and guilds, leading to more peer-pressure to do better (although all of the community features could use some more polish in order to make it easier to see how well the others are following through on their commitments). There is also a quest system, which I have yet to explore.

In general, there are some rough edges to the project, but it is being actively developed by a quite large and dedicated community of devs, and I have a lot of hope for the future of this project. There is, of course, the inevitable subscription and premium item model, but it is among the most fair of them I have seen so far, and since the game isn’t really competitive, everything is cosmetic in one way or another.

So, yeah, if you like RPGs and being productive, give this one a try. And if you are still not entirely sold on it, here are some videos about it, and here’s the wiki.

The sorry state of attribution in education

Lately, I’ve been dealing a bit with attribution and licensing, in part thanks to the people at Commons Machinery / elog.io. Since I started on this, I have noticed all the places where attribution is done poorly or even not at all. Be it on flyers (“Pictures: Wikipedia / something / somethingelse”, without any indication which picture is from where, or which license they are under), websites (often no attribution at all) and even on the slides at university.

It just boggles my mind that academic researchers in computer science, who will meticulously enter citations and go into a frenzy if they are done incorrectly by students (seriously. A slightly wrong formatting cost me several points once), think nothing of just slapping a few pictures they found somewhere onto their slides, probably without checking their license, and definitely without attributing the artist (which is almost always required by licenses, by the way). And it somewhat makes me feel like an idiot for spending the time properly attributing the two xkcd comics I used in my presentation (yes, I use xkcd in my slides. Judge me).

This is wrong. I shouldn’t feel like an idiot for spending 1 minute getting the attribution right if the artist spent a few hours creating the thing I’m using. And if the artist was nice enough to pick a license for his / her work, and if he / she was also awesome enough to pick a license that actually allows me to use their work, and all they ask in return is that I credit them while doing so, I should damn well do so. Everything else would, in my opinion, be disrespectful to both the artist and the art.

So, why is no-one attributing properly? Because it’s hard. It’s annoying. First, you have to find out if the artist even picked a license (some do not). Then, if the license allows usage, you have to find out the name of the artist. You have to write up a boilerplate text, something like “‘Like I’m five’ by Randall Munroe / xkcd.com // CC BY-NC 2.5 // Source: xkcd.com/1364“. You have to fit it into your design somehow. And then, for all you know, no one will even notice that you took the time to do so. And this assumes that you even know that you are supposed to attribute under a specific license, and how. Even professional writers like my favourite author, Patrick Rothfuss, can get this wrong. Pat wrote a blogpost and used an image from xkcd.com, without attribution. After he was notified about the missing attribution by a reader, he promptly added some attribution (which is good), but the attribution itself was still not properly done (“Comic lovelyness from the brilliant XKCD, of course” is sweet and a nice thought. It is also better than nothing. But it is not entirely correct as per the license).

Don’t get me wrong. This is not about me pointing out what my favourite author did wrong. I’m just using this as an example. Attribution is hard, and while I have some hope for the work by Commons Machinery / elog.io, it’ll probably be another year at least until there is something working, moderately bug-free and usable, and adoption by the general public may never come. This is because people are not aware of the attribution problem.

And why are people not aware of it? Because almost no one is doing it right! If, for example, in university, all slides would only carry properly attributed images, people may start to wonder “what is it with all those CC BY-NC-SA’s on the slides?”. People may even start to notice if those CC BY-NC-SA’s go missing. Right now, almost no one is doing this, because almost no one is thinking about it, because almost no one is doing it. Do you see the problem?

What can you do? A few ideas:

  • Practise proper attribution. Seriously. Yes, it’s annoying, but just imagine other people using your stuff without attributing you as the original artist. Would that feel good?
  • Pick a License for your stuff. Don’t just throw it out there, pick a license and stick it on your website. Here’s a license picker for Creative Commons, which is used mostly for texts and media, and here’s a license picker for open software licenses. Choose a license, stick it on your work, and you make the life of people like me easier (This work is licensed CC BY 4.0, by the way, as you can see in the sidebar). Bonus points if you inform youself about the advantages and drawbacks of the different licenses. For example, choosing “Non-Commercial use only” licenses may have unintended consequences, like keeping others, including non-profits, from using your work on their pages.
  • Get involved with Commons Machinery, and register as a beta-tester for elog.io. They can always use more hands and brains, and it looks like their stuff is going in the right direction.
  • Ask questions. Tell your regional newspaper that “Picture: Wikipedia” is not a proper attribution. Ask your professor why the images are not attributed. Raise some awareness.
  • Practise proper attribution. Did I already mention this? Oh, well, it bears repeating.

So, that’s it for todays semi-rant. I’m looking forward to seeing proper attribution from all of you, and I will probably send an email to my professors about this tomorrow.

An interesting experience: Writing to 400 candidates

During the last week, I worked on an interesting project. But instead of programming, this time it involved politics: I wrote a message to 403 german candidates to the European Parliament in the upcoming european elections, on the topic of “digital rights”.

It all started when I heard of WePromise.eu. In a nutshell: Candidates can promise to follow a charter of basic digital rights, supporting laws that strengthen these rights and opposing those that seek to reduce them. The charter contains a lot of very obvious, sensible points, and some less obvious but also very sensible points like export controls for surveillance / censorship equipment. Voters, in return, can promise to vote in the elections, and vote for a party whose candidates support these rights.

Now, my original plan was to write a physical letter to some candidates from my area, but when I asked the people behind WePromise for some material, they also supplied me with a list of all german candidates, including their eMail addresses. And since tools like Mail Merge make sending a lot of personalized eMails very easy, I decided to just write to each and every single candidate from that list. I quickly removed all candidates that had already pledged their support to the project, and all candidates without a known mail address, leaving me with 403 candidates, ranging from people almost guaranteed a spot in the european parliament to people on the 88th spot of a tiny party that may or may not get one or two candidates into the parliament. I quickly wrote up a message detailing the project, the aims, why I support it, and asking them to support it as well (or, alternatively, write me a quick mail detailing why they do not want to support it). I fed the message and the spreadsheet to Mail Merge, waited two minutes, and the mails were sent.

I received a bunch of autoreplies and some error messages concerning incorrect eMail addresses (which I tried to correct and update in my spreadsheet, sending the corrected addresses back to WePromise). Then I waited. That was one week ago.

Until today, I have received replies from over 25 candidates, ranging from the aforementioned 88th spot on the ÖDPs list to current members of the european parliament. The number of german candidates has jumped from 22 to 37, with a few more candidates having promised their signature and not yet appeared on the website. I had some very interesting discussions concerning the advantages and disadvantages of online anonymity, during which I convinced at least one candidate to change his views (two more discussions are ongoing). I also received three replies from parties that are generally not considered to be very pro-internet (all of them stating that they would not sign the pledge, but would “continue to fight for data protection”, and all of them from supporters of data retention laws. I’ll leave you to figure out how the hell that is supposed to work, because I have no idea).

So, some statistics from one week into the project:

  • 15 new signatures (6x Die Grünen, 4x ÖDP, 3x SPD, 2x FDP)
  • 4 signatures pledged that have not yet appeared on the website (2x Linke, 2x SPD, 1x ÖDP)
  • 6 refusals for different, mostly acceptable reasons (2x CSU, 2x AfD, 1x CDU, 1x SPD)

As you can see, a large majority of candidates has never replied. That was to be expected. Still, it has been quite an interesting experience, interacting directly with people that may, in the near future, be called upon to represent my interests in the european parliament.

I can only recommend contacting (some of) your candidates. Ask them their opinion on a cause close to your heart, maybe even have a (civil!) discussion on the matter if they have a different opinion. My experience has shown me that, at least in the smaller parties, you can actually change someones opinion on some matters. And who knows, maybe the candidate will actually be elected to the european parliament. And maybe, just maybe, your discussion will change their vote on a crucial issue… And wouldn’t that be worth the 10 minutes it takes you to write up a mail?

Introducing the SMTP GPG Proxy

I frequently encounter software that allows me to send mails, but has no GPG support out of the box (sometimes not even using plugins). This annoys me greatly, especially if it is software like FusionInvoice, which may transport sensitive information in its mail messages. Since FusionInvoice (and many other programs) support SMTP for sending their mail, and since I had a few spare hours, I decided to see if I could hack something together to add GPG support to those programs. And the result was…

…the SMTP GPG Proxy

The SMTP GPG Proxy, besides having an awful name (name proposals welcome), is a Python program. It provides an SMTP Server and will accept incoming mail messages, encrypt / sign them according to its settings and magic strings in the mail subject, and then forward them to the upstream SMTP server.

Since the basic python smtpd-Module does not support encrypted connections, I used the modified “secure-smtpd”-Module by bcoe. It extends the basic smtpd with support for SSL-encrypted connections while providing an almost identical interface. For the encryption itself, I used the standard “python-gnupg”-wrapper, which isn’t ideal but gets the job done most of the time.

Setup

Setting up the SMTP GPG Proxy is quite easy. Just grab the latest version from the GitHub-Repository, install the dependencies, rename the config.py.example to config.py and fill in the settings (everything should be documented in there), and then launch the main program. Next, point your SMTP-speaking program at the IP and port you just configured (it is highly recommended to do this via localhost only, as incoming connections into the Proxy are, as of right now, not encrypted), and mail away.

Usage

To get the SMTP Proxy to encrypt a message, just send the mail and add the KeyIDs (including the “0x”) to the subject line, seperated by whitespaces. They will be automatically parsed and removed from the subject, so if you want to send a message with the subject “Invoice #23”, encrypted with 0x12345678 and 0x13374242, you would choose the subject “Invoice #23 0x12345678 0x13374242”. KeyIDs can be in short (8 characters) or long (16 characters) form, as well as full fingerprints (without whitespaces and prefixed by “0x”).

Depending on the settings, missing public keys will either lead to the message being rejected, sent unencrypted, or keyservers may be polled before rejecting or sending unencrypted if no public keys are found. You can also configure the program to GPG-sign all messages, or only encrypted messages, or no messages at all.

Development status

The program is currently in alpha, but it works very well for me. Still, as of right now there are some open issues with it, which I may or may not be working on. If you set up everything correctly, you should not encounter any problems. It is the border cases like incorrect SMTP passwords that are currently not dealt with very well.

Roadmap

If I find the time, I will keep developing the program, removing bugs, making it more stable, and adding more features like opportunistic encryption. However, I may not have the time to fully fix everything, and bugs that are annoying me will obviously be fixed faster than those I will never encounter in my usage.

However, as the program is open source and on GitHub, feel free to fork and submit pull requests. The code is, as of right now, shamefully undocumented, but as it has only about 200 lines, it should still be fairly easy to understand.

License

Like almost all my projects, I am releasing this program under the BSD 2-Clause License.

Introducing IssueBot, a Jabber MUC notification bot for GitHub

As part of a development team working on improving Enigmail, I recently found myself in need of a bot sending notifications to a Jabber multi-user chat (MUC) when the Issues of a GitHub-project receive an update (we already had a similar program for new commits in place, called commitbot). I searched for a while and did not find anything that fulfilled our requirements.

So, being a CS student and all that, I decided to write one.

Introducing IssueBot

IssueBot is a Python / Twisted bot, using the GitHub API to fetch information about the issues of a GitHub project. Those are then sent to a Jabber MUC. It can monitor multiple repositories at the same time, authenticate itself using an OAuth token (if you generate one manually) to increase the rate limit on the GitHub API, and will generate Notifications in the following conditions:

  • New ussue
  • Issue closed
  • One of the following has changed about the issue:
    • Title
    • State (open -> closed or vice versa)
    • Assignee
    • New comments

Development is still actively going on, with new features being planned and bugs being fixed, so keep an eye on the GitHub-Repository.

Configuration is done using a .tac-file (an example file is provided with the program). Just update the variables in it and you should be good to go. Instructions on how to use it can be found in the README.

As parts of the code are derived from the aforementioned commitbot, the Code is licensed under the GNU GPLv3. Feel free to fork, improve and send pull requests on the project page on GitHub.

The making of IssueBot

As it turns out, it is actually really easy to query the GitHub API. You send a request to a specific URL (for example, https://api.github.com/repos/octocat/hello-world/issues) and get a response with some JSON and some headers telling you how many requests you have remaining for the current hour (the API limit for unauthenticated users is 60 requests per hour).

Since it is pretty easy to do this in Python, and it has some nice support for JSON built-in using the standard json module, it was pretty easy to query the API, parse the result into a Python dictionary, and parse that into the local database. Then, the changes could be determined and notification messages generated. The only thing missing was the interface to Jabber.

For that, I decided to reuse some code from the commitbot project. This blew up the list of dependencies, but made it possible to somewhat painlessly work with Jabber MUCs. As an added bonus, one of the dependencies, Twisted, deamonizes the process automatically, saving me the trouble.

In the end, it took me about three hours to hack together the current version of the program. Most of the time was spent trying to figure out how to get Twisted to work with my main loop, which was actually non-trivial until I stumbled upon the LoopingCall-Instruction provided by Twisted.internet.task. As Twisted has some rather… interesting views on how it should be used, and my use case did not quite fit into that pattern, I found documentation on how to use it hard to find.

The program is now happily running on my server, spitting out the occasional notification into our chat, and works like a charm.

Results from the inofficial Enigmail “Night of Code”

Yesterday, we had a small “Night of Code” in Hamburg. Basically, five hackers met up in the rooms of the CCC Hamburg and tried to improve Enigmail, the Thunderbird extension for PGP-encrypting Mails. It was a hell of a lot of fun, and we actually made quite a bit of progress on several improvements.

It all started with a discussion on the mailing list of the computer science department of the University of Hamburg. We had a lengthy discussion on what is wrong with Enigmail and PGP, and some of us decided to do something about it. Someone organized a room, called for a “Night of Code”, and a few people responded, me among them.

We started with a short introduction on the architecture of Enigmail and what the important files are. Afterwards, we discussed what needed improvements (the consensus being “basically everything about the UI”) and everyone chose one of the proposed improvements and started working.

I don’t want to spoil the surprise on what the others have been working (although all of it will come in pretty handy, once it is finished and hopefully merged into the main project), but I can say a bit about what I worked on.

So, one of the important things when using PGP is to manage your Web of Trust. This includes the signing of the keys of other people (after you validated that they are, in fact, the person they are saying they are). For that purpose, there are Key-signing parties. And one of the major annoyances about those parties is the distribution of freshly signed keys.

On Linux, there is a neat command line tool called caff. It takes any number of Key-IDs, downloads the public keys, signs each ID seperately and mails it (encrypted) to the provided eMail address. The problem is that caff is pretty annoying to set up, and only works on Linux.

The Feature I am working on is something along those lines. I added a new checkbox on sigining keys…

The second checkbox is new, in case you were wondering.
The second checkbox is new, in case you were wondering. And the keys are totally legit, I checked. 😉

If you select the checkbox and sign a key (and no error occurs during the signing process), a new Message composition window will open:

The new Message

It will contain some sort of preset text and have the signed public key attached.

Now, this is all working great already, but there are still some things to do:

  • Save the last decision on whether to mail the key or not (currently, due to some weird behaviour of the Enigmail preferences function that I still need to figure out, it is not saved)
  • Automatically set the mail to be encrypted and signed, regardless of the settings.
  • Perhaps encrypt the public key before attaching it, to make sure the recipient needs his private key to get the new signatures?
  • Perhaps choose the sending account based on the private key that was used to sign the public key?

Now, the experience to work on Enigmail has been interesting and somewhat cool, but not without its problems.

  • To say the documentation of Enigmail is bad would be misleading, as it implies that there actually is a documentation, which is not the case. Everything you want to use, you need to figure out yourself, possibly by using the addon with debug output active and seeing which functions are used in what order.
  • Thunderbird isn’t much better. Many of the important functions (adding an attachment!) had to be reverse engineered from other addons or from the very helpful thunderbird-stdlib-Project on GitHub, as the documentation has some pretty big holes in significant places.

If you are an Enigmail dev and reading this: Please provide at least some documentation on what is done where in the code, and what APIs can be used for new features. I know you probably understand the code, but it makes the entry barrier for new devs very high.

If you are a Thunderbird dev: See above. The current docs are not enough, and the function names are in parts weird enough to make it almost impossible to find out how to actually use them without checking the source files, which takes time and is extremely annoying.

All in all, I enjoyed my time hacking on Enigmail. But it could have been a lot more productive if there was some form of documentation one could use. As for the new feature: I will try to get it to work properly and then submit a patch to the devs, but I do not know how long that will take, as my time is currently pretty limited because of other things I need to take care of (my bachelors thesis among them).

As for the others: I don’t know when their features will be finished, but we already have a bunch of ideas on what to do next, and if we find the time, we’ll create some more new features. Some of our ideas have the potential to vastly increase usability, so I am very curious as to the reactions of the devs. Let’s hope for the best.