By Neal | December 13, 2021
I’m pleased to announce a new release of the Octopus, an alternative OpenPGP backend for Thunderbird. This release brings several compatibility improvements with newer versions of Thunderbird, a few bug fixes, and some documentation improvements. And, it changes the Octopus' license from the GPL to the LGPL to be consistent with our recent relicensing of the Sequoia libraries.
The Octopus is an alternative OpenPGP backend for Thunderbird. By default, Thunderbird uses rnp. The Octopus is a drop-in replacement for rnp. It implements the same interface as rnp, but includes a number of enhancements.
The most obvious difference is that the Octopus uses Sequoia instead of rnp. Using Sequoia offers a number of advantages. For instance, SHA-1’s collision resistance is known to be broken. Sequoia includes several mitigations to defend against attacks that could exploit this weakness.
The Octopus also includes a number of additional features. By default, the Octopus is tightly integrated with GnuPG. In particular, it makes all of the public and private keys managed by GnuPG available to Thunderbird without any additional configuration. Note: private keys are not actually exported to Thunderbird; they are transparently accessed via gpg-agent. This also means that if GnuPG has been configured to use a key on a smart card, no additional configuration is required to use it from Thunderbird. The Octopus also automatically checks for key updates on WKD and keys.openpgp.org using a privacy-preserving update algorithm.
The Octopus includes several non-functional improvements. For instance, messages generated by Thunderbird are vulnerable to surreptitious forwarding, an attack that has been known about for 20 years. The Octopus rewrites these messages on the fly to use a safer message format.
We are grateful to our users who have found and reported a number of issues in the Octopus. In particular, testers have alerted us to changes in how Thunderbird uses rnp, which required updates to the Octopus. If you find any issues, please report them in our issue tracker.
If you are using a 64-bit version of Thunderbird on Windows, you can download v1.2. Fedora users should find an update available from their package repository soon. Other users will need to build the Octopus manually.
Since the start of the project four and a half years ago, the p≡p foundation has financially supported the six people who work on Sequoia. In 2021, the NLnet foundation awarded us four grants as part of the NGI Assure program.
We are actively looking for additional financial support to diversify our funding.
You don’t need to directly use Sequoia to be positively impacted by it. We’re focused on creating tools for activists, lawyers, and journalists who can’t rely on centralized authentication solutions. So, consider donating. Of course, if your company is using Sequoia, consider sponsoring a developer (or two). Note: if you want to use Sequoia under a license other than the LGPLv2+, please contact the foundation.