
Development

A beta release and a new license for Mailpile

By Nathan Willis
July 22, 2015

Mailpile is a free-software webmail client that has been designed from the start to provide top-notch security and privacy features. The project recently released its third beta, which improves setup and encryption-key discovery and streamlines the user interface. In addition, the project recently held a public discussion about the license under which Mailpile should be released, eventually settling on the Affero GPL (AGPL).

[Mailpile inbox]

To recap, Mailpile offers a somewhat unusual take on the traditional email program. It is designed to run as a web application (thus making it cross platform with a minimum of fuss), but it is a single-user application and is designed primarily to run on the local machine. Because each user runs a separate copy of Mailpile, it offers isolation. Also noteworthy is that Mailpile is a mail user agent (MUA), so a separate server is required to actually send and receive mail. But, because Mailpile downloads all messages locally, it can function offline and (at least in theory) offer better safeguards against security breaches of the server.

The project also puts a strong emphasis on integrating cryptography into the webmail experience. We examined the first beta release in September 2014, at which point its GnuPG integration was rather awkward in places. The team made a second beta release in January 2015, but withdrew it from the site in March after beta testers complained about IMAP and GnuPG issues (although the release is still available from the project's GitHub repository). The team subsequently scaled back their planned feature set.

Beta three

The third beta was pushed out on July 19 and is available as a source-code bundle for Linux and as installers for Windows and Mac OS X. Mailpile is a Python 2.7 application, though, so installation from source is trivial. The dependencies are fairly standard and the required Python packages can be installed through pip. Of the other dependencies, the only one worthy of note is that Mailpile still uses the GnuPG 1.x branch.

[Mailpile setup]

Among the significant changes in beta 3 is a simplified setup and first-run configuration process. All that the user has to do is select a language and pick a password that will be used to decrypt the local mail storage (i.e., a separate password from those needed to access email accounts). Email account setup has been simplified as well; the program attempts to detect the correct IMAP and POP settings based on the email address entered, and the setup process includes a GnuPG key-generation step.

The server-settings-detection step uses Mozilla's ISP database, so it should be as reliable as Thunderbird's detection (and similarly limited to public email providers). Local mailboxes are also supported by the account-setup tool, so users who already get their mail in mbox or Maildir format can make use of this release as well.
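Mozilla's ISP database publishes per-provider settings as autoconfig XML. The following is an added example (not Mailpile's code) that parses a constructed entry in that format, fills in the username placeholder, and keeps only servers whose socket type will not send the password over a plaintext connection, which is the check a client consuming such a database should make before applying detected settings. The provider, hostnames and ports are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Mozilla autoconfig XML format (not a real provider).
SAMPLE_AUTOCONFIG = """<clientConfig version="1.1">
  <emailProvider id="example.test">
    <domain>example.test</domain>
    <incomingServer type="imap">
      <hostname>imap.example.test</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <incomingServer type="pop3">
      <hostname>pop.example.test</hostname>
      <port>110</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.test</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

# Socket types under which the (cleartext) password is protected by TLS.
SAFE_SOCKET_TYPES = {"SSL", "STARTTLS"}

def parse_autoconfig(xml_text, email_address):
    """Return one dict per server entry, substituting the %EMAILADDRESS% placeholder."""
    root = ET.fromstring(xml_text)
    servers = []
    for node in root.iter():
        if node.tag not in ("incomingServer", "outgoingServer"):
            continue
        entry = {"role": node.tag, "protocol": node.get("type")}
        for child in node:
            entry[child.tag] = child.text.replace("%EMAILADDRESS%", email_address)
        entry["port"] = int(entry["port"])
        entry["encrypted"] = entry.get("socketType") in SAFE_SOCKET_TYPES
        servers.append(entry)
    return servers

def usable_servers(servers):
    """Drop any detected setting that would send the password in the clear."""
    return [s for s in servers if s["encrypted"]]
```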

There are even more noticeable changes to the mail-reading interface—most are, again, simplifications. Previous Mailpile releases included a sometimes-confusing array of tagging and contact-management features that, as the release announcement put it, "seemed like good ideas but never quite worked." For instance, there used to be three separate buttons linked to the user's tag collection, plus separate "flag" and "favorite" features. The resulting interface is easier to navigate and the clutter is not missed.

[Key creation in Mailpile]

The new release also significantly improves the multiple-email-account experience, which was among the complaints with previous releases. There is now a "home page" that shows a summary of the configured accounts. Last but certainly not least, the GnuPG support now includes key discovery. The program will attempt to detect which email recipients use encryption or PGP signatures and try to fetch the corresponding keys from public keyservers. This is in addition to manually importing keys, which was already supported.

The program still has a ways to go before it is ready for production usage. Most notably, it lacks the security hardening required to make it usable from a remote server. Despite Mailpile's original design as a local client, this is evidently a feature that users repeatedly ask for.

License one

The other significant development from the past month is that the Mailpile team has finally decided on the license under which it will make releases. This is not an insignificant choice for any project, and the team took the unusual step of asking its users to weigh in on the choice.

In May, project lead Bjarni Einarsson posted an appeal to the community asking for its input. The options presented were the AGPL (version 3) and the Apache 2.0 license—which, at least in some respects, constitute opposite ends of the free-software license spectrum. Apache is renowned for its permissiveness, while AGPL is held up for doing the most to preserve copyleft. The preceding alpha and beta releases of Mailpile had been offered under both licenses while the team debated their merits.

In the initial post, Einarsson reiterated the usual arguments heard from proponents of each side: the risk of "marginalizing" the project by choosing the strong-copyleft AGPL, versus the risk of proprietary Mailpile forks by choosing the Apache license. In June, he summarized the feedback the team had received, quoting several blog posts and emails. Supporters of the project (in the financial sense) were encouraged to vote on the web site.

On July 2, the project announced the final decision: AGPL. Einarsson noted that AGPL "won" on a straight vote tally, albeit by a slim margin, and that Apache won when the results were adjusted by the dollar amounts of the supporters. But that latter result was skewed significantly by one voter's large donation; without it, AGPL won the dollar-adjusted vote by a slim margin, too.

Ultimately, Einarsson said, the slim margins and low turnout concerned him greatly, but he chose to go with the AGPL because he felt it was better aligned with the project's goals:

Mailpile is a project about freedom. It is not a popularity contest or a startup, it's not "industry infrastructure", nor does it aim to be. Mailpile is a political project which aims to improve the privacy and digital independence of individuals everywhere.

The Apache License is a wonderful thing, an open, generous, pragmatic, apolitical license. The AGPLv3 on the other hand, is a political and ethical line in the sand.

And so is Mailpile.

For now, it has not been announced whether or not additional beta releases of Mailpile will be made. For the time being, Einarsson plans to make incremental updates to the current beta release every two weeks or so, but he is also re-examining the roadmap. The final release could still take a while, but Mailpile has made clear progress in recent months, and now has a clear licensing plan going forward.


Brief items

Quotes of the week

To me this gets in the "crazy ideas" list. Please add it to the TODO page in the wiki, so that we're sure we never implement it.
Alvaro Herrera (hat tip to Catalin Iacob)

The bug wasn't ours. It was in an open source project we use, but do not fund or contribute to in any way.
— "Vendor Excuses" on Twitter.

Make no mistake, sustainable open source development is a *genuinely hard problem*. We're in a much better position than most projects (being one of the top 5 programming languages in the world has its benefits), but we're still effectively running a giant multinational collaborative software development project with close to zero formal management support. While there are good examples we can (and are) learning from, improving the support structures for an already wildly successful open source project without alienating existing contributors isn't a task that comes with an instruction manual :)
Nick Coghlan


dgit 1.0 released

Ian Jackson has announced the availability of dgit 1.0. "dgit allows you to treat the Debian archive as if it were a git repository, and get a git view of any package. If you have the appropriate access rights you can do builds and uploads from git, and other dgit users will see your git history."


Kubernetes 1.0 released

Google has released version 1.0 of its container-orchestration system Kubernetes. As the announcement explains, the 1.0 milestone designates Kubernetes as "production ready" for deploying and managing a variety of container workloads, coordinating related containers in "pods," and managing live clusters.


Mozilla Winter of Security is back

At the Mozilla Blog, Julien Vehent announces that Mozilla will be conducting a second round of its "Winter of Security" mentoring program. Aimed at college students, the program allows participants to work on security-related free software for university credit, with guidance provided by Mozilla project members. This year's targeted project list includes some high-profile projects like Let's Encrypt and Mozilla's digital forensics tool MiG. Applications are due August 15.


PyQt v5.5 Released

PyQt 5.5 has been released. PyQt is a set of Python bindings for Qt; the 5.5 release updates the bindings for Qt 5.5 compatibility. This includes support for the new QtLocation and QtNfc modules. Python 2.6, 2.7, and 3 are all supported.


Synfig Studio 1.0 released

Version 1.0 of the 2D vector-animation suite Synfig Studio has been released. The latest release is actually numbered 1.0.1, due to a packaging problem with the original 1.0.0 upload. The list of changes includes bugfixes for working with animation keyframes, several new icons, and UI improvements when selecting bounding boxes on the canvas.


Newsletters and articles

Development newsletters from the past week


Calculating the "truck factor" for GitHub projects

The idea of a truck or bus factor (or number) has been—morbidly, perhaps—bandied about in development projects for many years. It is a rough measure of how many developers would have to be lost (e.g. hit by a bus) to effectively halt the project. A new paper [PDF] outlines a method to try to calculate this number for various GitHub projects. Naturally, it has its own GitHub project with a description of the methodology used and some of the results. It was found that 46% of the projects looked at had a truck factor of 1, while 28% were at 2. Linux scored the second highest at 90, while the Mac OS X Homebrew package manager had the highest truck factor at 159.
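As an added illustration (not code from the paper or its GitHub project), the following computes a truck factor for a constructed file-to-author map with a common greedy heuristic: repeatedly remove the developer who authors the most remaining files until more than half of the files have no author left. The threshold and the greedy removal order are assumptions about one reasonable method, not necessarily the paper's exact algorithm.

```python
# Constructed example: for each file, the set of developers counted as its authors.
# A real analysis would derive this from the git history rather than hand-writing it.
FILE_AUTHORS = {
    "core/main.c":      {"alice"},
    "core/sched.c":     {"alice", "bob"},
    "core/mm.c":        {"alice"},
    "net/tcp.c":        {"bob"},
    "net/udp.c":        {"bob", "carol"},
    "docs/README":      {"carol"},
    "tools/build.sh":   {"dave"},
    "tests/test_mm.py": {"alice", "dave"},
}

def truck_factor(file_authors, abandon_threshold=0.5):
    """Greedy estimate (assumed heuristic): remove the developer who authors
    the most remaining files, one at a time, until more than
    `abandon_threshold` of all files have no remaining author.
    Returns (truck factor, developers removed in order)."""
    remaining = {f: set(authors) for f, authors in file_authors.items()}
    total = len(remaining)
    removed = []
    while True:
        abandoned = sum(1 for authors in remaining.values() if not authors)
        if abandoned > abandon_threshold * total:
            return len(removed), removed
        # Count how many still-covered files each remaining developer authors.
        load = {}
        for authors in remaining.values():
            for dev in authors:
                load[dev] = load.get(dev, 0) + 1
        if not load:  # nothing left to remove (e.g. empty input)
            return len(removed), removed
        # Highest load wins; ties are broken alphabetically so results are stable.
        top_dev = min(load, key=lambda d: (-load[d], d))
        removed.append(top_dev)
        for authors in remaining.values():
            authors.discard(top_dev)

if __name__ == "__main__":
    count, who = truck_factor(FILE_AUTHORS)
    print("truck factor: %d (%s)" % (count, ", ".join(who)))
```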


Webber: Why I Am Pro-GPL

At his blog, Chris Webber has written a response to Shane Curcuru of the Apache Software Foundation, who delivered a "Why I don’t use the GPL" lightning talk at this year's OSCON. In particular, Webber takes issue with Curcuru's assertion that he rejects the GPL because he "cares about the users." Writes Webber:

My jaw dropped open at that point... wait a minute... that's our narrative. I've written on this before (indeed, at the time I thought that was all I had to say on this subject, but it turns out that's not true), but the most common version of anti-copyleft arguments are a "freedom to lock down" position (see how this is a freedom to remove freedoms position?), and the most common form of pro-copyleft arguments are a "freedom for the end-user" position.

Webber proceeds to respond to several arguments raised in the talk, and concludes: "I have heard a mantra many times over the last number of years to 'give away everything but your secret sauce' when it comes to software development. But I say to you, if you really care about user freedom: give away your secret sauce."


Page editor: Nathan Willis


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds