PGP has three relevant interaction points with Phabricator:
- See PHI764. When sending "Must Encrypt" email, we could encrypt it and send the actual mail content instead of a simple link to the web UI.
- See T8962, somewhat. When receiving inbound mail, we could decrypt PGP messages and verify PGP signatures.
- Git supports PGP signing, and we could verify PGP signatures on commits.
All three use cases are fairly niche and relatively low-value, so it's likely that there are two possible futures here based mostly on how much of a mess PGP is:
- If PGP validation, encryption, and decryption are reasonably easy to implement and verify, these features likely make sense to bring upstream. There's at least some interest from users, including customer interest in PHI764.
- If PGP is a giant mess that no normal person can hope to understand without first compiling Gentoo nine times, the value of these features is probably not worth their overhead.
The existence of alternate mail encryption, mail signing, or code signing standards would motivate exposing these as modular hooks. However, I'm not aware of any real alternatives to PGP in any of these areas. If more reasonable alternatives existed, we could provide hooks and leave PGP to third parties who are great at compiling Gentoo, but I'm hesitant to add the hooks if we have zero upstream implementations.
The next step here is to evaluate PGP:
- How difficult is encrypting mail with PGP?
- How difficult is decrypting and verifying PGP mail?
- How difficult is verifying Git commit signatures?
- Can we do this stuff in PHP, or do we need to depend on an external tool?
- Would the interface for adding PGP keys look mostly like the interface for adding SSH keys, or are there additional considerations?
- As a normal user, how hard is configuring PGP mail?
- As a normal user, how hard is configuring PGP in Git?
If the answers here are mostly "it's pretty straightforward", we can add hooks and PGP support.
If the answers here are mostly "compile Gentoo nine times", this may be a dead end, at least for now.
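As an added illustration of the "verify Git commit signatures" question (this is example code written for this note, not Phabricator's code): `git verify-commit --raw <commit>` writes GnuPG's machine-readable status lines (`[GNUPG:] ...`) to stderr, and a server should decide on those lines rather than on the human-readable output. The sample status lines below are constructed, the fingerprint and user ID in them are made up, and `REGISTERED_KEYS` is a hypothetical stand-in for whatever per-user key table would sit next to the existing SSH key table.

```python
"""Turn GnuPG status-fd output into a signature verdict and map it to a user.

Two checks are kept separate on purpose:
  1. parse_gpg_status: is the signature cryptographically good (GOODSIG + VALIDSIG,
     no BADSIG/ERRSIG/expired/revoked-key lines)?
  2. authenticate_signer: does the *full* primary-key fingerprint belong to a
     registered user? GnuPG's own TRUST_* lines are ignored here; the server's
     key table is the only trust decision that matters for this use case.
"""
import subprocess
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "

# Status kinds that mean "do not accept", even if other lines look fine.
FAILURE_KINDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class SignatureVerdict:
    valid: bool = False                 # cryptographic check passed
    fingerprint: str = ""               # 40-hex primary key fingerprint from VALIDSIG
    signer: str = ""                    # user ID string as reported by gpg (untrusted text)
    problems: list = field(default_factory=list)


def parse_gpg_status(status_text: str) -> SignatureVerdict:
    """Parse '[GNUPG:] ...' lines as documented in GnuPG's doc/DETAILS."""
    verdict = SignatureVerdict()
    good = False
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split(" ")
        kind = parts[0]
        if kind == "GOODSIG":
            good = True
            verdict.signer = " ".join(parts[2:])
        elif kind == "VALIDSIG":
            # Field 10 is the primary key fingerprint; field 1 may be a subkey.
            # Never key a lookup on the 16-hex key ID from GOODSIG: it is short
            # enough that colliding keys can be generated.
            verdict.fingerprint = parts[10] if len(parts) > 10 else parts[1]
        elif kind in FAILURE_KINDS:
            verdict.problems.append(kind)
    verdict.valid = good and bool(verdict.fingerprint) and not verdict.problems
    return verdict


def authenticate_signer(verdict: SignatureVerdict, registered_keys: dict):
    """Return the username owning the signing key, or None if not acceptable."""
    if not verdict.valid:
        return None
    return registered_keys.get(verdict.fingerprint.upper())


def verify_commit(repo_path: str, commit: str) -> SignatureVerdict:
    """Run git's own verifier and parse its raw status output (needs git + gpg)."""
    proc = subprocess.run(
        ["git", "-C", repo_path, "verify-commit", "--raw", commit],
        capture_output=True, text=True, check=False,
    )
    return parse_gpg_status(proc.stderr)


# --- constructed sample data (not real keys or output) ----------------------
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # made-up fingerprint
KEYID = FPR[-16:]                                  # long key ID = last 16 hex digits

REGISTERED_KEYS = {FPR: "alice"}                   # hypothetical user key table

GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] KEY_CONSIDERED {FPR} 0\n"
    f"[GNUPG:] GOODSIG {KEYID} Example User <user@example.com>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2024-01-01 1704067200 0 4 0 22 8 01 {FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG {KEYID} Example User <user@example.com>\n"
)
UNKNOWN_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] ERRSIG {KEYID} 22 8 01 1704067200 9 -\n"
    f"[GNUPG:] NO_PUBKEY {KEYID}\n"
)

if __name__ == "__main__":
    for name, text in [("good", GOOD_STATUS), ("bad", BAD_STATUS), ("unknown", UNKNOWN_KEY_STATUS)]:
        v = parse_gpg_status(text)
        print(name, v.valid, v.problems, authenticate_signer(v, REGISTERED_KEYS))
```

The TRUST_UNDEFINED line in the good sample is deliberate: a server verifying commits has no web of trust, so a signature from a key that GnuPG marks as untrusted is still acceptable provided the fingerprint is registered to the committing user, while a GOODSIG from an unregistered key is not.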