NH:STA S01E02 OpenPGP.js
Source: Dev.to
Introduction
This post is part of a series on our work for the Sovereign Tech Agency (STA). Our first post in the series explains why and how we are contributing to various open source projects.
About the project
OpenPGP.js is a pure, open‑source OpenPGP implementation written in JavaScript. Its main use‑case is enabling PGP workflows in web‑based email systems, but because JavaScript runs on almost all devices today, its utility is universal.
Our contributions
We started by introducing a fuzz testing suite to the project. Fuzz testing runs the code against a near‑infinite stream of generated and mutated inputs to uncover rare implementation bugs, which is crucial for security‑related software.
We then focused on making the project more approachable for new contributors by:
- improving the documentation for first‑time contributors
- adding a high‑level description of the project’s architecture
- enhancing the general contribution guidelines
Finally, we began migrating certain core modules from JavaScript to TypeScript to increase type safety in critical parts of the codebase.
Reflections from the team
What was the most surprising thing working on this project?
Alba: I’m not sure if it’s “surprising,” but I found their user documentation pleasantly thorough. I’d like to see more projects pay this level of attention to docs.
What was especially challenging about this project?
OpenPGP.js has been planning to release v6 for a long time, and our work got stuck in the middle because they asked us to base our contributions on the v6 branch. We needed to accommodate the project’s timelines.
Conclusion
In summary, we were able to play to our strengths, help a web‑based project, and build upon our work with Sequoia‑PGP. There is still a lot to be done on the OpenPGP.js project, and we hope to have another opportunity to contribute.
Find out more about the work we do by visiting the Neighbourhoodie Blog.