
NH:STF S01E01 Sequoia-PGP posted Wednesday, August 7, 2024 by The Neighbourhoodie Team

This post is part of our series on our work for the Sovereign Tech Fund (STF). Our introduction post explains why and how we are contributing to various Open Source projects.

Sequoia-PGP is an OpenPGP (Open Pretty Good Privacy) implementation in Rust. Its focus is on safety and correctness by using a memory-safe language. PGP has been the backbone for many encryption tasks for decades and this Rust implementation takes this ecosystem into the future.

While work on the core library is progressing at a good pace, the lead maintainers are also responsible for many ancillary tasks that are important for helping the rest of the world get on board. By relieving them of these tasks, we created space for the project to concentrate on what they do best: writing security software without distractions.

Our first task was to review the sequoia-git subproject. Sequoia-git builds on top of git and allows you to cryptographically verify that code changes you might incorporate into your software come from a trusted set of developers. We gave it a spin and presented the team with a comprehensive report on where we believe the tool could be improved in terms of setup, first run, documentation, error handling and overall usability.

Secondly, we developed a contributing guide for Sequoia-PGP from scratch. Open Source projects thrive on the contributions they receive, and constantly recruiting and onboarding new developers is a core requirement for any Open Source project maintainer. To make this easier on everybody, we ourselves became first-time contributors and wrote up everything we had to learn to get started. Now anyone who’d like to start helping out the project can follow in our footsteps and won’t require as much direct help from the current maintainers, so they can focus on other important tasks.

Next, we provided Sequoia-PGP with a modern frontend design and reusable styling. Our prime goal here was to produce a system that is easy to maintain for many years by people who are not primarily web developers. This led us to eschew many of the modern best practices designed for folks who do web development day in and day out: those tools often come with a high learning curve and have to receive regular updates. By going back to web development foundations and minimal tooling, we achieved a modern, more maintainable and better looking website for Sequoia-PGP. This again freed up significant time for the core maintainers while making the project more approachable for newcomers.

In addition to the successful completion of these milestones, this was also our very first project with the Sovereign Tech Fund and aside from working on the project itself we also established the project blueprint for all following projects. We thank the Sequoia-PGP team for their patience while we worked out the system as we went along.

Conclusion

In summary, we are very happy we managed to help Sequoia-PGP on a more sustainable path for their very important mission. We learned a lot about the OpenPGP ecosystem as a result, and as it turned out, not a moment too soon. Tune in next time when we cover our work on the OpenPGP.js project.