Big picture

sett - Characteristics

• End-to-end encryption (OpenPGP)
• Trust: (meta)data signing (OpenPGP)
• Data compression (gzip)
• Data integrity validation (sha256)
• Packaging: a single, self-contained file (zip)
• Transfer (sftp, s3)
• Cross-platform support
• CLI and GUI
• Interoperability with other tools

UX: Keep it easy!

Package structure

                  YYYYMMDDThhmmss.zip
                  ├── metadata.json
                  ├── metadata.json.sig
                  └── data.tar.gz.gpg
                      └── data.tar.gz
                          ├── content/
                          |   ├── [file1]
                          |   ├── [file2]
                          |   └── ...
                          └── checksum.sha256
                

                  {
                      "transfer_id": 42,
                      "sender": "AAABFBC698539AB6CE60BDBE8220117C2F906548",
                      "recipients": ["D99AD936FC83C9BABDE7C33E1CF8C1A2076818C3"],
                      "timestamp": "2020-01-29T15:31:42+0100",
                      "checksum": "...36da5d98a1dc6dceee21d62f694d71c4cf184",
                      "checksum_algorithm": "SHA256",
                      "compression_algorithm": "gzip",
                      "purpose": "PRODUCTION",
                      "version": "0.7"
                  }
                

                  ...d80a840a190ca997ad8044a67c4c1683f7b63 file1.csv
                  ...790a4f481bb49805e2d1f380df0c636792ff6 folder1/file.txt
                  ...6ef658502c9d0b05dd4a2185d0f94ccf165cf folder1/folder2/file.txt
                

Python 🐍

Support

• Linux (including CentOS 7 🤯 - EOL 2024-06-30), MacOS, Windows
• Python 3.7-3.11
• GnuPG 2.0.22 (EOL 2017-12-31 💣) - latest (with gpg-lite)

Lessons learned

• Cross-platform support is difficult, especially if none of the developers uses a given platform.
• Relying on packages installed separately (Python, GnuPG, Qt, glibc) adds a significant development cost and you'd better master them!
• App installation/upgrade is challenging to end users.

What can we do? 🤷‍♀️

1. Reduce the number of dependencies: GnuPG is the most problematic one!
2. Rewrite everything from scratch in JavaScript! Everything is a browser and the browser is the new OS.
3. Surgical replacement of specific workflows (encryption, transfer, decryption, OpenPGP key management) and/or user interfaces (CLI, GUI) in Rust.

Let's rewrite it in 🦀!

Reasons

• Portability
• Security
• Correctness: capture bugs earlier
• Ecosystem
• SequoiaPGP
• PyO3

Challenges

• Steep learning curve: you need an expert and a lot of motivation!
• In the transition period, both 🦀 and 🐍 codebases need maintenance.

SequoiaPGP

• A new OpenPGP implementation (GnuPG replacement)
• v1.0.0 released on 16th December 2020
• Library-first approach
• Active community, ready to help and attentive
• An ecosystem, e.g. sq, keys.openpgp.org

Python bindings

PyO3

Rust bindings for Python, including tools for creating native Python extension modules. Running and interacting with Python code from a Rust binary is also supported.

Maturin

Build and publish crates with pyo3, rust-cpython, cffi and uniffi bindings as well as rust binaries as python packages.

Repository Structure

• sett - the main lib+bin crate
• sett-rs - Python bindings to the main library

High-level API

Python bindings (sett-rs)

Maintenance

CI/CD 🦾

Releases 🚀

git-cliff can generate changelog files from the Git history by utilizing conventional commits as well as regex-powered custom parsers. The changelog template can be customized with a configuration file to match the desired format.

Separate releases for sett and sett-rs crates automated with a simple script.

Stay up-to-date

Renovate bot

What's next?

Performance improvements

Packaging and distribution 📦

• Easy (native) installer
• Self updater
• CLI and GUI in one executable

GUI

Tauri + Yew?

sett in a browser with WebAssembly?