Your message dated Fri, 11 Apr 2025 18:04:42 +0000
with message-id <[email protected]>
and subject line Bug#1076963: fixed in dino-im 0.5.0-1
has caused the Debian Bug report #1076963,
regarding dino-im: (security) defaults to insecure, padlock waaaay to subtle, people are getting stung by this!
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1076963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076963
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dino-im
Version: 0.4.2-1
Severity: normal
Tags: upstream
X-Debbugs-Cc: [email protected]
Control: forwarded -1 https://github.com/dino/dino/issues/971

Dino-im defaults to insecure. This is a terrible security issue
because users are being set up to expose sensitive information. The
padlock is grey, and when it’s unlocked there is only a very tiny gap
between the shank and the body, so it’s very hard to notice the
unlocked state before sending a message.

Then after sending a message, sometimes there is a red padlock and
sometimes just a grey checkmark. The red unlocked padlock has the same
problem as the grey unlocked padlock: very hard to notice that it’s
unlocked. It’s so hard to notice that I only discovered the problem
after *months* of unintentionally exposed chatter.

I am gutted. I’m also not the only one. Lots of people are getting
stung by this. The bug was reported upstream *4 years* ago. I am
reporting it here to make this bug loud and clear for other Debian
users in an effort to try to mitigate more people getting burnt.

These changes are essential:

① the default should be OMEMO or OpenPGP. Does not matter which, but
/unencrypted/ is a reckless default.

② there needs to be an option to force a loud popup warning that
interrupts all unencrypted transmission attempts. It should also
default to ENABLED. The pop-up should have a “don’t show me this
again” button so security-ambivalent users only see the nag once.

③ the padlock icon in the message entry field should be bigger.

④ the unlocked state should not just be a tiny gap between the shank
and the body; it should be rotated 180° so it’s more clear that it’s
in the open state.

⑤ the open state should never be red, green, blue, or grey. Yellow is
probably best, perhaps with a “☣” or “⚠” as well.

⑥ in fact, the unlocked padlock icon should be blinking. This would be
quite annoying for people who intend to have insecure comms, so the
blinking should probably be tied to the toggle option described in ②
above.

⑦ fix the inconsistent indicator on insecure messages. It should not
be just a checkmark sometimes and sometimes both a checkmark and an
unlocked padlock. In fact, the open padlock should be paired with
the word “unencrypted” spelled out next to it.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-28-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dino-im depends on:
ii  dino-im-common                  0.4.2-1
ii  libadwaita-1-0                  1.2.2-1
ii  libc6                           2.36-9+deb12u7
ii  libcairo2                       1.16.0-7
ii  libgcc-s1                       12.2.0-14
ii  libgcrypt20                     1.10.1-3
ii  libgdk-pixbuf-2.0-0             2.42.10+dfsg-1+b1
ii  libgee-0.8-2                    0.20.6-1
ii  libglib2.0-0                    2.74.6-2+deb12u2
ii  libgnutls30                     3.7.9-2+deb12u2
ii  libgpgme11                      1.18.0-3+b1
ii  libgraphene-1.0-0               1.10.8-1
ii  libgstreamer-plugins-base1.0-0  1.22.0-3+deb12u1
ii  libgstreamer1.0-0               1.22.0-2
ii  libgtk-4-1                      4.8.3+ds-2+deb12u1
ii  libgtk-4-media-gstreamer        4.8.3+ds-2+deb12u1
ii  libicu72                        72.1-3
ii  libnice10                       0.1.21-1
ii  libpango-1.0-0                  1.50.12+ds-1
ii  libqrencode4                    4.1.1-1
ii  libsignal-protocol-c2.3.2       2.3.3-3
ii  libsoup-3.0-0                   3.2.2-2
ii  libsqlite3-0                    3.40.1-2
ii  libsrtp2-1                      2.5.0-3
ii  libstdc++6                      12.2.0-14
ii  libwebrtc-audio-processing1     0.3-1+b1

Versions of packages dino-im recommends:
ii  ca-certificates         20230311
ii  dbus                    1.14.10-1~deb12u1
ii  fonts-noto-color-emoji  2.042-0+deb12u1
ii  network-manager         1.42.4-1

dino-im suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: dino-im
Source-Version: 0.5.0-1
Done: Martin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dino-im, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin <[email protected]> (supplier of updated dino-im package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Apr 2025 17:07:22 +0000
Source: dino-im
Architecture: source
Version: 0.5.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian XMPP Maintainers <[email protected]>
Changed-By: Martin <[email protected]>
Closes: 1076963 1093999
Changes:
 dino-im (0.5.0-1) unstable; urgency=medium
 .
   * New upstream version
     - defaults to OMEMO now (Closes:  #1076963)
     - does support webrtc-audio-processing >= 1 (Closes: 1093999)
   * Move build system from cmake+ninja to meson
   * Fix VERSION in About dialog
   * Do not rename binary "dino" to "dino-im" anymore
   * Use new set-install-rpath option
   * Recommend webp-pixbuf-loader
   * Use libomemo-c instead of libsignal-protocol-c
     [ Pirate Praveen <[email protected]> 2024-04-10 ]
   * Bump Standards-Version to 4.7.0 (no changes needed)
Checksums-Sha1:
 56133028e0d5c6e120396b8f8d521bd7f464f6ac 1951 dino-im_0.5.0-1.dsc
 6f4543766da4f69facd03c7e8310ea426896e80e 1002577 dino-im_0.5.0.orig.tar.gz
 99480e94f8bfa9b2123d51c651906819c8d1c0ec 866 dino-im_0.5.0.orig.tar.gz.asc
 5d747f958003adfb2ff3f46a0c42778ccbf7a714 8888 dino-im_0.5.0-1.debian.tar.xz
 7e4028bb6387acbbb2d0f0a09a04b23c97a630cc 19322 dino-im_0.5.0-1_amd64.buildinfo
Checksums-Sha256:
 49b7bbea3fed762bbeb6c19d22a9514b0d1057e069cba778a80be3651d04bf2b 1951 dino-im_0.5.0-1.dsc
 914e265faf56a5ff4ffc3b957df181222e5cacab6b5a744ed72696041bf5f0c1 1002577 dino-im_0.5.0.orig.tar.gz
 39f1019ca0ad55d4d6f500aa842b5ef9f8c0f301188324c76d28538f428d8938 866 dino-im_0.5.0.orig.tar.gz.asc
 309854f5c589eeb7a9b431d621e0fb80181436d2708c6430ed4eee93d6b6da03 8888 dino-im_0.5.0-1.debian.tar.xz
 8be1eb8f7b8e748b89f1b900f05ee534a91bb53edde05e293ba7a30329cb2eec 19322 dino-im_0.5.0-1_amd64.buildinfo
Files:
 80fdc3cdf0771e854abd7ce399451307 1951 net optional dino-im_0.5.0-1.dsc
 4d35e98629d878437fb289e8b609a74e 1002577 net optional dino-im_0.5.0.orig.tar.gz
 4e99b56555c072a0eb3905078483b7f2 866 net optional dino-im_0.5.0.orig.tar.gz.asc
 34ce42a7e23fd2f013c95f5f0f4ba678 8888 net optional dino-im_0.5.0-1.debian.tar.xz
 e8978b3e20a64db93329180e3e8b9fa0 19322 net optional dino-im_0.5.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSf2tN7CfkTuZaqhq20kOPfM38yEwUCZ/lUJgAKCRC0kOPfM38y
E7UbAP9BgCddKO3b8R7MH08j1hfam+9joNdSkxsCX51NXbTVmQEA1fkj82Te+qp8
qlRZUSEWfwkZTelL5x6vT60RsZJL1Qw=
=xP/7
-----END PGP SIGNATURE-----



--- End Message ---
