On Tue, Dec 16, 2014 at 8:46 PM, Jérémie Courrèges-Anglas
<j...@wxcvbn.org> wrote:
> viq <vic...@gmail.com> writes:
>
>> On Mon, Dec 15, 2014 at 12:41 AM, viq <vic...@gmail.com> wrote:
>>> http://sleekxmpp.com/
>>
>> And it usually works better with a tarball attached.
>
> I think - I don't use XMPP - that TLS certificate verification and SRV
> records processing are expected nowadays.  Thus I propose to make
> py-asn1-modules and dnspython hard requirements.  What do you think?

Yes, I was thinking of that, I'm for it.

> Here's an updated tarball that also applies the ${SETENV} ${MAKE_ENV}
> dance to do-test.

I'll have a look tomorrow, thanks.

>  Some tests are failing but their number seems to vary
> and to depend on timing.

Yes, that's what I've seen too.

> I'm a bit worried though about the thirdparty subdir: the gnupg.py file
> seems to be affected by the same issue as our py-gnupg package, which
> could use an update.  I don't know right now how problematic this CVE
> is.
>
>   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1927

Their site says:

As part of reducing the number of dependencies, some third party
modules are included with SleekXMPP in the thirdparty directory.
Imports from this module first try to import an existing installed
version before loading the packaged version, when possible.

So I guess it would make sense to make hard requirements of the
modules it has in there. And maybe even surgically remove that
directory to avoid accidents?
-- 
viq
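
An added example, not part of the original thread or of SleekXMPP's code: a small audit that, for a `thirdparty` directory like the one discussed above, reports which bundled modules would only be reached as a fallback because no installed version resolves. The function names and the sample file names in `demo()` are constructed for illustration.

```python
import importlib.util
import tempfile
from pathlib import Path


def audit_bundled(thirdparty_dir):
    """Map each bundled module name to 'installed' or 'bundled-fallback'.

    'installed': an import of that name resolves outside thirdparty_dir, so a
    try-installed-first import never reaches the bundled copy.
    'bundled-fallback': nothing else resolves, so the bundled copy is what runs.
    """
    root = Path(thirdparty_dir).resolve()
    report = {}
    for entry in sorted(root.iterdir()):
        if entry.name.startswith("_"):
            continue  # skip __init__.py, __pycache__ and private helpers
        if entry.is_dir() and (entry / "__init__.py").exists():
            name = entry.name
        elif entry.is_file() and entry.suffix == ".py":
            name = entry.stem
        else:
            continue
        spec = importlib.util.find_spec(name)
        origin = spec.origin if spec is not None else None
        # A spec whose file lives under thirdparty_dir is still the bundled copy.
        inside = bool(origin) and root in Path(origin).resolve().parents
        if spec is None or inside:
            report[name] = "bundled-fallback"
        else:
            report[name] = "installed"
    return report


def demo():
    """Run the audit on a constructed tree (file names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        tp = Path(tmp) / "thirdparty"
        tp.mkdir()
        # 'json' exists in the standard library, so the installed one wins.
        (tp / "json.py").write_text("# constructed bundled copy\n")
        # No installed module has this name, so the bundled copy would load.
        (tp / "constructed_absent_mod_x1.py").write_text("# constructed\n")
        return audit_bundled(tp)


if __name__ == "__main__":
    for module, status in demo().items():
        print(f"{module}: {status}")
```

Any name reported as `bundled-fallback` is a candidate for a hard dependency before the directory is removed from the package.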
