On Tue, Dec 16, 2014 at 10:11 PM, Landry Breuil <lan...@rhaalovely.net> wrote:
> On Tue, Dec 16, 2014 at 10:05:42PM +0100, viq wrote:
>> On Tue, Dec 16, 2014 at 8:46 PM, Jérémie Courrèges-Anglas
>> <j...@wxcvbn.org> wrote:
>> > viq <vic...@gmail.com> writes:
>> >
>> >> On Mon, Dec 15, 2014 at 12:41 AM, viq <vic...@gmail.com> wrote:
>> >>> http://sleekxmpp.com/
>> >>
>> >> And it usually works better with a tarball attached.
>> >
>> > I think - I don't use XMPP - that TLS certificate verification and SRV
>> > records processing are expected nowadays. Thus I propose to make
>> > py-asn1-modules and dnspython hard requirements. What do you think?
>>
>> Yes, I was thinking of that, I'm for it.
>
> Totally. running plaintext xmpp those days on the interweb would be
> insane.
>
>> > Here's an updated tarball that also applies the ${SETENV} ${MAKE_ENV}
>> > dance to do-test.
>>
>> I'll have a look tomorrow, thanks.
>>
>> > Some tests are failing but their number seems to vary
>> > and to depend on timing.
>>
>> Yes, that's what I've seen too.
>>
>> > I'm a bit worried though about the thirdparty subdir: the gnupg.py file
>> > seems to be affected by the same issue as our py-gnupg package, which
>> > could use an update. I don't know right now how problematic this CVE
>> > is.
>> >
>> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1927
>>
>> Their site says:
>>
>> As part of reducing the number of dependencies, some third party
>> modules are included with SleekXMPP in the thirdparty directory.
>> Imports from this module first try to import an existing installed
>> version before loading the packaged version, when possible.
>>
>> So I guess it would make sense to make hard requirements of the
>> modules it has in there. And maybe even surgically remove that
>> directory to avoid accidents?
>
> That sounds like the sanest idea here.

Here's an updated version, cutting out all bundled libs except
StateMachine and adding explicit dependencies on the ports I just
sent. Works for the simple task I started looking at it for, namely
http://sleekxmpp.com/getting_started/sendlogout.html - haven't tested
beyond that.

--
viq
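
An added example, not part of the thread or of SleekXMPP's code: a small audit a porter could run over a bundled-libs directory to see which modules would silently fall back to the packaged copy (and so need a hard dependency before the directory is removed). The function names and the temporary `thirdparty` tree with `zz_constructed_missing_lib` are constructed for illustration.

```python
import importlib.util
import os
import tempfile


def bundled_modules(thirdparty_dir):
    """Top-level module names shipped inside a bundled-libs directory."""
    names = set()
    for entry in os.listdir(thirdparty_dir):
        path = os.path.join(thirdparty_dir, entry)
        if entry.endswith(".py") and entry != "__init__.py":
            names.add(entry[:-3])
        elif os.path.isfile(os.path.join(path, "__init__.py")):
            names.add(entry)
    return sorted(names)


def audit(thirdparty_dir):
    """Classify each bundled module by what an import-with-fallback would load."""
    root = os.path.realpath(thirdparty_dir) + os.sep
    report = {}
    for name in bundled_modules(thirdparty_dir):
        # find_spec searches sys.path only; the bundled dir is not on it.
        spec = importlib.util.find_spec(name)
        origin = os.path.realpath(spec.origin) if spec and spec.origin else ""
        if spec is not None and not origin.startswith(root):
            report[name] = "installed"         # system copy wins
        else:
            report[name] = "bundled-fallback"  # packaged copy would load
    return report


def demo():
    """Constructed tree: one module the system has, one it lacks."""
    with tempfile.TemporaryDirectory() as tmp:
        third = os.path.join(tmp, "thirdparty")
        os.makedirs(os.path.join(third, "json"))
        open(os.path.join(third, "json", "__init__.py"), "w").close()
        open(os.path.join(third, "zz_constructed_missing_lib.py"), "w").close()
        open(os.path.join(third, "__init__.py"), "w").close()
        return audit(third)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Every `bundled-fallback` entry is a module whose packaged copy would be the one actually imported on that machine, which is the case the thread wants to rule out by depending on the port instead.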