Dear Developers, I learnt about Ring when it first appeared on F-Droid and I have instaled it for a few days now. I also saw your presentation at FOSDEM yesterday morning. Thus, I think I can write I know *something* about Ring, enough to share some comments.
In the Android app as well as in Gnome front-end I miss an online/offline switch and a connection indicator I got used to in every IM application. As an advanced user I also miss a kind of advanced stats/info screen and en event log (see Orbot). I know I will probably find this info via adb/logcat but from time to time I'd like to see some details even without a PC. If you say Ring is in alpha stage you may consider adding a bug reporting buttone. As far as I am concerned an e-mail template shared via an e-mail app is enough. The template may contains some questions for a user to answer like: what happened? how to reporoduce it? etc. as well as some information dumped from the app version, IP type (public, RFC1918) you name it. First "bug" I have spotted is no notification about incoming (out of connection) text messages (at least I think there was no). With regard to "ooc" text messages I'd like Ring to behave like an ordinary SMS application. Moreover, you might consider writing actually two front-ends, one that acts as a dialer and the other to replace a messaging (SMS/MMS app) supporting of course those legacy transports. At the moment I use SMSSecure[1] which supports encryption over SMS/MMS transports. You might consider working wtith SMSSecure developers to add the Ring transport to their app. That's more or less UX. Now, allow me to make some technical remarks. From my side I'd like to make two statements: 1) I haven't read the source yet of neither part of Ring. 2) I am neither crypto not security specialist. During your presentation I found no information about IPv6 support although there was a lengthy part about NAT traversal techniques. IPv6 isn't very popular yet but it is what brings end-to-end Internet communication back to mere mortals. If Ring supports communication over IPv6 then I'd like to see it in the "advanced stats" (see above) and possibly choose (in "advanced settings") whether to use/advertise IPv4/IPv6 addresses. Some IPv6 adresses are considerd local and shouldn't be advertised anyway like RFC1918 in IPv4. On the other hand some clients might choose to advertise them anyway. User-configurable set of rules may be a solution here. Crypto "questions" I have found in Ring. Are you sure SHA-1 is good enough? NIST recommends transition to SHA-2 family of hash functions[2] and software developers follow this recommendation, GnuPG being a notable example. Have you considered public key algorithms other than RSA? You have mentioned embedded devices as one of your targets and RSA isn't the most efficient algorithm resource-wise. Elliptic curves with their short keys seem to be a good choice nowadays. Both OpenSSH and GnuPG either use today or are introducing usage of Daniel Bernstein's Curve25519. It has several nice features: short 32-bytes keys, very simple key generation procedure, fast constant time implementation available/possible. [1] https://github.com/SMSSecure/SMSSecure [2] http://csrc.nist.gov/groups/ST/hash/statement.html Kind regards, -- Łukasz Stelmach z podróży _______________________________________________ Ring mailing list [email protected] https://lists.savoirfairelinux.net/mailman/listinfo/ring
