[Bug 296867]
*** This bug is a duplicate of bug 1616956 *** https://bugs.launchpad.net/bugs/1616956 "[Bug 296867] Re: Empathy needs to support OTR encryption" Sebastian Schlatow doc -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: Empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: Empathy needs to support OTR encryption
*** This bug is a duplicate of bug 1616956 *** https://bugs.launchpad.net/bugs/1616956 Could someone explain how OTR request is duplicate of OMEMO request? As far as I am aware, Empathy supports multiple instant messaging protocols which all support OTR as it's not tied to any specific protocol. On the other hand OMEMO is XMPP-only and not yet formalized XMPP extension, so by considering this as a duplicate I believe users of those other protocols are left without option for end-to-end encryption. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: Empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: Empathy needs to support OTR encryption
*** This bug is a duplicate of bug 1616956 *** https://bugs.launchpad.net/bugs/1616956 ** Summary changed: - empathy needs to support OTR encryption + Empathy needs to support OTR encryption ** Tags added: otr ** Tags added: messaging ** This bug has been marked a duplicate of bug 1616956 Empathy needs to support OMEMO encryption -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: Empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
** Tags removed: 14.04 ** Tags added: yakkety -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
> Maybe no one wanted to spend time on this feature for a good reason. Mostly no one wanted to spend time on this because development on Telepathy stalled in 2014. It was largely being maintained by Collabora, and their funding dried up. I do have the ability to merge code to telepathy, but I don't have time to work on a feature this complex. Someone else will need to volunteer to implement this. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
KDE Telepathy has an implementation of OTR, There's a proxy component that handles adding/removing the encryption before passing it to the chat window. It's in https://quickgit.kde.org/?p=ktp-common-internals.git=tree There's also some UI level code in https://quickgit.kde.org/?p=ktp-text- ui.git=tree A quick skim of the #includes suggests otr-proxy mostly just depends on TelepathyQt and not strongly on other KDE telepathy components. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to Luke from comment #107) > I am now uninterested and > have stopped using most GNOME telecommunication products completely due to > lack of documentation and security. ¯\_(ツ)_/¯ 1) GNOME is a destkop has nothing to do with communication, you can install any application under gnome 2) GNOME is open-source software not a product >From dictionary product - "an article or substance that is manufactured or refined for sale" 3) There is plenty of documentation 4) Major part of open-source software is a contribution developed by people in their spare time 5) I believe it's of very minor importance what you use or not, or do in your life for the people signed up for this bug issue Maybe no one wanted to spend time on this feature for a good reason. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Worth mentioning that Xavier Claessens's never implemented patch is now likely vulnerable anyway... https://www.helpnetsecurity.com/2016/03/10/critical-bug-libotr-open-users-chatsecure-adium-pidgin-compromise/ Upstream libotr has already addressed the vulnerability, so any attempts at this should be sure to implement the latest version without the memory bug. @Andre Klapper: All I asked for was a quick tutorial on how to build it. However, as the years have continued to go by, I am now uninterested and have stopped using most GNOME telecommunication products completely due to lack of documentation and security. ¯\_(ツ)_/¯ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
I don't think that OTR and OMEMO are mutually exclusive in any way. Besides, looking at the bug age it doesn't seems like there are much of efforts which could be "focused" anyway. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
I would like to point everyone to this bug that I just opened https://bugs.freedesktop.org/show_bug.cgi?id=93090 It seems there is a better alternative to OTR now, called OMEMO. Maybe the focus should be on implementing that, rather than OTR. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
** Bug watch added: freedesktop.org Bugzilla #93090 https://bugs.freedesktop.org/show_bug.cgi?id=93090 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
"it doesn't work" is too vague plus Bugzilla is not a support forum for general software development question. There are many pages out there which explain how to compile software... Thanks for your understanding. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
** Changed in: libtelepathy Importance: Wishlist => Critical -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
@Xavier: Can't you provide us, at very least, a small tutorial showing how to compile this with the latest empathy build? Because it doesn't work. If not - I donated years ago for this to be implemented, so I'll want my money back. :P -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
No idea - I've long migrated to software which cares enough about security not to have critical bugs opened for 5 years. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Anyone still working on getting this into released empathy ? Thanks, -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
In regards to my previous comment. I discovered enable-otr is in /src/connection.c, once you get the right branch... git clone git://people.freedesktop.org/~smcv/telepathy-gabble git checkout untested-otr I also tried setting the default FALSE option to TRUE. Still OTR doesn't work for me, perhaps empathy also needs to be patched (instead of just gabble). However Xaivers empathy branch no longer runs properly on my system due to changes in gtk, so I am unable to test the older version. So, that's as far as I made it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to Xavier Claessens from comment #99) You probably want python2. Build just fine on ubuntu 15.04, it just has a warning for a deprecated gnutls function, but you can ignore that with --disable-Werror (or make a fix). sudo apt-get build-dep telepathy-gabble ./autogen.sh --disable-Werror make make install I can confirm it compiles after fixing the depreciated function and forcing the Makefile to use python2.7 followed by making it read-only (keeps trying to put 3.4 in there). So after I ran the make install I started up empathy, but was unable to use /otr start. It claims command is not found. I then read this: You need to set enable-otr=true in your CM parameters, otherwise OTR is disabled No idea what a CM parameter is or where to set it, so I ran grep on all the files. Nothing says enable-otr. Can someone clarify where to put that line? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
You probably want python2. Build just fine on ubuntu 15.04, it just has a warning for a deprecated gnutls function, but you can ignore that with --disable-Werror (or make a fix). sudo apt-get build-dep telepathy-gabble ./autogen.sh --disable-Werror make make install -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to JKAbrams from comment #93) What is the status of this project? Is it dead? More like (deliberately?) ignored. When most all the work is done, and working patches exist you have to wonder... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
There are patches, there are review comments, and 55 subscribers to this bug. If only one of you could just work on it instead of complaining... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
In the year 2015, this should have priority highest not medium (and certainly not ignore). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 296867]
Xavier, I'm happy to pay you now. PayPal to email? Sam On 2 Jun 2015 21:01, Xavier Claessens xclae...@gmail.com wrote: There are patches, there are review comments, and 55 subscribers to this bug. If only one of you could just work on it instead of complaining... -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
See comment #81 for the few items missing. As far as I'm concerned it can be merged if someone just fix those, and it's close to trivial to do IIRC. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to Xavier Claessens from comment #97) See comment #81 for the few items missing. As far as I'm concerned it can be merged if someone just fix those, and it's close to trivial to do IIRC. Seeing as the compile process isn't well documented, it's very confusing for newcomers. If you'll also note, someone else asked if you could provide some build instructions on your blog post to help compile it. From what I've managed to figure out so far, with some hours of trial and error... git clone git://people.freedesktop.org/~smcv/telepathy-gabble --single-branch untested-otr cd untested-otr/ sh autogen.sh cd lib/ext/wocky sh autogen.sh make cd ../../.. cd src sed -i.bak s/#define \_BSD_SOURCE/#define \_DEFAULT_SOURCE/g ft-manager.c cd .. cd tools sed -i.bak s/xrange/range/g xincludator.py //give up at this point since this project has tons of Python3 bugs I need to research... //then presumably// ./configure make install -- -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 296867] Re: empathy needs to support OTR encryption
How will this be marked as complete on freedomsponsors? How do we pay Xavier? Sam On Tue, Jun 2, 2015 at 2:32 PM, G4JC 296...@bugs.launchpad.net wrote: Just so everyone knows, this has been completed quite some time ago via a bounty developer on FreedomSponsors. However, upstream is furiously continuing to ignore the patch and keep their users insecure. Source of upstream stupidity: https://bugs.freedesktop.org/show_bug.cgi?id=16891#c46 Read More about how the patch was made: https://freedomsponsors.org/issue/333/telepathy-should-support-otr-encryption PoC working patch: https://launchpad.net/~zdra/+archive/ubuntu/otr -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
Just so everyone knows, this has been completed quite some time ago via a bounty developer on FreedomSponsors. However, upstream is furiously continuing to ignore the patch and keep their users insecure. Source of upstream stupidity: https://bugs.freedesktop.org/show_bug.cgi?id=16891#c46 Read More about how the patch was made: https://freedomsponsors.org/issue/333/telepathy-should-support-otr-encryption PoC working patch: https://launchpad.net/~zdra/+archive/ubuntu/otr -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
Ick! If telepathy makes doing OTR securely impossible, that's very bad news. We should lobby to remove Empathy and telepathy from Debian stable and Ubuntu then. OTR is critical post Snowden. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
As good as dead if you care about security. Luckily there are plethora of alternatives out there with OTR support. See http://otr.im for details. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
What is the status of this project? Is it dead? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #91) Realization of the first three points would require adding a new interface to gabble. I imagine it as an extension of connection interface providing settings individually for every account. Would using gdbus codegen just like in case of the currently implemented otr channel be acceptable here? You could make it go next to the Connection just like Xavier's code produces an object next to the Channel, yes. (Unfortunately, the fact that, in general, telepathy-glib uses the deprecated dbus-glib instead of GDBus is not going to get fixed, unless someone with a lot more time available than me picks it up. See the various Telepathy 1.0 bugs for details.) I suppose that adding these features would mean some major changes in the current implementation which is completely closed in the channel interface. Making behind-the-scenes C function calls between the Connection and Channel objects is fine. There are also things that need to be fixed as stated above: ... I understand that they have to be done first before introducing new changes? Yes, I think that would be better than hoping they will be fixed later. I consider those fixes to be merge blockers for these branches, because I don't want to add an interop and security feature that, on closer inspection, turns out to be non-interoperable or insecure :-) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Hi I am currently working on OTR support for KDE Telepathy. There are some features we would like to have: - otr policy settings - a way to generate a new private key for account - possibility to manage known fingerprints (trust/distrust) - two additional ways of peer authentication (shared secret and question-answer) Realization of the first three points would require adding a new interface to gabble. I imagine it as an extension of connection interface providing settings individually for every account. Would using gdbus codegen just like in case of the currently implemented otr channel be acceptable here? I suppose that adding these features would mean some major changes in the current implementation which is completely closed in the channel interface. There are also things that need to be fixed as stated above: Still to do: * testing (in particular, send lt; and a message that resembles HTML in both directions between Empathy and Pidgin, and check that neither is misinterpreted) * review from someone who understands libotr * string-only handling of fingerprints (emit strings to D-Bus, parse hex - binary when asked to trust a fingerprint from D-Bus) I understand that they have to be done first before introducing new changes? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
As far as I understood it can used with gnome-chat or whatever client using telepathy library - once it's upstreamed of course. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #88) As far as I understood it can used with gnome-chat or whatever client using telepathy library - once it's upstreamed of course. Ah, that's great! Also, why was it necessary to make it protocol- specific? OTR is supposed to be useful for any sychronous messaging -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #87) Why is the patch protocol-specific? Telepathy does not have any central point where OTR can be done for all protocols and all UIs simultaneously. We can either do it once per protocol backend, or once per UI. Once per UI would break the ability to log OTR messages or have them appear correctly in more than one UI (e.g. both Empathy and GNOME Shell). Every attempt at implementing OTR in Telepathy has had the plan to do it once per protocol backend; this implementation is no different. In practice, like most new features, everyone prototyped it in the XMPP protocol backend first, because that's the one that works best. I think the approach that is most likely to yield results in a finite time is to get the XMPP implementation high-quality and mergeable first, then expand to the other protocols; then any implementation mistakes in the first implementation will hopefully not be repeated, and the rest will be a simple matter of pretty much what Gabble did. Using a library for common code, or adding functionality to libotr, would be fine too, but that's an implementation detail. Anyone interested in this could add similar glue to telepathy-haze to cover the various proprietary protocols (AOL, etc.). It might have seemed more natural to go for -haze first, but -haze uses libpurple, which is not really designed for things that aren't shaped like Pidgin, so it can be awkward to get right and doesn't make a great place for prototyping. The missing protocol backends after that would be telepathy-salut for link-local XMPP, telepathy-idle for IRC, and telepathy-rakia for SIP. I think it'd make sense to do -haze and maybe -salut. I'm not sure -idle or -rakia is necessarily worthwhile, but if people do use OTR on those protocols in practice, sure, why not. (In reply to comment #87) Would it be possible to use the same code for the new gnome-chat application which will likely replace Empathy? The majority of the glue between Telepathy and libotr (as exemplified here by patches to Gabble), and the design: yes, it lives in the protocol backend(s). The UI: no, the UI code in Empathy is specific to Empathy. gnome-chat would need to provide a way to enable/disable OTR and mark fingerprints as trusted, and to be properly secure, it would need to display the notifications from libotr in a way that cannot be spoofed by contacts. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Why is the patch protocol-specific? Would it be possible to use the same code for the new gnome-chat application which will likely replace Empathy? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #83) I did manage to start a session using Xavier's branch but noticed the following bug: - Start an OTR session between Empathy and Pidgin - In Pidgin using the OTR menu pick End private conversation - Try sending a message from Empathy. The message doesn't reach Pidgin and this error is displayed: Your message was not sent because cassidy-te...@jabber.belnet.be closed their connection. Either close your private connection, or refresh it. It's not a bug, it's a feature. User must acknoledge that he's not in private chat anymore by typing /otr stop or /otr start. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #83) I did not manage to start an OTR session with this branch. The '/otr start' command was displaying OTR:$blob in empathy-chat. You need to set enable-otr=true in your CM parameters, otherwise OTR is disabled in Simon's branch. There is magic mc-tool command for that, did not try yet. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #76) 1) handle html, I'm not sure to understand what you mean or why it is that important... Maybe you can make the changes that you want? Looking into it. The more important direction (don't send plain text where HTML is expected, so that parts of messages that happen to look a bit like html tags aren't silently ignored) is easy, it just needs g_markup_escape_text(). The other direction (don't send HTML where plain text is expected) is more difficult, but libxml should be able to do it; and if we don't, the failure mode is that a user sees HTML markup instead of plain text, which isn't *so* bad. 2) Find a solution if we don't want the other end to be able to initiate an OTR session without approving it first. I think a CM parameter is the only way to do this. It'll work for MC- stored accounts (which includes all Haze accounts and all unbranded accounts like generic Jabber/IRC, even if GOA is used), and for UOA- stored accounts. I agree that GOA's account parameter storage limitations mean it won't work for GOA-stored Google Talk or Facebook accounts, or GOA-stored Windows Live accounts in the unlikely event that Microsoft bring back their XMPP bridge. If you want communications privacy, Google and Facebook are probably not the ideal option anyway... and that GOA issue is not something that Telepathy can fix in any case. 3) Fix string spelling. Maybe you can patch them yourself, as I'm not native? :) Sure. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #58) + type=(say) access=read Are these literally the hex and binary versions of the same digest, or do they have different information content? (Or is the string version some OTR-specific thing that is easier to transcribe than hex?) I'm not particularly happy about this type duplicating the information: whenever there's duplication, there's the possibility that the duplicates don't agree. I can see why you did it, though - the OTR library doesn't seem to have a function to convert a human-readable digest back into binary (although we could easily write one), so you currently need the binary digest in order to set trust. If possible I'd prefer to stick to one encoding or the other, consistently - either always a string (which I think is what I'd prefer), or always a byte-array. At the moment we only put the string form in message headers, not the byte-array. I'm tempted to implement a function to turn the string into binary (decode hex, ignore whitespace, report an error unless it has exactly 40 hex digits) and just use strings throughout. I think it would also be useful to spec that one of the forms of the remote fingerprint will appear in the message header (0'th part) of each individual message, perhaps { otr-remote-fingerprint: a string }. That would make it easy for someone to do either of these things in a race-condition-free way: * record in the Logger that the messages were encrypted/verified * give the Logger a configuration setting [ ] do not log OTR messages (which it would recognize by seeing that they have an OTR remote fingerprint You added otr-sender-fingerprint to received messages. I think we should also add a fingerprint to messages that were sent during an OTR session, so that we can associate the logged session with the fingerprint (or avoid logging them at all), too. For now I'm changing it to otr-remote-fingerprint, because that's always the easier one to get - we could use otr-sender-fingerprint and otr- recipient-fingerprint if there's some reason that's better, but just having one seems easier. (In reply to comment #50) Could we also get a config option that turns this whole feature on/off? Still needed, IMO. (In reply to comment #61) I would really like im-channel to implement o.fd.Telepathy.Securable Non-blocker but still desirable. Given what I said in Comment #78, I think we can set Encrypted when OTR is active, but we can't set Verified in any case, because the thing that Securable says we Verified (that the key with which we're encrypting belongs to the contact identified by the Channel's Target_ID) does not seem to be what OTR actually verifies. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Security issue: it isn't at all clear to me what trust means here. In something like GPG or SSL, the trusted assertion is the key whose fingerprint is ...63c7cc90 is controlled by 'Simon McVittie simon.mcvit...@collabora.co.uk' or the key whose fingerprint is ... is controlled by the administrators of bugs.freedesktop.org - it binds a key to a somewhat human-comprehensible identity (name and email address, or domain name). I would have automatically assumed that the same was true in OTR - binding a key fingerprint to a JID (or whatever else the identifier is, in non-XMPP protocols) - but that doesn't seem to be happening here. Instead, we're saying I trust this fingerprint but it isn't clear what property of the fingerprint we're trusting. In particular, we don't seem to be binding a fingerprint to a JID. Concretely, suppose I talk to xavier.claess...@collabora.co.uk and you present key ID 12345678 [1]. I verify out-of-band that that is really your key ID (perhaps by phoning you or receiving GPG-signed email) and mark it as trusted. Next, I talk to guillaume.desmot...@collabora.co.uk who presents key ID fedcba98, and again, I mark it as trusted. Now Guillaume hijacks your XMPP account, and when I next try to talk to you, Guillaume presents key ID fedcba98. I have trusted that key, so my UI doesn't indicate that anything is wrong - but it isn't your key, it's Guillaume's! How does OTR typically deal with this situation? Do OTR users memorize key IDs and ignore the JIDs and contact names presented by the UI, or does the Pidgin OTR plugin store pairs (JID, key ID) and warn the user if an unexpected pairing is found, or does trust here mean I trust this person not to impersonate any of my other contacts? [1] in real life the key ID would be longer than that, but you get the idea -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #78) In particular, we don't seem to be binding a fingerprint to a JID. On closer inspection of libotr, it seems we are indeed binding a (remote username, local account name, protocol) tuple to a fingerprint; the API just doesn't make that obvious. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
fp_data = g_variant_get_data (fp_variant); fp = otrl_context_find_fingerprint (context, (guchar *) fp_data, 0, NULL); I'm still considering use string fingerprints with error-checking to be a merge blocker, because I don't think this code is OK for the case where fp_data has length != 20 bytes. I think TrustFingerprint(DEADBEEF) should raise InvalidArgument, whereas TrustFingerprint(12345678 12345678 12345678123456781234578) (with any whitespace) should work. If you strongly prefer the binary encoding, I'd be OK with making TrustFingerprint([a number of bytes other than 20]) an InvalidArgument, but I think string fingerprints are going to be nicer to deal with. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
I've made most of the changes I wanted but haven't had time to test them yet. Use at own risk: http://cgit.freedesktop.org/~smcv/telepathy-gabble/log/?h=untested-otr Still to do: * testing (in particular, send lt; and a message that resembles HTML in both directions between Empathy and Pidgin, and check that neither is misinterpreted) * review from someone who understands libotr * Empathy: make sure OTR notifications are presented in a way that peers cannot fake. Because Empathy doesn't support HTML messages yet, distinctive formatting would be enough. * string-only handling of fingerprints (emit strings to D-Bus, parse hex - binary when asked to trust a fingerprint from D-Bus) Nice to have, but not blockers: * TPAW UI for the enable-otr boolean parameter (for now, early adopters can turn it on with mc-tool - but I think real UI *is* a blocker for switching the default to be enabled) * Chan.I.Securable.{Encrypted,Verified} integration * enable-opportunistic-otr boolean parameter, and UI for the same (it will end up looking very similar to enable-otr, but with different handling in im-channel*.c) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #81) I've made most of the changes I wanted but haven't had time to test them yet. Use at own risk: http://cgit.freedesktop.org/~smcv/telepathy-gabble/log/?h=untested-otr I did not manage to start an OTR session with this branch. The '/otr start' command was displaying OTR:$blob in empathy-chat. I did manage to start a session using Xavier's branch but noticed the following bug: - Start an OTR session between Empathy and Pidgin - In Pidgin using the OTR menu pick End private conversation - Try sending a message from Empathy. The message doesn't reach Pidgin and this error is displayed: Your message was not sent because cassidy-te...@jabber.belnet.be closed their connection. Either close your private connection, or refresh it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #83) I did manage to start a session using Xavier's branch but noticed the following bug: - Start an OTR session between Empathy and Pidgin - In Pidgin using the OTR menu pick End private conversation - Try sending a message from Empathy. The message doesn't reach Pidgin and this error is displayed: Your message was not sent because cassidy-te...@jabber.belnet.be closed their connection. Either close your private connection, or refresh it. Fwiw, I think I've seen the same message in pidgin when chatting with an adium user who closed the conversation window or something like that. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #54) trust_level_to_str(): I'd mention encrypt using OTR to be clearer and avoid confusion my server encryption. Fixed. return _(The conversation is currently unencrypted.); I'd say unencrypted with OTR to stay coherent and crystal clear. Your branch looks good to me. I'm fine merging it to Empathy master as soon as the Gabble branch lands. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
From a (very) quick look on the Gabble branch, it seems that all the channel messages are now sent through OTR (if built with it), even when it has not been activated. Is that really what we want? Also, shouldn't we use it only for contact channels? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #56) From a (very) quick look on the Gabble branch, it seems that all the channel messages are now sent through OTR (if built with it), even when it has not been activated. Is that really what we want? Yes, that's what pidgin-otr does as well. That's because all received messages needs to be parsed by OTR first because it will catch message starting with ?OTR? because when receiving that it means the other side wants to start an OTR session. In that case the message is considered as internal OTR protocol message and it returns ignore=true so we don't dispaly that to the user. We could avoid passing sending messages to OTR when session is not started indeed. I didn't do that because OTR will just return a copy of the initial message so it doesn't change anything (just wasting CPU cycles), and I prefer not adding any conditions to make damn sure we never have the case where we send something that didn't got encrypted first. Also, shouldn't we use it only for contact channels? I don't think OTR can be used on MUC, or at least that's out of scope for now. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Implementation in Gabble: + /* FIXME: There should be no sender for a notification, but setting handle to + * 0 makes empathy crash atm. */ + tp_message_mixin_take_received (G_OBJECT (self), + tp_cm_message_new_text (base_conn, + tp_base_channel_get_target_handle (base_chan), + TP_CHANNEL_TEXT_MESSAGE_TYPE_NOTICE, text)); Is this a message from the OTR library, something like *** Verified peer fingerprint: b...@example.com ***? I think using the target handle for this is OK semantically. However, I suspect remote users can spoof this by sending their own NOTICE. Messages coming from the OTR library should have a distinctive message header that an OTR-literate UI can take as evidence that they were locally-generated. Ideally, that distinctive message header should be a machine-readable version of the message, so OTR-literate UIs (Empathy) can discard the untranslated version from Gabble and display something translated. We've always had a policy of putting UI strings and their translations in the UIs, not the CMs. + return g_variant_new ((s@ay), display_fp, + g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, fp_raw, 20, ... + guchar our_fp_raw[20]; The magic number 20 makes me nervous. Isn't there a constant for length of a raw OTR fingerprint in bytes in libotr? If there really isn't, #define'ing our own would be better than nothing. +static void +otr_inject_message (void *opdata, + const gchar *accountname, + const gchar *protocol, + const gchar *recipient, + const gchar *message) +{ + inject_message (opdata, message); +} Is @message text/plain or text/html? Telepathy can only do text/plain at the moment, so if it's text/html, we need to strip tags, then unescape entities (stuff;). +static gint +otr_max_message_size (void *opdata, + ConnContext *context) +{ + return 0; +} We should probably give some guess at what's generally interoperable. + msg = otrl_proto_default_query_msg (get_self_id (self), OTRL_POLICY_DEFAULT); Do we need to update what otr_policy() would return here, too? + bus_name = g_strconcat (tp_base_connection_get_bus_name (base_conn), + .OTR, NULL); I suppose this isn't *so* bad, but the spec should tell the API user where to find this name. + content = wocky_node_get_content_from_child (node, body); + + err = otrl_message_sending (userstate, ui_ops_p, self, + get_self_id (self), xmpp, get_target_id (self), + priv-instag, content, NULL, new_content, + OTRL_FRAGMENT_SEND_ALL_BUT_LAST, NULL, + NULL, NULL); Does otrl_message_sending() expect @content to be text/plain or text/html? If it expects text/html, we need to escape special characters with g_markup_escape_text(). Similarly, is @new_content text/plain or text/html? If text/html, we need to strip tags and unescape entities. +gchar * +gabble_im_channel_otr_receiving (GabbleIMChannel *self, + const gchar *content) Same here. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Just doing the spec right now: The extra DBus channel interface is implemented using GDBus so it needs to be exported on a different bus name. Ugh. Can we not do strange hacks like this, please? Either use the extensions mechanism, or save it for 1.0. + interface name=im.telepathy.v1.Channel.Interface.OTR1 + tp:causes-havoc=experimental + tp:added version=Gabble 0.UNRELEASED(Gabble-specific)/tp:added If doing this in 0.x, please use o.fd.Channel.Interface.OTR1 and add it to telepathy-spec (OK to go via extensions/ until we do the spec - tp- glib dance, though). In 1.0, certainly add it to the spec. + A simple D-Bus API a + href=https://otr.cypherpunks.ca/;Off The Record/a. ... API for a... + pThe current trust level of this channel: + 0=TRUST_NOT_PRIVATE, 1=TRUST_UNVERIFIED, 2=TRUST_PRIVATE, + 3=TRUST_FINISHED/p This deserves a tp:enum and documentation. I assume the meanings go something like this: TRUST_NOT_PRIVATE: not using OTR at all? (Can we also see this when using OTR but something has gone wrong?) (o.fd.Channel.I.Securable.Encrypted=FALSE, o.fd.Channel.I.Securable.Verified=FALSE) TRUST_UNVERIFIED: the channel is encrypted, but you might be talking to a man-in-the-middle instead of the peer you expected. (o.fd.Channel.I.Securable.Encrypted=TRUE, o.fd.Channel.I.Securable.Verified=FALSE) TRUST_PRIVATE: the channel is encrypted, and the user has indicated that the peer's key fingerprint is trusted to belong to that peer. (o.fd.Channel.I.Securable.Encrypted=TRUE, o.fd.Channel.I.Securable.Verified=TRUE) TRUST_FINISHED: this channel is over, nothing more should be sent or received on it. (o.fd.Channel.I.Securable.Encrypted and o.fd.Channel.I.Securable.Verified keep their previous values?) What are the possible state transitions? I assume can only increase? + type=(say) access=read + pUser's current fingerprint. The first element is a human readable + fingerprint that can be displayed to the user so he can communicate it + to the other end by other means so he can trust it. The 2nd element is + the fingerprint raw data./p Are these literally the hex and binary versions of the same digest, or do they have different information content? (Or is the string version some OTR-specific thing that is easier to transcribe than hex?) + property name=RemoteFingerprint + tp:name-for-bindings=Fingerprint + type=(say) access=read + tp:docstring xmlns=http://www.w3.org/1999/xhtml; What value does this take when the channel is not using OTR? ('', [])? When we're in the UNVERIFIED state, am I right in thinking that we are cryptographically guaranteed to have the right fingerprint for who we're talking to, but the thing that is unverified is that the fingerprint belongs to the person we wanted to talk to? (i.e. if we're talking to a man-in-the-middle, this would be the fingerprint of the man-in-the- middle's key, right?) Is it possible for this to change? (Presumably from ('', []) to non- empty, at the same time that the trust changes to UNVERIFIED or PRIVATE?) After this has become non-empty, can it change further? (I would hope not.) I think it would also be useful to spec that one of the forms of the remote fingerprint will appear in the message header (0'th part) of each individual message, perhaps { otr-remote-fingerprint: a string }. That would make it easy for someone to do either of these things in a race- condition-free way: * record in the Logger that the messages were encrypted/verified * give the Logger a configuration setting [ ] do not log OTR messages (which it would recognize by seeing that they have an OTR remote fingerprint -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #50) Could we also get a config option that turns this whole feature on/off? I ask because some industries (like the one where I work) require that all electronic communications related to the business get recorded and reviewed by compliance officers and made available to regulatory agencies upon request. I think we do need a connection parameter to control this. I think the possible sensible settings are: - never use OTR, behave exactly as though it was not implemented - start an OTR conversation if the local user or remote peer explicitly requests it - try to start OTR conversations automatically I think that would be most comprehensible as two booleans: something like enable-otr (default false initially, default true after a couple of releases) and enable-opportunistic-otr (not implemented in Xavier's patch, but someone could add it). The writer of Comment #50 would explicitly set enable-otr to false; the people getting excited about this bug would explicitly set enable-otr to true, and when implemented, probably also set enable-opportunistic-otr to true. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Corner cases: What happens when we try to send a message and the channel is already TRUST_FINISHED? I think we should refuse, for the rest of the lifetime of that channel (until Close()), to avoid the security flaw where we send messages to a channel that just closed. What happens when we close a channel locally? I think the answer should be we terminate the OTR session, and start from an unsecured state next time - even if the channel is in fact going to respawn due to unacknowledged messages. This means the channel needs to reset its Encrypted flag, Verified flag and all OTR state when it respawns. We will still be able to tell the rescued messages were encrypted/verified because the header that I suggested adding will say so. What happens if I'm talking to b...@example.com/Laptop using OTR, and I receive a message from b...@example.com/Phone without OTR? I hope the answer is libotr deals with it and reports OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED. Is it safe (as in, not a security vulnerability) to rely on that? What happens when we receive a message and the channel is already TRUST_FINISHED? I hope the answer is libotr deals with it and reports OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED. Is it safe (as in, not a security vulnerability) to rely on that? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
I would really like im-channel to implement o.fd.Telepathy.Securable - as a starting point we can have the two booleans not be requestable, and just have them set by the OTR code calling a new gabble_im_channel_indicate_security (GABBLE_SECURABLE_ENCRYPTED|GABBLE_SECURABLE_VERIFIED) (or only one of those, or neither of those, as appropriate). I notice we never specified how those properties did change notification, because our only use of them so far was for SASL channels. Let's retcon them to they emit PropertiesChanged in the 0.x and 1.0 spec. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #59) Ideally, that distinctive message header should be a machine-readable version of the message, so OTR-literate UIs (Empathy) can discard the untranslated version from Gabble and display something translated. We've always had a policy of putting UI strings and their translations in the UIs, not the CMs. The more I think about this, the more I think Gabble should not contain translated strings. It's OK for it to contain strings in the C locale (international English), but all translation should be taking place somewhere that already needs to be translated - the UIs. As a purely practical thing, Gabble does not have any of the translation machinery, so those strings aren't going to be translated anyway. Is the OtrlMessageEvent enum sufficiently stable that we can use it in the D-Bus API directly? That would probably be the easiest way. The only other information we need to put in the message header is: - for OTRL_MSGEVENT_SETUP_ERROR: gcry_strerror (err) (perhaps { otr-error: that string }) - for various codes: the username or account name, which the UI already knows anyway - for OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED: the unencrypted message (perhaps { otr-unencrypted-message: that string }) - for OTRL_MSGEVENT_RCVDMSG_GENERAL_ERR: the message (perhaps { otr-error: that string }) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
After fixing the obvious things, it would also be good to get someone who understands the OTR protocol and/or libotr to review this (particularly the things I raised in Comment #59 and Comment #62). I don't think there's any such person among the main Telepathy developers, but perhaps one of the 49 people in Cc can give an informed review? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
+static void +otr_handle_smp_event (void *opdata, + OtrlSMPEvent smp_event, + ConnContext *context, + unsigned short progress_percent, + gchar *question) +{ + DEBUG (UNIMPLEMENTED\n); +} Is this OK/allowed? Should we at least tell libotr no, I don't implement SMP? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
en_GB speaker review of strings: + notify (self, _(An error occurred when encrypting your message and + not sent.)); This sentence no verb. Maybe ... and it was not sent? + notify (self, _(Your message was not sent because %s closed their + connection. Either close your private connection, or refresh it.), + context-username); What does that last sentence mean in Telepathy terms? If it means you should close this channel (i.e. close the Empathy window), perhaps Close this conversation and try again? (Or perhaps we should even auto-close the channel, but we're trying to get away from self-closing channels.) + err_msg = g_strdup (_(You transmitted an unreadable encrypted message.)); Thought bubble: no, I'm pretty sure I didn't :-) If this happens, it's presumably either Gabble's fault, or one of the user's other resources, not anything the user themselves typed. Internal error: transmitted an unreadable... instead, maybe? Same for You transmitted a malformed data message.. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
@content to be text/plain or text/html? If it expects text/html, we need to escape special characters with g_markup_escape_text(). It doesn't care, it get a string, encrypt it, and set new_content to ?OTR:base64. +gchar * +gabble_im_channel_otr_receiving (GabbleIMChannel *self, + const gchar *content) Same here. It doesn't matter, if the message is in the form ?OTR:base64 then it puts new_content to whatever the original message was (html or not). OTR doesn't change anything if user wants to send html message as plaintext, empathy will escape when displaying them. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
A brief glance at Empathy: + return _(The conversation is currently encrypted with + OTR but the remote contact has not been + authentified); There is no such word. I think you mean authenticated and/or identified. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #61) I would really like im-channel to implement o.fd.Telepathy.Securable - as a starting point we can have the two booleans not be requestable, and just have them set by the OTR code calling a new gabble_im_channel_indicate_security (GABBLE_SECURABLE_ENCRYPTED|GABBLE_SECURABLE_VERIFIED) (or only one of those, or neither of those, as appropriate). I notice we never specified how those properties did change notification, because our only use of them so far was for SASL channels. Let's retcon them to they emit PropertiesChanged in the 0.x and 1.0 spec. I would consider this non-blocker future enhancement. Atm I'm not proposing the spec to be included in tp-spec, only private to gabbleempathy. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #60) (In reply to comment #50) Could we also get a config option that turns this whole feature on/off? I ask because some industries (like the one where I work) require that all electronic communications related to the business get recorded and reviewed by compliance officers and made available to regulatory agencies upon request. I think we do need a connection parameter to control this. I think the possible sensible settings are: - never use OTR, behave exactly as though it was not implemented - start an OTR conversation if the local user or remote peer explicitly requests it - try to start OTR conversations automatically I think that would be most comprehensible as two booleans: something like enable-otr (default false initially, default true after a couple of releases) and enable-opportunistic-otr (not implemented in Xavier's patch, but someone could add it). The writer of Comment #50 would explicitly set enable-otr to false; the people getting excited about this bug would explicitly set enable-otr to true, and when implemented, probably also set enable-opportunistic-otr to true. It can be done later. ATM the policy is MANUAL and it's the right thing until we have an explicit option. I would consider this non-blocker future enhancement. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
** Bug watch added: GNOME Bug Tracker #729762 https://bugzilla.gnome.org/show_bug.cgi?id=729762 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #69) It can be done later. ATM the policy is MANUAL and it's the right thing until we have an explicit option. I would consider this non-blocker future enhancement. That's OK, but only if MANUAL specifically means do not initiate *or accept* OTR sessions without user input. (In reply to comment #70) I would consider this non-blocker future enhancement. Atm I'm not proposing the spec to be included in tp-spec, only private to gabbleempathy. I don't like private APIs. They have a nasty habit of becoming de facto public APIs as soon as you commit them (and we only recently managed to get rid of Renaming being a private API, despite it not having changed for 5 years). We have API versioning now, so if it's good enough to merge, it's good enough for the spec. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
. Fair enough. I thought OTR had some sort of transparent chunking mechanism that might actually make OTR-over-XMPP more compatible with crap servers than just sending text over XMPP :-) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #68) It doesn't matter, if the message is in the form ?OTR:base64 then it puts new_content to whatever the original message was (html or not). OTR doesn't change anything if user wants to send html message as plaintext, empathy will escape when displaying them. Are you saying that in this message message body?OTR:123123123/body /message the recipient is expected to decrypt 123123123 and treat the result as plain text, but in this message message html xmlns='http://jabber.org/protocol/xhtml-im' body xmlns='http://www.w3.org/1999/xhtml' ?OTR:456456456 /body /html the recipient is expected to decrypt 456456456 and treat the result as HTML? Or what? There must be a rule you can use to determine whether the decrypted content is text/plain or text/html. Text that may contain HTML is not a well-formed concept - either the message lt; is a 4 character reply to remind me how you escape in HTML?, or it's a single U+003C LESS- THAN SIGN character. It can't be both. It is entirely possible that the rule is do whatever Pidgin does, which in practice probably means it's always treated as HTML - that's what my review comments assume. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #62) Corner cases: What happens when we try to send a message and the channel is already TRUST_FINISHED? I think we should refuse, for the rest of the lifetime of that channel (until Close()), to avoid the security flaw where we send messages to a channel that just closed. Just tested, OTR refuse to send and a message is displayed. te...@test.collabora.co.uk: Your message was not sent because te...@test.collabora.co.uk closed their connection. Either close your private connection, or refresh it. What happens when we close a channel locally? I think the answer should be we terminate the OTR session, and start from an unsecured state next time - even if the channel is in fact going to respawn due to unacknowledged messages. This means the channel needs to reset its Encrypted flag, Verified flag and all OTR state when it respawns. We will still be able to tell the rescued messages were encrypted/verified because the header that I suggested adding will say so. I don't end the otr session yet (adding a patch now to do that). pending messages are already decrypted so user won't know if they were sent privately or not. Indeed adding the fingerprint in the message parts can be helpful. otoh I would consider this future enhancement, when a new chat window arrives if there is no message telling its private the user should just assume it's not. He can always start a new otr session and ask to repeat to be sure. IMO that's corner case so it's not that bad if user needs to ask repeating. What happens if I'm talking to b...@example.com/Laptop using OTR, and I receive a message from b...@example.com/Phone without OTR? I hope the answer is libotr deals with it and reports OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED. Is it safe (as in, not a security vulnerability) to rely on that? I didn't test what happens with multiple resources, tbh. But if for any reason something unencrypted arrives, it raises OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED. What happens when we receive a message and the channel is already TRUST_FINISHED? I hope the answer is libotr deals with it and reports OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED. Is it safe (as in, not a security vulnerability) to rely on that? it does indeed raise OTRL_MSGEVENT_RCVDMSG_UNENCRYPTED. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Voilà, added commits to fix most of your comments. What's missing: 1) handle html, I'm not sure to understand what you mean or why it is that important... Maybe you can make the changes that you want? 2) Find a solution if we don't want the other end to be able to initiate an OTR session without approving it first. 3) Fix string spelling. Maybe you can patch them yourself, as I'm not native? :) Anything else I missed in those long comments? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #46) Empathy: http://cgit.collabora.com/git/user/xclaesse/empathy.git/log/?h=otr Ok for the first commit. Second commit: + tuple = empathy_gdbus_channel_interface_otr1_get_remote_fingerprint ( + priv-otr_proxy); I have no idea how these new generated API work, but GVariant API are usually 'return: (transfer full)' that's not the case here? + level = empathy_gdbus_channel_interface_otr1_get_trust_level ( + priv-otr_proxy); I guess this returns a cached value (not a blocking call) right? What happens if the proxy is not ready yet? Aren't we going to treat it as a wrong level and update it right after? + g_variant_get (tuple, (s@ay), fp, NULL); What's the 'ay' arg being ignored? Please add at least one comment. What happens if the user doesn't trust the fingerprint. The communication is still crypted? +N_(/otr action: Interact with the Off-The-Record system. Possible actions are:\n Is there a way to check (without changing) the current trust level? + g_variant_get (tuple, (s@ay), NULL, fp_variant); + empathy_gdbus_channel_interface_otr1_call_initialize ( + priv-otr_proxy, NULL, NULL, NULL); How does the user know if the operation succeeded or not? Just wait for the level update message? I think we should explicitely say if it failed so user explicitely know the conversation is not safe. + g_variant_get (tuple, (s@ay), NULL, fp_variant); I think fp_variant is leaked. chat_command_otr() will crash/assert if one of the D-Bus API failed. Also, shouldn't we use async API here? trust_level_to_str(): I'd mention encrypt using OTR to be clearer and avoid confusion my server encryption. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #53) (In reply to comment #46) Empathy: http://cgit.collabora.com/git/user/xclaesse/empathy.git/log/?h=otr Ok for the first commit. Second commit: + tuple = empathy_gdbus_channel_interface_otr1_get_remote_fingerprint ( + priv-otr_proxy); I have no idea how these new generated API work, but GVariant API are usually 'return: (transfer full)' that's not the case here? No it returns the cached variant. There is a _dup_ method as well in the generated API. + level = empathy_gdbus_channel_interface_otr1_get_trust_level ( + priv-otr_proxy); I guess this returns a cached value (not a blocking call) right? What happens if the proxy is not ready yet? Aren't we going to treat it as a wrong level and update it right after? Properties are fetched and cached when creating the proxy, there is a _new_for_bus_sync() call. I added an extra patch to make it async now. + g_variant_get (tuple, (s@ay), fp, NULL); What's the 'ay' arg being ignored? Please add at least one comment. The fingerprint I send over dbus is in 2 forms: the 's' is formatted to display to the user and the 'ay' is the raw data of the fingerprint which cannot be displayed since it's not utf8. What happens if the user doesn't trust the fingerprint. The communication is still crypted? By default it's not encrypted at all. When one side does /otr start it will be encrypted but a MITM could have set its own public key instead. So both sides must verify the fingerprint by other way (like calling, or asking IRL, etc) then if they checked the the fingerprint wasn't changed by a MITM they can do /otr trust and it will remember that f...@example.com has that fingerprint and if future conversations uses that fingerprint then it's still trusted. That's why we have different TrustLevel: TRUST_LEVEL_NOT_PRIVATE: it means there is no OTR at all, plain text. TRUST_LEVEL_UNVERIFIED: it means it is encrypted but we don't know to who we are speaking. Could be encrypted with the key of an attacker... TRUST_LEVEL_PRIVATE: it means it is encrypted and the user verified that he is talking to the real person. TRUST_LEVEL_FINISHED: actually not sure, it's when one side stopped the otr session, probably same has NOT_PRIVATE. + N_(/otr action: Interact with the Off-The-Record system. Possible actions are:\n Is there a way to check (without changing) the current trust level? Yes, /otr status + + empathy_gdbus_channel_interface_otr1_call_initialize ( + priv-otr_proxy, NULL, NULL, NULL); How does the user know if the operation succeeded or not? Just wait for the level update message? I think we should explicitely say if it failed so user explicitely know the conversation is not safe. Yep, the user knows it succeeded when he sees the trust level change message. If it fails then trust level won't change and user doesn't know what happens. Handling the error here will only mean something failed on the DBus level, we have no way to know on the OTR level if it failed. For example if the other side does not support OTR at all, our initialization message we send won't receive any reply and that's it... You are not safe unless explicitly told you're safe. When in doubt, assume you're not safe. + g_variant_get (tuple, (s@ay), NULL, fp_variant); I think fp_variant is leaked. Hm, no, it is unreffed after calling empathy_gdbus_channel_interface_otr1_call_trust_fingerprint(). chat_command_otr() will crash/assert if one of the D-Bus API failed. Also, shouldn't we use async API here? The proxy caches properties locally, so it cannot fail AFAIK. If it fails to fetch properties empathy_gdbus_channel_interface_otr1_proxy_new_for_bus() would have failed. There is no blocking calls there. trust_level_to_str(): I'd mention encrypt using OTR to be clearer and avoid confusion my server encryption. Fixed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #51) The conversation won't be encrypted until you type /otr start or if the other side request a private conversation. So you should be fine AFAIK. Actually I was wrong, when both sides are OTR-aware, it initialize itself without an explicit user request. I changed the policy from DEFAULT to MANUAL and now it won't start encrypting until explicitly asked by one side. (In reply to comment #48) Commits relevant for telepathy-gabble: http://cgit.collabora.com/git/user/xclaesse/telepathy-gabble.git/commit/ ?h=otrid=4addae9f4173eb3ed19581c1201fecc43a405fc6 Commits relevant for empathy: http://cgit.collabora.com/git/user/xclaesse/empathy.git/commit/ ?h=otrid=6dabfdc8acd178eec8dac6bb68f1693a00f906c8 http://cgit.collabora.com/git/user/xclaesse/empathy.git/commit/ ?h=otrid=ae0fcfe9c33c276220dcdbaf2be8ac04240130ae Better to use the branch than direct commit links, since I fixed a few bugs already compared to those commits. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
I just logged in to say thank you! I am so happy to see this eventually finished. Thank you so much. :) Hope to see this soon merged into mainline. Thanks again :) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Could we also get a config option that turns this whole feature on/off? I ask because some industries (like the one where I work) require that all electronic communications related to the business get recorded and reviewed by compliance officers and made available to regulatory agencies upon request. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
The conversation won't be encrypted until you type /otr start or if the other side request a private conversation. So you should be fine AFAIK. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
Just because the conversation is encrypted end to end doesnt mean you cant log locally. Dont know how empathy does this, but in pidgin it can be set up easily. There is even an option to omiss the conversations that are encrypted. I dont really like that distinction, because it implies all encrypted communication is sensitive. Rather its best to moreso always encrypt so that you dont draw attention to something by said connection. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Here it is! It is limited to XMPP, and empathy has only rudimentary UI. To start an OTR session, in empathy chat window, type /otr start. Type /help otr to see other supported otr actions. There is no graphical UI atm. Notably, to authenticate the other end, you need to verify its fingerprint by other means, like IRL or phone, etc, then type /otr trust. It remembers fingerprints you trust of course, so you won't have to repeat that for each conversation. I tested this between empathy and pidgin-otr only. Gabble: http://cgit.collabora.com/git/user/xclaesse/telepathy- gabble.git/log/?h=otr Empathy: http://cgit.collabora.com/git/user/xclaesse/empathy.git/log/?h=otr I hacked this on my free time. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Big thanks Xavier. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Commits relevant for telepathy-gabble: http://cgit.collabora.com/git/user/xclaesse/telepathy- gabble.git/commit/?h=otrid=4addae9f4173eb3ed19581c1201fecc43a405fc6 Commits relevant for empathy: http://cgit.collabora.com/git/user/xclaesse/empathy.git/commit/?h=otrid=6dabfdc8acd178eec8dac6bb68f1693a00f906c8 http://cgit.collabora.com/git/user/xclaesse/empathy.git/commit/?h=otrid=ae0fcfe9c33c276220dcdbaf2be8ac04240130ae -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
This is fantastic news Xavier. Thank you for your hard work - this proves that crowd funding great ideas works! Now GNOME project will be able to celebrate Reset The Net on June 5th. Someone should nominate! https://www.resetthenet.org/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 296867]
Complaints show fear, anger ungratefulness while calm feature requests show peace, gratefulness understanding of a problem. Community giving of FOSS shows kindness compassion, while taking complaining shows an unsatisfied desire for control. True control lies in harmonising with the community, and paradoxically involves letting go of your need for control while also giving the part which is under your control. Heartbleed shows inherent insecurity of a house divided against itself yet it also shows the speed of the Whole to heal itself. Privacy is an illusion... security built on deterministic Laws has little room for true randomness without hiding within Complexity. The appearance of randomness is Chaos, yet within the chaos lies a higher Order. No matter which side you think you are on... you're actually on both, and they are not truly opposed when undivided. On Mon, Apr 28, 2014 at 12:31 PM, Sam Liddicott s...@liddicott.com wrote: I'm feed up of people complaining about people complaining about wilful bad security. This is doubly so considering all the criticism that has gone the way of the OpenSSL people in the wake of Heartbleed. A little more discussion there might have helped, but here it obviously hasn't! When someone gives their time and experience to improve software designs from fatal flaws, often in the evenings with other distractions, they get next to no gratitude and a whole heap of criticism as if their drawing attention to the flaw is worse than the flaw itself. Free software doesn't stop people talking about the naked emperor. If they are not government spies and but just play at spies in their evenings (with other distractions) then that is fine, but if they then make a public gift of it can they really expect people to not talk about it? They don't buy our silence with their wooden horse! We don't use it and we warn others. We actually care about their users! Sam On 28 Apr 2014 18:55, Chris Kerr gingek...@gmail.com wrote: I'm fed up of people complaining about developers. It's *free software*, and if you get anything more than you paid for then you should be grateful (I certainly am). This is doubly so considering all the criticism that has gone the way of the OpenSSL people in the wake of Heartbleed. When someone gives their best effort to produce software as a gift to the community, often working in spare evenings with lots of other distractions which prevent them giving their full focus to the task, they get next to no praise when it works and a whole heap of criticism when they make a tiny mistake. People even accuse them of deliberately inserting the mistake as a government spy. I'm currently writing up my PhD thesis. When I finish, I will have some free time while waiting for my viva voce, and would be willing to spend some of that time trying to fix this, as it is something I would find useful myself and potentially also a helpful addition to my CV. However there are probably plenty of people out there who would do a better job than I, especially since I have mainly used Fortran and Python for the last 4 years so my C/C++ is rather rusty. -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 296867]
Disturbingly that applies as much to Monsanto as it does to Ubuntu or FOSS. On 30 Apr 2014 07:15, James Cuzella trinitr...@gmail.com wrote: Complaints show fear, anger ungratefulness while calm feature requests show peace, gratefulness understanding of a problem. Community giving of FOSS shows kindness compassion, while taking complaining shows an unsatisfied desire for control. True control lies in harmonising with the community, and paradoxically involves letting go of your need for control while also giving the part which is under your control. Heartbleed shows inherent insecurity of a house divided against itself yet it also shows the speed of the Whole to heal itself. Privacy is an illusion... security built on deterministic Laws has little room for true randomness without hiding within Complexity. The appearance of randomness is Chaos, yet within the chaos lies a higher Order. No matter which side you think you are on... you're actually on both, and they are not truly opposed when undivided. On Mon, Apr 28, 2014 at 12:31 PM, Sam Liddicott s...@liddicott.com wrote: I'm feed up of people complaining about people complaining about wilful bad security. This is doubly so considering all the criticism that has gone the way of the OpenSSL people in the wake of Heartbleed. A little more discussion there might have helped, but here it obviously hasn't! When someone gives their time and experience to improve software designs from fatal flaws, often in the evenings with other distractions, they get next to no gratitude and a whole heap of criticism as if their drawing attention to the flaw is worse than the flaw itself. Free software doesn't stop people talking about the naked emperor. If they are not government spies and but just play at spies in their evenings (with other distractions) then that is fine, but if they then make a public gift of it can they really expect people to not talk about it? They don't buy our silence with their wooden horse! We don't use it and we warn others. We actually care about their users! Sam On 28 Apr 2014 18:55, Chris Kerr gingek...@gmail.com wrote: I'm fed up of people complaining about developers. It's *free software*, and if you get anything more than you paid for then you should be grateful (I certainly am). This is doubly so considering all the criticism that has gone the way of the OpenSSL people in the wake of Heartbleed. When someone gives their best effort to produce software as a gift to the community, often working in spare evenings with lots of other distractions which prevent them giving their full focus to the task, they get next to no praise when it works and a whole heap of criticism when they make a tiny mistake. People even accuse them of deliberately inserting the mistake as a government spy. I'm currently writing up my PhD thesis. When I finish, I will have some free time while waiting for my viva voce, and would be willing to spend some of that time trying to fix this, as it is something I would find useful myself and potentially also a helpful addition to my CV. However there are probably plenty of people out there who would do a better job than I, especially since I have mainly used Fortran and Python for the last 4 years so my C/C++ is rather rusty. -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
After all that NSA, PRISM, etc, scandal, I don't want to imagine the silly face Telepathy's developers who stated so arrogantly that security wasn't very important must have every morning. They thought that critic users who were demanding security were little less than intellectually retarded people, who couldn't distinguish what is really important, whereas they, the developers, in Their infinite wisdom, had the Truth, knowing what was prioritary, not us, stupid users who can't even code. After all these of costant slapping in their faces from the news, the papers, the public; in short: the reality, one would think they must have become a little humbler (Christ, they even rejected to work on encryption despite people was ready to collect money pay them to do it!), but it seems that things haven't evolved too much, right? (KDE's Telepathy implementation has even been removed from Prism Break website because its [lack of] security is just unacceptable: https://github.com/nylira/prism-break/issues/939 ) Well, we, the critic users, aren't developers in this project, or at all. We can't tell them to do what we think is prioritary when the other 90% of users think is not (y'all know: a trillion flies can't be wrong. Let's eat sh*t), nor can we write an encryption plugin, so I think all critic users should stop trying to make TP devs reason, it's a lost cause. I suspect that Collabora, the company after Telepathy, might have been intentionally delaying as much as possible the securization of Telepathy. We known now that the obscure hand of the NSA has been involved in the development of cryptography standards and even in TOR. As an iceberg's peak, surely we don't even imagine the 90% unter the water. Suspiction is not knowledge, of course, but all that immovable interest in not writting a damn plugin for OTR o implementing any other secure encryption method year after year, even when people was ready to pay... Well, it just smells rather fishy. So, dear folks who do know that fascistoid governments and companies arent interested in bad guys only but want to have controlled all of their people just in case, simply use Pidgin; it's ugly as a witch, yes, but it works; or if you want to polute your system with Java, you have Jisti, which is more feature rich, but I don't think all this discussion, all this bitching and all that We are the devs, if you wan't something do it yourself! has any sense, and even less if there are interests who don't want our conversations to be private. Cheers. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 296867]
I think most people take it for granted that telepathy devs are on the dark side - even the name of the project gives it away! Telepathy is for other people to read your thoughts. But it's bad manners to bring it up on the bug report list. On 28 Apr 2014 17:51, Bugzi 296...@bugs.launchpad.net wrote: After all that NSA, PRISM, etc, scandal, I don't want to imagine the silly face Telepathy's developers who stated so arrogantly that security wasn't very important must have every morning. They thought that critic users who were demanding security were little less than intellectually retarded people, who couldn't distinguish what is really important, whereas they, the developers, in Their infinite wisdom, had the Truth, knowing what was prioritary, not us, stupid users who can't even code. After all these of costant slapping in their faces from the news, the papers, the public; in short: the reality, one would think they must have become a little humbler (Christ, they even rejected to work on encryption despite people was ready to collect money pay them to do it!), but it seems that things haven't evolved too much, right? (KDE's Telepathy implementation has even been removed from Prism Break website because its [lack of] security is just unacceptable: https://github.com/nylira/prism-break/issues/939 ) Well, we, the critic users, aren't developers in this project, or at all. We can't tell them to do what we think is prioritary when the other 90% of users think is not (y'all know: a trillion flies can't be wrong. Let's eat sh*t), nor can we write an encryption plugin, so I think all critic users should stop trying to make TP devs reason, it's a lost cause. I suspect that Collabora, the company after Telepathy, might have been intentionally delaying as much as possible the securization of Telepathy. We known now that the obscure hand of the NSA has been involved in the development of cryptography standards and even in TOR. As an iceberg's peak, surely we don't even imagine the 90% unter the water. Suspiction is not knowledge, of course, but all that immovable interest in not writting a damn plugin for OTR o implementing any other secure encryption method year after year, even when people was ready to pay... Well, it just smells rather fishy. So, dear folks who do know that fascistoid governments and companies arent interested in bad guys only but want to have controlled all of their people just in case, simply use Pidgin; it's ugly as a witch, yes, but it works; or if you want to polute your system with Java, you have Jisti, which is more feature rich, but I don't think all this discussion, all this bitching and all that We are the devs, if you wan't something do it yourself! has any sense, and even less if there are interests who don't want our conversations to be private. Cheers. -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
I'm fed up of people complaining about developers. It's *free software*, and if you get anything more than you paid for then you should be grateful (I certainly am). This is doubly so considering all the criticism that has gone the way of the OpenSSL people in the wake of Heartbleed. When someone gives their best effort to produce software as a gift to the community, often working in spare evenings with lots of other distractions which prevent them giving their full focus to the task, they get next to no praise when it works and a whole heap of criticism when they make a tiny mistake. People even accuse them of deliberately inserting the mistake as a government spy. I'm currently writing up my PhD thesis. When I finish, I will have some free time while waiting for my viva voce, and would be willing to spend some of that time trying to fix this, as it is something I would find useful myself and potentially also a helpful addition to my CV. However there are probably plenty of people out there who would do a better job than I, especially since I have mainly used Fortran and Python for the last 4 years so my C/C++ is rather rusty. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 296867]
Well, my issue isn't how the devs choose to spend their time, but the extremely hostile and dismissive attitude they took towards security and privacy when they have addressed this bug/feature request/feature. I haven't paid them, they are not obligated to me, I am disturbed that Ubuntu would switch to an unsecurable chat software as their default. I'm disturbed that people would have such a hostile attitude to security and privacy. I'm not bothered that they don't want to spend their time doing it. On Mon, Apr 28, 2014 at 10:40 AM, Chris Kerr gingek...@gmail.com wrote: I'm fed up of people complaining about developers. It's *free software*, and if you get anything more than you paid for then you should be grateful (I certainly am). This is doubly so considering all the criticism that has gone the way of the OpenSSL people in the wake of Heartbleed. When someone gives their best effort to produce software as a gift to the community, often working in spare evenings with lots of other distractions which prevent them giving their full focus to the task, they get next to no praise when it works and a whole heap of criticism when they make a tiny mistake. People even accuse them of deliberately inserting the mistake as a government spy. I'm currently writing up my PhD thesis. When I finish, I will have some free time while waiting for my viva voce, and would be willing to spend some of that time trying to fix this, as it is something I would find useful myself and potentially also a helpful addition to my CV. However there are probably plenty of people out there who would do a better job than I, especially since I have mainly used Fortran and Python for the last 4 years so my C/C++ is rather rusty. -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption Status in Chat app, and Telepathy user interface: Confirmed Status in One Hundred Papercuts: Invalid Status in Telepathy framework - library: Confirmed Status in “empathy” package in Ubuntu: Triaged Status in “libtelepathy” package in Ubuntu: Confirmed Status in “empathy” package in Fedora: Won't Fix Bug description: Binary package hint: empathy Hello, I just tried empathy (the Intrepid version) and it looked very solid and stable. There were a few minor things that could be improved (e.g. automatically resizing the contact list), but that is not the topic here. The reason why I won't switch to empathy from pidgin is the missing OTR support (http://www.cypherpunks.ca/otr/ ). This is a really important feature because no one should read your messages. There were others with the same idea (links at the bottom). Would be so great if it could support that important encryption standard. Thanks for helping out! Links: https://bugs.launchpad.net/ubuntu/+source/empathy/+bug/253452/comments/2 http://lists.cypherpunks.ca/pipermail/otr-users/2008-September/001479.html http://bugs.freedesktop.org/show_bug.cgi?id=16891 To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- Plato seems wrong to me today. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 296867]
I'm feed up of people complaining about people complaining about wilful bad security. This is doubly so considering all the criticism that has gone the way of the OpenSSL people in the wake of Heartbleed. A little more discussion there might have helped, but here it obviously hasn't! When someone gives their time and experience to improve software designs from fatal flaws, often in the evenings with other distractions, they get next to no gratitude and a whole heap of criticism as if their drawing attention to the flaw is worse than the flaw itself. Free software doesn't stop people talking about the naked emperor. If they are not government spies and but just play at spies in their evenings (with other distractions) then that is fine, but if they then make a public gift of it can they really expect people to not talk about it? They don't buy our silence with their wooden horse! We don't use it and we warn others. We actually care about their users! Sam On 28 Apr 2014 18:55, Chris Kerr gingek...@gmail.com wrote: I'm fed up of people complaining about developers. It's *free software*, and if you get anything more than you paid for then you should be grateful (I certainly am). This is doubly so considering all the criticism that has gone the way of the OpenSSL people in the wake of Heartbleed. When someone gives their best effort to produce software as a gift to the community, often working in spare evenings with lots of other distractions which prevent them giving their full focus to the task, they get next to no praise when it works and a whole heap of criticism when they make a tiny mistake. People even accuse them of deliberately inserting the mistake as a government spy. I'm currently writing up my PhD thesis. When I finish, I will have some free time while waiting for my viva voce, and would be willing to spend some of that time trying to fix this, as it is something I would find useful myself and potentially also a helpful addition to my CV. However there are probably plenty of people out there who would do a better job than I, especially since I have mainly used Fortran and Python for the last 4 years so my C/C++ is rather rusty. -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
I'm not complaining about people who spend time auditing security software and finding these bugs making their discoveries known - even if they are less than polite while doing so. (I myself am taking maximum advantage of the opportunity to poke fun at ridiculous or borderline fraudulent statements I've spotted during my literature review - it's one of the few redeeming features of writing a PhD thesis.) They are just as crucial as and even less appreciated than the developers. Certainly if I get round to writing this code it will need their attention. What I don't like are people who do nothing except repeat something we already know (This software doesn't do X. People want it to do X.) but louder and more rudely. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 296867] Re: empathy needs to support OTR encryption
I think people are trying provoke a post-Snowden comment from the devs or Ubuntu. This uncomfortable discussion has an important social role in establishing or restoring or writing off credibility. Pre-Snowden the official position seemed incredible, but potentially honestly held. It may even have been part of the Ubuntus baffling but consistent long term strategy of replacing working software with half finished software. But post-Snowden we see an opportunity to discover if they are accidental helps or wilful supporters of the evil empire. Thus are reputations forged. Sam On 28 Apr 2014 20:15, Chris Kerr gingek...@gmail.com wrote: I'm not complaining about people who spend time auditing security software and finding these bugs making their discoveries known - even if they are less than polite while doing so. (I myself am taking maximum advantage of the opportunity to poke fun at ridiculous or borderline fraudulent statements I've spotted during my literature review - it's one of the few redeeming features of writing a PhD thesis.) They are just as crucial as and even less appreciated than the developers. Certainly if I get round to writing this code it will need their attention. What I don't like are people who do nothing except repeat something we already know (This software doesn't do X. People want it to do X.) but louder and more rudely. -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
Please bump the priority for this. If you can't add OTR support then please give instructions how to add a plugin. I've been waiting patiently for several years for this support. I was thrilled to see an IM client get audio and video support on Linux. Now it's time to get encryption. We have the evil US empire spying on human rights activists, protesters, etc and by not supporting encryption we're enabling that spying. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
I also feel that Canonical should be funding this or providing developers since they made it the default for Ubuntu and exposed all their users to sending cleartext personal info over the internet. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 296867] Re: empathy needs to support OTR encryption
From comments when this first arose, the empathy developers were not interested in something that was interoperable with OTR, but might, someday, be interested in their own unique snowflake of an encryption system. I'm not a coder, but OTR is out there, works, and plays well with others. They really ought to make it work in empathy, one way or another. Perhaps there is a new bug that people might pay attention to, given the emphasis on crypto these days? On Fri, Apr 18, 2014 at 3:23 PM, WhyteHorse whyteho...@gmail.com wrote: I also feel that Canonical should be funding this or providing developers since they made it the default for Ubuntu and exposed all their users to sending cleartext personal info over the internet. -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption Status in Chat app, and Telepathy user interface: Confirmed Status in One Hundred Papercuts: Invalid Status in Telepathy framework - library: Confirmed Status in “empathy” package in Ubuntu: Triaged Status in “libtelepathy” package in Ubuntu: Confirmed Status in “empathy” package in Fedora: Won't Fix Bug description: Binary package hint: empathy Hello, I just tried empathy (the Intrepid version) and it looked very solid and stable. There were a few minor things that could be improved (e.g. automatically resizing the contact list), but that is not the topic here. The reason why I won't switch to empathy from pidgin is the missing OTR support (http://www.cypherpunks.ca/otr/ ). This is a really important feature because no one should read your messages. There were others with the same idea (links at the bottom). Would be so great if it could support that important encryption standard. Thanks for helping out! Links: https://bugs.launchpad.net/ubuntu/+source/empathy/+bug/253452/comments/2 http://lists.cypherpunks.ca/pipermail/otr-users/2008-September/001479.html http://bugs.freedesktop.org/show_bug.cgi?id=16891 To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- Plato seems wrong to me today. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
Now it's time to get encryption I also feel that Canonical should be funding They really ought to make it work in empathy Because open source is all about freedom. The freedom to demand that other people should do free work for you. Sorry, these comments are not helpful. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
Updated URL for JPRvita's Spec: https://gitorious.org/jprvita-repos /telepathy-gabble/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Sorry I had tested that previously, but I guess i had missed some of the URL on paste. Basicly JPRvita's spec was much farther along then mine and is a more complete spec. https://gitorious.org/jprvita-repos/telepathy-gabble/source/master: https://gitorious.org/jprvita-repos/telepathy-gabble/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
@Jordan F, why did you remove a working link and replace it with a broken one? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
Sad to see that wolfrage stop his work on this bug. No reply from Telepathy's developers. Security is no one of our goal ?? https://bugs.launchpad.net/ubuntu/+source/libtelepathy/+bug/296867/comments/170 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867] Re: empathy needs to support OTR encryption
I think they are waiting for a clean well specified standard maybe with nsa approved security ;-) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #39) No reply from Telepathy's developers. Security is no one of our goal ?? Ah, it's our goal (good ol' royal we), but it's Telepathy's developers who should work on it. Have you considered to continue working on the patch if this goal is so important to you? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 296867]
(In reply to comment #40) (In reply to comment #39) No reply from Telepathy's developers. Security is no one of our goal ?? Ah, it's our goal (good ol' royal we), but it's Telepathy's developers who should work on it. Have you considered to continue working on the patch if this goal is so important to you? I am a simple user. I have no knowledge for development. I participate to the crossfunding. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/296867 Title: empathy needs to support OTR encryption To manage notifications about this bug go to: https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs