Fwd: Pidgin Password Patch
Mark Doliner
mark at kingant.net
Thu Jan 24 14:33:39 EST 2008
On Thu, 24 Jan 2008 11:40:10 -0500, Luke Schierer wrote
> Some intro:
>
> Shaun and I have exchanged a few emails here on a class project at
> his university. The students in a computer security class would
> like to design a system to store passwords used in pidgin in a keychain.
>
> In particular, they are looking at Windows systems, but on my advice,
> they are looking at the GNOME keychain as well. They plan to
> submit their work as a patch or patches sometime this semester. We
> have already discussed the fact that an implementation of password
> storage has to be able to handle the keyrings available on multiple
> platforms, as well as the absence of any available keyring.
>
> Some limitations naturally apply, if you share a .purple directory
> between keyring and non-keyring systems, you might experience some
> funkiness, and if you use different keyring systems with the
> same .purple directory, you'll naturally have to store that password
> once on each system, and will potentially have issues if you ever
> change a password. These are, I suspect, inevitable, but outside
> the scope of this email.
>
> I'm not sure how best to answer this question, so I'm passing it on
> for further discussion. My inclination is to think that this will
> be handled much the same way SSL is by libpurple, and that the
> specifics of Windows or GNOME keyrings will be in a plugin which
> interacts with generic libpurple bindings. Does this seem reasonable?
>
> luke
>
> Begin forwarded message:
>
> > From: CS Wagner <cs at kainaw.com>
> > Date: January 24, 2008 11:31:05 EST
> > To: Luke Schierer <lschiere at pidgin.im>
> > Subject: Pidgin Password Patch
> >
> > A question came up in class that I feel you can answer very quickly...
> >
> > Does each implementation (ie, GTK) have its unique code for saving/
> > loading passwords or is it in a central library (ie: libpurple)?

Saving/loading passwords is in a central library (libpurple). The code is in
the file libpurple/accounts.c. If you search around for
"purple_account_set_password" and "purple_account_get_password" you'll see
where the magic happens.

> > The current assignment is to write a patch that can be added/removed
> > easily that will use any existing password management service that
> > is running on the computer. I believe that is best because it
> > doesn't intrude on existing code.

It's probably a good idea to give the user a choice of whether to use a
keyring, and if so which one. It seems like the best approach would be what
Luke described above--where each keyring implementation is a separate plugin.
If the code exists only as a patch then it will likely not be used by many
people, because only a very small percentage of Pidgin users actually compile
the code themselves.

-Mark
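
The plugin-per-keyring design discussed in this thread, sketched as an added example that is not part of the original e-mail and is not libpurple code. Every name in it (KeyringOps, keyring_select, the "internal" and "demo-keyring" backends) is hypothetical, and the in-memory stores are constructed stand-ins for real keyring services; it shows the user's choice being honoured, the fallback when the keyring is absent, and why a password saved through one backend is not found through another.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical plugin interface; none of these names are libpurple API. */
typedef struct {
    const char *id;
    int (*available)(void);                       /* is the service usable right now? */
    int (*save)(const char *acct, const char *pw);
    const char *(*load)(const char *acct);        /* NULL if nothing stored */
} KeyringOps;
/* Constructed one-entry in-memory stores standing in for real keyring services. */
typedef struct { char acct[64], pw[64]; } Slot;
static Slot internal_slot, demo_slot;
static int demo_running = 1;                      /* set to 0 to simulate a missing keyring */
static int slot_save(Slot *s, const char *a, const char *p) {
    if (strlen(a) >= sizeof s->acct || strlen(p) >= sizeof s->pw) return -1;
    strcpy(s->acct, a);
    strcpy(s->pw, p);
    return 0;
}
static const char *slot_load(const Slot *s, const char *a) {
    return strcmp(s->acct, a) == 0 ? s->pw : NULL;
}
static int always(void) { return 1; }
static int demo_up(void) { return demo_running; }
static int internal_save(const char *a, const char *p) { return slot_save(&internal_slot, a, p); }
static const char *internal_load(const char *a) { return slot_load(&internal_slot, a); }
static int demo_save(const char *a, const char *p) { return slot_save(&demo_slot, a, p); }
static const char *demo_load(const char *a) { return slot_load(&demo_slot, a); }
/* backends[0] is the built-in store used when no keyring is chosen or available. */
static const KeyringOps backends[] = {
    { "internal", always, internal_save, internal_load },
    { "demo-keyring", demo_up, demo_save, demo_load },
};
/* Honour the user's choice when that backend is usable; otherwise fall back. */
const KeyringOps *keyring_select(const char *preferred) {
    for (size_t i = 0; preferred && i < sizeof backends / sizeof backends[0]; i++)
        if (strcmp(backends[i].id, preferred) == 0 && backends[i].available())
            return &backends[i];
    return &backends[0];
}
int main(void) {
    keyring_select("demo-keyring")->save("alice@example.org", "constructed-pw");
    demo_running = 0;                             /* same profile, keyring now absent */
    const KeyringOps *k = keyring_select("demo-keyring");
    printf("%s: %s\n", k->id, k->load("alice@example.org") ? "found" : "not stored here");
    return 0;
}
```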