OTR and general security stuff
elb at pidgin.im
Wed Feb 13 11:22:52 EST 2013
Jurre van Bergen spake unto us the following wisdom:
> I've been auditing various parts in Pidgin, I'm working with some
> fellow hackers to audit various parts of the libpurple and pidgin code,
> I found some potentially sketchy code, I'll hope to email the security
> team soon with a write-up. Also, I plan on keep doing this for a while.
> I plan on;
> * Audit the codebase.
> * Writing some fuzzers and look what ASan/TSan/MSan think of it.
> * Getting a better SSL implementation going (NSS/GNUTLS in a pluggable
> way) 
This ... seems to be confused. We already *have* NSS and GnuTLS in a
pluggable way. In addition, the first bug report you cite in  was
incorrect and needlessly inflammatory; the author read a tweet that
was factually incorrect and flew off the handle.
I won't suggest that our SSL support cannot be improved, as I'm sure
it can, but I think your gross strategy may have to be reconsidered.
> * Sandbox integration for Linux platform. Think libvirt-sandbox or Seccomp?
This seems like something that shouldn't be folded into individual
applications, but provided as part of the system.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 482 bytes
Desc: Digital signature
More information about the Devel