Tomasz Wasilczyk working on security improvements in Pidgin and libpurple

Tomasz Wasilczyk tomkiewicz at cpw.pidgin.im
Fri Jun 21 08:22:14 EDT 2013


I'd like to start working on the HTTP implementation related task, so I'm
asking for opinions.

Some thoughts:
- am I right that MSN is not working anymore? In that case, migrating its
code to the new HTTP API is a waste of time. Shouldn't we just drop the
whole prpl?
- should I backport all of it to 2.x.y? I think it can be a time-consuming
task and I'm not sure if it's worth the effort.
- I should make sure that people like it, so please take a look and
give me some opinions. From my point of view, I've put the effort in to
make it really flexible and clear, but there may be other approaches
for some aspects.

Tomek

2013/3/25 Mark Doliner <mark at kingant.net>:
> A small announcement...
>
> A large company donated $10,000 USD to Instant Messaging Freedom, Inc.
> (http://imfreedom.org/) with the funds earmarked for security
> improvements for Pidgin, Finch and libpurple.  Some of this discussion
> happened on the board at imfreedom.org mailing list, if you'd like more
> info.
>
> We've chosen last year's Google Summer of Code student Tomasz
> Wasilczyk to do some work.  The "work" in question isn't very well
> defined.  And of course it's not really up to IMF to decide what
> changes are made in Pidgin (although there IS a lot of overlap between
> IMF and Pidgin developers).
>
> The list of things that I've talked to Tomasz about is below.  I'm
> interested in any feedback about:
> - objections to things on this list
> - advice about these specific tasks
> - possible additions: anything security-related that you might have in mind
>
> THE LIST:
> - Finish and merge master password branch into default
> - Finish new HTTP implementation, make sure people like it, have
> someone review it, convert all our code to use it, and remove old
> fetch URL code.
> - Add indication icons to IM window and maybe also to the Buddy List
> that show users how secure their communication is.  And add an API
> such that OTR can change the indicator icons, as needed.
> - Resolve http://developer.pidgin.im/ticket/13879 "Add gcc and linker
> hardening options to configure.ac."  Might need to add some flags.
> Might need to figure out how to get perl plugin to play nicely with
> additional flags.  Might decide that we don't need to make any further
> changes.
> - Resolve https://developer.pidgin.im/ticket/14565 "Link to .asc files
> and mention signature validation on download pages."  Possibly other
> changes (Ethan mentions a few things in his comment on the ticket).
> I'd be happy to weigh in on what changes we should make.  I think
> these would be website changes only.  The Pidgin website is the
> default branch of http://hg.pidgin.im/www/pidgin/.  You can make
> changes and test locally using the nginx sandbox script included in
> the repo.  And I can give you write access to the repo if you don't
> have it.  As for pushing updates live, I could do that in the
> beginning, or I could give you access to our web server, if you would
> prefer.
>
> BONUS TASKS:
> - Maybe help the OTR guys import the source of the Pidgin OTR plugin
> and build by default as part of our standard build.
> - Try to talk the GTK+ project into offering https downloads (this is
> kind of hypocritical of us, since we don't offer https downloads
> ourselves right now).
> - Possibly upgrade the GTK+ version we build against on Windows.
> - Possibly migrate MSN to the new HTTP implementation.  I worry that
> the MSN PRPL will become obsolete later this year (Microsoft has
> announced that they're killing off MSN in favor of Skype, but we don't
> know if this means that the MSN protocol will be killed, or maybe this
> is just a branding change).

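Added example (an editor's addition to this archive page, not part of the thread and not code from the Pidgin tree): one way the configure.ac task from ticket 13879 could be approached in autoconf, probing each gcc/linker hardening flag before using it so a toolchain that lacks one is not broken. The macro names PURPLE_CHECK_CFLAG and PURPLE_CHECK_LDFLAG, the HARDEN_* variables and the --disable-hardening switch are all hypothetical. The split between flags that are safe everywhere and flags reserved for executables rests on one assumption: a loadable plugin such as the Perl loader is a shared object built with -fPIC, and a shared object must never be linked with -pie, so -fPIE/-pie are the flags such a plugin most plausibly "does not play nicely with". The thread itself does not say what the actual conflict was.

```m4
dnl Added example (not from the Pidgin tree): opt-in hardening flags for
dnl configure.ac. Every flag is probed first, so a toolchain that lacks one
dnl simply goes without it instead of failing the build.
AC_ARG_ENABLE([hardening],
  [AS_HELP_STRING([--disable-hardening],
                  [do not add compiler and linker hardening flags])],
  [enable_hardening=$enableval], [enable_hardening=yes])

dnl PURPLE_CHECK_CFLAG(FLAG, VAR): append FLAG to shell variable VAR if the
dnl compiler accepts it. -Werror turns "unknown option" warnings into
dnl failures, so an unsupported flag is really rejected. (Hypothetical macro.)
AC_DEFUN([PURPLE_CHECK_CFLAG], [
  AC_MSG_CHECKING([whether $CC accepts $1])
  purple_save_CFLAGS="$CFLAGS"
  CFLAGS="$CFLAGS -Werror $1"
  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])],
    [AC_MSG_RESULT([yes]); AS_VAR_APPEND([$2], [" $1"])],
    [AC_MSG_RESULT([no])])
  CFLAGS="$purple_save_CFLAGS"
])

dnl PURPLE_CHECK_LDFLAG(FLAG, VAR): same idea, but the flag must survive a
dnl full link, which is what matters for -Wl,... and -pie. (Hypothetical macro.)
AC_DEFUN([PURPLE_CHECK_LDFLAG], [
  AC_MSG_CHECKING([whether the linker accepts $1])
  purple_save_LDFLAGS="$LDFLAGS"
  LDFLAGS="$LDFLAGS $1"
  AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])],
    [AC_MSG_RESULT([yes]); AS_VAR_APPEND([$2], [" $1"])],
    [AC_MSG_RESULT([no])])
  LDFLAGS="$purple_save_LDFLAGS"
])

HARDEN_CFLAGS=
HARDEN_LDFLAGS=
HARDEN_PIE_CFLAGS=
HARDEN_PIE_LDFLAGS=
AS_IF([test "x$enable_hardening" = "xyes"], [
  dnl Safe for everything: executables, libpurple and loadable plugins alike.
  PURPLE_CHECK_CFLAG([-fstack-protector-all], [HARDEN_CFLAGS])
  PURPLE_CHECK_CFLAG([-D_FORTIFY_SOURCE=2], [HARDEN_CFLAGS])
  dnl Full RELRO plus immediate binding: the GOT is read-only once the
  dnl dynamic linker is done, removing the classic GOT-overwrite target.
  PURPLE_CHECK_LDFLAG([-Wl,-z,relro], [HARDEN_LDFLAGS])
  PURPLE_CHECK_LDFLAG([-Wl,-z,now], [HARDEN_LDFLAGS])
  dnl Executables only (assumption, see lead-in): a plugin .so is built with
  dnl -fPIC and must never be linked with -pie, so these are kept apart.
  PURPLE_CHECK_CFLAG([-fPIE], [HARDEN_PIE_CFLAGS])
  PURPLE_CHECK_LDFLAG([-fPIE -pie], [HARDEN_PIE_LDFLAGS])
])
AC_SUBST([HARDEN_CFLAGS])
AC_SUBST([HARDEN_LDFLAGS])
AC_SUBST([HARDEN_PIE_CFLAGS])
AC_SUBST([HARDEN_PIE_LDFLAGS])
```

With this split, the Makefile.am side is the part that keeps the plugin working: HARDEN_CFLAGS and HARDEN_LDFLAGS go into AM_CFLAGS/AM_LDFLAGS for libpurple, the protocol plugins and the Perl loader, while HARDEN_PIE_CFLAGS and HARDEN_PIE_LDFLAGS are added only to the per-target _CFLAGS/_LDFLAGS of the pidgin and finch executables. Whether the resulting binaries actually carry the protections is something to check after the build rather than assume, for instance by reading the dynamic section for the RELRO and BIND_NOW entries and the ELF header for the PIE (ET_DYN) type.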