Tomasz Wasilczyk working on security improvements in Pidgin and libpurple

Jorge Villaseñor salinasv at
Fri Jun 21 16:02:30 EDT 2013

On Fri, Jun 21, 2013 at 7:22 AM, Tomasz Wasilczyk
<tomkiewicz at>wrote:

> I'd like to start working on HTTP implementation related task, so I'm
> asking for opinion.
> Some thoughts:
> - am I right, MSN is not working anymore? In such case, migrating its
> code to new http api is a waste of time. Shouldn't we just drop the
> whole prpl?

It is working, I am using it right now. But still I don't think it worth to
migrate the code since will be dropped when MS decide to unplug the cable.

- should I backport all of it to 2.x.y? I think it can be time
> consuming task and I'm not sure if it's worth the effort.
> - I should make sure that people like it, so, please take a look and
> give me some opinion. From my point of view, I've put the effort to
> make it really flexible and clear, but there may be other approaches
> for some aspects.
> Tomek
> 2013/3/25 Mark Doliner <mark at>:
> > A small announcement...
> >
> > A large company donated $10,000 USD to Instant Messaging Freedom, Inc.
> > ( with the funds earmarked for security
> > improvements for Pidgin, Finch and libpurple.  Some this discussion
> > happened on the board at mailing list, if you'd like more
> > info.
> >
> > We've chosen last year's Google Summer of Code student Tomasz
> > Wasilczyk to do some work.  The "work" in question isn't very well
> > defined.  And of course it's not really up to IMF to decide what
> > changes are made in Pidgin (although there IS a lot of overlap between
> > IMF and Pidgin developers).
> >
> > The list of things that I've talked to Tomasz about is below.  I'm
> > interested in any feedback about:
> > - objections to things on this list
> > - advice about these specific tasks
> > - possible additions. anything security-related that you might have in
> mind
> >
> > - Finish and merge master password branch into default
> > - Finish new HTTP implementation, make sure people like it, have
> > someone review it, convert all our code to use it, and remove old
> > fetch URL code.
> > - Add indication icons to IM window and maybe also to the Buddy List
> > that show users how secure their communication is.  And add an API
> > such that OTR can change the indicator icons, as needed.
> > - Resolve "Add gcc and linker
> > hardening options to"  Might need to add some flags.
> > Might need to figure out how to get perl plugin to play nicely with
> > additional flags.  Might decide that we don't need to make any further
> > changes.
> > - Resolve "Link to .asc files
> > and mention signature validation on download pages."  Possibly other
> > changes (Ethan mentions a few things in his comment on the ticket).
> > I'd be happy to weigh in on what changes we should make.  I think
> > these would be website changes only.  The Pidgin website is the
> > default branch of  You can make
> > changes and test locally using the nginx sandbox script included in
> > the repo.  And I can give you write access to the repo if you don't
> > have it.  As for pushing updates live, I could do that in the
> > beginning, or I could give you access to our web server, if you would
> > prefer.
> >
> > - Maybe help the OTR guys import the source of the Pidgin OTR plugin
> > and build by default as part of our standard build.
> > - Try to talk the GTK+ project into offering https downloads (this is
> > kind of hypocritical of us, since we don't offer https downloads
> > ourselves right now).
> > - Possibly upgrade the GTK+ version we build against on Windows.
> > - Possibly migrate MSN to the new HTTP implementation.  I worry that
> > the MSN PRPL will become obsolete later this year (Microsoft has
> > announced that they're killing off MSN in favor of Skype, but we don't
> > know if this means that the MSN protocol will be killed, or maybe this
> > is just a branding change).
> _______________________________________________
> Devel mailing list
> Devel at


A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Devel mailing list