Tomasz Wasilczyk working on security improvements in Pidgin and libpurple

[Mark Doliner]

A small announcement...

A large company donated $10,000 USD to Instant Messaging Freedom, Inc.
(http://imfreedom.org/) with the funds earmarked for security
improvements for Pidgin, Finch and libpurple.  Some this discussion
happened on the board at imfreedom.org mailing list, if you'd like more
info.

We've chosen last year's Google Summer of Code student Tomasz
Wasilczyk to do some work.  The "work" in question isn't very well
defined.  And of course it's not really up to IMF to decide what
changes are made in Pidgin (although there IS a lot of overlap between
IMF and Pidgin developers).

The list of things that I've talked to Tomasz about is below.  I'm
interested in any feedback about:
- objections to things on this list
- advice about these specific tasks
- possible additions. anything security-related that you might have in mind

THE LIST:
- Finish and merge master password branch into default
- Finish new HTTP implementation, make sure people like it, have
someone review it, convert all our code to use it, and remove old
fetch URL code.
- Add indication icons to IM window and maybe also to the Buddy List
that show users how secure their communication is.  And add an API
such that OTR can change the indicator icons, as needed.
- Resolve http://developer.pidgin.im/ticket/13879 "Add gcc and linker
hardening options to configure.ac."  Might need to add some flags.
Might need to figure out how to get perl plugin to play nicely with
additional flags.  Might decide that we don't need to make any further
changes.
- Resolve https://developer.pidgin.im/ticket/14565 "Link to .asc files
and mention signature validation on download pages."  Possibly other
changes (Ethan mentions a few things in his comment on the ticket).
I'd be happy to weigh in on what changes we should make.  I think
these would be website changes only.  The Pidgin website is the
default branch of http://hg.pidgin.im/www/pidgin/.  You can make
changes and test locally using the nginx sandbox script included in
the repo.  And I can give you write access to the repo if you don't
have it.  As for pushing updates live, I could do that in the
beginning, or I could give you access to our web server, if you would
prefer.

BONUS TASKS:
- Maybe help the OTR guys import the source of the Pidgin OTR plugin
and build by default as part of our standard build.
- Try to talk the GTK+ project into offering https downloads (this is
kind of hypocritical of us, since we don't offer https downloads
ourselves right now).
- Possibly upgrade the GTK+ version we build against on Windows.
- Possibly migrate MSN to the new HTTP implementation.  I worry that
the MSN PRPL will become obsolete later this year (Microsoft has
announced that they're killing off MSN in favor of Skype, but we don't
know if this means that the MSN protocol will be killed, or maybe this
is just a branding change).