security review and patches for libpurple

Evan Schoenberg evan at adium.im
Mon Jul 18 13:39:32 EDT 2011


On Jul 18, 2011, at 12:10 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:

> On 07/18/2011 12:52 PM, Evan Schoenberg wrote:
>> On Jul 18, 2011, at 11:14 AM, Ethan Blanton <elb at pidgin.im> wrote:
>> 
>>> Jacob Appelbaum spake unto us the following wisdom:
>>>>> With that in mind, I'd like to ask again if there are any
>>>>> objections to my committing these patches to ipp without
>>>>> embargo or a coordinated release.  If not, I will land them
>>>>> some time tomorrow.  If anyone even simply thinks we should
>>>>> wait a few days or get additional input before landing them,
>>>>> that's fine, too.
>>>> 
>>>> I would really strongly encourage you to co-ordinate with the
>>>> Adium folks. It seems to me that they're behind on libpurple
>>>> updates and any new security releases that don't go into Adium
>>>> may cause Mac OS X users major trouble.
>>> 
>>> I appreciate that input.  There are several Adium developers on
>>> the security at pidgin.im contact list, so they are in the loop on
>>> this
>> 
>> I apologize; I mixed up security threads. I was referring to the IRC
>> whois issue.
>> 
>> Integration of the larger patch set, which is being applied only
>> against im.pidgin.pidgin as I understand it, will be a somewhat more
>> complicated issue but we will work to make it happen in coordination
>> based on timing for Pidgin's release as it's discussed here.
>> 
> 
> Is there any chance that Adium will simply move to the newest release of
> libpurple soon? The newest libpurple also has a new proxy type
> "Tor/Privacy" that is a security fix for users who use Tor with Adium. I
> know many Adium (myself included) users who would like this fix/enhancement.

Once 1.4.3 is live, given the other security implications of the newer libpurple release, I'll work on updating to it and doing a 1.4.4 in short order with just that change set. I really want to shift focus away from our bug fix branch (1.4.x) but 1.5 is not ready for public consumption and 1.4 will be the last release series with Mac OS X 10.5 support.

I don't want to change the minor release version late in our beta period since it entails API changes and therefore potential complicating factors.

-Evan



> All the best,
> Jacob

