Security

Mark Doliner mark at kingant.net
Fri Aug 9 13:21:27 EDT 2013


On Fri, Aug 9, 2013 at 4:37 AM,  <jochen.herrmann at unifo.lu> wrote:
> Thus I would like to know whether :
>
> 1. Pidgin development is really 100% Open Source
> 2. There is no organisation based in one of the above mentioned countries
> behind this software.

Both of these are true. The Pidgin source code is licensed under the
GPLv2 or later (mostly), GPLv2, LGPL, maybe a few bits of BSD, and
maybe a few bits of public domain code. Most of us care about our
license and care about open source software.

Pidgin is developed by individuals. I'm not aware of any of us being
controlled by any organization or government (although many Pidgin
developers reside in the US, UK, Canada, New Zealand, and Australia).
And I'm not aware of any code in Pidgin that attempts to undermine
users' privacy.

One disclosure: Some of us and former devs run a US not-for-profit
organization called Instant Messaging Freedom (https://imfreedom.org/)
with the goal of assisting with administrative and legal needs of
Pidgin and other IM software. Namely, IM Freedom accepts money on
behalf of Pidgin, mostly from Google Summer of Code. IM Freedom
doesn't control the development of Pidgin, though (that's controlled
by a loose quorum of the people with commit access, with more active
devs tending to have more weight).

So Pidgin as an IM client should be safe for you to use. Note that
your IM traffic could still be intercepted elsewhere. Either at the
destination (e.g. by AIM, MSN, Yahoo allowing access to your data), or
possibly along the route (e.g. by someone decrypting your IM traffic).

Using XMPP with a server you trust is fairly safe, assuming the
server is using TLS. The weak points are:
1. The client of the person you're talking to
2. The TLS certificate used by the XMPP server (I have very little
faith in Certificate Authorities)

Using the OTR plugin will help.


