[Pidgin] #14830: dbus information leakage
Pidgin
trac at pidgin.im
Mon Feb 27 10:37:32 EST 2012
#14830: dbus information leakage
------------------------------------+---------------------------------------
Reporter: dfunc | Owner: bleeter
Type: enhancement | Status: new
Milestone: Patches welcome | Component: privacy
Version: 2.10.0 | Resolution:
Keywords: libpurple dbus plugins |
------------------------------------+---------------------------------------
Comment(by dfunc):
@ultramancool: regarding the "being a developer" quote, I didn't mean this in a disrespectful manner and I hope I have not offended you. This ticket opened up last December and up until your response, there was no negative/positive statement as to whether this was going to be fixed or not by the pidgin devs. I'm not a lobbyist.. :-) so with the limited time I've got in my hands, I'm trying to reach pidgin devs first.
@MarkDoliner: CVEs are assigned for information leaks too.
Regarding updates, upstream may choose to publish fixes for bugs they consider as less risky along with normal updates. When distribution package maintainers have access to upstream's repository they sometimes group such bug fixes together to provide an interim package update, when the next official source release is a bit further down the road. So at the end of the day, both upstream and package maintainers reserve the right to choose when and how they will publish a fix. Personally, for this bug, I would not press for a quick fix, but I would like to see the developer team's commitment for the needed API change. And this change is much simpler in Pidgin than in other IMs because of its "loose" coupling with DBUS.
Please remember: CVEs are not there to scare developers. CVEs are there to track security issues in specific versions of software.
Regarding the API change, I agree that it should be up to the user to select if this information will or will not be broadcast over DBUS (with the default being no broadcast).
While reading your comments I see that you're mostly thinking this issue in terms of exploitation. But the main issue here is privacy. If a user opts out from logging OTR messages, then pidgin should be doing its part in making sure these messages don't end up on the filesystem (or swap) through 3rd party applications.
@bleeter: Let's deal with one issue at a time. Plugins should be able to flag information as private for starters. We can look at ways to enhance the OTR side of pidgin afterwards :-)
On a more personal note, I'd like to thank everyone that has contributed to this discussion. Also big thank you's are due to the pidgin team for providing us with a great IM library & client.
--
Ticket URL: <http://developer.pidgin.im/ticket/14830#comment:15>
Pidgin <http://pidgin.im>