registry team mailing list archive
-
registry team
-
Mailing list archive
-
Message #14462
[Bug 296867] Re: empathy needs to support OTR encryption
Launchpad has imported 28 comments from the remote bug at
http://bugs.freedesktop.org/show_bug.cgi?id=16891.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2008-07-29T09:44:21+00:00 Fionn wrote:
The only reason that keeps me from switching from pidgin to telepathy is
that at my company OTR is mandatory for IM. It is the only IM encryption
model so far that works across many different platforms and protocols,
so most people can stay with their favourite IM client and still
communicate safely. Most people, but telepathy users are not in the
club.
As mentioned, there is an OTR plugin for pidgin for reference.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/0
------------------------------------------------------------------------
On 2008-09-30T14:01:28+00:00 der_vegi wrote:
Yeah, encryption is a must for me, too. This the only reason using
Pidgin instead of telepathy for me.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/1
------------------------------------------------------------------------
On 2008-10-01T01:35:34+00:00 Mikhail-zabaluev wrote:
The draft Messages UI should theoretically allow anything that has a MIME type.
The underlying protocol support is another story, however.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/2
------------------------------------------------------------------------
On 2008-10-27T07:46:43+00:00 Adam Schmalhofer wrote:
C-library[1] and python binding[2] are availible, too. So "only" the
telepathy glue is needed. After that minor extensions to the different
user interfaces really make it functional.
[1] http://www.cypherpunks.ca/otr/README-libotr-3.2.0.txt
[2] http://python-otr.pentabarf.de/
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/3
------------------------------------------------------------------------
On 2008-11-16T03:56:10+00:00 ibotty wrote:
if given some mentoring, i could spend some time implementing it.b
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/6
------------------------------------------------------------------------
On 2009-02-12T14:18:44+00:00 Andre Klapper wrote:
(Note to myself: maemo.org downstream ticket at
https://bugs.maemo.org/show_bug.cgi?id=1921 )
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/7
------------------------------------------------------------------------
On 2009-02-13T14:31:40+00:00 Will Thompson wrote:
Downgrading priority; there are more pressing spec issues, and I think
that supporting encryption on protocols like XMPP where it can be done
cleanly (rather than as misc. sent in the regular plain text stream) is
a higher priority.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/8
------------------------------------------------------------------------
On 2009-02-17T15:20:56+00:00 Daniel Golle wrote:
in my experience this is why i myself and most people i know still use
pidgin, though everybody believes telepathy would be nicer.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/9
------------------------------------------------------------------------
On 2009-02-17T15:26:37+00:00 Will Thompson wrote:
Re-lowering priority. Daniel: while it's a shame that this is keeping
you from using Telepathy, there really are higher-priority spec issues.
Also see point 2.1 on
<https://bugzilla.mozilla.org/page.cgi?id=etiquette.html>: the priority
field is to help developers track the relative priorities of bugs, not
for voting on how important you think a bug is.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/10
------------------------------------------------------------------------
On 2009-08-03T00:33:36+00:00 Eric-freedesktop wrote:
I consider Telepathy to be completely broken for my purposes unless it
interoperates properly with OTR on other clients. If you want to do a
better version of OTR with deniability in XMPP, go right ahead. Just
make sure that the old way still works.
Adium having built in OTR support has been a fantastic boon.
I will discourage everybody I know from using Empathy and uninstall it
on systems I administrate until this is fixed. This should have been
thought of in the very beginning and been a feature in the program since
its inception. Bad security is unforgivable.
You treating this as a low priority bug tells me a whole lot about what
kinds of things the Empathy development team thinks is important, and
good security is apparently not an important consideration.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/15
------------------------------------------------------------------------
On 2009-08-03T00:54:31+00:00 Paul C. Bryan wrote:
(In reply to comment #9)
Eric:
I will actively discourage everybody I know from reading your drivel
until you resolve your issue by rolling up your sleeves and adding this
feature. You should have considered doing this yourself ever since you
decided to bitch about it here.
Your unwillingness to fix this yourself tells me a whole lot about what
kinds of things you think are important, and apparently good security is
not an important consideration.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/16
------------------------------------------------------------------------
On 2009-08-03T00:57:30+00:00 Arie Skliarouk wrote:
(In reply to comment #9 (of Eric Hopper))
> I will discourage everybody I know from using Empathy and uninstall it on
> systems I administrate until this is fixed. This should have been thought of
> in the very beginning and been a feature in the program since its inception.
As the Empathy developers are more knowledgeable with what users want, or at
least have better tools to gather the information, I guess they have different
list of priorities of tasks to work on.
> Bad security is unforgivable.
This is the kind of program where security is good-to-have feature. The OTR can
be added later, once the basis is stable.
> You treating this as a low priority bug tells me a whole lot about what kinds
> of things the Empathy development team thinks is important, and good security
> is apparently not an important consideration.
Nobody is against good security. It is just a matter of percentage of users
that are needed to be catered to first. As the developer's resources are
scarce, they need to judge carefully where to direct theirs efforts.
At this point empathy is barely suitable for everyday work (which is important
for about 90% of users), whereas security is important for about 5% of users.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/17
------------------------------------------------------------------------
On 2009-08-03T04:05:33+00:00 ThiloPfennig wrote:
I have to disagree. Although I fully understand the fact that no
developer is willing to take up that task, security should be a priority
for all users. For me security is part of the basis. A chat client
without encryption I do not consider to be functional. I dont chat with
people sho do not use encryption. I think Telepathy is more than stable,
as it is already part of GNOME and Empathy is going to be the default
chat client for Ubuntu 9.10. I would have It is also true, that OTR is
broken by design. but it works and I dont know of any client which
provides a sane implementation of a chat encryption bedides the ones
using OTR.
So again its only up to current and upcoming developers to decide if
they are going to implement OTR, but I consider it much more important
than providing a lot of chat protocols.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/18
------------------------------------------------------------------------
On 2009-08-03T04:21:18+00:00 Will Thompson wrote:
(In reply to comment #12)
> OTR is broken by design. but it works
This is not a good justification for an encryption scheme. :)
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/19
------------------------------------------------------------------------
On 2009-08-03T04:43:07+00:00 ThiloPfennig wrote:
Well, yes, but name me any other existing chat encrpytion that actually
works. There are many standards out there which are far from perfect.
GIF wasnt perfect, but it was used. Most of the protocol standards liek
MSN or AIM are broken by design also. But they are used and are already
implemented.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/20
------------------------------------------------------------------------
On 2009-08-03T05:54:01+00:00 Ivan Vučica wrote:
(In reply to comment #14)
> Well, yes, but name me any other existing chat encrpytion that actually works.
> There are many standards out there which are far from perfect. GIF wasnt
> perfect, but it was used. Most of the protocol standards liek MSN or AIM are
> broken by design also. But they are used and are already implemented.
>
I have no stance for and against OTR encryption and I don't know what
OTR encryption is about behind the scenes. I will therefore judge only
by your words.
You seem strangely interested in security... provided by (by your own
words) a broken security layer? Do you really think that providing
broken security, and lulling people into false sense of security is
better than providing no "security" at all?
And to others. I am not a Telepathy developer... but seriously guys,
flaming developers while not being ready to get yourselves on the line?
If you find it useful and especially if you find it critical, do it
yourself. Otherwise, feel free to keep using Pidgin until you get this
critical feature, which Thilo considers broken by design.
I think there's room for other improvements before encryption, because
I, and many other home users, find it unnecessary. Encryption is not
important for majority of people on this world.
Take your tinfoil hats off, people, nobody's going to eat your brains.
And if you really need it for your company, well, either you or your
company can invest resources into Telepathy. I personally don't find OTR
important, and I'm sure most users don't, either. And I don't consider
myself completely paranoia-free.
If other clients provide you security, use those. Or use email+GPG for
even more security. Filing a request is fine. Posting a comment
supporting the request is fine. Attacking people like some of you did is
not fine.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/21
------------------------------------------------------------------------
On 2009-08-03T06:50:26+00:00 Eric-freedesktop wrote:
(In reply to comment #15)
> You seem strangely interested in security... provided by (by your own words) a
> broken security layer? Do you really think that providing broken security, and
> lulling people into false sense of security is better than providing no
> "security" at all?
OTR's brokenness is due to the fact that it is a hacky kludge on top of
existing IM protocols, not because it has any security flaws. It's
inelegant and ugly, but it works.
I'm all for an elegant solution. But I don't think it should take a
backseat to interoperability. I know that the various IM protocols are
also mostly a bunch of ugly kludges as well. But that doesn't stop them
from being implemented.
> And to others. I am not a Telepathy developer... but seriously guys, flaming
> developers while not being ready to get yourselves on the line? If you find it
> useful and especially if you find it critical, do it yourself. Otherwise, feel
> free to keep using Pidgin until you get this critical feature, which Thilo
> considers broken by design.
>
> I think there's room for other improvements before encryption, because I, and
> many other home users, find it unnecessary. Encryption is not important for
> majority of people on this world.
I am worried because Empathy appears to be getting a huge userbase and
being used as the default IM client for a number of distributions
without having a feature I think is incredibly important and should've
been built in at the start, almost especially because most users don't
really care about it.
Most people will not care about encryption. Most people also do not
care about ACID database semantics. But anybody who made a database
lacking the latter feature (i.e. Microsoft Access) would be roundly and
justly flamed. Especially if they managed to somehow get that database
into general use.
There are a whole host of features that users do not care about but are
critical pieces of infrastructure. One of the things that most pleases
me about Adium is that the developers understood and so many of my
friends who have no clue or desire for encryption end up using it anyway
because they use Adium.
> If other clients provide you security, use those. Or use email+GPG for even
> more security. Filing a request is fine. Posting a comment supporting the
> request is fine. Attacking people like some of you did is not fine.
Email encryption is nearly a lost cause. But with Adium and a couple of
other popular IM clients supporting OTR, widespread IM encryption was
beginning to happen. I don't think activists in Iran should have to
worry about which IM client their friends are using in order to avoid
being snooped on. I don't think their choice of IM client should be
able to be used to single them out for special treatment by their
government. All new IM clients should just do the right thing out of
the box.
Widespread support for good encryption is not something I care about
because I am especially paranoid about my own IM conversations. It's
because I care about the pernicious effects of all IM conversations
being potentially public knowledge.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/22
------------------------------------------------------------------------
On 2009-08-03T06:58:02+00:00 Xavier Claessens wrote:
Eric, flaming is not going to give you anything.
If you need OTR so much, either propose a patch, or don't use Empathy.
OTR is not going to happen if nobody gives a patch. End of discussion.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/23
------------------------------------------------------------------------
On 2009-08-03T07:21:19+00:00 Felipe Contreras wrote:
(In reply to comment #17)
> Eric, flaming is not going to give you anything.
>
> If you need OTR so much, either propose a patch, or don't use Empathy.
>
> OTR is not going to happen if nobody gives a patch. End of discussion.
Even if you, or any Empathy developers, don't plan to implement OTR,
it's still an important feature and the priority should be set to high.
Or you don't agree it's an important feature? If that's the case I can
provide evidence.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/25
------------------------------------------------------------------------
On 2009-08-03T07:52:26+00:00 Simon McVittie wrote:
"priority" is the priority that we, the current Telepathy developers,
give to implementing OTR. If it's a high priority for *you*, you're
welcome to implement it, or hire someone to implement it; but it's not a
high priority for *us*, and so it stays priority=low in Bugzilla.
I think helping the XMPP Standards people to provide end-to-end
encryption (implementing <http://xmpp.org/extensions/inbox/xtls.html> or
something like it, and advancing it to Recommended status) is a much
better use of developer time; it'll result in a better protocol, with a
well-defined security model, that does not conflict with the protocol's
normal extensibility mechanisms.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/26
------------------------------------------------------------------------
On 2009-08-03T08:15:37+00:00 Craig wrote:
(In reply to comment #19)
> I think helping the XMPP Standards people to provide end-to-end encryption
> (implementing <http://xmpp.org/extensions/inbox/xtls.html> or something like
> it, and advancing it to Recommended status) is a much better use of developer
> time; it'll result in a better protocol, with a well-defined security model,
> that does not conflict with the protocol's normal extensibility mechanisms.
>
OTR also works over non-XMPP networks (I use primarily over AIM). That's
something that this XMPP standard can never achieve.
I'm not taking sides - just stating some (hopefully) useful facts.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/27
------------------------------------------------------------------------
On 2009-08-03T08:48:53+00:00 Paul C. Bryan wrote:
(In reply to comment #16)
> I am worried because Empathy appears to be getting a huge userbase and being
> used as the default IM client for a number of distributions without having a
> feature I think is incredibly important and should've been built in at the
> start, almost especially because most users don't really care about it.
By far the overwhelming majority of IM clients in use are those provided
by the protocol vendors, and I can assure you, they don't ship with OTR.
Empathy's userbase is growing, but it's stil early days and it's likely
not going to dwarf the others anytime soon.
> Most people will not care about encryption. Most people also do not care
> about ACID database semantics. But anybody who made a database lacking the
> latter feature (i.e. Microsoft Access) would be roundly and justly flamed.
No, they should not be flamed, and this is the reason your posts are so
inappropriate: you think that because feature X is missing, developers
should be flamed. Developers in a number of projects work on a voluntary
basis, and in my opinion deserve some semblance of respect for their
contributions, not being hassled by the likes of you.
> There are a whole host of features that users do not care about but are
> critical pieces of infrastructure.
OTR is not a generally accepted critical piece of infrastructure.
> Email encryption is nearly a lost cause. But with Adium and a couple of other
> popular IM clients supporting OTR, widespread IM encryption was beginning to
> happen.
Back up your unqualified assertions about encryption uptake with some
verifiable facts.
> I don't think activists in Iran should have to worry about which IM client
> their friends are using in order to avoid being snooped on.
Perhaps a nice utopian vision of the future, but not the basis for a
rational discussion. This is an unqualified "oh-won't-someone-please-
think-of-the-X" appeal to emotion without presenting reasonable facts or
arguments to base it on.
It sounds like you have strong convictions. Strong enough though only to
sound off about it here and not really do anything about it. If these
objectives are so important to you, why aren't you writing your own OTR
extension now?
> I don't think their choice of IM client should be able to be used to single
> them out for special treatment by their government. All new IM clients should
> just do the right thing out of the box.
Reality: People's choices in the technology adoption affect their
security. You can't control the proliferation of technology, and you
can't control people's choices. You lose on both counts.
> Widespread support for good encryption is not something I care about because I
> am especially paranoid about my own IM conversations. It's because I care
> about the pernicious effects of all IM conversations being potentially public
> knowledge.
You only care enough about it to flame the volunteer developers who are
working on the IM technology -- not enough to actually do anything about
it yourself and contribute to make it better. Oh right, you're also
boycotting Empathy/Telepathy and telling all your friends not to use it.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/28
------------------------------------------------------------------------
On 2009-08-03T09:31:50+00:00 Fionn wrote:
Hello all,
since I am the creator of this "bug", I feel obliged to calm the waves a
bit and add a plea for seriousness in this discussion.
What some developers might call "broken by design" is probably the backside of OTR being a technology that just works with each and every IM protocol out there, even the worst ones like MSN and Yahoo. I presume, providing such a bandwidth of features just wont go without some kludgy solutions.
In my daily life (and in the life of many others I would bet) practical solutions are what counts and what is needed. OTR is a practical solution.
As a contract worker for several German companies I can tell you that in many European IT departments OTR has become the de facto standard for on-the-fly exchange of information bits like the casual end user password and similar stuff of more-than-zero triviality.
To the best of my knowledge, all current versions of OTR provide no "false security" when properly used and the fact that they might not be working very elegant "under the hood" is actually the bit that is of "minor importance" to me.
For me, the important point is that I totally depend on a cross-protocol
encryption solution for IM that "just works" in my daily life and so do
many other people. OTR is already here and has been for several years
now. And despite the fact that there might be more or less obvious and
more or less major disadvantages to OTR from the developers POV, *not*
*one* single viable alternative has come to my attention in the last
years that is not forcing users to use a specific IM protocol or even a
specific OS platform.
Conclusion: Unless proven otherwise I'd like to state as a FACT that in the field of IM privacy, OTR has become the de-facto standard. At least in Europe it is very widely deployed and often expected to be available. And there are just no alternatives available at all which work cross-protcol and cross-platform.
From my POV this means there is also (currently) no alternative available to implementing OTR for every IM UA that wants to be taken seriously.
Thank you for reading.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/29
------------------------------------------------------------------------
On 2009-09-10T21:49:45+00:00 northa wrote:
There are many good arguments as to why otr support should be high priority in this thread, and others, and to as to why many people consider leaving out otr-support a very bad idea. We
Google: telepathy otr and you'll see a lot of them.
My view: Should be a default out-of-the-box, as it works with all
protocols. Almost everyone in my contactlist uses otr now-a-days, and
no, they are not all "nerds". We use otr at work too.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/34
------------------------------------------------------------------------
On 2009-09-16T13:31:23+00:00 segler wrote:
if someone would like to create a plugin, does somebody know good documentation
first on creating telepathy or empathy plugins ( C or Python, C++)
and second on using libotr??
please comment or
directly to segler_alex@xxxxxx
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/36
------------------------------------------------------------------------
On 2009-09-23T00:57:14+00:00 Fionn wrote:
@24: AFAIK there is not even a plugin API available yet.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/40
------------------------------------------------------------------------
On 2009-10-25T12:48:10+00:00 amay82 wrote:
I will use Pidgin until Empathy supports OTR. Unfortunately, I don't
have the time to do it myself but for my purposes, private and secure
messaging is a must-have. Please don't take this as "bitching" but only
as information about a user's requirements.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/45
------------------------------------------------------------------------
On 2009-10-26T03:08:28+00:00 Andre Klapper wrote:
Please don't spam my inbox with "/me too" comments if there are no new arguments included. They are not helpful, don't change any opinions, and just slow down the process in general.
Thanks a lot.
Reply at: https://bugs.launchpad.net/empathy/+bug/296867/comments/46
** Changed in: libtelepathy
Importance: Unknown => Wishlist
** Bug watch added: Maemo Bugzilla #1921
https://bugs.maemo.org/show_bug.cgi?id=1921
--
empathy needs to support OTR encryption
https://bugs.launchpad.net/bugs/296867
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Fedora.
