Gajim - 2014-04-08

  1. bot RSS: Feeds for Gajim • Ticket #7717 (gajim fails to reconnect, dumps xep-198 session) created Bug description When using Gajim on mobile networks, stream management should prevent message loss because of unreliable connections. But sometimes, Gajim fails reconnecting and goes to offline state. The next connection leads to a new session without a try to resume the last session. Gajim should keep the xep-198 session alive until the user sets the statu[…]
  2. heavymetal hi
  3. heavymetal Link Mauve, thanks for the OpenSSL advisory.
  4. heavymetal (just patched)
  5. heavymetal Good night.
  6. henk hi, I created a log from "gajim -v" as requested in It grew to 26GB in half a day and is the problematic part in this case. AFAICT it’s not actually related to the bugreport, but it also fills up the HDD very inconveniently. Can anyone here advise what to do so this problem can be fixed? btw: this happened just after resuming from suspend to ram.
  7. teo0056 Hello
  8. teo0056 who should I contact for technical help?
  9. teo0056 need help
  10. teo0056 my audio and video in gajim are deactivated
  11. Link Mauve You need Gstreamer 0.10 and Farstream 0.1.
  12. teo0056 Thank you for your reply
  13. teo0056 I will try this now
  14. Link Mauve It should be noted in Help > Features > Audio/Video.
  15. Link Mauve So, teo0056, audio/video isn’t supported on Windows XP yet.
  16. teo0056 Thank you Link Mauve for your help
  17. Link Mauve You will have to wait for 0.16.
  18. teo0056 yes I am using Windows
  19. Link Mauve There is already a RC for it, AFAIK.
  20. Link Mauve Here:
  21. teo0056 I will try
  22. teo0056 thank you again
  23. teo0056 for your help
  24. Link Mauve :)
  25. vorner Shouldn't the problem with XP be solved by it getting outdated? O:-)
  26. Link Mauve Yeah, nobody should use that anymore.
  27. Link Mauve But it’s been that way for many years already.
  28. Link Mauve You can’t get security and XP at the same time.
  29. heavymetal I still can't believe Microsoft is ending support.
  30. heavymetal Old or not, it's just everywhere.
  31. vorner heavymetal: Being you, would you enjoy fixing bugs in >10 years old crap you hoped to get rid of long ago while it brings you no money at all?
  32. Link Mauve Better end the support and make money by providing extended support.
  33. mathieui I would do that
  34. heavymetal vorner, that reminds me a certain web browser....
  35. heavymetal Anyway, it's not like they would have to add features or fix functionality bugs... we're talking about fixing vulnerabilities discovered by other people.
  36. vorner Which sometimes may mean rewriting and redesigning something from ground.
  37. heavymetal hmm... well, in some cases maybe.
  38. heavymetal You're right there.
  39. heavymetal hg is slow........
  40. heavymetal Will gajim support Python3?
  41. Link Mauve heavymetal, it’s already in trunk.
  42. heavymetal Cool.
  43. heavymetal I guess that's why I'm getting the print file= error.
  44. heavymetal It has been ported? Entirely?
  45. Link Mauve I think so.
  46. Link Mauve If you want the python2 version, checkout the gajim_0.16 branch.
  47. heavymetal No, it's cool to have it ported :O
  48. Link Mauve :)
  49. heavymetal I thought it would not happen.
  50. heavymetal pip install nbxmpp fails, I guess I'll have to use hg version too.
  51. heavymetal But it's giving certificate error...
  52. Link Mauve Yeah, get the python23 branch, it does what the name implies.
  53. Link Mauve Either install CACert’s certificate, or use the HTTP version.
  54. Link Mauve Or hg clone --insecure
  55. heavymetal RootCA is quite a bad name.
  56. heavymetal Most certificates in /etc/ssl/certs contain those two words!
  57. heavymetal hg still fails...
  58. Link Mauve Did you add --insecure?
  59. heavymetal No.
  60. heavymetal I would like it secure.
  61. Link Mauve I don’t know then.
  62. Link Mauve Maybe just check the fingerprint manually?
  63. heavymetal If hg gave it...
  64. heavymetal Oh, it gives it.
  65. heavymetal Weird enough. The fingerprint does not match.
  66. Link Mauve :o
  67. Asterix you need the root certificate
  68. heavymetal Asterix, I downloaded the class 1 one and put it in /etc/ssl/certs, then ran update-ca-certificates.
  69. heavymetal But the fingerprint thing is weird.
  70. Asterix I use the class3 ...
  71. Asterix having a cert from class1 is too expensive
  72. heavymetal I added that one too.
  73. heavymetal Expensive, why?
  74. Asterix that that should work :/
  75. heavymetal Isn't the class 1 the one with RSA 1024 and md5?
  76. heavymetal Could it be a SNI issue?
  77. Asterix
  78. heavymetal I knew that.
  79. heavymetal I'll continue with --insecure :\
  80. Asterix you could also get the certificate and add the path in hgrc file
  81. heavymetal Isn't there a requirements file?
  82. Asterix hm?
  83. heavymetal A file with the name and versions of packages in the cheeseshop that gajim requires.
  84. heavymetal So you can do pip install -r requirements.txt
  85. heavymetal Guessing names in the cheeseshop is painful.
  86. heavymetal There are no conventions, separate names for different versions, half the packages are named python-something... as if I were to use pip to install ruby deps!
  87. Asterix :)
  88. Asterix no, we don't have that, but in pip there are no daily packages
  89. heavymetal It would still be useful for pyopenssl and company.
  90. heavymetal But maybe I'm better off using system's python3 and --system-site-packages
  91. Asterix I don't really understand what you want ...
  92. heavymetal I want to run gajim from hg.
  93. Asterix if you want to install nbxmpp, there is just python(3) install
  94. heavymetal In an Ubuntu 14.04 system.
  95. heavymetal Also, I had 12.04 before and installed manually python3.4 from source... Now it seems Python has no make uninstall.
  96. heavymetal rm -rf */* works.
  97. Asterix :)
  98. heavymetal Is PyOpenSSL still required for Py3?
  99. pvtlth Asterix, I have found an SSL problem on your server!
  100. pvtlth It is vulnerable to the heartbleed openssl bug which was published yesterday. Maybe you've heard of it already
  101. Asterix I just updated to the latest openssl version ... there is no newer version in debian testing for the moment AFAIK
  102. Asterix yes I've heard, it's why I just updated :/
  103. mathieui Asterix, you have to restart the services using openssl
  104. pvtlth ok thank you
  105. mathieui otherwise it’s not fixed
  106. pvtlth indeed
  107. Asterix I also restarted apache, but I have 1.0.1f, so I'm vulnerable I know
  108. mathieui 1.0.1f compiled with -DOPENSSL_NO_HEARTBEATS is not vulnerable, though
  109. pvtlth You updated to the f version?
  110. Asterix

           # apt-get install openssl
           Reading package lists... Done
           Building dependency tree
           Reading state information... Done
           openssl is already the newest version.
           openssl set to manually installed.
           0 upgraded, 0 newly installed, 0 to remove and 332 not upgraded.
           # dpkg -l openssl
           Desired=Unknown/Install/Remove/Purge/Hold
           | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
           |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
           ||/ Name Version Architecture Description
           +++-==============-============-============-=================================
           ii openssl 1.0.1f-1 amd64

  111. Asterix repos doesn't seem updated :/
  112. pvtlth compile the g version yourself
  113. mathieui Asterix, don’t you have the security repo? :|
  114. mathieui it’s kind of mandatory
  115. mathieui
  116. Asterix I do
  117. mathieui
  118. mathieui right, they didn’t fix it for jessie yet. what.
  119. Asterix
  120. Asterix here the g seems to be available for jessie ...
  121. Asterix but it's not in repository :/
  122. pvtlth Is the client affected too?
  123. Link Mauve Yes.
  124. Link Mauve A rogue server could access your memory.
  125. pvtlth all my memory or only the openssl part of it?
  126. Link Mauve All the memory of the process.
  127. pvtlth of the openssl process or the openssl using process?
  128. Link Mauve openssl doesn’t run in a separate process.
  129. Link Mauve It would mitigate the attack if it did.
  130. pvtlth so all my gajim's things for example
  131. Link Mauve Yeah.
  132. Link Mauve In chunks of 64 KiB, starting from the heartbeats packet.
  133. pvtlth incl. usernames and passwords of all my accounts... not funny. I just changed all my passwords a few months ago...
  134. Asterix only the 64 first kB, no?
  135. Link Mauve Yeah.
  136. Asterix which contains pw indeed ...
  137. Link Mauve pvtlth, I expect most of your servers to have been vulnerable those past two years, so change them again as soon as the servers are confirmed for not having been compromised.
  138. pvtlth 64kb in memory can store lots of sensitive data
  139. pvtlth I will of course.
  140. heavymetal Hi, what happened to the muc?
  141. heavymetal ( gave an error about being too busy)
  142. Asterix no pb for me
  143. heavymetal Maybe it happened only from my server :\
  144. heavymetal I tried running gajim from hg, but I'm getting an error: ValueError. No such digest method.
  145. heavymetal (python3)
  146. Asterix do you have the full traceback?
  147. heavymetal Yes, of course.
  148. heavymetal
  149. Asterix typo ... Fixin
  150. Asterix typo ... Fixing ...
  151. heavymetal Hilarious!
  152. Asterix fixed, you can update
  153. heavymetal Cool :)
  154. heavymetal But there are more :(
  155. heavymetal 'str' does not support the buffer interface.
  156. Asterix I have not tested this code ...
  157. Asterix my cert is already generated
  158. heavymetal Do you use python2 or 3?
  159. heavymetal Ah.
  160. Asterix I don't have much time to test it right now
  161. bot RSS: Feeds for Gajim • Changeset [15450:182aaa7fab1a]: fix typo fix typo
  162. heavymetal It's normal it fails.
  163. heavymetal common/
  164. heavymetal It's decoding a bytestring to unicode... to write it on a binary file.
  165. heavymetal Fixed I guess (?)
  166. Asterix removing the .decode() fixes it, right?
  167. heavymetal Yep.
  168. Asterix ok and everything is opk after that?
  169. Asterix ok and everything is ok after that?
  170. heavymetal There are many many deprecation warnings.
  171. heavymetal But they belong to Gtk.
  172. heavymetal So I think it's fine.
  173. Asterix yes I know about that. They don't want us to use icons in menu / buttons :/
  174. Asterix I committed the removal of .decode()
  175. Asterix ha openssl has been updated in jessie!
  176. heavymetal Oh, now it will fail when I run hg pull; hg update!
  177. heavymetal undoes.
  178. Asterix but the test still fails :/
  179. Asterix --insecure
  180. heavymetal Which test?
  181. Asterix
  182. heavymetal Asterix, have you restarted Apache/nginx/whatever?
  183. Asterix yep
  184. heavymetal It's still vulnerable indeed.
  185. Asterix but I have 1.0.1g-1 installed
  186. heavymetal Debian Jessie?
  187. heavymetal Which web server do you use?
  188. heavymetal Maybe you built OpenSSL statically?
  189. Asterix yes jessie, apache2
  190. heavymetal Apache should take the new OpenSSL even with just a reload
  191. Asterix I did a restart
  192. heavymetal That's strange.
  193. heavymetal Do you have more servers? Bouncers?
  194. Asterix more servers ?
  195. heavymetal Like "I use Apache, but proxied by nginx"
  196. bot RSS: Feeds for Gajim • Changeset [15451:9dbca6d480c4]: remove wrong .decode() remove wrong .decode()
  197. Asterix no no, apache is joined directly
  198. heavymetal lsof -n | grep DEL |grep '\.so'
  199. heavymetal Does it return something?
  200. Asterix yes, a lot of things, but nothing about apache
  201. Asterix mysql / postgres / ...
  202. heavymetal Those are processes using old versions of libraries. You should restart them.
  203. heavymetal Although Apache should be taking the new library :\
  204. Asterix yes but that's not so easy to cut them all
  205. heavymetal Why not?
  206. heavymetal Downtime is a fact.
  207. Asterix donutsd for ex, I don't remember where it's launched from ...
  208. Asterix dibbler doesn't want to restart it seems
  209. heavymetal What's donutsd?
  210. heavymetal I live better since I know systemd services.
  211. Asterix something that checks my dnssec regularly and informs me that I have to re-sign
  212. heavymetal Writing service files is way much easier and reliable than writing initscripts.
  213. Asterix all is restarted except those 2.
  214. Asterix I'll see later why apache is still vulnerable :/
  215. heavymetal Once upon a time I feared reboots because I had to start several screen's, run and detach.
  216. heavymetal No more. Writing the service file is easier.
  217. Asterix I indeed prefer not to reboot ... :)
  218. heavymetal Asterix, do those 2 services depend on libssl?
  219. Asterix I don't think so
  220. Asterix I don't know the internals of dibbler, but I don't think it does
  221. heavymetal It should be listed in lsof.
  222. Asterix

           # lsof -n | grep DEL |grep '\.so'
           donutsd 1850 root DEL REG 8,5 21503628 /usr/lib/perl/5.14.2/auto/IO/
           donutsd 1850 root DEL REG 8,5 21626894 /usr/lib/perl/5.14.2/auto/Socket/
           donutsd 1850 root DEL REG 8,5 21503635 /usr/lib/
           dibbler-c 28326 root DEL REG 8,5 22283408 /lib/x86_64-linux-gnu/
           dibbler-c 28326 root DEL REG 8,5 21637835 /usr/lib/x86_64-linux-gnu/
           dibbler-c 28326 28327 root DEL REG 8,5 22283408 /lib/x86_64-linux-gnu/
           dibbler-c 28326 28327 root DEL REG 8,5 21637835 /usr/lib/x86_64-linux-gnu/

  223. Asterix so no
  224. Asterix om donutsd restarted, only dibbler, but that's not a big problem
  225. heavymetal Oh, there is a Debian package for checking old libraries.
  226. heavymetal package: debian-goodies filename: /usr/bin/checkrestart
  227. Asterix ok, but time to sleep for me
  228. heavymetal Good night.
  229. Asterix thanks, GN all
  230. bot RSS: Feeds for Gajim • Ticket #7718 (0.16-rc1 doesn't warn about certificate change) created I've just put new certificate in my XMPP server and then relogged / rerun Gajim. There was no warning about SHA1 fingerprint change. I remember Gajim used to warn about it. • Ticket #7718 (0.16-rc1 doesn't warn about certificate change) closed fixed: it's a problem in nbxmpp and it's already fixed there