Gajim - 2016-12-18


  1. petmos Hello all, I'm using Gajim-nightlies on ubuntu 14.04. Since yesterday Gajim tells me GPG isn't usable ("GPG ist nicht benutzbar" ). In Accounts -> Personal informations I see: OpenPGP cannot be used on this PC ("OpenPGP kann auf diesem Computer nicht genutzt werden.").
  2. petmos But OpenGPG works with thunderbird as expected.
  3. petmos Can someone confirm this behaviour?
  4. aleks.vienna is openpgpg still possible even it's not in the core? I can't see it in the plugins list.
  5. aleks.vienna I use 0.16.6 just installed ;-)
  6. linus petmos: you probably need to install the appropriate Python module
  7. linus Something like python3-gnupg or python3-gpg
  8. linus Since it's not included with gajim anymore
  9. linus Might make sense to add it to the dependencies for the package, at least as a suggests
  10. linus aleks.vienna: it's a core feature, not a plugin, iirc
  11. aleks.vienna Ah okay so I just need to install gpg on windows and must tell gajim where the bin is. I will try
  12. linus Hm, surely it should be bundled on windows.
  13. linus I think lovetox is the one to ask about this. Although he's not here right now
  14. aleks.vienna no probs I just download it an will se
  15. aleks.vienna okay. after installing gpg4win gajim was able to get openpgp keys. ;-)
  16. aleks.vienna very cool programm ;-)
  17. aleks.vienna I now need someone to talk with omeo ;-)
  18. Asterix python-gnupg is shipped with windows installers. So installing gpg should be enough.
  19. Asterix under linux, yes I just removed it from sources, so it has to be installed, and yes I should add it in the suggested packages
  20. aleks.vienna is there a irc plugin ?! I haven't seen it in the plugins
  21. Asterix Gajim is a XMLL client, not IRC, but some servers offer XMPP to IRC bridge. So you can chat on IRC with Gajim
  22. Asterix but Gajim only see XMLL protocole
  23. aleks.vienna ah thanks
  24. Martin Remove url_image_preview from Debian for now? I'm maintaining the plugin in Debian, but I feel uneasy about the fact, that people you chat with can use this to find out your current IP address or might (if they know some bug in PIL) even do worse. Maybe even unknowingly by frivously forwarding a link. What do the experts here think? :~)
  25. petmos Asterix: python3-gnupg is installed. Do I needed something else?
  26. Martin If there is a solution (like showing the link first and requesting user action to actually show the picture), I can re-add it, of course.
  27. Asterix petmos: which gajim package do you install? gajim-daily or gajim-default-daily?
  28. Asterix Martin: you should talk to lovetox about that (not here for now)
  29. linus Martin: I think it's acceptable as long as it's not active by default. Maybe the description should include a warning as well
  30. linus But I don't think it should be removed outright.
  31. petmos Gajim-nightly. What is the difference to nightly-default? Can I switch back to 0.16.6-1 without braking databases or something else?
  32. Asterix petmos: nightly is py2 gtk2, like 0.16.* default is py3 gtk3.
  33. Asterix petmos: yes you can switch between them
  34. Asterix if you have nightly you have to install python-gnupg, not python3-gnupg
  35. Martin Asterix, linus, I'll talk to lovetox about it. I can do two things other than remove the package: Add a warning in the Debian package description and in the manifest.ini description, as suggested by linus, and maybe also move the package to Debian "experimental". But probably setting the description right, is sufficient.
  36. lovetox Martin, PIL and pixbuf is used also for avatars, in theory you could also manipulate an avatar
  37. lovetox as i said im all for it to deactivate it in generel in MUCs and on contacts that are not in your roster
  38. lovetox but for contacts in your roster, i dont see what a button that shows the image brings
  39. lovetox why would you not hit that button?
  40. lovetox if you have to hit it everyday with all your contacts
  41. lovetox why should you not hit it for that one malicious link?
  42. Martin lovetox, we have two problems here:
  43. Martin 1. privacy (by following the link, my IP, maybe location, maybe other information) is revealed to third party
  44. Martin 2. malicious image might damage Gajim
  45. Martin The button would at least allow the user to decide whether they want to reveal their IP to one user, but maybe not to the other.
  46. petmos Asterix‎: Thank you, now it works gain. I installed python-gnupg as you suggested.
  47. Martin I don't see an easy solution to potential security bugs in PIL/pixbuf. It might be easier to exploit a bug in the libraries by an arbitrary HTTP link than by an avatar, but the problem is similar.
  48. lovetox i dont see a problem with it, these libs are there to process images
  49. lovetox we can say we dont process images no more, or we have the risk
  50. lovetox i dont see a way in between
  51. Martin yes, that's right
  52. Martin so we only should talk about the first point, the potential privacy violation by automatically following HTTP links without user interaction
  53. lovetox i agree with your points
  54. lovetox ulitmately i dont want to preview links
  55. lovetox i want to preview a file transfer via http upload
  56. lovetox but at the moment we cant know the difference
  57. lovetox but i have no time to change it, so either someone other does it, or it will stay that way for now, do what you feel is right for the debian repo :)
  58. arune lovetox: why show http-uploaded images and not other linked images? That won't improve privacy
  59. Martin sorry for the stupid (XMPP-wise) question: if I HTTP upload a file, to what server is it uploaded and from what server is it downloaded? is the file transferred s2s from one XMPP server to another?
  60. Martin If the file is still on the senders server, the privacy is not improved.
  61. lovetox it is improved in the way that less images are previewed
  62. arune Martin: the file is uploaded to the sender's server
  63. lovetox so the chance of a malicious one is reduced
  64. lovetox that is a generel problem of httpupload
  65. lovetox i cant fix that
  66. lovetox all things have pros and cons
  67. Martin OK, sure. That's a problem of the XEP.
  68. lovetox file is stored on the server so its not p2p so your privacy is reduced
  69. lovetox yes of course we could implement a button on the first image
  70. lovetox and dialog
  71. lovetox do you want to preview all file transfers in the future
  72. lovetox etc
  73. Martin This sounds like a good idea. I will put some warning in the description for now, so that users are "risk-aware".
  74. arune Best would be to check if user is in your roster like conversations does
  75. lovetox that should be done anyway arune :)
  76. Martin Need to leave now, but would love to continue the discussion on XMPP privacy issues. Maybe better on the XMPP mailing list, because it is outside the scope of Gajim?
  77. arune And if it's a muc, a non-anonymous muc, preview images of other participants in your roster
  78. lovetox Yeah write to the mailinglist, for my use case the pros outweigh the cons, that the sender server knows my ip
  79. lovetox that will not change
  80. lovetox thats just server storage vs p2p
  81. arune We use gajim on a private xmpp network where every user knows each other so no privacy issues
  82. arune So please don't deactivate getting images
  83. andrey.g lovetox: just in case you'd have some suggestion how to use plugins.git only for separate profile with gajim.git (as mentioned on https://lists.gajim.org/pipermail/gajim-devel/2016-December/001153.html), it would be very welcome.
  84. lovetox dont use profiles
  85. lovetox use the config switch
  86. lovetox -c
  87. lovetox to define a other user dir
  88. lovetox completly
  89. lovetox andrey.g
  90. lovetox the profile separation is not a full separation in the gajim_0.16 branch
  91. lovetox in the default branch there is a option for that
  92. andrey.g lovetox: thanks. Using separate configs is already included in separate profile, I think. The issue is to use different plugin versions (sources) for development.
  93. andrey.g lovetox: Is the default (gtk3?) branch usable?
  94. lovetox no
  95. lovetox i dont get what you want to do
  96. lovetox you just want a separate setup from your stable
  97. lovetox so 2 totally separate gajim instances
  98. lovetox or do you need more?
  99. lovetox and no with -p switch there is not -c included
  100. andrey.g Yes. I'm using "stable" as packaged in debian and for testing 2 profiles.
  101. lovetox you can separate with profiles
  102. lovetox atleast plugins
  103. lovetox you have to use -c PATH and set a config dir path for every instance
  104. lovetox cant*
  105. andrey.g using -p I have ~/.config/gajim/pluginsconfig.test1, ~/.config/gajim/pluginsconfig.test2 but those are configs. What seems not to work is to have different sources: not only ~/.local/share/gajim/plugins but also ~/.local/share/gajim/plugins.test1 and ~/.local/share/gajim/plugins.test2
  106. andrey.g However actually for test1 and test2 I'd need only one plugins source dir.
  107. lovetox we have a misunderstanding
  108. lovetox -c does have nothing to do with a plugin config dir
  109. lovetox its the complete user dir
  110. lovetox where everything is saved
  111. andrey.g Yes, I'm not using -c yet.
  112. lovetox thats the config dir
  113. lovetox - /.local/share/gajim
  114. lovetox with -c you can set it to - /.local/share/gajim2
  115. lovetox sorry im coming from windows
  116. lovetox we dont have configs and stuff splitted into mulitple dirs
  117. lovetox everything is in one gajim dir
  118. lovetox but nevertheless should work on linux
  119. andrey.g windows - aha, then sorry.
  120. andrey.g It would be nice, if there would be no plugins dir in gajim.git, so that one could just clone pugins repository into development dir of gajim git.
  121. lovetox you can
  122. lovetox there are 2 plugin dirs
  123. andrey.g It seems to me much simpler, than config, data dirs, where I have now similar data.
  124. lovetox one in src and one outside
  125. lovetox you have to clone into the one outside
  126. lovetox plugin folder in the root dir
  127. lovetox there are even plugins in there
  128. lovetox but you should the use the -c switch still, because i think gajim will pull from both directorys, the one in the dev and the one in your user dir
  129. andrey.g Yes, that I consider as problem: they are already under git: both in root dir and src.
  130. lovetox so whats the problem just clone into the one in root
  131. andrey.g That's interesting. I'll look into it.
  132. lovetox and start with .-c switch
  133. lovetox :)
  134. lovetox we should make a switch that it only pulls from dev dir ^^
  135. andrey.g if I'm gajim.git and see plugins, I can't clone into this dir.
  136. andrey.g Switch? Yes!
  137. lovetox what do you mean you cant clone into it?
  138. lovetox personally i clone the plugin repo somewhere else
  139. lovetox and just link into the plugin dir
  140. lovetox because usually i dont want to load 20 plugins on every start
  141. lovetox if im working on one
  142. andrey.g lovetox: (I was away) cloning: I mean it is not possible to clone into an existing dir; Making a symbolic link into gajim.git/plugins/... would be an interesting option, if git wouldn't complains about not tracked files. Linking into user plugins dir is perhaps the best workaround I'll try. loading all plugins: I supposed if they are not enabled they don't get loading?
  143. lovetox andrey.g: they actually get all parsed
  144. lovetox and in a way loaded
  145. lovetox for example if there is a syntax error in one
  146. lovetox gajim will not load
  147. lovetox (i know its bad)
  148. lovetox they dont get activated though in the sense that the events get hooked
  149. andrey.g Good to know. For now I'm trying out: cd ~/.local/share/gajim/plugins/ ln -s /path/to/gajim-plugins.git/omemo .
  150. lovetox btw, what do you want to do?
  151. lovetox omemo jingle filetransfer?
  152. lovetox if you make contributions to the plugin repo, could you name the commits [omemo] xxxx for example
  153. lovetox because its one repo for all commits, so we see better what commit was for which plugin
  154. lovetox i know it hasnt been done really often until now
  155. lovetox but it would be nice
  156. andrey.g Yes, exactly. I'm predictable, yeah? :) Yes, I've noticed, that commits are prepended with plugin name. Thanks for the reminder.
  157. lovetox if you need help finding stuff in the omemo plugin just ask
  158. lovetox would that be a file transfer thats encrypted with axolotl, or would that be something like httpupload, where we use normal AES and send the key encrypted with a message
  159. lovetox ‎andrey.g
  160. andrey.g Thanks. Recently I've asked myself, why ssh doesn't work over omemo already. And the answer is that omemo is missing stream read()/write() API for now. That's why jingle will work similar to HTTP File Upload.
  161. andrey.g The question is, why omemo is missing it. Some general problem or it's just not yet implemented.
  162. lovetox ok but then im not so sure if this code would be good in the omemo plugin
  163. lovetox because what do you need the plugin actually for?
  164. lovetox you want to send a single message to a contact with a key, thats all the part omemo takes
  165. lovetox you could implement the whole encryption with AES etc, in the jingle module
  166. lovetox and just trigger sending a omemo message from the jingle module
  167. lovetox and on receiving in the omemo plugin, pass it to the jingle module perhaps
  168. lovetox or maybe you planned it that way anyway :)
  169. andrey.g I tried not to change generality of jingle in gajim but to use events to hook all that needs to be changed in the omemo plugin.
  170. lovetox hm k im excited to see your work :)
  171. lovetox hm i think on the ui, will it be a user choice to send encrypted
  172. lovetox or are you thinking about some automation, if a omemo session exists
  173. lovetox send it encrypted
  174. andrey.g If omemo is activated, then files must be sent encrypted.
  175. lovetox yeah i do this with httpupload
  176. lovetox but the difference is i dont have to care what resources are online
  177. lovetox with jingle you have
  178. lovetox in generel you can get the information if a device supports omemo with the disco