Gajim - 2017-01-22


  1. petmos In a german Tech portal someone wrote gajim for Windows uses very old libraries. Is this correct? https://m.heise.de/forum/heise-Security/News-Kommentare/XMPP-Jabber-Krypto-Messenger-ChatSecure-verschluesselt-mit-OMEMO-Protokoll/Gajim-Release-enthaelt-uralte-Versionen-von-Python-OpenSSL/posting-29818036/show/
  2. lovetox petmos, it is in the installer but not used by gajim
  3. lovetox it was used years back and when it was not used anymore no one cared to adapt the installer script
  4. lovetox gajim uses pyopenssl
  5. bot Philipp Hörist pushed 6 commits to branch _refs/heads/gajim_0.16_ of _gajim_ <https://dev.gajim.org/gajim/gajim>: *17214c2b* <https://dev.gajim.org/gajim/gajim/commit/17214c2b75efc7a831fb872fd4be9c13fc9304af> Parse commandline arguments earlier *498d049a* <https://dev.gajim.org/gajim/gajim/commit/498d049a21c849b66ff485b8bf19a73db4cd26e5> Simplify configpaths import *6af02d78* <https://dev.gajim.org/gajim/gajim/commit/6af02d78eb5eedcc435ef5d28f69057a399bfee9> Create logfile always in config path *38e12198* <https://dev.gajim.org/gajim/gajim/commit/38e121988c53a07076bec3e91819b5161e0c8360> Create logfile only when gajim is frozen *3dc7e38b* <https://dev.gajim.org/gajim/gajim/commit/3dc7e38b4bdfff770913afc0f7f5bd8a41772399> Make verbose logging less verbose *8abf73f9* <https://dev.gajim.org/gajim/gajim/commit/8abf73f94e63f96ab859bd4651553e7186e6fd76> Merge branch 'gajim_0.16' into 'gajim_0.16' Portable Logfile See merge request !30
  6. bot Philipp Hörist pushed 2 commits to branch _refs/heads/master_ of _gajim_ <https://dev.gajim.org/gajim/gajim>: *9ea208e3* <https://dev.gajim.org/gajim/gajim/commit/9ea208e36a717dc2c8f55f4a5edb0ddc14e9cc90> Use separate application id for each profile. Application id is customized in do_handle_local_options just before it is registered and can't be changed any further. This makes it possible to run multiple instances of Gajim, at most one for each profile. *ca3b5eee* <https://dev.gajim.org/gajim/gajim/commit/ca3b5eee3cee990237134210f97edbe6b0dc9d26> Merge branch 'multiple-instances' into 'master' Use separate application id for each profile. See merge request !32
  7. andrey.g zak, lovetox has just addressed also your question.
  8. zak andrey.g‎: You mean the commits?
  9. zak Sorry... telephone...
  10. andrey.g No, OpenSSL version.
  11. lovetox you can track down the specific version that is used by getting the details of _ssl.pyd which is part of pyopenssl
  12. lovetox the file is from 2014, so far from current
  13. lovetox but its not 2009
  14. andrey.g lovetox, though I personally do not use gajim on Windows, I think to address the issue with OpenSSL in a bug report.
  15. lovetox beginning with the next version we will include always the most uptodate pyopenssl version
  16. lovetox this was already done andrey.g
  17. lovetox and also already solved
  18. lovetox new installer solves all this
  19. andrey.g Aha, lets look...
  20. lovetox previously the windows installer was made on asterix pc, with cx freeze
  21. lovetox we now in the future use appveyor a building platform
  22. lovetox you can see which packages it pulls in the appveyor.yml
  23. lovetox in the repo
  24. andrey.g So the new installer doesn't anymore link openssl dlls statically, so that once dlls get a minor update (which is major security) the user can just download new dlls and replace them, which is relatively easy?
  25. lovetox the DLLs werent used for a long time i think
  26. lovetox if pyopenssl gets a security update
  27. lovetox we can just release a new gajim build
  28. lovetox instantly as soon as pyopenssl publishes a new version
  29. lovetox i dont think windows users will download dlls and replace them ever :)
  30. andrey.g Sure, auto-update is always better. If gajim would use the patch version number for such cases, it would be great. E.g. new release: 0.17, 0.18,... If security or critical bugs arise, then 0
  31. andrey.g Sure, auto-update is always better. If gajim would use the patch version number for such cases, it would be great. E.g. new release: 0.17, 0.18,... If security or critical bugs arise, then 0.17.1, 0.17.2,..
  32. andrey.g But the openssl library is not in pyopenssl, but in cryptography, upon which pyopenssl depends.
  33. lovetox though gajims codebase is rather big, i dont even know everything that slumbers in it
  34. andrey.g Python seems to be also extremely old: $ strings bin/python27.dll | grep '2\.7' 2.7.9
  35. lovetox yeah
  36. lovetox 2.7.12 is used in the next version
  37. lovetox i see that we release it in the next week
  38. andrey.g 2.7.13 has been released over month ago.
  39. lovetox the this will probably be used
  40. lovetox whatever appveyor has installed at the time of the build
  41. andrey.g Back to jingle_ft. Enabling version check would make usage impossible for now. Since the current development version is still 0.16.6. Does gajim not increment the version promptly after release?
  42. lovetox we dont have development versions
  43. lovetox but this is something we should consider doing in the future
  44. lovetox exactly for that reason
  45. lovetox i could up the version number to 0.16.7
  46. andrey.g Then I commit check for 0.16.6, which could be then incremented.
  47. andrey.g Then I could make a commit which will be ready to use.
  48. lovetox you mean check for 0.16.7
  49. andrey.g Yes.
  50. lovetox yes ok
  51. lovetox in the future we should up the version right after release
  52. andrey.g Yes, definitively.
  53. lovetox when you clone the commit is added to the version number until now
  54. lovetox so in that sense you know you are on dev and on which commit
  55. lovetox but its not good for checking
  56. lovetox to come back to the ssl topic
  57. lovetox i just looked at my nightly installer
  58. andrey.g BTW, do these windows snapshot releases get published?
  59. lovetox yes
  60. lovetox normally its here
  61. lovetox https://gajim.org/downloads/snap/win/
  62. lovetox but there is only for gtk3 right now
  63. lovetox because i think asterix script deletes everything older then 5 days
  64. lovetox and we only build when there is a commit
  65. lovetox for 0.16.7
  66. lovetox the snapshot is here
  67. lovetox https://ci.appveyor.com/api/buildjobs/1x6neww18xwvm2rp/artifacts/Gajim-0.16.6-2017-01-14.exe
  68. lovetox tomorriw it should als be on the ftp
  69. lovetox because i commited today something to the 0.16 repo
  70. lovetox yeah and there are still two version of ssl.pyd
  71. lovetox _ssl.pyd
  72. lovetox and the one from cryptogrphy
  73. andrey.g ftp://gajim.org/ ?
  74. lovetox https://gajim.org/downloads/snap/win/
  75. andrey.g OK.
  76. lovetox i dont actually know where _ssl.pyd comes dfrom
  77. lovetox it has to be included in some python package
  78. andrey.g Good question. It would be nice to see what versions of all the packages does appveyor packs exaclty.
  79. andrey.g Good question. It would be nice to see what versions of all the packages does appveyor pack exaclty.
  80. lovetox you can see this here
  81. lovetox https://ci.appveyor.com/project/lovetox/gajim
  82. lovetox on latest build
  83. lovetox i think _ssl.pyd is python own ssl lib?
  84. lovetox it ships a ssl module
  85. andrey.g At least it is for now the latest release: python-2.7.13$ strings _ssl.pyd | grep '^OpenSSL ' OpenSSL 1.0.2j 26 Sep 2016 I'm wondering what does it do there. This would force python team to release python once openssl gets updated. I'm in doubt this happens in this way. But what python version is used by appveyor. I can't see.
  86. lovetox seems there is only 2.7.13 installed
  87. lovetox https://www.appveyor.com/docs/installed-software/
  88. andrey.g On the first glance appveyor is pretty nontransparent for me.
  89. lovetox why what do you want to know?
  90. lovetox i could print out every detail about the VM where gajim is build, in the build script
  91. andrey.g I mean, that all the package names with version information should be printed somewhere on top of the log, so that one could quickly check what lands in the installer. And where every file does come from would be also great (this way work all the package managers for GNU/Linux and also Windows: see msys2/mingw-w64).
  92. zak So... I'm back.
  93. zak So, no obsolete dll included in the next windows gajim version then?
  94. lovetox yes zak
  95. lovetox andrey.g you misunderstand completly what appveyour does
  96. zak Great. Any clue when 0.16.7 will be released?
  97. lovetox i think next week
  98. lovetox though you can just delete the dlls they have no function whatsoever and are not used
  99. zak No, not because of this. I don't even use windows :-)
  100. lovetox appveyour just lends a VM to me
  101. zak Just interested in the progress.
  102. lovetox i install on it then various python packages via console commands
  103. lovetox afterwards i call a script that makes a exe installer
  104. lovetox appveyour just provides me a windows VM, what i do with it is my thing
  105. lovetox they put only out what the console gives back after i issue commands
  106. andrey.g Good, just adding something like 'python.exe --version' to the script could solve the issue. But still I don't see python2.7 in requirements.txt. So the VM in not empty and it configured somewhere to have something preinstalled on it yet before you start the script?
  107. lovetox yes what is installed is here
  108. lovetox https://www.appveyor.com/docs/installed-software/
  109. lovetox requirements.txt is just a file that pip can parse
  110. lovetox so i dont have to add multiple times "pip install xxx" to the scropt
  111. andrey.g ok
  112. lovetox also we ship with windows a full python installation
  113. lovetox so there are many files that are not used probably
  114. lovetox but thats the same on linux, if you have installed python, it does not mean you use every file of it
  115. andrey.g The main advantage on GNU/Linux (and msys2/mingw-w64 on Windows) is that there are no (dubious) binaries. Every binary is packaged at the appropriate place. And there must be only one :)
  116. lovetox if you install pre compiled applications you will always have to trust the one who did it, for people that dont want this, they can always start gajim from source also on windows, but it needs a lot more setup
  117. lovetox but interesting thought
  118. lovetox what if someone infiltrates the build platform and supplys manipulated binaries
  119. andrey.g That is what reproducible builds come for.
  120. soccerhub Hi
  121. soccerhub When i start, i´m receiving the message "secure connection not supported" What is wrong there ?
  122. lovetox what system?
  123. lovetox your own server?
  124. soccerhub Linux and not my server. I´m just a lurker
  125. lovetox can you give me part of the exact message
  126. lovetox i dont find the string "secure connection not supported"
  127. soccerhub OK, i make a shot and up it
  128. soccerhub lovetox,
  129. soccerhub Here is the message https://s24.postimg.org/waa60vih1/Jabber_secure_2017_01_22_21_26_46.png
  130. lovetox you have to make an account on jabber.de
  131. lovetox to use this server
  132. lovetox you try to connect anonymous to it
  133. lovetox but the server doesnt allow that
  134. soccerhub you have to make an account on jabber.de // i think i did that. OK
  135. soccerhub So, then it is not an error ?
  136. lovetox then you have to supply your username and password in the window where you add the account to gajim
  137. soccerhub yes
  138. lovetox maybe there is "anonym authentification"
  139. lovetox checked?
  140. lovetox uncheck it in the accounts window
  141. soccerhub Hmm, i have 2 accounts, one is a wrong try i think. the one , that contains the pw dots has secure unticked
  142. soccerhub But OK, i will sort that out and come back.
  143. wuzzap moin kann hier jemand deutsch? mein english ist leider total grottig :)
  144. soccerhub lol
  145. wuzzap kannst du mir vielleicht helfen? ich versuche nachrichten über das terminal rauszuschicken...
  146. soccerhub ne, nie gemacht
  147. wuzzap so... i try to talk english^^ i am try to send messages in the linux mint terminal via gajim-remote, but it says to me that gajim not is running
  148. elmo Hello! I'm trying to get Gajim run on my Mac. I installed gtk3 and got it running in virtualenv (talking to you right now from this homecooked version), but 1) the console output shows ugly warnings like "ImportError: no module named 'gtk'" -- how are you drawing the widgets if you don't have gtk... Secondly, more importantly, I can't figure out how to make End-to-End crypto work. I installed "pip install crypto" and it shows up in pip freeze as crypto==1.4.1, but Gajim's "features" UI doesn't recognize the fact. What could I do?
  149. lovetox hi elmo, we use gtk3
  150. lovetox did you follow the macosx installation guide?
  151. elmo We have one?
  152. lovetox kind of
  153. lovetox open whisper system
  154. lovetox https://dev.gajim.org/gajim/gajim/wikis/help/GajimMacOSX
  155. lovetox its beyond me why it shows you that warning
  156. lovetox and works at the same time
  157. lovetox the package you searching for is pycrypto
  158. lovetox not crypto
  159. elmo hmm, thanks!
  160. elmo Nope. Installed pycrypto but still no e2e. I'll try again later following the install guide. Thanks for the link.
  161. Mic92 Are there bigger plugin incompatibilities to be expected, when using gajim from master? Especially omemo would be important for me.
  162. Mic92 OK just found the gtk3 plugin branch
  163. lovetox gtk3 omemo plugin is not up to date
  164. lovetox but it is usable
  165. tm make[2]: *** No rule to make target 'no.po', needed by 'no.gmo'. Stop. "no" should be removed from LINGUAS?
  166. lovetox https://dev.gajim.org/gajim/gajim/commit/6386a6a128c780e2455be59ecce8784757fbcf50
  167. lovetox hm yeah
  168. tm I created !33 for it (together with missing import in logging_helpers.py)
  169. bot Philipp Hörist pushed 2 commits to branch _refs/heads/gajim_0.16_ of _gajim_ <https://dev.gajim.org/gajim/gajim>: *63439d08* <https://dev.gajim.org/gajim/gajim/commit/63439d0871925019ae1c960c6d7dea5118f2ae50> Fix translation list and add missing import. *6ed3651d* <https://dev.gajim.org/gajim/gajim/commit/6ed3651dcf83e1b7a2d68dd94309e98b167e9747> Merge branch 'minor-fixes' into 'gajim_0.16' Fix translation list and add missing import. See merge request !33
  170. lovetox thanks, damn i tested that logfile mr only on windows, and missed the missing import because of that :/
  171. andrey.g Regarding nightly Gajim-default-2017-01-15.exe: Python 3.4.4 (OpenSSL 1.0.2g) is outdated.
  172. lovetox thanks, yeah will switch it to 3.6
  173. lovetox and my pylint is not working for some reason :/
  174. wuzzap anybody can help me with gajim-remote?
  175. wuzzap it just says gajim is not started cant get the reason -.-
  176. andrey.g wuzzap‎, indeed, the same for me
  177. wuzzap ye this sux... btw is omemo possible with remote? cant find it in the commandlist
  178. lovetox its not possible i think
  179. lovetox maybe Asterix can help you with that, when he comes online
  180. wuzzap what you think which time?
  181. wuzzap omemo is not a must have important for me is just to send messages via terminal
  182. lovetox i dont know, maybe tomorrow
  183. lovetox stay in this channel :)
  184. tm wuzzap, re gajim-remote, do you have remote_control activated in advanced config editor?
  185. tm it is disabled by default
  186. kalkin Does Gajim-ng(?) support adding decorations to messages?
  187. kalkin so we can implement TOFU for OMEMO in Gajim?
  188. kalkin Currently I don't see a good way to do it, because there is no way to distinguish how and which msg is encrypted
  189. wuzzap oh thanks tm i will try
  190. wuzzap how is the gajim prozess called? pidof gajim returns nothing...
  191. wuzzap need it to restart
  192. lovetox thats the problem kalkin :)