Gajim - 2017-07-14


  1. lovetox tell me what you think
  2. lovetox we could even show a warning dialog when the user checks that plain box under connection
  3. lovetox with all the implications
  4. SaltyBones so you would connect plain even if tls is available in that case?
  5. SaltyBones i think i prefer always trying secure first
  6. SaltyBones after all the user has to specifically acknowledge that they're okay with plain
  7. SaltyBones what we could do is reset that option when a secure connection succeeds
  8. SaltyBones in any case, allowing insecure connections should imho require a trip to the advanced config editor because people should just not fucking do it :)
  9. lovetox hm setting it back is i think overkill, if we don't have an "OK do it anyway", and a user ventures to the settings to explicitly set "Plain", then i guess he knows what he is doing, we don't have to doubt him and change his setting back later
  10. lovetox i think it would be nicer to have a checkbox for it, as we don't have to explain in the first TLS popup what options in the ACE have to be set
  11. lovetox and when he checks the box, we can display a dialog that shows the implications of Plain
  12. SaltyBones hm....maybe we should distinguish between "self-signed cert" and "other problems"
  13. lovetox but that's a whole other topic
  14. SaltyBones because self-signed certs might be something people want but all other failures are just stupid
  15. SaltyBones well, if we're discussing how to get around the restrictions then I think that's the same topic :)
  16. lovetox no, the case we want to fix now is, if there is no openssl lib installed
  17. lovetox what to display and what to do
  18. lovetox i think the case where a ssl lib is installed and ssl errors happen is actually solved quite well
  19. SaltyBones okay, then i would say don't even make it an ace option
  20. SaltyBones why would you not want to install openssl that badly?
  21. lovetox no reason, we just have to handle it
  22. lovetox i would give no pointers in the error
  23. lovetox just TLS failed, because no ssl lib installed
  24. SaltyBones yeah, and then we can discuss if there is a hidden option for it ;)
  25. lovetox if someone really wants to connect plain i guess he will find Account -> Connections
  26. SaltyBones but that option currently does something else, right?
  27. lovetox either way, i want to go away from that allowed connection type list
  28. SaltyBones should we really use the same option for people who don't even have ssl?
  29. lovetox because right now gajim tries every entry in that list
  30. lovetox if it fails one
  31. SaltyBones is that a problem? as long as it tries secure first?
  32. lovetox yeah, but then things happen like, you go out of standby, your network manager tells gajim internet is on
  33. lovetox gajim tries, but network manager lags and it's still not on
  34. lovetox gajim jumps to the next entry
  35. SaltyBones oh shit
  36. SaltyBones hadn't thought of that
  37. lovetox that's actually what happens
  38. lovetox on linux network manager tells us over dbus a second too soon
  39. lovetox the first connection type is never chosen..
  40. lovetox that's why i want away from that list of many connection types
  41. SaltyBones but it only happens if you explicitly allowed plain in the first place...
  42. lovetox actually we need only two
  43. SaltyBones hmhmhm
  44. lovetox TLS and Plain, and plain gets only ever chosen by gajim
  45. lovetox if the setting is set
  46. SaltyBones i don't even know what else there is...ssl, tls, plain?
  47. lovetox ssl and tls are the same
  48. lovetox not exactly
  49. lovetox tls = START TLS
  50. lovetox and ssl is pure TLS
  51. SaltyBones yeah, ssl is the one that requires a specific port
  52. lovetox from a security standpoint it doesn't matter which of the two is chosen
  53. lovetox or works
  54. SaltyBones as long as it doesn't move from a failed SSL to PLAIN even when TLS is an option....
  55. lovetox yeah that's what i don't like about lists
  56. lovetox you have to think these cases through
  57. lovetox when does it fall back etc
  58. lovetox when does it jump to the next entry
  59. lovetox plain should not ever be in that list
  60. lovetox we should ask the plain config setting extra
  61. lovetox also i want to make it clear for the user what happens
  62. lovetox if someone writes "plain" into a list where "ssl tls" already is
  63. lovetox he doesn't know what will happen on the next connect
  64. lovetox it's totally unclear
  65. SaltyBones yeah, let's just get rid of the list
  66. SaltyBones let's try both secure versions implicitly and have an option that allows plain
  67. lovetox yeah like ssl fails tls fail, ask is "allow plain" true? then connect plain
  68. lovetox and that allow plain is true, user has to click a checkbox under connections
  69. SaltyBones yes, and while we're at it
  70. lovetox and we present him with a dialog
  71. SaltyBones let's make sure that ssl and tls failed because of ssl/tls reasons
  72. lovetox about BAD STUFF WILL HAPPEN
  73. SaltyBones so that if there is no connection they cannot get skipped
  74. Link Mauve Err, are you still debating that plain connections should be supported?
  75. SaltyBones Link Mauve, yeah, you want in on the action? :)
  76. Link Mauve That’s something that should be removed altogether, or hidden as much as possible.
  77. SaltyBones I think we all agree there. :)
  78. Link Mauve You really shouldn’t design anything around it.
  79. lovetox we actually want to make it harder link mauve.
  80. lovetox SaltyBones found a dialog where you can connect plain with a click on a button
  81. lovetox ok have to go to bed, let's sleep on it :)
  82. SaltyBones aye, gnight