Feature #7868

Use gajim instead of pidgin (more secure OTR chat)

Added by colas about 5 years ago. Updated over 1 year ago.

Status: Rejected
Priority: Low
Assignee: -
Category: -
Target version: -
Start date: 09/01/2014
Due date:
% Done: 0%
Estimated time: 3.00 h
Feature Branch:
Type of work: Discuss
Blueprint:
Starter:
Affected tool: Instant Messaging

Description

Hi community

Gajim is a similar client to pidgin; while it only allows XMPP (jabber) accounts, it makes OTR much more secure. I'd rather be limited to just jabber than have a false hope that OTR is encrypting the chat properly. Read this for a detailed explanation as to why: https://micahflee.com/2013/02/using-gajim-instead-of-pidgin-for-more-secure-otr-chat/

The problem of it only using XMPP (jabber) can be resolved with this: http://www.jaim.at/server/

Thanks!


Related issues

Related to Tails - Bug #11541: OMEMO support in Tails (Confirmed, 06/21/2016)
Related to Tails - Bug #8573: Hopefully replace Pidgin some day (In Progress, 01/07/2015)

History

#1 Updated by intrigeri about 5 years ago

> I'd rather be limited to just jabber than have a false hope that OTR is encrypting the chat properly.

Micah's article is not about Pidgin-OTR not encrypting the chat properly. It's about the impact of security issues in Pidgin. Also, note that we have plans to confine Pidgin with AppArmor at some point. The AppArmor profile is ready, we "just" need AppArmor to be fixed to work on Live systems. This should alleviate most of the concerns raised by Micah in the article you're linking to.

Other reasons I see not to do the switch:

  • Gajim's security track record isn't that good either;
  • Gajim is much less used than Pidgin (https://qa.debian.org/popcon.php?package=gajim vs https://qa.debian.org/popcon.php?package=pidgin), so it probably has seen less scrutiny; granted, the reviews that were made on Pidgin are so scary, that there's little chance that Gajim is much worse;
  • the useotr project people are working on another OTR-enabled chat client; it might very well be that we want to ship it at some point; hence, I'd rather see the dust settle a bit, and avoid forcing our users to switch IM clients twice;
  • the OTR plugin for Gajim is not in Debian yet; this is of course a blocker.

> The problem of it only using XMPP (jabber)

IRC support is a must for Tails.

> can be resolved with this: http://www.jaim.at/server/

Their homepage is down right now, so I cannot check what this is useful for.

Care to start this discussion on tails-dev@, maybe, or are the points I make above enough to drop this idea at least until the useotr project's client is ready and/or it's clearer what the AppArmor status for Tails is?

#2 Updated by intrigeri about 5 years ago

  • Type of work changed from Code to Discuss

#3 Updated by BitingBird about 5 years ago

  • Status changed from New to Rejected

No answer in over a month, the feature request is closed.

Please note also that pidgin is now running with AppArmor, which mitigated security problems.

#4 Updated by sajolida about 3 years ago

  • Related to Bug #11541: OMEMO support in Tails added

#5 Updated by sajolida about 3 years ago

  • Related to Bug #8573: Hopefully replace Pidgin some day added

#6 Updated by sajolida about 3 years ago

Going back to some of the reasons evoked when rejecting this ticket two years ago:

  • "Gajim is much less used than Pidgin": I don't expect any of the possible replacements for Pidgin to be anything else than "much less used than Pidgin" amongst the possible candidates (otherwise we might have found it already).
  • "IRC support is a must for Tails": other candidates, such as CoyIM, only support XMPP as well.

So I'm adding Gajim to /blueprint/replace_Pidgin/.

#7 Updated by Kurtis about 3 years ago

Is it a non-starter to suggest that Tails ship both Gajim and Pidgin? XMPP + OMEMO is the future. IRC + OTR is the past. I feel like the situation changed when Gajim's OMEMO plugin hit the Debian repo a few weeks ago. https://packages.debian.org/sid/gajim-omemo Can this closed ticket be reconsidered in light of these new facts?

#8 Updated by intrigeri about 3 years ago

> Is it a non-starter to suggest that Tails ship both Gajim and Pidgin?
> I feel like the situation changed when Gajim's OMEMO plugin hit the Debian repo a few weeks ago. https://packages.debian.org/sid/gajim-omemo Can this closed ticket be reconsidered in light of these new facts?

There's some room to e.g. drop IRC support by default (and leave it to power users to install whatever IRC client they prefer). See #8573 and https://tails.boum.org/blueprint/replace_Pidgin/. So a client that supports XMPP but not IRC could potentially be a valid candidate. #11686 is where the next steps should happen.

#9 Updated by sajolida over 1 year ago

Upstream ticket about Gajim with Tails: https://dev.gajim.org/gajim/gajim/issues/8796.

#10 Updated by Kurtis over 1 year ago

From the dev.gajim.org link above: "Gajim 1.0.0-alpha2 is in Debian unstable, together with the most important plugins, esp. httpupload, omemo, pgp, and urlimagepreview. Please feel free to contact me (Debian maintainer) directly, if you have any issues with Gajim and Tails and/or Debian! {mailto|xmpp}:"
