Feature #7868

Use gajim instead of pidgin (more secure OTR chat)

Added by colas 2014-09-01 10:49:27. Updated 2018-03-30 02:54:32.

Status: Rejected
Priority: Low
Assignee:
Category:
Target version:
Start date: 2014-09-01
Due date:
% Done: 0%
Feature Branch:
Type of work: Discuss
Blueprint:
Starter:
Affected tool: Instant Messaging
Deliverable for:

Description

Hi community

Gajim is a similar client to Pidgin; while it only allows XMPP (Jabber) accounts, it makes OTR much more secure. I’d rather be limited to just Jabber than have a false hope that OTR is encrypting the chat properly. Read this for a detailed explanation as to why: https://micahflee.com/2013/02/using-gajim-instead-of-pidgin-for-more-secure-otr-chat/

The problem of it only using XMPP (jabber) can be resolved with this: http://www.jaim.at/server/

Thanks!


Related issues

Related to Tails - Bug #11541: OMEMO support in Tails (Confirmed, 2016-06-21)
Related to Tails - Bug #8573: Hopefully replace Pidgin some day (In Progress, 2015-01-07)

History

#1 Updated by intrigeri 2014-09-09 15:53:25

> I’d rather be limited to just Jabber than have a false hope that OTR is encrypting the chat properly.

Micah’s article is not about Pidgin-OTR not encrypting the chat properly. It’s about the impact of security issues in Pidgin. Also, note that we have plans to confine Pidgin with AppArmor at some point. The AppArmor profile is ready, we “just” need AppArmor to be fixed to work on Live systems. This should alleviate most of the concerns raised by Micah in the article you’re linking to.

Other reasons I see not to do the switch:

  • Gajim’s security track record isn’t that good either;
  • Gajim is much less used than Pidgin (https://qa.debian.org/popcon.php?package=gajim vs https://qa.debian.org/popcon.php?package=pidgin), so it probably has seen less scrutiny; granted, the reviews that were made on Pidgin are so scary that there’s little chance that Gajim is much worse;
  • the useotr project people are working on another OTR-enabled chat client; it might very well be that we want to ship it at some point; hence, I’d rather see the dust settle a bit, and avoid forcing our users to switch IM clients twice;
  • the OTR plugin for Gajim is not in Debian yet; this is of course a blocker.

> The problem of it only using XMPP (jabber)

IRC support is a must for Tails.

> can be resolved with this: http://www.jaim.at/server/

Their homepage is down right now, so I cannot check what this is useful for.

Care to start this discussion on tails-dev@, maybe, or are the points I make above enough to drop this idea at least until the useotr project’s client is ready and/or it’s clearer what the AppArmor status for Tails is?

#2 Updated by intrigeri 2014-09-09 15:54:02

  • Type of work changed from Code to Discuss

#3 Updated by BitingBird 2014-10-17 09:59:02

  • Status changed from New to Rejected

No answer in over a month, the feature request is closed.

Please note also that Pidgin is now running with AppArmor, which mitigated security problems.

#4 Updated by sajolida 2016-08-24 03:58:22

  • related to Bug #11541: OMEMO support in Tails added

#5 Updated by sajolida 2016-08-24 03:59:39

  • related to Bug #8573: Hopefully replace Pidgin some day added

#6 Updated by sajolida 2016-08-24 04:03:21

Going back to some of the reasons evoked when rejecting this ticket two years ago:

  • “Gajim is much less used than Pidgin”: I don’t expect any of the possible replacements for Pidgin to be anything else than “much less used than Pidgin” amongst the possible candidates (otherwise we might have found it already).
  • “IRC support is a must for Tails”: other candidates, such as CoyIM, only support XMPP as well.

So I’m adding Gajim to /blueprint/replace_Pidgin/.

#7 Updated by Kurtis 2016-09-17 12:34:39

Is it a non-starter to suggest that Tails ship both Gajim and Pidgin? XMPP + OMEMO is the future. IRC + OTR is the past. I feel like the situation changed when Gajim’s OMEMO plugin hit the Debian repo a few weeks ago. https://packages.debian.org/sid/gajim-omemo Can this closed ticket be reconsidered in light of these new facts?

#8 Updated by intrigeri 2016-09-20 03:52:01

> Is it a non-starter to suggest that Tails ship both Gajim and Pidgin?
> I feel like the situation changed when Gajim’s OMEMO plugin hit the Debian repo a few weeks ago. https://packages.debian.org/sid/gajim-omemo Can this closed ticket be reconsidered in light of these new facts?

There’s some room to e.g. drop IRC support by default (and leave it to power users to install whatever IRC client they prefer). See Bug #8573 and https://tails.boum.org/blueprint/replace_Pidgin/. So a client that supports XMPP but not IRC could potentially be a valid candidate. Bug #11686 is where the next steps should happen.

#9 Updated by sajolida 2018-03-05 11:48:46

Upstream ticket about Gajim with Tails: https://dev.gajim.org/gajim/gajim/issues/8796.

#10 Updated by Kurtis 2018-03-30 02:54:32

From the dev.gajim.org link above: “Gajim 1.0.0-alpha2 is in Debian unstable, together with the most important plugins, esp. httpupload, omemo, pgp, and urlimagepreview. Please feel free to contact me (Debian maintainer) directly, if you have any issues with Gajim and Tails and/or Debian! {mailto|xmpp}:debacle@debian.org”