Empathy

Bug #296867
Comment #22

Comment 22 for bug 296867

Revision history for this message

In freedesktop.org Bugzilla #16891, Eric-freedesktop (eric-freedesktop) wrote on 2009-08-03:

#22

(In reply to comment #15)
> You seem strangely interested in security... provided by (by your own words) a
> broken security layer? Do you really think that providing broken security, and
> lulling people into false sense of security is better than providing no
> "security" at all?

OTR's brokenness is due to the fact that it is a hacky kludge on top of existing IM protocols, not because it has any security flaws. It's inelegant and ugly, but it works.

I'm all for an elegant solution. But I don't think it should take a backseat to interoperability. I know that the various IM protocols are also mostly a bunch of ugly kludges as well. But that doesn't stop them from being implemented.

> And to others. I am not a Telepathy developer... but seriously guys, flaming
> developers while not being ready to get yourselves on the line? If you find it
> useful and especially if you find it critical, do it yourself. Otherwise, feel
> free to keep using Pidgin until you get this critical feature, which Thilo
> considers broken by design.
>
> I think there's room for other improvements before encryption, because I, and
> many other home users, find it unnecessary. Encryption is not important for
> majority of people on this world.

I am worried because Empathy appears to be getting a huge userbase and being used as the default IM client for a number of distributions without having a feature I think is incredibly important and should've been built in at the start, almost especially because most users don't really care about it.

Most people will not care about encryption. Most people also do not care about ACID database semantics. But anybody who made a database lacking the latter feature (i.e. Microsoft Access) would be roundly and justly flamed. Especially if they managed to somehow get that database into general use.

There are a whole host of features that users do not care about but are critical pieces of infrastructure. One of the things that most pleases me about Adium is that the developers understood and so many of my friends who have no clue or desire for encryption end up using it anyway because they use Adium.

> If other clients provide you security, use those. Or use email+GPG for even
> more security. Filing a request is fine. Posting a comment supporting the
> request is fine. Attacking people like some of you did is not fine.

Email encryption is nearly a lost cause. But with Adium and a couple of other popular IM clients supporting OTR, widespread IM encryption was beginning to happen. I don't think activists in Iran should have to worry about which IM client their friends are using in order to avoid being snooped on. I don't think their choice of IM client should be able to be used to single them out for special treatment by their government. All new IM clients should just do the right thing out of the box.

Widespread support for good encryption is not something I care about because I am especially paranoid about my own IM conversations. It's because I care about the pernicious effects of all IM conversations being potentially public knowledge.

OTR's brokenness is due to the fact that it is a hacky kludge on top of existing IM protocols, not because it has any security flaws.  It's inelegant and ugly, but it works.

I'm all for an elegant solution.  But I don't think it should take a backseat to interoperability.  I know that the various IM protocols are also mostly a bunch of ugly kludges as well.  But that doesn't stop them from being implemented.

> And to others. I am not a Telepathy developer... but seriously guys, flaming
> developers while not being ready to get yourselves on the line? If you find it
> useful and especially if you find it critical, do it yourself. Otherwise, feel
> free to keep using Pidgin until you get this critical feature, which Thilo
> considers broken by design.
> 
> I think there's room for other improvements before encryption, because I, and
> many other home users, find it unnecessary. Encryption is not important for
> majority of people on this world.

Most people will not care about encryption.  Most people also do not care about ACID database semantics.  But anybody who made a database lacking the latter feature (i.e. Microsoft Access) would be roundly and justly flamed.  Especially if they managed to somehow get that database into general use.

There are a whole host of features that users do not care about but are critical pieces of infrastructure.  One of the things that most pleases me about Adium is that the developers understood and so many of my friends who have no clue or desire for encryption end up using it anyway because they use Adium.

Email encryption is nearly a lost cause.  But with Adium and a couple of other popular IM clients supporting OTR, widespread IM encryption was beginning to happen.  I don't think activists in Iran should have to worry about which IM client their friends are using in order to avoid being snooped on.  I don't think their choice of IM client should be able to be used to single them out for special treatment by their government.  All new IM clients should just do the right thing out of the box.

Widespread support for good encryption is not something I care about because I am especially paranoid about my own IM conversations.  It's because I care about the pernicious effects of all IM conversations being potentially public knowledge.