Telepathy framework - library

empathy needs to support OTR encryption

Reported by goto on 2008-11-11
This bug affects 331 people
Affects Status Importance Assigned to Milestone
Empathy
Confirmed
Wishlist
Nominated for Trunk by onny
One Hundred Papercuts
Undecided
Unassigned
libtelepathy
Confirmed
Wishlist
empathy (Fedora)
Won't Fix
Unknown
empathy (Ubuntu)
Wishlist
Unassigned
Declined for Maverick by Sebastien Bacher
libtelepathy (Ubuntu)
Wishlist
Unassigned
Declined for Maverick by Sebastien Bacher

Bug Description

Binary package hint: empathy

Hello,
I just tried empathy (the Intrepid version) and it looked very solid and stable. There were a few minor things that could be improved (e.g. automatically resizing the contact list), but that is not the topic here.
The reason why I won't switch to empathy from pidgin is the missing OTR support (http://www.cypherpunks.ca/otr/ ). This is a really important feature because no one should read your messages.
There were others with the same idea (links at the bottom).
Would be so great if it could support that important encryption standard.
Thanks for helping out!

Links:
https://bugs.launchpad.net/ubuntu/+source/empathy/+bug/253452/comments/2
http://lists.cypherpunks.ca/pipermail/otr-users/2008-September/001479.html
http://bugs.freedesktop.org/show_bug.cgi?id=16891

Yeah, encryption is a must for me, too. This the only reason using Pidgin instead of telepathy for me.

The draft Messages UI should theoretically allow anything that has a MIME type.
The underlying protocol support is another story, however.

C-library[1] and python binding[2] are availible, too. So "only" the telepathy glue is needed. After that minor extensions to the different user interfaces really make it functional.

[1] http://www.cypherpunks.ca/otr/README-libotr-3.2.0.txt
[2] http://python-otr.pentabarf.de/

goto (gotolaunchpad) wrote :

Binary package hint: empathy

Hello,
I just tried empathy (the Intrepid version) and it looked very solid and stable. There were a few minor things that could be improved (e.g. automatically resizing the contact list), but that is not the topic here.
The reason why I won't switch to empathy from pidgin is the missing OTR support (http://www.cypherpunks.ca/otr/ ). This is a really important feature because no one should read your messages.
There were others with the same idea (links at the bottom).
Would be so great if it could support that important encryption standard.
Thanks for helping out!

Links:
https://bugs.launchpad.net/ubuntu/+source/empathy/+bug/253452/comments/2
http://lists.cypherpunks.ca/pipermail/otr-users/2008-September/001479.html
http://bugs.freedesktop.org/show_bug.cgi?id=16891

Pedro Villavicencio (pedro) wrote :

that's a telepathy request

Changed in empathy:
importance: Undecided → Wishlist
status: New → Triaged
Changed in libtelepathy:
status: Unknown → Confirmed

if given some mentoring, i could spend some time implementing it.b

(Note to myself: maemo.org downstream ticket at https://bugs.maemo.org/show_bug.cgi?id=1921 )

Downgrading priority; there are more pressing spec issues, and I think that supporting encryption on protocols like XMPP where it can be done cleanly (rather than as misc. sent in the regular plain text stream) is a higher priority.

in my experience this is why i myself and most people i know still use pidgin, though everybody believes telepathy would be nicer.

Re-lowering priority. Daniel: while it's a shame that this is keeping you from using Telepathy, there really are higher-priority spec issues. Also see point 2.1 on <https://bugzilla.mozilla.org/page.cgi?id=etiquette.html>: the priority field is to help developers track the relative priorities of bugs, not for voting on how important you think a bug is.

Changed in empathy:
status: Unknown → New
Raybuntu (raybuntu) wrote :

+1 That's a must have feature! Without this Emphaty can never replace Pidgin.

jaduncan (jaduncan) wrote :

I'd agree this is extremely important. Any chance of a comment on this from the devs?

Bernd Schlapsi (bernd-sch) wrote :

+1 This is also a important feature for me. OTR should be supported before it replaces Pidgin in Ubuntu!

Laurent Bigonville (bigon) wrote :

This is not releated to libtelepathy

Changed in libtelepathy (Ubuntu):
status: Triaged → Invalid

I consider Telepathy to be completely broken for my purposes unless it interoperates properly with OTR on other clients. If you want to do a better version of OTR with deniability in XMPP, go right ahead. Just make sure that the old way still works.

Adium having built in OTR support has been a fantastic boon.

I will discourage everybody I know from using Empathy and uninstall it on systems I administrate until this is fixed. This should have been thought of in the very beginning and been a feature in the program since its inception. Bad security is unforgivable.

You treating this as a low priority bug tells me a whole lot about what kinds of things the Empathy development team thinks is important, and good security is apparently not an important consideration.

(In reply to comment #9)

Eric:

I will actively discourage everybody I know from reading your drivel until you resolve your issue by rolling up your sleeves and adding this feature. You should have considered doing this yourself ever since you decided to bitch about it here.

Your unwillingness to fix this yourself tells me a whole lot about what kinds of things you think are important, and apparently good security is not an important consideration.

(In reply to comment #9 (of Eric Hopper))
> I will discourage everybody I know from using Empathy and uninstall it on
> systems I administrate until this is fixed. This should have been thought of
> in the very beginning and been a feature in the program since its inception.

As the Empathy developers are more knowledgeable with what users want, or at
least have better tools to gather the information, I guess they have different
list of priorities of tasks to work on.

> Bad security is unforgivable.

This is the kind of program where security is good-to-have feature. The OTR can
be added later, once the basis is stable.

> You treating this as a low priority bug tells me a whole lot about what kinds
> of things the Empathy development team thinks is important, and good security
> is apparently not an important consideration.

Nobody is against good security. It is just a matter of percentage of users
that are needed to be catered to first. As the developer's resources are
scarce, they need to judge carefully where to direct theirs efforts.

At this point empathy is barely suitable for everyday work (which is important
for about 90% of users), whereas security is important for about 5% of users.

I have to disagree. Although I fully understand the fact that no developer is willing to take up that task, security should be a priority for all users. For me security is part of the basis. A chat client without encryption I do not consider to be functional. I dont chat with people sho do not use encryption. I think Telepathy is more than stable, as it is already part of GNOME and Empathy is going to be the default chat client for Ubuntu 9.10. I would have It is also true, that OTR is broken by design. but it works and I dont know of any client which provides a sane implementation of a chat encryption bedides the ones using OTR.

So again its only up to current and upcoming developers to decide if they are going to implement OTR, but I consider it much more important than providing a lot of chat protocols.

(In reply to comment #12)
> OTR is broken by design. but it works

This is not a good justification for an encryption scheme. :)

Well, yes, but name me any other existing chat encrpytion that actually works. There are many standards out there which are far from perfect. GIF wasnt perfect, but it was used. Most of the protocol standards liek MSN or AIM are broken by design also. But they are used and are already implemented.

(In reply to comment #14)
> Well, yes, but name me any other existing chat encrpytion that actually works.
> There are many standards out there which are far from perfect. GIF wasnt
> perfect, but it was used. Most of the protocol standards liek MSN or AIM are
> broken by design also. But they are used and are already implemented.
>

I have no stance for and against OTR encryption and I don't know what OTR encryption is about behind the scenes. I will therefore judge only by your words.

You seem strangely interested in security... provided by (by your own words) a broken security layer? Do you really think that providing broken security, and lulling people into false sense of security is better than providing no "security" at all?

And to others. I am not a Telepathy developer... but seriously guys, flaming developers while not being ready to get yourselves on the line? If you find it useful and especially if you find it critical, do it yourself. Otherwise, feel free to keep using Pidgin until you get this critical feature, which Thilo considers broken by design.

I think there's room for other improvements before encryption, because I, and many other home users, find it unnecessary. Encryption is not important for majority of people on this world.

Take your tinfoil hats off, people, nobody's going to eat your brains. And if you really need it for your company, well, either you or your company can invest resources into Telepathy. I personally don't find OTR important, and I'm sure most users don't, either. And I don't consider myself completely paranoia-free.

If other clients provide you security, use those. Or use email+GPG for even more security. Filing a request is fine. Posting a comment supporting the request is fine. Attacking people like some of you did is not fine.

(In reply to comment #15)
> You seem strangely interested in security... provided by (by your own words) a
> broken security layer? Do you really think that providing broken security, and
> lulling people into false sense of security is better than providing no
> "security" at all?

OTR's brokenness is due to the fact that it is a hacky kludge on top of existing IM protocols, not because it has any security flaws. It's inelegant and ugly, but it works.

I'm all for an elegant solution. But I don't think it should take a backseat to interoperability. I know that the various IM protocols are also mostly a bunch of ugly kludges as well. But that doesn't stop them from being implemented.

> And to others. I am not a Telepathy developer... but seriously guys, flaming
> developers while not being ready to get yourselves on the line? If you find it
> useful and especially if you find it critical, do it yourself. Otherwise, feel
> free to keep using Pidgin until you get this critical feature, which Thilo
> considers broken by design.
>
> I think there's room for other improvements before encryption, because I, and
> many other home users, find it unnecessary. Encryption is not important for
> majority of people on this world.

I am worried because Empathy appears to be getting a huge userbase and being used as the default IM client for a number of distributions without having a feature I think is incredibly important and should've been built in at the start, almost especially because most users don't really care about it.

Most people will not care about encryption. Most people also do not care about ACID database semantics. But anybody who made a database lacking the latter feature (i.e. Microsoft Access) would be roundly and justly flamed. Especially if they managed to somehow get that database into general use.

There are a whole host of features that users do not care about but are critical pieces of infrastructure. One of the things that most pleases me about Adium is that the developers understood and so many of my friends who have no clue or desire for encryption end up using it anyway because they use Adium.

> If other clients provide you security, use those. Or use email+GPG for even
> more security. Filing a request is fine. Posting a comment supporting the
> request is fine. Attacking people like some of you did is not fine.

Email encryption is nearly a lost cause. But with Adium and a couple of other popular IM clients supporting OTR, widespread IM encryption was beginning to happen. I don't think activists in Iran should have to worry about which IM client their friends are using in order to avoid being snooped on. I don't think their choice of IM client should be able to be used to single them out for special treatment by their government. All new IM clients should just do the right thing out of the box.

Widespread support for good encryption is not something I care about because I am especially paranoid about my own IM conversations. It's because I care about the pernicious effects of all IM conversations being potentially public knowledge.

Eric, flaming is not going to give you anything.

If you need OTR so much, either propose a patch, or don't use Empathy.

OTR is not going to happen if nobody gives a patch. End of discussion.

Omnifarious (omnifarious) wrote :

I will not use empathy until it has OTR support. It is worthless to me. I don't care if the maintainers think they can think of something better. Unless they can get it adopted by other popular IM clients, I want OTR. And it's not better unless it also has the deniability that OTR provides.

(In reply to comment #17)
> Eric, flaming is not going to give you anything.
>
> If you need OTR so much, either propose a patch, or don't use Empathy.
>
> OTR is not going to happen if nobody gives a patch. End of discussion.

Even if you, or any Empathy developers, don't plan to implement OTR, it's still an important feature and the priority should be set to high.

Or you don't agree it's an important feature? If that's the case I can provide evidence.

"priority" is the priority that we, the current Telepathy developers, give to implementing OTR. If it's a high priority for *you*, you're welcome to implement it, or hire someone to implement it; but it's not a high priority for *us*, and so it stays priority=low in Bugzilla.

I think helping the XMPP Standards people to provide end-to-end encryption (implementing <http://xmpp.org/extensions/inbox/xtls.html> or something like it, and advancing it to Recommended status) is a much better use of developer time; it'll result in a better protocol, with a well-defined security model, that does not conflict with the protocol's normal extensibility mechanisms.

(In reply to comment #19)
> I think helping the XMPP Standards people to provide end-to-end encryption
> (implementing <http://xmpp.org/extensions/inbox/xtls.html> or something like
> it, and advancing it to Recommended status) is a much better use of developer
> time; it'll result in a better protocol, with a well-defined security model,
> that does not conflict with the protocol's normal extensibility mechanisms.
>

OTR also works over non-XMPP networks (I use primarily over AIM). That's something that this XMPP standard can never achieve.

I'm not taking sides - just stating some (hopefully) useful facts.

(In reply to comment #16)

> I am worried because Empathy appears to be getting a huge userbase and being
> used as the default IM client for a number of distributions without having a
> feature I think is incredibly important and should've been built in at the
> start, almost especially because most users don't really care about it.

By far the overwhelming majority of IM clients in use are those provided by the protocol vendors, and I can assure you, they don't ship with OTR. Empathy's userbase is growing, but it's stil early days and it's likely not going to dwarf the others anytime soon.

> Most people will not care about encryption. Most people also do not care
> about ACID database semantics. But anybody who made a database lacking the
> latter feature (i.e. Microsoft Access) would be roundly and justly flamed.

No, they should not be flamed, and this is the reason your posts are so inappropriate: you think that because feature X is missing, developers should be flamed. Developers in a number of projects work on a voluntary basis, and in my opinion deserve some semblance of respect for their contributions, not being hassled by the likes of you.

> There are a whole host of features that users do not care about but are
> critical pieces of infrastructure.

OTR is not a generally accepted critical piece of infrastructure.

> Email encryption is nearly a lost cause. But with Adium and a couple of other
> popular IM clients supporting OTR, widespread IM encryption was beginning to
> happen.

Back up your unqualified assertions about encryption uptake with some verifiable facts.

> I don't think activists in Iran should have to worry about which IM client
> their friends are using in order to avoid being snooped on.

Perhaps a nice utopian vision of the future, but not the basis for a rational discussion. This is an unqualified "oh-won't-someone-please-think-of-the-X" appeal to emotion without presenting reasonable facts or arguments to base it on.

It sounds like you have strong convictions. Strong enough though only to sound off about it here and not really do anything about it. If these objectives are so important to you, why aren't you writing your own OTR extension now?

> I don't think their choice of IM client should be able to be used to single
> them out for special treatment by their government. All new IM clients should
> just do the right thing out of the box.

Reality: People's choices in the technology adoption affect their security. You can't control the proliferation of technology, and you can't control people's choices. You lose on both counts.

> Widespread support for good encryption is not something I care about because I
> am especially paranoid about my own IM conversations. It's because I care
> about the pernicious effects of all IM conversations being potentially public
> knowledge.

You only care enough about it to flame the volunteer developers who are working on the IM technology -- not enough to actually do anything about it yourself and contribute to make it better. Oh right, you're also boycotting Empathy/Telepathy and telling all your friends not to use it.

Hello all,

since I am the creator of this "bug", I feel obliged to calm the waves a bit and add a plea for seriousness in this discussion.

What some developers might call "broken by design" is probably the backside of OTR being a technology that just works with each and every IM protocol out there, even the worst ones like MSN and Yahoo. I presume, providing such a bandwidth of features just wont go without some kludgy solutions.
    In my daily life (and in the life of many others I would bet) practical solutions are what counts and what is needed. OTR is a practical solution.
As a contract worker for several German companies I can tell you that in many European IT departments OTR has become the de facto standard for on-the-fly exchange of information bits like the casual end user password and similar stuff of more-than-zero triviality.
To the best of my knowledge, all current versions of OTR provide no "false security" when properly used and the fact that they might not be working very elegant "under the hood" is actually the bit that is of "minor importance" to me.

For me, the important point is that I totally depend on a cross-protocol encryption solution for IM that "just works" in my daily life and so do many other people. OTR is already here and has been for several years now. And despite the fact that there might be more or less obvious and more or less major disadvantages to OTR from the developers POV, *not* *one* single viable alternative has come to my attention in the last years that is not forcing users to use a specific IM protocol or even a specific OS platform.

Conclusion: Unless proven otherwise I'd like to state as a FACT that in the field of IM privacy, OTR has become the de-facto standard. At least in Europe it is very widely deployed and often expected to be available. And there are just no alternatives available at all which work cross-protcol and cross-platform.
  From my POV this means there is also (currently) no alternative available to implementing OTR for every IM UA that wants to be taken seriously.

Thank you for reading.

Chris Busch (christianbusch) wrote :

OTR is a must-have feature.

You can not replace pidgin with empathy while not supporting OTR.

It's the only widespread encryption technology that works protocoll independend.

I like empathy and think it has a lot of potential to be a really nice piece of software but lacking support for encryption will force me to use pidgin instead.

I will not use empathy without OTR support either. The statement of the developers is absurd - they think, that their users dont need it and the only other option is to wait until there is native support in some protocol, which most users dont use or even know about. So thank you for telling me, that I dont need OTR and should convince all my chat-buddies to switch to jingle, but I prefer I to choose what to do with my computer, so until there is OTR support for empathy I will use Pidgin.

Ronald Pottol (ronaldpottol) wrote :

OTR support is critical. It needs to be there, and it needs to be something that other people are using. I guess I need to go back to pidgin.

alien8 (fb-alien8) wrote :

There are many good arguments as to why otr support should be high priority in this thread, and others, and to as to why many people consider leaving out otr-support a very bad idea. We
Google: telepathy otr and you'll see a lot of them.

My view: Should be a default out-of-the-box, as it works with all protocols. Almost everyone in my contactlist uses otr now-a-days, and no, they are not all "nerds". We use otr at work too.

164747 (jacquet-david) wrote :

I totally agree, OTR is eminent. I can se no reason denying users their right to privacy. The OTR should work for all communacations within empathy, text, audio, video, and all protocols.

if someone would like to create a plugin, does somebody know good documentation
first on creating telepathy or empathy plugins ( C or Python, C++)
and second on using libotr??
please comment or
directly to <email address hidden>

haeger (haeger-the-terrible) wrote :

Encryption is an absolut ko-creterion. So i have two reasons why pidgin will remain on my system:

1.) The Devs of empathy told me on irc that i have to trust the people how run the communication-server! Or i have to set up an own server! That's both totally out of the question for the average user. Sometime i get the impression that some devs are ignorant.

2.) I can't understand how a piece of software which trample on users privacy can make it into ubuntu. Using tubes to control remote desktops without encryption is a great security issue.

The underlying idea of empathy/telepathy may be good. But really important things are ignored. To move the responsibility to ONE protocol (jabber ) which may implement encryption in the future is really unsatisfying.

Omnifarious (omnifarious) wrote :

Not to mention that the proposed idea for implementing encryption over Jabber doesn't give the same level of privacy guarantees as OTR, nor is it actually as nice a standard in a lot of other ways.

The average user will never generate an X.509 certificate for themselves. Anything based on that kind of technology is broken from the start. It's like making an email application that requires the user be in X.500 directory before it delivers mail.

Miron Cuperman (devrandom) wrote :

Added package empathy from Ubuntu, as this represents a regression from Intrepid.

Also, there seems to be no plugin system in empathy / telepathy, so it's no clear how to proceed with implementing an OTR plugin.

@24: AFAIK there is not even a plugin API available yet.

Changed in empathy (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Changed in empathy (Fedora):
status: Unknown → Confirmed
Changed in empathy (Fedora):
status: Confirmed → Won't Fix
Changed in empathy:
status: New → Confirmed
DaveW (dave-stricklers) on 2010-05-05
Changed in empathy (Ubuntu):
status: Triaged → In Progress
status: In Progress → Confirmed
Changed in empathy (Ubuntu):
status: Confirmed → Triaged
status: Triaged → Confirmed
status: Confirmed → Triaged
Changed in libtelepathy:
importance: Unknown → Wishlist
Changed in empathy:
importance: Unknown → Wishlist
Changed in libtelepathy (Ubuntu):
assignee: nobody → Jordan Farrell (wolfrage)
status: Invalid → In Progress
Chris Wilson (notgary) on 2010-12-14
Changed in hundredpapercuts:
status: New → Invalid
Changed in libtelepathy:
importance: Wishlist → Unknown
Changed in libtelepathy:
importance: Unknown → Wishlist
komputes (komputes) on 2012-03-20
tags: added: css-sponsored-p
Changed in libtelepathy (Ubuntu):
assignee: Jordan Farrell (wolfrage) → nobody
status: In Progress → Incomplete
97 comments hidden view all 177 comments
Pander (pander) on 2012-07-12
tags: added: 12.10

It has been two years and there hasn't been an update on this. Telepathy is in a well working state now but there is no sign of OTR encryption. I love the concept of telepathy but it not having support for OTR is really a showstopper for me and
ALL linux users I know personally. OTR can be considered a major feature for people concerned with security, which most linux/BSD/etc. users are. It's sad this bug is just left aside with low priority. I can't program well, so I can't fix this but I really hope somebody will soon. This would make telepathy more awesome than all other messengers. Until then I will have to stick with something else.

I love empathy, but it lacks a off the record plugin or encryption like in adium or pidgin,,,,it is a shame, as empathy is such a great messaging client.

(In reply to comment #30)
> It has been two years and there hasn't been an update on this.

Nothing to highlight here. Many bug reports here have not ever seen a comment for more than two years.
"Open Source" is not "the developers must do my bidding." Everyone wants to help, but no one else has any obligation to fix the bugs you want fixed. Therefore, nobody should act as if you expect someone to fix a bug by a particular date or release. Contributing patches normally helps, "I want this too!" comments not.

Pander (pander) on 2012-11-19
tags: added: encryption
Pander (pander) on 2012-11-19
Changed in libtelepathy (Ubuntu):
status: Incomplete → Confirmed
Ronny Rabuzarus (rabuzarus) wrote :

OK, soon gsoc will start again. Maybe it can used to find someone who will implement OTR in telepathy. Does anybody has good connection to telepathy/gnome/fdo developers to ask if they would provide a mentor for such a project?

What really annoys me about the otr integration in telepathy is the lack of information you get. People (e.g. jprvita, McVittie) come and go. Someone never hear something again about the project and the status. There are some questions in my head. Something like, is the approach of jpvita usefull for furher devlopment. If it's useful, what needs to be done to finish it?
I think it would be useful to have a wiki page with such kind of informations. I can't believe that nobody is willing to code on this, so the question seems to be what keeps developers away from coding on this or vice versa what incentives must be given that someone is willing to work on otr implementation.

P.S. Don't get me wrong I don't want to blame anybody with this post. It presents just a couple of questions which have risen in my head.

I would love to jump in and tackle this: I'm a developer, I want to switch to Empathy.

I know lots of developers work on things they care about in their free time; I can't afford to do that right now. Without turning this into a classified ad, I'll simply suggest that anyone interested in helping me with this (or talking to me more! I like meeting people anyway) email me via my profile.

Mods: if this is an inappropriate comment, I sincerely apologize and will never do it again. I can make this happen if a lot of people help me, and it seems there are a lot of people who care and use this forum to stay up to date.

My idea comes one day late as the deadline was yesterday :(

OpenITP is looking for projects to fund. Eligible projects must work on improving users' ability to circumvent censorship and surveillance on the Internet. So OTR support for Empathy fits perfectly!

http://openitp.org/?q=openitp_first_round_of_2013_project_funding_now_open_for_proposals

What do you think? Should we keep one eye on this kind of fundings and get someone paid to do it?
I have no idea about who would be willing to do it but I'm sure you guys can find one person in the community.

Kẏra (kxra) wrote :

It might be worth asking if we can get an exension on the deadline

I'm willing to do it! I think it's worth asking, Pablo.

Jan (jan23) wrote :

You could also consider a Kickstarter campaign. Don't expect a fortune but maybe enough to compensate your efforts.

Yesterday I sent OpenITP an email regarding a possible deadline extension but they haven't answered yet.
I'll let you know if they answer me.

No deadline extension is possible, they have received a lot of proposals.

They told me that there will be another funding round this year.

Do we have someone who can commit to doing this work if funding shows
up? I'm happy to help promote a kickstarter campaign.

On Thu, Apr 4, 2013 at 11:55 AM, Pablo Castellano <email address hidden> wrote:
> No deadline extension is possible, they have received a lot of
> proposals.
>
> They told me that there will be another funding round this year.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/296867
>
> Title:
> empathy needs to support OTR encryption
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions

--
http://about.me/justizin

Sam Liddicott (sam-liddicott) wrote :

It may be worth approaching the guy who did it for pidgin.

An alternative might be to write a shim library so that pidgin plugins
would work with empathy.

On Thu, Apr 11, 2013 at 10:39 PM, Justin Alan Ryan <
<email address hidden>> wrote:

> Do we have someone who can commit to doing this work if funding shows
> up? I'm happy to help promote a kickstarter campaign.
>
> On Thu, Apr 4, 2013 at 11:55 AM, Pablo Castellano <email address hidden>
> wrote:
> > No deadline extension is possible, they have received a lot of
> > proposals.
> >
> > They told me that there will be another funding round this year.
> >
> > --
> > You received this bug notification because you are subscribed to the bug
> > report.
> > https://bugs.launchpad.net/bugs/296867
> >
> > Title:
> > empathy needs to support OTR encryption
> >
> > To manage notifications about this bug go to:
> > https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions
>
>
> --
> http://about.me/justizin
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/296867
>
> Title:
> empathy needs to support OTR encryption
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions
>

Pander (pander) wrote :

Could someone create feature request funding at https://www.catincan.com/

Might there be new interest in seeing this one through, in light of the recent revelations?

Pander (pander) wrote :

I think https://en.wikipedia.org/wiki/2013_mass_surveillance_scandal should be a good motivator to speed up support for OTR.

4 comments hidden view all 177 comments

I think https://en.wikipedia.org/wiki/2013_mass_surveillance_scandal should be a good motivation to speed up support for OTR.

3 comments hidden view all 177 comments
Sam Liddicott (sam-liddicott) wrote :

pidgin was written by problem solvers
empathy is written by architects
they have different itches to scratch.

Those who want encryption still use pidgin. It still works.

On Tue, Jul 23, 2013 at 4:20 PM, Pander <email address hidden> wrote:

> I think https://en.wikipedia.org/wiki/2013_mass_surveillance_scandal
> should be a good motivator to speed up support for OTR.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/296867
>
> Title:
> empathy needs to support OTR encryption
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions
>

Bengt Lüers (bengtlueers) wrote :

@sam-liddicott Empathy does not need to support OTR, because *there are no* alternatives that do. Empathy needs to support OTR, because *there are* alternatives that do. It is state of the art to support OTR and Empathy not including it is backward.

Empathy is the instant messenger included the GNOME desktop which ships as a default for many modern distributions, so Empathy is itself a default. An user could educate oneself about this default, notice this backwardness and replace Empathy with a less backward instant messenger. Educating oneself about the security of the installed instant messenger requires but examination that not all users may be able to perform, because of the complexity of the topic. So especially the less computer literate users, who would benefit the most from it will not get covered by OTR.

So this boils down to a question of defaults: Should the default be to ship an instant messenger with OTR-support with GNOME desktop? I think recent revelations have shown that "security by default" should have been targeted wherever possible for a long time now.

Etienne Perot (etienneperot) wrote :

Maybe the GNOME folks would share a bit of their $20,000 that they raised to enhance security and privacy for the GNOME desktop? https://www.gnome.org/news/2013/07/gnome-raises-20000-to-enhance-security-and-privacy/

Sam Liddicott (sam-liddicott) wrote :

@Bengt Lüers
I agree with all your points.
But none of the empathy dev want to do it.
No-one who is capable of doing it wants to do it.
I was just trying to summarise why that might be the case.

1 comments hidden view all 177 comments

Hi everyone.
This issue is a big deal for me, so I'm willing to pay USD 50.00 for it.
This offer is registered on FreedomSponsors (http://freedomsponsors.org/core/issue/333/telepathy-should-support-otr-encryption).
If you solve it (according to the acceptance criteria described there), please register on FreedomSponsors and mark it as resolved there
I'll then check it out and gladly pay up!

Oh, and if anyone else also wants throw in a few bucks on this, you should check out FreedomSponsors!

Just in case it motivates someone, I also sponsored the issue for US$ 50 via FreedomSponsors: http://freedomsponsors.org/core/offer/359/telepathy-should-support-otr-encryption .

Individual offers of $50 on a bug report are great, but we talked of
having a Kickstarter. I bet in the current climate we could raise
thousands.

Who is capable of taking a quarter million dollars, or 120k, or 50k,
or 10k, and doing this?

It happens for other crap. Why not for this awesome?

On Mon, Aug 26, 2013 at 12:30 PM, MartinDengler
<email address hidden> wrote:
> Just in case it motivates someone, I also sponsored the issue for US$ 50
> via FreedomSponsors: http://freedomsponsors.org/core/offer/359
> /telepathy-should-support-otr-encryption .
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/296867
>
> Title:
> empathy needs to support OTR encryption
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/empathy/+bug/296867/+subscriptions

--
http://about.me/justizin

Bounty is now up to $225 USD. Everybody who wants this feature but doesn't have the skills to code an implementation and submit a patch, please contribute to the bounty instead.

Bengt Lüers (bengtlueers) wrote :

Bounty is now at 400 USD. Make that 4000 USD and someone with the required skills can spend a month between two jobs collecting it. Sadly, FreedomSponsors seems quite unpopular, so that people in the right position might not see the tender offer. Are there perhaps other platforms one could advertise for it? Maybe freelancing sites or so?

Mozaic (mozaic) wrote :

Thi bug depend of thi one:
https://bugs.freedesktop.org/show_bug.cgi?id=16891
There are crownd funding project with one or two student who work on. The find are to 450 $
http://freedomsponsors.org/core/issue/333/telepathy-should-support-otr-encryption

For the record, here is a thread summarising the design issues regarding end-to-end security in Telepathy: http://lists.freedesktop.org/archives/telepathy/2012-June/006122.html

Pander (pander) on 2013-10-23
tags: added: 14.04
removed: 12.10
tags: added: im

(In reply to comment #36)
> For the record, here is a thread summarising the design issues regarding
> end-to-end security in Telepathy:
> http://lists.freedesktop.org/archives/telepathy/2012-June/006122.html

Also, don't forget about the ZRTP option, as discussed in the Bug #29904.

Note that freedomsponsors somehow changed their urls, old link is 404 now, new link is http://freedomsponsors.org/core/issue/333/telepathy-should-support-otr-encryption (currently at US$ 575)

Lucian Strombach (lucian80) wrote :

https://freedomsponsors.org/core/issue/333/telepathy-should-support-otr-encryption

$942

Maybe someone is willing to spend some time on this. I tried at a point to gather some support, but well the core developers of empathy believe OTR is a bad idea, and well jprvita is not willing to continue with the project, wolfrage seems to have disappeared and so on. Anyway, trolling won't help, just a reminder that the bounty is now higher.

Jordan Farrell (wolfrage) wrote :

I am sorry if you feel that I have disappeared. I did not intend it that way. I did what I could to help. The developers of empathy stated that they could not implement OTR unless they had a spec first. They also forced the issue that my spec had to include XTLS. I am only a novice programer and certianly not a spec writer, I also volunteered for far more then I could handle hoping that OTR would be a welcome addition to Telepathy. Unfortunately even after the Spec was ready for review, it never recieved a review. I also was working in Python as that is what I program in, and Telepathy removed support for Python around this same time. JPRvita told me that he would take my spec and complete it for XTLS and that he could program in C. For a long time it looked like this would work. JPRvita had a solid spec, but as happend with me the spec was never reviewed, I am not sure what happened to him and his GSoC XTLS/OTR Spec for Telepathy.

References:
http://jprvita.wordpress.com/2011/07/17/otr-over-xmpp-on-telepathy/
http://lists.freedesktop.org/archives/telepathy/2011-June/005583.html

Honestly my take is that this is a developer issue, they don't want OTR and no one can force it upon them.

So I got over it and I use Pidgin.

FYI for "cbris" or "ScotlandHacks" you should use jprvita's Spec it was much further along than mine, it is here: https://gitorious.org/jprvita-repos/telepathy-gabble/source/

Sad to see that wolfrage stop his work on this bug.

No reply from Telepathy's developers. Security is no one of our goal ??
https://bugs.launchpad.net/ubuntu/+source/libtelepathy/+bug/296867/comments/170

Arne Brix (torpak) wrote :

I think they are waiting for a "clean" well specified standard maybe with "nsa approved" security ;-)

(In reply to comment #39)
> No reply from Telepathy's developers. Security is no one of our goal ??

Ah, it's "our goal" (good ol' "royal we"), but it's "Telepathy's developers" who should work on it. Have you considered to continue working on the patch if this goal is so important to you?

(In reply to comment #40)
> (In reply to comment #39)
> > No reply from Telepathy's developers. Security is no one of our goal ??
>
> Ah, it's "our goal" (good ol' "royal we"), but it's "Telepathy's developers"
> who should work on it. Have you considered to continue working on the patch
> if this goal is so important to you?

I am a simple user. I have no knowledge for development.

I participate to the crossfunding.

1 comments hidden view all 177 comments

@Jordan F, why did you remove a working link and replace it with a broken one?

Sorry I had tested that previously, but I guess i had missed some of the URL on paste. Basicly JPRvita's spec was much farther along then mine and is a more complete spec.
https://gitorious.org/jprvita-repos/telepathy-gabble/source/master:
https://gitorious.org/jprvita-repos/telepathy-gabble/

1 comments hidden view all 177 comments
Jordan Farrell (wolfrage) wrote :
Displaying first 40 and last 40 comments. View all 177 comments or add a comment.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.