MIR looks good, thanks, a couple of points worry me though.
= Security =
# Does not directly process binary or structured data such as video, sound, or pdf
this directly contradicts:
# Would have network activity inasmuch as it handles network traffic for MSN chats, which includes receiving incoming files over chat.
I think this is a typical security sensitive lib, exposed to network data, with buffers, string parsing, marshalling / unmarshalling of network data into objects etc.
This risk is probably largely alleviated by the fact that it should communicate mostly with MSN servers, but msn/p2p.cpp lets me think there are also user to user connections.
I propose that we ask at least for a quick look from a security person; perhaps we can also enable some stronger hardening flags for this particular package?
= IP =
I don't think the MSN protocol is an open standard; I understand it was reverse engineered. I guess this is ok for interoperability, but deserves a mention in the MIR.
I also wonder about usage of the name libmsn; gaim had to be renamed because of TM issues. I guess this is an upstream problem and we will rename if we get asked to.