On Tue, Dec 16, 2014 at 10:05:42PM +0100, viq wrote:
> On Tue, Dec 16, 2014 at 8:46 PM, Jérémie Courrèges-Anglas
> <[email protected]> wrote:
> > viq <[email protected]> writes:
> >
> >> On Mon, Dec 15, 2014 at 12:41 AM, viq <[email protected]> wrote:
> >>> http://sleekxmpp.com/
> >>
> >> And it usually works better with a tarball attached.
> >
> > I think - I don't use XMPP - that TLS certificate verification and SRV
> > records processing are expected nowadays. Thus I propose to make
> > py-asn1-modules and dnspython hard requirements. What do you think?
>
> Yes, I was thinking of that, I'm for it.
Totally. Running plaintext XMPP these days on the interweb would be
insane.
> > Here's an updated tarball that also applies the ${SETENV} ${MAKE_ENV}
> > dance to do-test.
>
> I'll have a look tomorrow, thanks.
>
> > Some tests are failing but their number seems to vary
> > and to depend on timing.
>
> Yes, that's what I've seen too.
>
> > I'm a bit worried though about the thirdparty subdir: the gnupg.py file
> > seems to be affected by the same issue as our py-gnupg package, which
> > could use an update. I don't know right now how problematic this CVE
> > is.
> >
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1927
>
> Their site says:
>
> As part of reducing the number of dependencies, some third party
> modules are included with SleekXMPP in the thirdparty directory.
> Imports from this module first try to import an existing installed
> version before loading the packaged version, when possible.
>
> So I guess it would make sense to make hard requirements of the
> modules it has in there. And maybe even surgically remove that
> directory to avoid accidents?
That sounds like the sanest idea here.
Landry