Hi,

tl;dr: I support Antoine's proposal to drop from Squeeze and Wheezy any OTR client or plugin that supports both OTRv1 and OTRv2.

I strongly doubt we're still shipping anything that supports v1 only, but it would be wise to check.

> OTRv1 is susceptible to downgrade attacks (if my memory is correct).

Some more background info, in case it matters, or if someone is curious: OTRv1 has various security issues known for years, that were fixed in the v2 protocol. Any client supporting both OTRv1 and OTRv2 (such as pidgin-otr 3.x) is subject to downgrade attacks. So, the only safe way these days is to only support OTRv2. It took a while to obsolete older v1-only software, but now I think the time has come when we can reasonably expect v2-only to work for everyone.

(Probably OT as far as the release team is concerned: it might be worth filing CVE's against the clients that still support v1 and v2. Antoine, do you want to ask the OTR developers what's their take on it?)

> I have been asked by numerous users to remove xchat-otr from squeeze,
> so here is the formal request. I am going to backport the irssi-otr
> plugin to wheezy soon, if there are enough requests, to
> squeeze-sloppy-backports too.

FWIW, I had in mind to do basically the same for pidgin-otr, including the RM request, now that the libotr transition is over. (And no, I've not talked to the maintainer yet, not filed any bug report yet, and I've no idea if they're aware of the big picture in which their specific package is taking part. Will do.)

Cheers,
--
  intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
            | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
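The downgrade point in the message above comes down to how an OTR client advertises and negotiates protocol versions in its cleartext query message. As an added example, not code from this thread or from any of the packages named in it, here is a small Python parser for OTR query messages plus a version-selection policy; the sample queries and the two policy sets are constructed for the illustration, and it shows that only a policy with v1 removed refuses a query that offers nothing but v1.

```python
import re

# Query messages per the OTR protocol spec: "?OTR?" offers v1 only,
# "?OTRv2?" offers v2 only, "?OTR?v2?" offers both, "?OTRv?" offers nothing.
_QUERY_RE = re.compile(r"\?OTR(\??)(?:v([0-9]*)\?)?")


def parse_otr_query(text):
    """Return the set of OTR versions offered by a query message found in
    `text`, or None if the text contains no query at all."""
    m = _QUERY_RE.search(text)
    if m is None:
        return None
    offered = set()
    if m.group(1) == "?":          # a bare "?OTR?" prefix means version 1
        offered.add(1)
    if m.group(2) is not None:     # "v23?" lists one digit per version
        offered.update(int(c) for c in m.group(2))
    return offered


def build_otr_query(versions):
    """Build the query string a client sends to advertise `versions`."""
    if not versions:
        return "?OTRv?"
    query = "?OTR" + ("?" if 1 in versions else "")
    others = sorted(v for v in versions if v != 1)
    if others:
        query += "v" + "".join(str(v) for v in others) + "?"
    return query


def choose_version(offered, allowed):
    """Pick the highest version both sides accept, or None to refuse.

    A client whose `allowed` set still contains 1 will fall back to OTRv1
    whenever the (unauthenticated) query it receives lists only v1, which
    is the downgrade the thread is talking about; a v2-only policy refuses."""
    common = offered & allowed
    return max(common) if common else None


# Constructed samples: a dual-version policy like a pidgin-otr 3.x client,
# the v2-only policy argued for above, a peer's query offering both versions,
# and a query that carries only the v1 offer.
DUAL_POLICY = frozenset({1, 2})
V2_ONLY_POLICY = frozenset({2})
BOTH_QUERY = build_otr_query({1, 2})   # "?OTR?v2?"
V1_ONLY_QUERY = build_otr_query({1})   # "?OTR?"
```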