[liberationtech] Current state of Pidgin OTR vs Jitsi OTR

Nick liberationtech at njw.me.uk
Mon Jul 1 04:24:05 PDT 2013


On Mon, Jul 01, 2013 at 07:02:03AM -0400, Tom Ritter wrote:
> If libpurple/pidgin itself has bugs, that compromises OTR.  If an
> attacker gets in through a window or your sliding door, he's still in
> your house.  And libpurple is full of bugs.  That's the easy, go-to
> answer for this question.
> http://web.nvd.nist.gov/view/vuln/search-results?query=libpurple&search_type=all&cves=on

True, but having many CVEs also means that many people are actively
finding and doing the right thing with security bugs; it's as much
an indicator of developer activity and practices as it is the
insecurity of the software. I'm sure we've all seen software with
many dodgy security bugs, that because it isn't as widely used as
its competitor never bothers with CVEs, or doesn't have the
expertise to properly understand or fix the bugs.


