[Bug 308060] Re: Include libmsn in main
Loïc Minier
lool at dooz.org
Wed Dec 17 10:07:57 UTC 2008
MIR looks good, thanks, a couple of points worry me though.
= Security =
# Does not directly process binary or structured data such as video, sound, or pdf
this directly contradicts:
# Would have network activity inasmuch as it handles network traffic for MSN chats, which includes receiving incoming files over chat.
I think this is a typical security sensitive lib, exposed to network
data, with buffers, string parsing, marshalling / unmarshalling of
network data into objects etc.
This risk is probably largely alleviated by the fact that it should
communicate mostly with MSN servers, but msn/p2p.cpp lets me think
there are also user to user connections.
I propose that we ask at least for a quick look from a security person;
perhaps we can also enable some stronger hardening flags for this
particular package?
= IP =
I don't think the MSN protocol is an open standard; I understand it was
reverse engineered. I guess this is ok for interoperability, but
deserves a mention in the MIR.
I also wonder about usage of the name libmsn; gaim had to be renamed
because of TM issues. I guess this is an upstream problem and we will
rename if we get asked to.
--
Include libmsn in main
https://bugs.launchpad.net/bugs/308060