Pidgin Adds Google Talk Voice and Video Support (and a Vulnerability)
ottothecow writes "While various attempts at video and voice support have been in the pipeline since long before GAIM became Pidgin, fully functioning support over XMPP is on its way. Lifehacker reports that Pidgin 2.6 adds voice and video support for GChat (and presumably any other XMPP network) for Mac and Linux. Windows still has a few bugs but they are being worked on. Pidgin 2.6.1 is only available as source at the moment (but precompiled versions are available at getdeb)." Less happily, an anonymous reader writes "A remote arbitrary-code-execution vulnerability has been found in Libpurple (used by Pidgin and Adium instant messaging clients, among others), which can be triggered by a remote attacker by sending a specially crafted MSNSLP packet with invalid data to the client through the MSN server. No victim interaction is required, and the attacker is not required to be in the victim's buddy list (under default configuration)."
Are not available yet.... :(
http://pdb.finkproject.org/pdb/package.php/pidgin
2.6.1 is only available as source at the moment?
http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.1.exe
So that's magic? If you install that do the terrorists win?
oogly boogly!
"Pidgin" is just a fancy word for the low-class broken English that most American blacks speak. Look it up if you don't believe me. So as far as I'm concerned, it never had any credibility in the first place.
What? Way to project your own biases. "Pidgin" languages are any sort of conglomeration languages that develop when you have two peoples that don't have a common language who have to communicate.
In fact, the "low-class broken English that most American blacks speak" (let's even ignore the glaring inaccuracy of that phrase) is really not a pidgin language at all.
So 2.5.9 is a stability release for distros/maintainers who don't want to upgrade to 2.6.0 for whatever reason. 2.6.0 was released at the same time as 2.5.9 but a bug was immediately found so then they released 2.6.1.
All your base are belong to Wii.
-1 for not backing up your statement on Pidgin's credibility.
And good for you that all your contacts reside on GMail, and that you prefer GMail's web app to a desktop app that centralizes the many forms of communication on the Net. If that works for you, fine. It does not work for me. I want faster response time, a unified UI for all my communication, more flexible message notification, logging, etc. that keeps me in control of my settings and data locally.
cp -a /home/me/.purple/ /media/Backup/Pidgin/
I have friends on AIM, Facebook, GMail, and one or two with their own XMPP address. Fortunately, I do not need MSN to contact anyone I know.
2.5.9 and 2.6.0 were both released Tuesday, August 18th addressing this security issue (CVE-2009-2694). 2.5.9 is 2.5.8 with only CVE-2009-2694 addressed and an unrelated crash bug fix. 2.6.0 contains CVE-2009-2694 in addition to many other bug fixes and the new Voice and Video support.
Unfortunately, another security issue was discovered with sending URLs over the Yahoo protocol and 2.6.1 was released on Wednesday, August 19th. According to the Pidgin developers, 2.5.9 was not affected by the separate bug.
Note: The Voice and Video support in pidgin-2.6.1 is a bit fragile. You MUST have the latest version of farsight2 and the stack of libraries it requires. You may also need to open ports on your firewall to allow it to connect.
Well, if you enable the Release Notifications plugin it will tell you about updates. I did once post to the mailing list about adding an auto-update feature, but since Pidgin is multiplatform and a built-in autoupdate doesn't make sense on Linux with package managers, the idea was rejected. But really, the Release Notifications plugin is more or less good enough.
All your base are belong to Wii.
Err, the bug was already fixed and no vulnerable builds were even built for Windows. And incidentally, it'd be easier to just use the WinPidgin build environment fetcher script and cygwin or msys (I prefer msys) than try to compile it with eclipse, although once you have the environment set up eclipse should be able to use it as a Makefile project.
All your base are belong to Wii.
No, they're trying to be professional and principled about things. Pidgin is one of the few projects that has standards about versioning, unlike e.g. Firefox, which goes more along the lines of whatever they feel like bumping the version by. More seriously, Firefox has a longer development cycle between major releases but in general they seem to just bump their version roughly proportionally to the amount of time a release was in development. In Pidgin land, major.minor.x releases are just security/bugfix releases, major.minor releases add features, and major releases break API, or something along those lines. 2.5.9 is a separate line from 2.6, and it's just to patch the vulnerability for those that won't move to the 2.6 line right away.
All your base are belong to Wii.
I don't need an IM application anyway; if I need to contact someone I just open Gmail.
If I need to contact someone, I just yell really loud.
#DeleteChrome
Here is a recipe to build a set of 2.6.1 packages for Debian lenny based on the packaging ari has done for sid (but not uploaded yet, hence the download from svn.debian.org).
wget http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.1.tar.bz2
bunzip2 pidgin-2.6.1.tar.bz2
tar -xf pidgin-2.6.1.tar
gzip pidgin-2.6.1.tar
mv pidgin-2.6.1.tar.gz pidgin_2.6.1.orig.tar.gz
cd pidgin-2.6.1
svn export -r 14052 svn://svn.debian.org/svn/collab-maint/deb-maint/pidgin/trunk/debian
sed -i s/tcl8.6-dev/tcl8.5-dev/ debian/control
sed -i s/tk8.6-dev/tk8.5-dev/ debian/control
sed -i 's/libgstfarsight0.10-dev (>= 0.0.9),//' debian/control
sed -i 's/(>= 0.4.53)//' debian/control
sed -i 's/(>= 1.1.1)//' debian/control
sed -i 's/--enable-vv/--disable-vv/' debian/rules
dpkg-buildpackage
If it complains about missing build-depends, install them and run dpkg-buildpackage again.
Note: I had to disable video/voice because libgstfarsight is not available in lenny.
Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register.
Right, if you're running a vulnerable app, you should let it update itself, sigh!
IranAir Flight 655 never forget!
Easier fix. Don't use MSN.
I guess us snobby iChat users will just continue to talk to each other.
As if you'd have it any other way. ;)
Thanks, Vin Diesel.
The rest of us have to use whistles.
I think we're still calling that ebonics or some such made-up word?
As opposed to every other word out there that was found in nature?
It's like carbon credits.
It is for people who support FSF and feel guilty for running a closed source OS. Instead of actually installing Linux, they offset their use of closed source by installing an open source application. It helps to reduce the guilt and increase "street credentials" among their fellow dwellers of cubicles.
As an example I have Windows XP running Photoshop. In order to offset I looked up the FSF Source-Credits Guide Lines and Regulations Handbook (FSCGLRH) and found out:
Windows XP +10 Source Credits
Photoshop = +5 Source Credits
Offsets I selected:
Pidgin = -4 Source Credits
OpenOffice = -5 Source Credits
Gimp* = -3 Source Credits
Amaya** = -3 Source Credits
*I do not use Gimp, however by installing it, I offset my credits by 3. Thereby reducing my guilt by d6 with a +1 modifier.
** I commonly use FireFox, however, it provides only 0 credits, Amaya on the other hand offsets my credits by 3.
I am happy to say that I am Source Credit Neutral as defined by FSCGLRH. I am even thinking about installing X-Chat 2 in order to sell my credits to offset other people.
First of all, to that security company. Good job really publicizing a vulnerability without checking with unpaid developers of a complete open source project. Also whatever junk you use to create the pages doesn't work with Opera 10 and I am too tired to fire up another browser.
Second: Where are you "web 2.0" cool privacy killing instant messenger sites built on Pidgin libraries, where is your patch to the security vulnerability? Can't you spare some of the entrepreneur provided millions to hire some actual developers and fix the issues with the core you rely on?
Third: How hard is it to assign a couple of MSN, AOL, Yahoo developers to the Pidgin project by the respective companies and let them maintain their own mess which they call a "protocol"? It is not like 100s of millions of Win32 users will use a GTK2 client on their Windows while you already push your own with the OS install, right? I am talking about 3 guys at most, who will at least oversee the protocol development.
All we "open standards" loving nerds are running a bunch of closed source, proprietary, low quality, badly engineered IM protocols and in the end, the people who are unpaid, overworked and struggling to keep up with the junk above get the blame... It is a huge shame really.
Trillian is probably your best bet. I've never tried the A/V support, but it's been there for quite a while. Also look into Gizmo.