XSF Discussion - 2018-08-10

If there is no device list there is literally no way to send encrypted messages. I have no idea what conversations even sends in that case. A message only with the "your client does not support omemo" message? It should not ask to disable, but rather simply tell the user that encryption is impossible and switch to plaintext.

No buttons that helpless users have to decide between

as someone said earlier, if you're scared and don't understand something, you probably click "cancel"

Syndace: it won't let you send anything, that's the correct behavior

Oh, that dialogue reappears until you click disable?

We have years of evidence that falling back to unencrypted is bad

ISPs strip STARTLS all the time for example

not talking about silent fallback

Yep @ dialog reappearing

Okay, that makes things a bit better.

But it's not really "falling back" to plaintext if there never was an encrypted chat in the first place

I think "force encryption" should be an opt-in setting

It's opt out now in conversations

I think that's the correct choice

I would agree if the message was a bit friendlier for non-it people

A message that does not make you click cancel because you don't understand what's going on

But it's okay I guess, my initial rage was a bit too much

Hi. I don't think OMEMO by default is a good choice as long as 1) there is no full stanza encryption and 2) it's not at least in draft. But the situation is difficult, for a messenger where one of the main goal is security, the choice of Conversation is understandable.

https://puri.sm/posts/librem5-progress-report-17/

so looks like the futur Librem5 phone will have XMPP shipped in, using the libpurple library

I was quite surprised, as they said they were going to use Matrix. Or maybe both come with it?

looks like both

but with libpurple I don't expect to have a modern XMPP experience as well…

maybe somebody should sacrifice themselves and bring libpurple to a reasonable level?

Crowdsource some monies for it?

I'm starting to think that's the only answer (fixing Pidgin/libpurple)

I've been semi-seriously thinking that a while myself.

Maybe that's a job for a student who's using Pidgin anyway already?

Ge0rG, good thing I’m not a student anymore

Lucky escape

jonasw: being a student doesn't magically stop with a master's degree. You are still tainted by the attitude.

speaking of attitude: that’s just, like, your opinion, man

> who's using Pidgin Did you stop?

jonasw: I've got some strong opinions, so you better not question them :P

I'm guessing they did research before using libpurple. What does libpurple offer that other libraries don't?

Support for every protocol under the sun.

More cruft than you can shake a stick at.

Dubious security track record