Dev Communiqué for February 2022
Published on February 28, 2022 by Sam Whited
This month saw a return to work on Communiqué and lots of improvements to the library! We'll start there. But first, the stats:
- 23 commits to mellium.im/xmpp from 1 contributor
- 2 releases of the library
- 0 new contributors :(
- 1 CVE filed against mellium.im/xmpp
- 12 commits to Communiqué (and more in the current working branch)
- $40 donated by 1 contributor split across the Jingle and OMEMO projects
mellium.im/xmpp
This month saw the release of several new packages including an integration testing package for slixmpp, support for PEP Native Bookmarks, better support for various cryptographic hashes, and support for entity capabilities!
In addition, this month saw our first CVE (thanks to Travis Burtrum for the report). A vulnerability in the websocket package allowed an attacker who could spoof the DNS TXT records used for websocket endpoint discovery to redirect websocket connections to a server under their control. The issue was assigned the identifier CVE-2022-24968.
Two releases were cut this month: one feature release and one to address the CVE already mentioned. More information can be found in the release posts for v0.21.0 and v0.21.1.
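The CVE above is a reminder that endpoint discovery through DNS TXT records (the XEP-0156 method) is unauthenticated: anyone who can answer the DNS query can name any host. As an added example (my own code, not the library's and not a description of how the library fixed the issue), here is the check I would apply to any discovered WebSocket endpoint: accept only wss URLs, and pin the TLS ServerName to the XMPP domain the user actually entered rather than to whatever host the record points at. The TXT records and the domain example.net are constructed sample input.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample _xmppconnect TXT records for the XMPP domain
// "example.net", in the XEP-0156 format. Nothing authenticates these
// records, so any of them could have been injected by an attacker who
// can spoof DNS answers.
var sampleTXT = []string{
	"_xmpp-client-websocket=wss://example.net/xmpp-websocket",      // legitimate
	"_xmpp-client-websocket=wss://attacker.example/xmpp-websocket", // spoofed
	"_xmpp-client-websocket=ws://example.net/xmpp-websocket",       // plaintext downgrade
	"v=spf1 -all",                                                  // unrelated record
}

// ErrInsecureEndpoint is returned for anything that is not a wss:// URL.
var ErrInsecureEndpoint = errors.New("discovered websocket endpoint is not wss")

const txtPrefix = "_xmpp-client-websocket="

// EndpointsFromTXT returns the websocket URLs carried in the TXT records,
// skipping records that are not XEP-0156 websocket entries.
func EndpointsFromTXT(records []string) []string {
	var out []string
	for _, r := range records {
		if strings.HasPrefix(r, txtPrefix) {
			out = append(out, strings.TrimPrefix(r, txtPrefix))
		}
	}
	return out
}

// DialConfig turns a discovered endpoint into something safe to dial.
// Two decisions matter: only wss is accepted, and the TLS ServerName is
// pinned to the XMPP domain the user asked for, not to the host in the
// URL. A spoofed record may point at any host, but that host must then
// present a certificate valid for "domain", which an attacker's server
// cannot do, so the redirect fails at the TLS handshake.
func DialConfig(domain, raw string) (*url.URL, *tls.Config, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, err
	}
	if u.Scheme != "wss" || u.Host == "" {
		return nil, nil, ErrInsecureEndpoint
	}
	cfg := &tls.Config{
		ServerName: domain, // verify the certificate for the XMPP domain
		MinVersion: tls.VersionTLS12,
	}
	return u, cfg, nil
}

func main() {
	for _, ep := range EndpointsFromTXT(sampleTXT) {
		u, cfg, err := DialConfig("example.net", ep)
		if err != nil {
			fmt.Printf("reject %s: %v\n", ep, err)
			continue
		}
		fmt.Printf("dial %s, verify certificate for %q\n", u.Host, cfg.ServerName)
	}
}
```

Pinning ServerName to the XMPP domain also sends that domain as SNI, which matches how XMPP certificate verification works for SRV-discovered hosts. Deployments that serve the websocket endpoint under a certificate for the web host only would need a custom VerifyConnection callback instead; what must not change is that the identity being verified is the domain the user typed, never the host an unauthenticated record supplied.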
There were too many new features this month to talk about, so I'll pick my personal favorite: entity capabilities support. Entity caps is a mechanism in which an entity advertises a hash of its service discovery (disco#info) result, usually in presence; the hash acts as a cache key so that the entire list of features and identities doesn't need to be fetched every time it's needed. Though the underlying spec has some notable security issues that cannot be resolved, with careful use (in particular, verifying a fetched disco#info result against the advertised hash before caching it) this provides much needed functionality for clients. Our implementation does not get its own package; instead it lives in the disco package alongside service discovery.
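To make the "careful use" concrete, here is an added example (my own standalone code, not the library's disco package) of the XEP-0115 verification procedure: build the verification string from identities and features, hash it, and only cache a fetched disco#info result once it reproduces the ver the contact advertised. It also refuses results with duplicate identities or features and hash algorithms it does not know, which is what stops a contact from poisoning the cache for everyone who later advertises the same node#ver. The sample disco#info result is the Exodus example from XEP-0115; extension data forms are omitted, so a full implementation must add them to the verification string. Names such as Cache, Verify and DialConfig are mine.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Identity is one <identity/> element of a disco#info result (XEP-0030).
type Identity struct {
	Category, Type, Lang, Name string
}

// Info is the part of a disco#info result that XEP-0115 hashes. Extension
// forms (XEP-0128) are left out of this example; a full implementation must
// fold them into the verification string as well.
type Info struct {
	Identities []Identity
	Features   []string
}

// Caps mirrors the <c/> element an entity advertises in presence.
type Caps struct {
	Hash, Node, Ver string
}

var (
	ErrIllFormed   = errors.New("caps: duplicate identity or feature in disco#info result")
	ErrUnknownHash = errors.New("caps: unsupported hash algorithm")
	ErrVerMismatch = errors.New("caps: fetched disco#info does not hash to the advertised ver")
)

// VerString builds the XEP-0115 verification string S: identities sorted by
// category, type, lang and name and rendered as "category/type/lang/name<",
// followed by the features sorted and each followed by "<". Duplicates make
// the result ill-formed and are rejected.
func VerString(info Info) (string, error) {
	ids := append([]Identity(nil), info.Identities...)
	sort.Slice(ids, func(i, j int) bool {
		a, b := ids[i], ids[j]
		switch {
		case a.Category != b.Category:
			return a.Category < b.Category
		case a.Type != b.Type:
			return a.Type < b.Type
		case a.Lang != b.Lang:
			return a.Lang < b.Lang
		default:
			return a.Name < b.Name
		}
	})
	feats := append([]string(nil), info.Features...)
	sort.Strings(feats)

	var s strings.Builder
	for i, id := range ids {
		if i > 0 && id == ids[i-1] {
			return "", ErrIllFormed
		}
		fmt.Fprintf(&s, "%s/%s/%s/%s<", id.Category, id.Type, id.Lang, id.Name)
	}
	for i, f := range feats {
		if i > 0 && f == feats[i-1] {
			return "", ErrIllFormed
		}
		s.WriteString(f)
		s.WriteByte('<')
	}
	return s.String(), nil
}

// Ver returns the base64-encoded SHA-1 digest of the verification string,
// i.e. the ver attribute value when hash="sha-1".
func Ver(info Info) (string, error) {
	s, err := VerString(info)
	if err != nil {
		return "", err
	}
	sum := sha1.Sum([]byte(s))
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// Cache stores disco#info results keyed by node#ver, but only after the
// result has been verified against the ver the advertising entity claimed.
type Cache struct {
	entries map[string]Info
}

func NewCache() *Cache { return &Cache{entries: make(map[string]Info)} }

func key(c Caps) string { return c.Node + "#" + c.Ver }

// Lookup returns the cached, verified disco#info for the advertised caps.
// A miss means the caller must send a disco#info request for node#ver and
// hand the result to Verify before trusting it.
func (c *Cache) Lookup(caps Caps) (Info, bool) {
	info, ok := c.entries[key(caps)]
	return info, ok
}

// Verify recomputes ver from a freshly fetched disco#info result and stores
// the result only if it matches. An unknown hash algorithm is treated as
// "no caps": the caller should fall back to an uncached disco#info request
// rather than trust a ver it cannot check.
func (c *Cache) Verify(caps Caps, fetched Info) error {
	if caps.Hash != "sha-1" {
		return ErrUnknownHash
	}
	got, err := Ver(fetched)
	if err != nil {
		return err
	}
	if got != caps.Ver {
		return ErrVerMismatch
	}
	c.entries[key(caps)] = fetched
	return nil
}

// exodusInfo is the worked example from XEP-0115, used here as constructed
// sample input (features deliberately unsorted).
func exodusInfo() Info {
	return Info{
		Identities: []Identity{{Category: "client", Type: "pc", Name: "Exodus 0.9.1"}},
		Features: []string{
			"http://jabber.org/protocol/muc",
			"http://jabber.org/protocol/disco#info",
			"http://jabber.org/protocol/caps",
			"http://jabber.org/protocol/disco#items",
		},
	}
}

func main() {
	info := exodusInfo()
	ver, _ := Ver(info)
	fmt.Println("ver:", ver)

	cache := NewCache()
	adv := Caps{Hash: "sha-1", Node: "http://code.google.com/p/exodus", Ver: ver}
	if _, ok := cache.Lookup(adv); !ok {
		// Cache miss: "fetch" disco#info from the contact, then verify it.
		fmt.Println("verify genuine:", cache.Verify(adv, info))
	}
	// A result that claims an extra feature must never be cached under this ver.
	poisoned := Info{Identities: info.Identities, Features: append([]string{"urn:xmpp:jingle:1"}, info.Features...)}
	fmt.Println("verify poisoned:", cache.Verify(adv, poisoned))
}
```

The hash algorithm is chosen by the advertising entity, so an implementation has to decide up front which algorithms it is willing to verify; anything else should degrade to a plain, uncached disco#info request rather than to a cache entry whose key nobody checked.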
Communiqué
Work also resumed on Communiqué this month!
Though no major user-visible changes were merged into the main branch, our working branch now has support for toggling between the roster, bookmarks, and a new "recent conversations" pane in the sidebar!
This will allow us to simplify managing presence subscriptions and autojoining channels as well as help keep the chats list more manageable than showing a jumble of every contact and channel. But, that's skipping ahead! The main features merged into the client this month are the ability to check and cache entity capabilities and service discovery information, support for the legacy "private XML" based bookmarks (used in conjunction with the more modern bookmark standard implemented by the library), and a refactor of the code that renders the sidebar.