{{Header}}
{{#seo: |description=Gajim - TODO for installing Gajim by default in {{project_name_long}} }}

= TODO =
* Gajim might intelligently set a Tor SOCKS user name per account already. Do we still manually specify a user/password?
** Gajim developers said they don't intelligently set a Tor SOCKS user name per account. https://dev.gajim.org/gajim/gajim/issues/9213
* security
** (3) TODO: create an AppArmor profile
* Does it have any [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO#protocol-leaks protocol leaks]?
** (4) TODO: check Gajim's built-in XML console
* How to pre-configure Gajim with all these settings by default as a Linux distribution?
** (5) TODO: feature request for .d config folder support - https://dev.gajim.org/gajim/gajim/issues/9214
* feature request: Forcing OMEMO out of the box
** https://dev.gajim.org/gajim/gajim/issues/9215

= Resolved =
Was a blocker:
* Despite the proxy setting, Gajim routes DNS requests through the system's default networking, so they end up in Tor's {{Code2|TransPort}} and DNS is therefore not [[Stream Isolation|stream isolated]].
** Won't be fixed. Python limitation.
** https://dev.gajim.org/gajim/gajim/issues/8538
** Violates [[Dev/Default_Application_Policy|{{project_name_short}} Default Application Policy]].
*** https://forums.whonix.org/t/gajim-messenger/708/7
*** https://forums.whonix.org/t/should-strict-stream-isolation-by-a-requirement-in-whonixs-default-application-policy/3940
* --> Strict stream isolation removed from {{project_name_short}} Default Application Policy.

= Done =
* Are uploads by gajim-httpupload encrypted using gajim-omemo?
** Developer responded: "yes if you have activated OMEMO, httpupload will always encrypt the file, in fact you can not send an unencrypted file with OMEMO activated even if you wanted."
* The plugin installer relies only on HTTPS for verification, which is weaker than gpg, which is used by APT, the usual way to install software. https://tails.boum.org/blueprint/replace_Pidgin/ https://gitlab.tails.boum.org/tails/tails/-/issues/7868
** We can nuke the plugin installer. [https://github.com/{{project_name_short}}/anon-apps-config anon-apps-config], which is installed by default, will [https://github.com/{{project_name_short}}/anon-apps-config/blob/master/debian/anon-apps-config.hide deactivate the Gajim plugin installer / updater] because it's not secure. Using config-package-dev displace.
** (2) Debian feature request to ship the gajim plugin-installer plugin in a separate Debian package. https://bugs.debian.org/902237

= Discussion =
* Some answers here: https://dev.gajim.org/gajim/gajim/issues/8651
* Gajim {{project_name_short}} integration development discussion: https://forums.whonix.org/t/gajim-messenger
* It would take a lot of patches to ensure that OMEMO encryption is always used, but on the other hand, because it is written in Python, Gajim is very easy to patch.
* Gajim can keep its account usernames and passwords in [https://www.kicksecure.com/wiki/Keepassxc KeePassXC] using LibSecret integration. If we look at end-to-end security and worry about the weakest links, then integration of IM with a password manager should be a high priority.

= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Development]]