New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
make CTCP responses less unique #1974
Comments
I'd be in favor of removing the compilation date from |
Hi, I agree that compilation date should be removed from CTCP VERSION. The CTCP TIME is used to know the local time of the other user, so if WeeChat returns UTC time, every user will return the same time, not its local time, becoming useless. I'll check if the CTCP options can be created by default. |
Hmm… weird, the CTCP TIME response is supposed to be sent in English, and it works with no script loaded, but doesn't work when any Perl script is loaded (the locale used is then always the current locale). |
I'd argue CTCP TIME isn't really that useful either. I believe running Weechat on a server is relatively common (in my circles, at least), and servers don't always have the same timezone as their owner/users. Thus, if you use CTCP TIME, you'll need to follow up with the other party anyways, to ensure if the timezone you've got is correct. But, if you need to manually ask for the timezone anyways - why keep CTCP TIME in? |
Why wouldn't you configure WeeChat to use your local time zone? It seems very impractical to me to have it in another time zone. (You don't need root on the server to configure it, just set the TZ environment variable for your user or when starting WeeChat). |
Yes you can configure your timezone on the server (recommended to have your local time displayed in WeeChat). CTCP TIME is somewhat standard and shouldn't leak too much info for me.
|
Done, with additional changes:
|
Feature description
The current default CTCP responses are pretty unique, potentially allowing correlation of different connections from the same user. This could be a privacy issue if someone is connected under separate identities to e.g. a workplace server and an LGBT/activist/whatever server.
In particular:
VERSION
leaks the compilation date, identifying the distribution someone is usingTIME
leaks the user's timezone, and potentially their clock skew tooIn my opinion, only
VERSION
is useful, but it could probably do without the compilation date. The rest could probably be disabled. Also, it'd be good to set the related config options by default, so they'd show up in fset. Opinions?The text was updated successfully, but these errors were encountered: