make CTCP responses less unique

[dzwdz]

Feature description

The current default CTCP responses are pretty unique, potentially allowing correlation of different connections from the same user. This could be a privacy issue if someone is connected under separate identities to e.g. a workplace server and an LGBT/activist/whatever server.

In particular:

• VERSION leaks the compilation date, identifying the distribution someone is using
• TIME leaks the user's timezone, and potentially their clock skew too

In my opinion, only VERSION is useful, but it could probably do without the compilation date. The rest could probably be disabled. Also, it'd be good to set the related config options by default, so they'd show up in fset. Opinions?

[benharri]

I'd be in favor of removing the compilation date from VERSION and showing all time as UTC.

[flashcode]

Hi,

I agree that compilation date should be removed from CTCP VERSION.

The CTCP TIME is used to know the local time of the other user, so if WeeChat returns UTC time, every user will return the same time, not its local time, becoming useless.
By the way, the time should probably be returned in English instead of the local language, eg: Wed, 05 Jul 2023 19:28:52 +0200 instead of mer., 05 juil. 2023 19:28:52 +0200 (French).

I'll check if the CTCP options can be created by default.

[flashcode]

Hmm… weird, the CTCP TIME response is supposed to be sent in English, and it works with no script loaded, but doesn't work when any Perl script is loaded (the locale used is then always the current locale).

[dzwdz]

I'd argue CTCP TIME isn't really that useful either. I believe running Weechat on a server is relatively common (in my circles, at least), and servers don't always have the same timezone as their owner/users. Thus, if you use CTCP TIME, you'll need to follow up with the other party anyways, to ensure if the timezone you've got is correct. But, if you need to manually ask for the timezone anyways - why keep CTCP TIME in?

[trygveaa]

I believe running Weechat on a server is relatively common (in my circles, at least), and servers don't always have the same timezone as their owner/users.

Why wouldn't you configure WeeChat to use your local time zone? It seems very impractical to me to have it in another time zone. (You don't need root on the server to configure it, just set the TZ environment variable for your user or when starting WeeChat).

[flashcode]

Yes you can configure your timezone on the server (recommended to have your local time displayed in WeeChat).

CTCP TIME is somewhat standard and shouldn't leak too much info for me.
And anyway you can block it if you don't want to reply to other users:

/set irc.ctcp.time ""

[flashcode]

Done, with additional changes:

• options irc.ctcp.* are now created when irc.conf is created (typically first WeeChat run); but they are not created on upgrade
• options irc.ctcp.* are now evaluated, the format is then more flexible, and any existing option is converted to the new format on upgrade (eg: $version converted to ${version})
• the reply to CTCP CLIENTINFO is now built dynamically, based on options irc.ctcp.* (and if a CTCP is blocked, it's then not advertised in CLIENTINFO reply)
• for privacy reasons, the default CTCP replies FINGER and USERINFO have been removed (FINGER was not a problem, but it's kind of duplicate with VERSION, so not needed); these CTCP replies can still be added manually if needed (see release notes).