Delist Ricochet #1135

Merged
Mikaela merged 4 commits from delist-ricochet into master 2019-08-14 15:28:08 +00:00
Mikaela commented 2019-08-11 13:57:25 +00:00 (Migrated from github.com)

Description

Resolves: #781

Ricochet's development appears to be stopped, and in the linked issue I proposed replacing it with Cwtch, where I understand the development to continue. However, there @blacklight447-ptio said that it's not in a usable state and proposed replacing it with Briar instead, which we list as worth mentioning, so I think Ricochet was forgotten.

How long is Ricochet going to stay secure if it's unmaintained? Are users going to follow the instructions to update the Tor binary? Are users going to follow Tor's releases and keep the Tor binary up-to-date? I think keeping it listed is a disaster waiting to happen.

Also, Tor is misspelled as TOR in our description, which in my opinion looks bad, and if we won't delist it, we should fix that. I don't know if the misspelling looks like a warning to stay away though, so maybe it can be positive.

netlify[bot] commented 2019-08-11 13:58:08 +00:00 (Migrated from github.com)

Deploy preview for privacytools-io ready!

Built with commit 953d8c3714

https://deploy-preview-1135--privacytools-io.netlify.com

netlify[bot] commented 2019-08-11 13:58:39 +00:00 (Migrated from github.com)

Deploy preview for privacytools-io ready!

Built with commit db46562b4f

https://deploy-preview-1135--privacytools-io.netlify.com

nitrohorse (Migrated from github.com) reviewed 2019-08-11 16:58:40 +00:00
nitrohorse (Migrated from github.com) left a comment

LGTM


I was under the impression Ricochet was still safe if the Tor binary was updated. It also doesn’t appear to be completely dead, it looks like development is just more focused on the protocol than the actual client.

nitrohorse commented 2019-08-12 00:24:30 +00:00 (Migrated from github.com)

> I was under the impression Ricochet was still safe if the Tor binary was updated. It also doesn’t appear to be completely dead, it looks like development is just more focused on the protocol than the actual client.

Based on the open [issues](https://github.com/ricochet-im/ricochet/issues) and PRs it sure looks unmaintained. Hmm... some digging...

> The reason I am reluctant to add anyone to the github team is because I know the issues that lurk in the codebase, and the amount of work required to fix them - rolling out a new legacy ricochet release with a new tor version won't fix those problems - a new release without those gives users a false sense of security.
>
> If there truly is desire to revive the old ricochet, I would strongly encourage you to redo both the authentication protocol and the regex handling - both are currently a source of legacy issues, and known vulnerabilities - neither are trivial to fix but If there are secure PRs for those submitted I will try and find time to review & merge them.
>
> If there really is willingness and effort to fund work /input energy into metadata resistant communications, I would ask you to deeply consider joining us to move Cwtch forward rather than investing effort into reviving the original Ricochet.

https://github.com/ricochet-im/ricochet/issues/600#issuecomment-511488605

In addition to Cwtch it looks like some of the community has moved to https://ricochetrefresh.net/.

jonah reviewed 2019-08-13 18:00:19 +00:00
blacklight447 (Migrated from github.com) reviewed 2019-08-14 15:13:04 +00:00
Reference: privacyguides/privacytools.io#1135