Message-ID: <1077726842.746.44.camel@patience.faceprint.com>
From: faceprint at faceprint.com (Nathan Walp)
Subject: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but...
On Wed, 2004-02-25 at 02:02, Stefan Esser wrote:
> Hello,
>
> On Tue, Feb 24, 2004 at 08:23:44PM -0500, Luke Schierer wrote:
> > Jeff is absolutely correct. We've given them yahoo code, they have given
> > us yahoo code. Sean Egan and one of their heads, a guy named Scott, are
> > on good terms. No theft either way involved here.
> > luke
>
> There is actually one little problem... Eric Warmenhoven, the guy who committed
> the yahoo code had no clue that this code is used by Trillian. No one from the
> GAIM team except himself has the right to dual license his code. And the second
> thing is: take a close look at the commit messages:
>
> It a) references external persons
>
> rev 1.11: Valdis Kletnieks (sysphrog) suggested this fix.
> This seems really odd to me. Typical Yahoo.
>
> (The fix is actually only a "+1" fix)
>
>
> b) has mysterious comments...
>
> rev 1.12: this seems... i don't know.
>
> (sounds to me like... Hmmm got this code committed it, but don't know if or why
> it is better)

Take a journey with me:

rev 1.41:
Sean Egan commits the new authorization code he just wrote.
rev 1.46:
Sean Egan adjusts the authorization code to use version 9 instead of 6.
rev 1.97 (yes, it's been that long since auth was touched):
Sean Egan changes some auth code around, and renames some stuff.
rev 1.104:
Sean Egan modifies yahoo to send the username in lowercase, fixing auth.
rev 1.140:
Sean Egan changes the protocol version again from 0x0900 to 0x000b.
rev 1.145:
Sean Egan commits drastically new auth code. I believe this was written
by him after Trillian figured out the new authentication mechanism.
rev 1.160:
Sean Egan commits more yahoo auth fixes, presumably with help from
Trillian.
rev 1.162:
Sean Egan commits his "web auth" code, giving Gaim 2 ways to log into
Yahoo.

Now I'm sick of looking through commit logs, but I think you get the
idea. Also, by this point, Trillian is sending us code, not
vice-versa. The only code that was ever sent to them was the auth code,
which Sean wrote. Sean is allowed to send that code to anyone he
pleases. As much of a stickler as he is for the GPL, I really don't
think he'd violate it so blatantly and publicly.

Nathan