Open Realtime.
Ignite Realtime is the community site for the users and developers of Jive Software's open source Real Time Communications projects. Your involvement is helping to change the open RTC landscape.
Open Realtime.
Ignite Realtime is the community site for the users and developers of Jive Software's open source Real Time Communications projects. Your involvement is helping to change the open RTC landscape.
We are happy to announce the release of (a)Smack 4.0.0-rc1. This is the first aSmack release that is in sync with Smack's codebase and therefore marks an important milestone for Smack on Android. It is also the first non-snapshot release that is going to be available on the Maven Central Repositories (SMACK-265).
Smack 4.0.0-rc1 includes some major changes and important improvements including security related fixes. While this is marked as release candidate, users are encouraged to update because some important security bugs have been fixed. Please consult the "Smack 4.0 Readme and Upgrade Guide" for further information regarding the changes between Smack 3.4 and 4.0.
Previous Smack versions suffered from a missing "Basic Constraints" check in ServerTrustManager (SMACK-410): this allowed anyone with a valid CA-signed certificate for any domain to generate a certificate for any other domain that would be accepted by Smack's ServerTrustManager. Moxie Marlinspike found the same error in IE back in 2002 and wrote a detailed summary about it: http://www.thoughtcrime.org/ie-ssl-chain.txt
We would like to thank Ryan Sleevi of the Google Chrome Security Team for reporting the issue to us.
The fix for Smack was simply removing ServerTrustManager and the related code altogether. ConnectionConfiguration now only has a setting for a custom SSLContext. We shifted the responsibility for TLS certificate validation out of the library to the user, where it belongs. A fixed version of ServerTrustManager may return as an optional module in a future Smack release. Contributions are, as always, welcome.
A second important security vulnerability often found in XMPP implementations was made public by Thijs Alkemad aka xnyhps early this year. Affected implementations did not properly verify the 'from' attribute of IQ responses and were therefore vulnerable to spoofed IQ packets. You can read more about it here: http://tools.ietf.org/html/draft-alkemade-xmpp-iq-validation-00
Thijs also reported Smack as vulnerable in SMACK-533 and SMACK-538. Thanks to Lars Noschinski, patches were quickly provided and Smack is now immune.
(a)Smack 4.0.0-rc1 is considered mature. It is marked as release candidate because we have only a small number of people who are testing the current (a)Smack development snapshot. We ask everyone using Smack in some sort of staging, development or non-critical production environment to try 4.0.0-rc1 and report any problems or feedback to the community forums.
Thanks to everyone working on Smack 4.0:
git shortlog -sn 3.4.1..4.0.0-rc1
166 Florian Schmaus
10 Lars Noschinski
4 Georg Lukas
2 Vyacheslav Blinov
2 rcollier
1 Daniele Ricci
1 Jason Sipula
1 XiaoweiYan
1 atsykholyas
Besides the mentioned security issues, Smack 4.0 contains also many new improvments and other bugfixes. An overview of all resolved issues in Smack 4.0.0-rc1 can be found in JIRA
Smack 4.0.0-rc1 can be downloaded from maven central
aSmack 4.0.0-rc1 is avaiable as jar at http://asmack.freakempire.de/4.0.0-rc1/
Hi there, I'm Smack's new maintainer. Some of you may know me already as the maintainer of aSmack, the Android port of Smack. I first like to thank Robin for his work on Smack in the past.
Smack has a long development history. The first recorded commit dates back to Jan 13 2003. Now, over 11 years later, we are going make fundamental changes to Smack in order to ensure that it will last another decade.
Most importantly: Ignite Realtime is applying as Google Summer of Code organization. We propose a project to modernize and modularize Smacks build system. One reason why this is necessary, is that we want Smack to be able to target Java SE and Android. Read more about it here.
Smacks SVN repository has been migrated to git, and the code is now hosted on GitHub. We are currently evaluating hosting the code in our own Atlassian Stash, but that isn't decided yet and is not a high priority right now.
Let's have a look at Smack's contributors of the last 11 years:
513 Gaston Dombiak
474 Matt Tucker
123 rcollier
105 Thiago Camargo
104 Florian Schmaus
69 Alex Wenckus
46 Bill Lynch
43 Derek DeMoro
24 Günther Niess
15 Daniel Henninger
12 Henning Staib
11 loki
7 Michael Will
7 Wolf Posdorfer
7 guus
6 Holger Bergunde
6 Jeff Williams
5 Jay Kline
4 Marilyn Daum
3 Francisco Vives
2 bruce
1 (no author)
1 Andrew Wright
1 Pete Matern
1 Tim Jentz
1 root
Hopefully this list will grow over the time. 
If you'd like to contribute bigger patches to Smack, please consult the developers. Either via IRC #smack (freenode) or via the developers forum. All patches will be reviewed, since there are usually a few things that should be improved before the commit is ready for Smack's master branch. Make also sure to read the Guidelines for Smack Developers and Contributors.
Besides the GSOC project, there are more goodies in the queue, like XEP-0198 Stream Mangament and Roster Versioning.
We also work on migrating the build system to gradle, including deployments to sonatype/maven central. I expect the next release to be available as jar and via maven central.
Finally, shortly after the 3.4.0 release, a memory leak was reported in the forum. The cause was , and a fixed nighlty release was made availabe shortly after. I am going to use this importand fix as reason to release Smack 3.4.1 today, in order to get familar with the release process of Smack.
Yesterday's release of Openfire 3.9.0 had some problems with packaging of the release. Bouncycastle signed jar files were getting packed, which then caused problems when Openfire attempted to load them. We have hopefully fixed this issue and cleaned up a few other details and are proud to announce a 3.9.1 release!
Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache license. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.
The download page offers these files and here are their md5sums for your comparison.
| md5sum | filename |
|---|---|
979c431cbf416d387b2ef7ca5d7f6531 | JSopenfire-3.9.1-ALL.pkg.gz |
| 7fb231b58d581babd5d7b65e05b9a953 | openfire-3.9.1-1.i386.rpm |
| 0ffbeb206b45538e8f0ff63325026e37 | openfire-3.9.1-1.src.rpm |
| 3ca1d72c5a34b820a5e0ab15ab21ee34 | openfire_3.9.1_all.deb |
| 028af7beb80cd552a4233434e7597729 | openfire_3_9_1.dmg |
| 79c13434815d05d88031b75adcf85275 | openfire_3_9_1.exe |
| f05b0bfbbc6e04a6fc8cbcdd53e79d8c | openfire_3_9_1.tar.gz |
| 9799c471bed11058c971ed8598ce8449 | openfire_3_9_1.zip |
| 25f716c5497597b59dcce71b7fb0dbb2 | openfire_src_3_9_1.tar.gz |
| 9b7ccb7d1483f62f4da930553c9363c2 | openfire_src_3_9_1.zip |
Please report any issues to us in the forums. We are always looking for developers to help improve Openfire, so please let us know if interested!
The Ignite Realtime community is happy to announce the release of version 3.9.0 of Openfire! Downloads for various platforms are available here.
Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache license. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.
There are a few important fixes with this release, be sure to checkout the changelog for more details.
As always, we welcome your feedback, suggestions, tips, hints, questions and other contributions in the Ignite Realtime Community pages.
We are also looking for people interested in helping to develop Openfire! If you enjoy hacking at Java code and would like to pitch in, please let us know on the forums.
Update 6 Feb 2014 20 UTC: There was a problem with the initial build of 3.9.0 and the packaging of the bouncycastle libraries. This has been fixed. The following MD5 checksums should be used to check the files you download.
| md5sum | filename |
|---|---|
e68c95feba256d8f010682b845a901e2 | openfire_3_9_0.dmg |
| a5cf6e3121aaf8b8367381db0eddb7e5 | openfire_3_9_0.exe |
| a0b4e5d15e4e9c0ac9f5fb8645a32faf | openfire_3_9_0.tar.gz |
| a3088db15e73c884f22ff14842d80642 | openfire_3_9_0.zip |
| d09cb027cf537c866c2e8896b1f3125d | openfire_src_3_9_0.tar.gz |
| 8fffc005508684e2fb23314df8d4f502 | openfire_src_3_9_0.zip |
| 674b86bc209ca51e71fe8fe9f05883f4 | JSopenfire-3.9.0-ALL.pkg.gz |
| 3e883a6c8a8504f6a0934b7054efce66 | openfire-3.9.0-1.i386.rpm |
| 8d661624495d232323ae061246b47ecd | openfire-3.9.0-1.src.rpm |
| 48167fb89ba804e297faa70b37da1b95 | openfire_3.9.0_all.deb |
It is with a heavy heart that I am stepping down as the project lead for Smack.
I am happy to have managed to push out 6 releases in the last 3 years, but even from the start I always had issues finding the time to dedicate to this project. Things have never really improved on that front. Three young children and some unexpected illnesses in my family haven't exactly made for a lot of free time over the last couple of years.
I have been thinking about this for awhile actually, but it has only been this year that some other eager contributors have come along with a lot of ideas and motivation for the project. So that makes for a good time to step aside and let those with time and dedication move the project forward.
I still plan on contributing when and if I can, but it will probably be less code and more helping others in the forums. It takes much shorter blocks of time.
So, I wish the best of luck to Flow, who will be taking over my role as project lead.
Recent Discussions
dele in
"Re: No video of the second participant"
mrosenthal in
""Failed to load Main-Class manifest..." java error when trying to install Jitsivideobridge plugin"
jghuang in
"
Flow in
"