Yes, unnecessarily rude and offensive to the developer(s) who wrote it. If he'd just used a more respectful title and removed the last sentence it would have been fine.
No, it wouldn't have been fine. If you find a security bug, you have to follow the reporting procedures. Otherwise you're just making things worse. This should not be in a public ticket.
That aside, I have a hard time seeing that there's any level of rudeness this sort of code doesn't deserve.
In general, lobotomy victims did not choose to have the procedure and have no recourse but to live with the results. This title is rude both to the developers (who we can assume are good intentioned) and to lobotomy victims (who likely had nothing to do with this security issue).
Or, it's just old cruft that is no longer used. As per datallah's response:
"If you don't look carefully, it may appear that the NSS plugin doesn't do any validation of the SSL certificates, but that isn't the case; the validation is done, just not by the SSL_AuthCertificateHook hook."
"If you look at ssl-nss.c#l454, you'll see that before the SSL connection is considered "connected" from libpurple's perspective, ssl_nss_handshake_cb is called to validate the certificate using libpurple's purple_certificate_verify functionality."
This is why you don't jump to conclusions, throw out an emotional diatribe, and generally make an ass of yourself when writing bug reports.
Do you think that using SSL where your client accepts every certificate (the link points to a function that returns a success code unconditionally, the 'real' stuff is disabled by preprocessor directives) is bad?
Whatever the severity (for me this is certainly high), the tone in that bug report is inexcusable.
Edit 2: The bug report now has a proper response, quite relaxed. So it seems this is totally expected - for whatever reason. I'm still curious why the code has been littered with #if 0 fragments for years (dead code belongs in the VCS history for me), but the initial expectation of a total lack of certificate verification is wrong.
The author of this ticket isn't exaggerating when he states that "MITMing this crawling horror would be no more difficult than a plain, unencrypted TCP connection".
This bug report appears to have been written by a lobotomy victim who has had their "communicating with humans" part of the brain removed.
It makes me so sad to see this kind of attitude. And usually (don't know about this case) it comes from a person who does not contribute to the project.
Not everyone is a cryptographer. Although they should refrain from writing crypto code, calling them "lobotomy victims" makes you sound like one.
Why isn't libpurple, being a library, licensed under the LGPL, instead of the GPL? If it were, then there would be no problem linking with OpenSSL if I understand things correctly.