The first link refers to another project called Briar, and it literally sucks. Why?
1- It supports only Android, whereas Ricochet itself wasn't made for any phone platform.
2- It doesn't even mention where they made any progress on Ricochet.
3- It is not in a Debian package, nor do I think it will be any time soon.
The second link is not much help, same as the first link (and S-rah has no idea what it means that it's not maintained anymore).
So these are my opinions. In conclusion, Ricochet is BAD to be installed by default inside Whonix.
There are a lot of cool apps built on Matrix that are going to come as Debian packages in buster. So I think waiting until that time is the only way to go for now.
[1] Whonix is based on Debian. It depends on Debian. Whonix depends on hundreds of packages which themselves depend on thousands of other packages (tools) and libraries.
If you believe ricochet is dead, therefore insecure and should be removed, then this is primarily a bug to be reported to Debian.
Definition of dead?
code base untouched for >2 years?
no word from author for >2 years?
This first needs a very clear definition. Otherwise we won’t have any other subject ever again but arguing what is dead and what is not.
I am sure, under that definition there are a ton of packages from [1] which meet that definition.
But Debian's philosophy on this subject can't be ours. Why?
Because our distro is anonymity focused, not focused (only) on compatibility problems. So giving this time to the app and just trusting Debian's point of view on its components doesn't mean our product is safe. Anonymity needs active projects that fix and upgrade the issues nonstop (even if the fixing process takes a long time). But being a zero-activity project with no improvements on any tickets = run for your life if you are searching for anonymity.
So maybe the app is still working on Debian and compatible with its distro versions, but that doesn't mean it's safe or a good decision to keep using it.
I know of s-rah’s efforts on building a secure remote command shell using Ricochet and apparently they are on-going. I believe that besides Patrick’s definition we should also not remove a package if:
it has no known sec vulns
does not require major maintenance efforts on our part or is a core dependency.
tl;dr I’m for keeping it at the moment and monitoring how things play out.
The problem, whose effect I think nobody has studied: Ricochet treats each client as a hidden service, but Ricochet's last support is for Tor version 0.2.5, and by default Whonix now supports 0.3.x. So I'm not sure which version of onion service it's going to create: is it v2 or v3? Also, there are many fixes to Tor for hidden services from v0.2.x to 0.3.x.
In conclusion, Ricochet is a great app with Tor but its only were continued …
I suggest checking Matrix; there are too many users migrating to it (as Tox chat also no longer supports Debian…).
The problem with this 0day argument is that it’s fatalistic and there is no way to verify it. There are always 0days in the kernel too, but that doesn’t mean we should abandon all hope and stop developing?
Understand that Ricochet is also written in memory-safe Python (though migrating to Go) and written with security in mind. There are many other base Debian packages that are not. If there is something that’s a weaker link, it’s probably something else.
Worst case scenario, it won’t affect anyone who doesn’t run it, and so I wouldn’t consider it affecting “all Whonix users”.
Matrix is interesting but can you suggest a desktop client already packaged for Debian?
Directly meaning “look into https://github.com/Whonix/anon-meta-packages/blob/master/debian/control”. Only package whonix-workstation-default-applications-gui Depends: vlc, and whonix-workstation-default-applications-gui is not installed on Whonix-Gateway. So VLC on Whonix-Gateway is a dependency of something else.
Ricochet is working well here. There is absolutely no need to remove a functional and stable piece of software after all the effort it took to support and integrate it in Whonix.