Smack is an Open Source XMPP (Jabber) client library for instant messaging and presence. A pure Java library, it can be embedded into your applications to create anything from a full XMPP client to simple XMPP integrations such as sending notification messages and presence-enabling devices.
After months of hard work it's at the time to release the first alpha version of Smack 4.1, the open source Java XMPP client library, for testing purposes.
Smack 4.1 marks a milestone in the development history of Smack, as it's the first version that runs native on Android. This means that aSmack is no longer required and will be phased out in the future. Future aSmack releases will be solely form the stable 4.0 branch.
Together with support for Android, Smack 4.1 also adds support for XEP-198 "Stream Management" in smack-tcp. XMPP connections with enabled Stream Management provide acknowledgments of sent stanzas (and acknowledges received stanzas to the server) and allow transparent stream resumption in case of a network outage (for example because of a WiFi ↔ GSM switch on Android).
Smack 4.1.0-alpha1 is now available from Maven Central and we would welcome interested and adventurous users to try this early alpha release and provide feedback. For more information about using Smack 4.1 and how to include it in your Android project, consult the "Smack 4.1 Readme and Upgrade Guide".
5 months after the relase of Smack 3.4.1 the Ignite Realtime developer community is proud to annouce the first release of Smack 4, which marks a milestone in the development history of Smack. Smack has undergone a major overhaul and refactoring, including moving from Ant to Gradle and from SVN to git.
Smack 4 also includes security related fixes. Users are encouraged to update as soon as possible.
Many people have helped to develop this release. We especially would like to thank
- Ryan Sleevi of the Google Chrome Security Team for reporting a security flaw in ServerTrustManager (
- Thijs Alkemad for reporting a security flaw regarding IQ spoofing (
- Lars Noschinski for fixing the IQ spoofing flaws and adding support for roster versioning (
- Jens Offenbach for helping making Smack an OSGi bundle (
Six weeks after the release of the first Release Candidate (-rc1) of Smack 4, the Ignite Realtime Community is proud to announce the release of the second and likely final Release Candidate.
Smack 4.0.0-rc2 contains many improvements and bug fixes. The API underwent some major changes and is considered stable. Now is the perfect time to test (a)Smack 4.0 if you haven't already. Smack is available from Maven Central (direct link). aSmack can be obtained from http://asmack.freakempire.de/4.0.0-rc2/
We are happy to announce the release of (a)Smack 4.0.0-rc1. This is the first aSmack release that is in sync with Smack's codebase and therefore marks an important milestone for Smack on Android. It is also the first non-snapshot release that is going to be available on the Maven Central Repositories (SMACK-265).
Smack 4.0.0-rc1 includes some major changes and important improvements including security related fixes. While this is marked as release candidate, users are encouraged to update because some important security bugs have been fixed. Please consult the "Smack 4.0 Readme and Upgrade Guide" for further information regarding the changes between Smack 3.4 and 4.0.
Previous Smack versions suffered from a missing "Basic Constraints" check in ServerTrustManager (SMACK-410): this allowed anyone with a valid CA-signed certificate for any domain to generate a certificate for any other domain that would be accepted by Smack's ServerTrustManager. Moxie Marlinspike found the same error in IE back in 2002 and wrote a detailed summary about it: http://www.thoughtcrime.org/ie-ssl-chain.txt
We would like to thank Ryan Sleevi of the Google Chrome Security Team for reporting the issue to us.
The fix for Smack was simply removing ServerTrustManager and the related code altogether. ConnectionConfiguration now only has a setting for a custom SSLContext. We shifted the responsibility for TLS certificate validation out of the library to the user, where it belongs. A fixed version of ServerTrustManager may return as an optional module in a future Smack release. Contributions are, as always, welcome.
A second important security vulnerability often found in XMPP implementations was made public by Thijs Alkemad aka xnyhps early this year. Affected implementations did not properly verify the 'from' attribute of IQ responses and were therefore vulnerable to spoofed IQ packets. You can read more about it here: http://tools.ietf.org/html/draft-alkemade-xmpp-iq-validation-00
(a)Smack 4.0.0-rc1 is considered mature. It is marked as release candidate because we have only a small number of people who are testing the current (a)Smack development snapshot. We ask everyone using Smack in some sort of staging, development or non-critical production environment to try 4.0.0-rc1 and report any problems or feedback to the community forums.
Thanks to everyone working on Smack 4.0:
git shortlog -sn 3.4.1..4.0.0-rc1
166 Florian Schmaus
10 Lars Noschinski
4 Georg Lukas
2 Vyacheslav Blinov
1 Daniele Ricci
1 Jason Sipula
Besides the mentioned security issues, Smack 4.0 contains also many new improvments and other bugfixes. An overview of all resolved issues in Smack 4.0.0-rc1 can be found in JIRA
Smack 4.0.0-rc1 can be downloaded from maven central
aSmack 4.0.0-rc1 is avaiable as jar at http://asmack.freakempire.de/4.0.0-rc1/
Hi there, I'm Smack's new maintainer. Some of you may know me already as the maintainer of aSmack, the Android port of Smack. I first like to thank Robin for his work on Smack in the past.
Smack has a long development history. The first recorded commit dates back to Jan 13 2003. Now, over 11 years later, we are going make fundamental changes to Smack in order to ensure that it will last another decade.
Most importantly: Ignite Realtime is applying as Google Summer of Code organization. We propose a project to modernize and modularize Smacks build system. One reason why this is necessary, is that we want Smack to be able to target Java SE and Android. Read more about it here.
Smacks SVN repository has been migrated to git, and the code is now hosted on GitHub. We are currently evaluating hosting the code in our own Atlassian Stash, but that isn't decided yet and is not a high priority right now.
Let's have a look at Smack's contributors of the last 11 years:
513 Gaston Dombiak
474 Matt Tucker
105 Thiago Camargo
104 Florian Schmaus
69 Alex Wenckus
46 Bill Lynch
43 Derek DeMoro
24 Günther Niess
15 Daniel Henninger
12 Henning Staib
7 Michael Will
7 Wolf Posdorfer
6 Holger Bergunde
6 Jeff Williams
5 Jay Kline
4 Marilyn Daum
3 Francisco Vives
1 (no author)
1 Andrew Wright
1 Pete Matern
1 Tim Jentz
Hopefully this list will grow over the time. If you'd like to contribute bigger patches to Smack, please consult the developers. Either via IRC #smack (freenode) or via the developers forum. All patches will be reviewed, since there are usually a few things that should be improved before the commit is ready for Smack's master branch. Make also sure to read the Guidelines for Smack Developers and Contributors.
Besides the GSOC project, there are more goodies in the queue, like XEP-0198 Stream Mangament and Roster Versioning.
We also work on migrating the build system to gradle, including deployments to sonatype/maven central. I expect the next release to be available as jar and via maven central.
Finally, shortly after the 3.4.0 release, a memory leak was reported in the forum. The cause was , and a fixed nighlty release was made availabe shortly after. I am going to use this importand fix as reason to release Smack 3.4.1 today, in order to get familar with the release process of Smack.