Insecure loading of code over network
When using the plugin "plugin installer" to install the OTR plugin, I noticed that Gajim loads code over the network. It does this over FTP without any encryption, authentication or integrity checking. A MITM attacker could leverage this bug to get code execution. At the very least, I would like this to be a TLS connection that only allows the connection if the fingerprint of the remote server is exactly as is expected - no CA nonsense, no concern for scale, just a fail-closed method.
Additionally, if this plugin touches the network, I'd like it to use a global proxy as suggested in #7023 (closed).
Steps to reproduce
1. Use the plugin installer plugin.
2. Use Wireshark to observe the FTP transaction.
3. Hope no one replaces the code and roots your machine.
This is current as of Gajim changeset: 13361:edee1e4ca03a
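For reference, here is what the fail-closed fingerprint-pinned download asked for above looks like in Python (Gajim's language). This is an added example written for this report, not Gajim's own code or the plugin installer's real fetch routine; the host, port, path, pin and archive digest are placeholders (assumptions), and the proxy handling from #7023 is not included. The TLS context deliberately does no CA validation at all: after the handshake, the SHA-256 of the server's DER leaf certificate is compared against the hard-coded pin, and anything else (no certificate, wrong fingerprint, non-200 response, wrong archive digest) aborts the install.

```python
"""Fail-closed, fingerprint-pinned TLS download of a plugin archive.

Added example for this report; not Gajim's code. All concrete values below
are placeholders: EXAMPLE_HOST / EXAMPLE_PIN are assumptions, not the real
plugin server or its certificate.
"""
import hashlib
import hmac
import socket
import ssl

# Assumed placeholders; the pin is the SHA-256 of the server's DER-encoded
# leaf certificate, copied once out of band (e.g. from openssl x509 -fingerprint).
EXAMPLE_HOST = "plugins.example.invalid"
EXAMPLE_PORT = 443
EXAMPLE_PATH = "/plugins/gotr.zip"
EXAMPLE_PIN = ("00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:"
               "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff")


class PinMismatch(Exception):
    """The server presented a certificate whose fingerprint is not the pinned one."""


class IntegrityError(Exception):
    """HTTP failure, or the downloaded archive does not match the expected digest."""


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate; this is the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def _normalize(hexdigest: str) -> str:
    """Accept 'AA:BB:..' (openssl style) or bare hex; compare in one canonical form."""
    return hexdigest.replace(":", "").replace(" ", "").lower()


def check_pin(der_cert: bytes, expected_fp: str) -> bool:
    """Exact, constant-time comparison of the leaf fingerprint against the pin."""
    return hmac.compare_digest(fingerprint(der_cert), _normalize(expected_fp))


def pinned_context() -> ssl.SSLContext:
    """TLS context with CA validation turned off: the pin check replaces it entirely."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # chain/CA checks off; we verify the fingerprint ourselves
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _parse_response(raw: bytes) -> bytes:
    """Minimal HTTP/1.0 response handling: require status 200, return the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise IntegrityError("malformed HTTP response")
    status_line = head.split(b"\r\n", 1)[0].split(b" ")
    if len(status_line) < 2 or status_line[1] != b"200":
        raise IntegrityError("unexpected HTTP status: %r" % head[:64])
    return body


def verify_archive(data: bytes, expected_sha256: str) -> bool:
    """Second, independent check: the archive itself must match a known digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), _normalize(expected_sha256))


def fetch_pinned(host: str, port: int, path: str, expected_fp: str,
                 expected_sha256: str = None, timeout: float = 10.0) -> bytes:
    """Download `path` over TLS, accepting only the server with fingerprint `expected_fp`.

    Fails closed: any deviation raises before a single byte of the body is trusted.
    """
    ctx = pinned_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)  # DER is returned even with CERT_NONE
            if der is None or not check_pin(der, expected_fp):
                raise PinMismatch("certificate fingerprint %s does not match pin"
                                  % (fingerprint(der) if der else "<none>"))
            tls.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
                         % (path, host)).encode("ascii"))
            chunks = []
            while True:
                chunk = tls.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
    body = _parse_response(b"".join(chunks))
    if expected_sha256 is not None and not verify_archive(body, expected_sha256):
        raise IntegrityError("archive digest mismatch; refusing to install")
    return body


if __name__ == "__main__":
    # With the placeholder host this will not connect; shown only as the call shape.
    try:
        fetch_pinned(EXAMPLE_HOST, EXAMPLE_PORT, EXAMPLE_PATH, EXAMPLE_PIN)
    except (OSError, PinMismatch, IntegrityError) as exc:
        print("install aborted:", exc)
```

Pinning the leaf fingerprint this way means the pin has to be updated in the client whenever the server's certificate is reissued, which is the "no concern for scale" trade-off the report accepts; the archive digest check is independent of the transport and still holds if the pin is ever rotated. To honour the global proxy from #7023, the `socket.create_connection` call is the only place that would need to change.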