Wednesday, September 19, 2012
council@muc.xmpp.org
XMPP Council Room | https://xmpp.org/about/xmpp-standards-foundation#council | Room logs: http://logs.xmpp.org/council/ | https://trello.com/b/ww7zWMlI/xmpp-council-agenda

[00:14:54] *** Neustradamus has left the room
[00:15:38] *** Neustradamus has joined the room
[00:21:53] *** Neustradamus shows as "away"
[00:24:24] *** Neustradamus has left the room
[00:31:54] *** Neustradamus has left the room
[00:34:37] *** Tobias shows as "away" and his status message is "Available"
[00:34:38] *** Tobias shows as "away" and his status message is "Available"
[00:40:10] *** Tobias has left the room
[01:06:01] *** m&m has joined the room
[01:06:07] *** m&m shows as "online"
[01:11:30] *** m&m shows as "dnd" and his status message is "in a meeting!"
[01:49:24] *** m&m has left the room
[05:14:07] *** Tobias shows as "online" and his status message is "Available"
[05:33:42] *** Tobias shows as "away" and his status message is "Available"
[05:38:14] *** Tobias shows as "online" and his status message is "Available"
[05:48:47] *** Tobias shows as "away" and his status message is "Available"
[05:53:11] *** Tobias shows as "online" and his status message is "Available"
[06:00:07] *** Tobias has left the room
[06:39:02] *** Kev shows as "online"
[08:35:18] *** Kev shows as "online"
[08:35:19] *** Kev shows as "online"
[08:40:47] *** Kev shows as "online"
[08:40:47] *** Kev shows as "online"
[08:40:55] *** Kev shows as "online"
[08:40:56] *** Kev shows as "online"
[08:41:23] *** Kev shows as "online"
[08:41:23] *** Kev shows as "online"
[08:42:27] *** Kev shows as "online"
[08:42:27] *** Kev shows as "online"
[10:06:54] *** Tobias has joined the room
[10:06:56] *** Tobias shows as "online" and his status message is "Available"
[10:37:27] *** Tobias has left the room
[10:39:41] *** Kev shows as "away"
[10:42:21] *** Kev shows as "online"
[11:25:59] *** Tobias has joined the room
[11:25:59] *** Tobias shows as "online" and his status message is "Available"
[11:46:03] *** Zash has joined the room
[11:46:04] *** Zash shows as "online"
[11:46:37] *** Kev shows as "away"
[11:51:57] *** Kev shows as "online"
[11:52:00] *** Kev shows as "online"
[12:04:28] *** Tobias shows as "away" and his status message is "Available"
[12:17:33] *** Tobias shows as "online" and his status message is "Available"
[12:27:45] *** Kev shows as "away"
[12:36:28] *** Kev shows as "online"
[13:16:41] *** Tobias has left the room
[13:22:57] *** Zash has left the room
[13:24:12] *** Zash has joined the room
[13:24:13] *** Zash shows as "online"
[13:29:37] *** Tobias has joined the room
[13:29:38] *** Tobias shows as "online" and his status message is "Available"
[13:29:53] *** Kev shows as "away"
[13:48:06] *** Kev shows as "online"
[13:49:45] *** Kev has left the room
[14:14:32] *** m&m has joined the room
[14:20:22] *** m&m shows as "online"
[14:23:24] *** Kev shows as "online"
[14:26:23] *** m&m shows as "away" and his status message is "stuffage"
[14:33:47] <Kev> I'm here with 30mins to spare. Hoorah.
[14:33:56] <Kev> Now to try and make sure I don't get caught up in the next half hour.
[14:51:19] *** ralphm has joined the room
[14:59:36] *** MattJ has joined the room
[14:59:51] *** ralphm shows as "away" and his status message is "Away as a result of being idle"
[15:01:47] *** ralphm shows as "online"
[15:03:56] *** m&m shows as "online"
[15:05:42] *** m&m shows as "dnd" and his status message is "XSF Council"
[15:06:40] <m&m> ding!
[15:08:26] <m&m> dong?
[15:08:35] <Tobias> pling
[15:09:00] <m&m> SYN
[15:09:10] <Tobias> FIN
[15:09:15] *** m&m has left the room
[15:09:18] *** m&m has joined the room
[15:09:39] <m&m> I take it Kev got distracted in that 30 minutes
[15:09:46] <Kev> Boom.
[15:09:46] <ralphm> :-)
[15:09:51] <Kev> I'm here.
[15:10:14] <Kev> I'm really looking forward to everything settling down.
[15:10:22] <Kev> So...
[15:10:24] <Kev> 1) Roll call
[15:10:28] <Kev> I'm here. Honest.
[15:10:31] <ralphm> Ik ben er!
[15:10:39] <m&m> presente
[15:10:45] <Tobias> so am i
[15:11:12] <Kev> MattJ: ?
[15:11:48] <MattJ> Present
[15:11:59] <Kev> Marvellous
[15:12:08] <Kev> 2) End of CfE on 71.
[15:12:55] <MattJ> I know there is some "experience" in the works, from waqas
[15:13:07] <MattJ> I'll poke him about that
[15:13:11] <Kev> One largeish question here is whether we want to follow through on that W3C feedback we're supposed to be getting.
[15:13:39] <Tobias> and the current feedback has mostly been on how to handle unformatted or other-formatted parts of the message
[15:13:52] <m&m> I agree with stpeter on this one … it won't be realistic to get a formal review from W3C folk
[15:14:19] <MattJ> I think that's fine with me
[15:14:24] <m&m> I remember asking some to look at it informally, and no one squawked
[15:14:41] <m&m> meaning, no one had big problems with the spec
[15:14:41] <Kev> I don't have strong opinions that we need the review - given that it's already just a subset of their work.
[15:14:56] <Tobias> what would be the expected result anyway? we just reduced their basic XHTML, right?
[15:15:14] *** waqas has joined the room
[15:15:15] <ralphm> Tobias: good point
[15:15:22] <m&m> /nod
[15:15:57] <Kev> ralphm: Why was it a good point when he said it, and not when I said it a minute earlier? :p
[15:16:13] <Kev> So, the next question is whether we feel ready to advance it now.
[15:16:20] <ralphm> Kev: it's personal
[15:17:01] <Kev> Course it is.
[15:17:03] <ralphm> waqas: do you feel we need to wait for your experience?
[15:17:48] <waqas> ralphm: To summarize, I have looked at various XHTML-IM client implementations. The number I couldn't compromise was zero.
[15:18:12] <waqas> This includes popular clients, such as Jappix, Pandion, Candy, etc
[15:18:22] <ralphm> So that's good.
[15:18:38] <waqas> (I was looking at web based clients, or clients embedding a browser control)
[15:19:02] <waqas> I was able to compromise them. That's good? :)
[15:19:18] <ralphm> My only personal experiences are with Adium (which does some horrible tricks with URLs) and Gajim (for which I'd prefer disabling specific styles due to Adium and iChat), but on the whole it looks good.
[15:19:19] <Tobias> waqas, in the sense that you found the issue ;)
[15:19:20] <Kev> I might be inclined to think that advancing a spec that no-one has managed to implement sensibly is ill advised.
[15:20:06] <Tobias> Kev, how can we change the situation?
[15:20:10] <m&m> have these projects been approached regarding the compromises?
[15:20:12] <MattJ> More security notes? :)
[15:20:22] <Tobias> MattJ, yeah...bigger warning signs :P
[15:21:06] <Kev> waqas: Did you let any of the projects know about the vulnerabilities?
[15:21:11] <waqas> I also found lots of other security issues in web clients. Needless to say, I won't be trusting them unless I review the code. The only clients I couldn't compromise were too simple to be of much use.
[15:21:16] <Kev> Were they consistent attacks, or did they each have different issues?
[15:21:21] <waqas> Kev: Not yet. I'll be writing emails.
[15:21:25] <ralphm> waqas: I assume most clients just take some locally available browser-like widget and throw the incoming message at it?
[15:21:35] <m&m> without scrubbing
[15:21:46] <waqas> They were different issues. The clients I named went to quite some effort to sanitize the data, but left some cases uncovered.
[15:22:29] <waqas> The style attribute is particularly troublesome. All failed to properly sanitize that.
[15:22:50] <Tobias> MattJ, although it's true that the current security considerations aren't quite little
[15:22:59] <Kev> Should we be disallowing style?
[15:23:03] <MattJ> Tobias, indeed
[15:23:08] <ralphm> I suppose the only thing that can be done is file tickets against the respective projects and provide examples of exploiting messages and their unwanted behavior.
[15:23:34] <MattJ> I think the security notices and examples are our best shot at preventing this
[15:23:44] <m&m> yes
[15:23:53] <MattJ> Obviously notifying existing projects is a given, but it's our job to fix the spec, more importantly (if possible)
[15:24:02] <Tobias> right
[15:24:06] <MattJ> Security issues are the nature of HTML and CSS rendering, as the web has taught us :)
[15:24:06] <ralphm> Kev: I don't believe disallowing style will help one bit, in reality
[15:24:17] <Kev> ralphm: That may well be. I'm just asking the obvious question :)
[15:24:17] <MattJ> Thank $AUTHORS we don't support Javascript
[15:24:30] <m&m> disallowing style is effectively disallowing rich text
[15:24:34] <ralphm> MattJ: but do implementations?
[15:24:34] <Kev> MattJ: Don't go there.
[15:24:52] <Tobias> m&m, right...that'd cut the featureset quite down
[15:25:08] <Kev> m&m: Well, yes, kinda. Depending whether we allowed a separate CSS block or whatever. It depends what the big problems here are.
[15:25:31] <Tobias> don't other technologies like HTML based e-mail have similar problems? but that probably isn't standardized, right?
[15:25:40] <waqas> Kev: My recommendation would be to never use blacklists for anything, always whitelists, including for CSS values.
[15:25:54] <ralphm> I we would want to be thorough, we could provide a reference implementation that does do this properly.
[15:25:59] <ralphm> if
[15:26:08] <Kev> ralphm: If we think we're capable of doing it properly :)
[15:26:25] <ralphm> Kev: well yeah, it would take quite some time and effort, too
[15:26:55] <Kev> The consensus (I think) that I'm hearing is that this isn't ready to go to Final and needs attention for security issues.
[15:27:04] <Kev> And that should probably happen on list, rather than here.
[15:27:09] <m&m> +1
[15:27:13] <Tobias> +1
[15:27:42] <ralphm> Kev: yeah
[15:28:03] <ralphm> Kev: at the very least the word 'whitelist' probably should be in there
[15:28:49] <ralphm> essentially something similar to what the universal feed parser does for RSS/ATom
[15:28:51] <ralphm> Atom
[15:28:55] <Kev> OK.
[15:29:04] <Kev> MattJ: You happy with that too?
[15:29:28] <MattJ> wfm
[15:29:32] <Kev> OK.
[15:29:35] <Kev> 3) Date of next.
[15:29:51] <Kev> I should be here next Wednesday. Others?
[15:30:01] <waqas> I'm a bit concerned about the state of web clients. I tested around half the webclients in the xmpp.org client list. All except one were vulnerable in one way or another.
[15:30:02] <m&m> SBTSBC WFM
[15:30:03] <ralphm> Kev: point of order, did we formally vote just now?
[15:30:28] <MattJ> Next week wfm
[15:30:36] <Tobias> ditto
[15:31:50] <Kev> ralphm: I believe we just agreed to delay voting until later.
[15:32:18] <ralphm> interesting
[15:32:43] <Kev> That is - we didn't decide to move it to deprecated or final, we left it as it was with an intention to vote later once it's been updated.
[15:33:22] <Kev> But what do I know.
[15:33:27] <Kev> 4) Any other business?
[15:33:38] <ralphm> none
[15:33:49] <m&m> nay
[15:33:58] <Tobias> none here for now
[15:33:58] <MattJ> nack
[15:34:26] *** Kooda shows as "online"
[15:34:33] <Kev> Marvellous.
[15:34:36] <MattJ> I know I've said this before, but in the past week I've been ploughing my spare time into XEP-0313
[15:34:42] <Kev> MattJ: Marvellous :)
[15:34:46] <MattJ> So expect a submission shortly
[15:34:59] <MattJ> There are just a couple of open issues, I'll post those to the list after updating
[15:34:59] <Tobias> !xep 313
[15:35:00] <Kanchil> Tobias: XEP-0313(mam): http://xmpp.org/extensions/xep-0313.html
Message Archive Management - Standards Track/Experimental - Updated: 2012-04-18
[15:35:51] <MattJ> m&m, you're also owing a Carbons update for forwarding encapsulation
[15:36:02] <MattJ> but I won't shout at you until I've pushed 313 :)
[15:36:05] <Kev> Anyway ...
[15:36:23] <Kev> I think we're done.
[15:36:28] <MattJ> Yup, thanks
[15:36:30] *Kev bangs the gavel.
[15:37:07] *** m&m shows as "dnd" and his status message is "in a meeting!"
[15:40:17] <Kev> Thanks all.
[15:40:42] <Tobias> thank you
[15:41:02] <ralphm> Arrrr
[15:46:53] *** m&m shows as "online"
[15:47:11] <m&m> Avast! Ye be following the code fer this auspicious day!
[15:47:16] *** m&m shows as "away" and his status message is "stuffage"
[15:49:18] *** m&m shows as "online"
[15:59:33] *** Tobias shows as "away" and his status message is "fresh air"
[16:08:02] *** m&m shows as "away" and his status message is "stuffage"
[16:08:21] *** ralphm shows as "away" and his status message is "Away as a result of being idle"
[16:12:55] *** m&m shows as "online"
[16:18:21] *** ralphm shows as "xa" and his status message is "Not available as a result of being idle"
[16:39:10] *** Tobias shows as "online" and his status message is "Available"
[17:04:12] *** Kooda shows as "away"
[17:14:58] *** m&m shows as "away" and his status message is "stuffage"
[17:20:49] *** Kev shows as "away"
[17:27:46] *** Kev shows as "online"
[17:28:51] *** m&m shows as "online"
[17:55:41] *** MattJ shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[18:05:41] *** MattJ shows as "xa" and his status message is " (Not available as a result of being idle more than 15 min)"
[18:12:57] *** ralphm shows as "online"
[18:14:30] *** Kev shows as "away"
[18:14:33] *** Kev shows as "online"
[18:16:17] *** MattJ shows as "online"
[18:20:54] *** m&m shows as "away" and his status message is "stuffage"
[18:33:11] *** Kev shows as "away"
[18:36:40] *** m&m has left the room
[18:36:48] *** m&m has joined the room
[18:38:20] *** Kev shows as "online"
[18:45:50] *** MattJ shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[18:48:34] *** MattJ shows as "online"
[18:48:58] *** m&m shows as "online"
[19:00:18] *** Kev shows as "away"
[19:02:12] *** MattJ shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[19:10:50] *** MattJ shows as "online"
[19:14:31] *** Tobias shows as "away" and his status message is "Available"
[19:17:04] *** m&m shows as "online"
[19:26:40] *** m&m shows as "away" and his status message is "stuffage"
[19:30:49] *** m&m shows as "online"
[19:31:46] *** Tobias shows as "online" and his status message is "Available"
[19:39:24] *** Neustradamus has joined the room
[19:45:47] *** m&m shows as "away" and his status message is "stuffage"
[19:45:49] *** m&m shows as "online"
[19:50:15] *** Tobias has left the room
[19:50:56] *** Tobias has joined the room
[19:50:58] *** Tobias shows as "online" and his status message is "Available"
[19:55:18] *** m&m shows as "away" and his status message is "stuffage"
[20:06:50] *** Neustradamus has left the room
[20:07:18] *** m&m shows as "online"
[20:45:10] *** Kooda shows as "online"
[20:48:58] *** Kev shows as "online"
[21:07:54] *** Zash shows as "away"
[21:07:55] *** Zash shows as "online"
[21:15:23] *** Kev shows as "away"
[21:15:33] *** m&m shows as "away" and his status message is "stuffage"
[21:15:35] *** m&m shows as "online"
[21:20:55] *** m&m shows as "away" and his status message is "stuffage"
[21:48:10] *** MattJ shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[21:48:33] *** MattJ shows as "online"
[21:59:43] *** MattJ shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[22:09:43] *** MattJ shows as "xa" and his status message is " (Not available as a result of being idle more than 15 min)"
[22:11:29] *** m&m shows as "online"
[22:16:23] *** MattJ shows as "online"
[22:24:05] *** m&m has left the room
[22:38:27] *** MattJ shows as "away" and his status message is " (Away as a result of being idle more than 5 min)"
[22:39:38] *** MattJ shows as "online"
[22:42:03] *** Kooda shows as "xa" and his status message is "dodo"
[22:59:10] *** Zash has left the room
[23:02:23] *** Tobias shows as "away" and his status message is "zzz"
[23:46:51] *** ralphm shows as "away" and his status message is "Away as a result of being idle"
[23:56:51] *** ralphm shows as "xa" and his status message is "Not available as a result of being idle"