XSF Discussion - 2017-02-27

will there be anything interesting going on XSF-wise on the Chemitzer Linux Tage?

Oh, it's that time again. I don't think there are any plans, but I'm going there

I’ll be there too, I think. Not sure which day(s) yet, gotta check the schedule of the event and my own :)

Any BOSH experts in here who can/want comment on https://github.com/igniterealtime/jbosh/pull/4 ?

jonasw: What where when?

zash: CLT in Karl-Marx-Stadt, err, chemnitz: https://chemnitzer.linux-tage.de/2017/de

Ge0rG, daniel and I where there last year

§W 5

Flow, the logic failure is that the client doesn't need to wait for an acknowledgement before it can send more requests (putting aside the normal BOSH rules about multiple open requests)

Flow, What PR#4 is saying doesn't immediately seem wrong - that one could use HTTP responses as acks - but the code doesn't appear to do this, and also what MattJ says.

Thanks MattJ, dwd. I think OPs main problem is using BOSH with only one (processing) thread. That will always cause a delay in one of the directions (if I'm not mistaken).

Blocking HTTP requests?

Guus: re that openfire connection issue. Is there a chance that the the upgrade somehow caused sasl mechanisms to vanish

Let's say sha1 disappearing for example

http://download.igniterealtime.org/openfire/docs/latest/changelog.html

Zash: blocking http requests?

daniel: some SCRAM changes there, maybe

Flow: Send HTTP request, wait for response before continuing with processing, have a bad time.

well that's what I think is happening in case only one thread is used with jbosh

Oh it's a client side library?

The coffee, it does nothing :|

Hey, Guus or dwd, does Openfire still do DIGEST-MD5?

Given the recent rush to hate on SHA-1, I'm impressed that nobody cares that DIGEST-MD5 is still around.

Zash: well the 24 hours news cycle and the general alarmism applies to it security news as well

My university's server offers only PLAIN so I'm on the safe side.

<3

PSA: Google announces today the accepted GSOC orgs

In 2 h 45 minutes

Zash, DIGEST-MD5's security state hasn't really changed; the biggest weakness remains that you can churn through a lot of MD5's each second, and DIGEST-MD5 only uses three per cycle.

Zash, The fact it uses MD5 is *almost* irrelevant.

isn’t it with DIGEST-MD5 that, like with PLAIN, it is enough to listen in on the connection to be able to authenticate as that user later?

(I haven’t looked into it; it has been deprecated so I didn’t bother implementing it)

not to forget the interop issues with digest-md5

dwd: I'm sure we'll receive bug reports about SCRAM-SHA-1 being terrible because SHA-1 is broken soon.

Tobias, Oh, there are lots of problems. But using MD5 isn't really one of them.

jonasw, No, it's not subject to replay.

dwd, reply with "Patches welcome!" :)

What about active MITM?

Zash, No channel binding, so yeah, an active MITM can work.

Zash, But couldn't replay, still.

dwd: I remember there being issues with SCRAM if you could get a client to try to auth with you.

Zash, Only in as much as you can potentially brute-force the SHA-1 and extract the plaintext equiv in a reasonable timeframe these days.

narf, google doesn't mention 17:00 UTC any more

Flow: the time line still says 1600Z

daniel: here → https://summerofcode.withgoogle.com/how-it-works/ ?

How it works: 1. we freeze your browser because you’re not using chromium (jk)

Flow, https://developers.google.com/open-source/gsoc/timeline

jonasw, loaded quite fast here on Firefox nightly.

Link Mauve: it behaves oddly when XHR is forbidden :)

(it blocks instead of reacting on the error O_o)

Weird.

yes.

https://summerofcode.withgoogle.com/organizations/6327289865306112/

\o/

\o/

Awesome

Tobias, Want to tweet something from @xmpp?

(Assuming Tobias is an Approved Tweeter)

I believe he is, yes. I need to get those credentials from Bear at some point.

sure

although i don't have any cerdentials

We won't hold it against you.

Kev: did you get the email yet?

arc: Nope.

I just went straight to the source :)

and?

Kev 17:01 https://summerofcode.withgoogle.com/organizations/6327289865306112/

nice

copyleft games is in too

i'll cross-link xsf on our ideas page for related organizations

I got the email, came here, and Kev had already posted.

Kev: you should link xmpp related orgs on the ideas page. it helps steer students in the right direction while they're looking ;-)

are there any restrictions which project/persons can become a gsoc mentor for xsf?

arc: If there's stuff you think I should do, can yo umail please?

I'm in the office until Wed night, so my mind is highly lossy at the moment.

And now to dinner...

Wow, the white house forbids staff to use Signal. http://www.politico.com/story/2017/02/sean-spicer-targets-own-staff-in-leak-crackdown-235413

Ge0rG, as usual the media gets it wrong, the headline anyway, isn't it they were forbidden from leaking private info, meh

that's how I read it anyhow, either way no mention of xmpp/conversations/omemo in there and I don't know whether to be happy or sad about it lol

I heart "fake news" more often in the last several months/year than during my entire life until the election crisis.

because "fake news" were just called "lies" before then

Or “conspiracy theories”. ✏