XSF Discussion - 2017-03-03


  74. jonasw 100 bytes is a very optimistic MTU for 802.15.4
  75. jonasw LTIC it was more like 80 bytes.
  82. Tobias jonasw, 100 or 120 bytes is realistic for 6LoWPAN
  83. jonasw hmm
  84. vurpo has joined
  85. jonasw must’ve confused something then
  89. Tobias jonasw, around 100 and with link security it was 80 https://en.wikipedia.org/wiki/6LoWPAN
  90. Tobias but yeah..it's not much
  91. Tobias at least my elliptic curve based signatures didn't fit in a single packet :D
  92. jonasw ah, I think I was thinking about zigbee
  93. Ge0rG remembers a sensor network project that was using XML over UDP and then had "unexplainable" errors when manifests grew over 64KB
  94. jonasw there the baseline is 84 bytes
  95. arc jonasw: 2.5 mesh networking eats a bit, as does TLS if you're using it
  96. arc but yes.
  97. blipp has joined
  98. arc my point is, going from SHA256 to something higher has performance costs associated with it
  99. Tobias doesn't SHA have bad runtime performance on constrained devices anyway
  100. arc Tobias: you missed the "magic"
  101. Tobias i think the SHA code even didn't fit on my target device, so i had to go with something different like BLAKE2 :)
  102. Ge0rG wouldn't it be possible to precompute the caps hash when compiling the firmware? :D
  103. Tobias arc, what kind of devices are you usually dealing with? I mostly played around with SAM-R21 like smallish things
  104. arc the schemaId the client uses is pre-baked, and if the server receives it and returns a different schemaId to use, it will use that. as long as its not required for SASL then there's no issue
  105. arc Tobias: im not working with a specific device right now. im just writing libexi
  106. Tobias ah, ok
  107. arc but talking about how I think EXI should be properly implemented with xmpp
  108. jonasw "just writing libexi" :)
  109. arc that method is this: the device (having no previous contact from a given server) sends a sha256: URI as the schemaId, which the server either responds to in-kind (if it is supported) with its own EXI header and the same schema, OR the server responds using a default schema all devices must support with an error, in which case the client must send the pre-encoded schema it wants to use to the server. this schema should be small enough to fit on a given embedded device.
  110. arc the key here is that the use of sha256 is a convention, and this leaves forward compatibility if in the future this needs to change
  111. arc a future version of the same XEP may recommend a different hash to default to "guessing" on first connect.
  112. arc after the server receives the schema from the client though, the server returns the schemaId for the client to use in the future with that server. that schemaId SHOULD be a hash, but it can be literally any string.
  113. arc so..
  114. arc say in 2 years there's a quantum computer breakthrough and SHA256 can be easily broken, leading to the risk for cache poisoning, BUT there's a new quantum-proof hash
  115. arc there's thousands of embedded IoT devices out there..
  116. arc but XMPP server software is updated for the new hash.
  117. arc the servers can then reject all sha256 URIs and ask for the client to send the schema they want to use, on first connection to the server (or reconnection after the server is updated with this security update)
  118. intosi has joined
  119. jonasw seems reasonable
  120. arc the clients send the schema, the server responds with a QPROOFHASH:... URI to use as the schemaId, and older clients simply use that string as-is to refer to the schema they were designed to use.
  121. arc the XEP is updated accordingly, and everyone is happy.
  122. intosi has left
  123. intosi has joined
  124. Tobias right...will be interesting to see on how small of a device you can get XMPP to run
  125. arc the smallest devices ive used on a network generally was atmega running Contiki
  126. suzyo has left
  127. arc i havent done 8-bit optimizations to libexi. mostly that would be in the bitpacker I think, because an 8-bit libexi would certainly NOT be compiled with text XML capabilities which is where all the funky stuff is
  128. arc but I think its very doable.
  129. Tobias arc, do you know RIOT OS?
  130. arc no, never heard of it
  131. arc on the embedded side i'm a hobbyist at best
  132. intosi has left
  133. intosi has joined
  134. Tobias it's an IoT OS, similar to Contiki, but it's all standard C and you could even use C++ https://riot-os.org/
  135. ralphm has left
  136. arc I loathe C++
  137. arc but that's cool, ill look into it down the road
  138. arc i see it runs on 8bit
  139. suzyo has joined
  140. Tobias haven't used it on 8bit yet, mostly 16 and 32 bit I think
  141. kalkin has left
  142. jonasw interesting
  143. jonasw but I’m too much a weird person to use a pre-made OS on an embedded system
  144. jonasw maybe for the next project :)
  145. Tobias and they have good support for standard IETF protocols
  146. arc I thought Cortex M0 was going to obsolete the AVR-based devices, but in a recent meeting I was shown an AVR-based internet connected sensor only slightly larger/thicker than a quarter that essentially stacks on top of a coin-cell battery and runs for a full year, the device costing under $5 including the cost of the battery.
  147. arc jonasw: i've written 3 TCP/IP stacks on 8-bit so far. I do not recommend it, especially IPv6
  148. jonasw :D
  149. jonasw I don’t do TCP/IP on embedded though :)
  150. nicolas.verite has left
  151. arc if you havent done it before, you should save whatever sanity is left and let someone else do that work.
  152. arc ah ok. well you're safe
  153. jonasw for MTU and "heck, I don’t want to implement a TCP/IP stack on embedded" reasons
  154. Tobias jonasw, https://github.com/RIOT-OS/RIOT/wiki (the supported devices are listed on the right)
  155. jonasw Tobias: on the website too
  156. arc you can do it. its just not fun.
  157. jonasw arc: I tried to implement UDP/IP/Ethernet in VHDL though.
  158. jonasw does that count? ;-)
  159. Tobias jonasw, didn't notice that :)
  160. arc essentially you need to run the whole thing zerocopy due to constrained RAM
  161. jonasw Tobias: well, at least enough info on the architectures that I could guess that it’ll run on anything I’ve ever touched ;-)
  162. jonasw arc: yes.
  163. jonasw that’s what I needed to do for my custom protocol
  164. arc and with that, im going to bed.
  165. jonasw I’m streaming three sensors at 200 Hz and need to spread lower sample rate data inbetween of that; the transport being Xbee it’s usual that the connection interrupts for some time. so every bit of ram needs to go into buffers.
  166. Kev Bed? At 9AM? :)
  167. arc Kev: im in DC. its 3:38am here.
  168. jonasw good night, arc
  169. Kev I knew ;)
  170. Kev NN
  171. arc i just spent 2 hours searching my old records for my social security card
  172. Kev Everyone needs a hobby.
  173. jonasw everyone needs secretaries.
  174. jubalh has joined
  175. Ge0rG I wouldn't place important things together with old records.
  176. Steve Kille has left
  177. jonasw I wouldn’t place important things on a piece of paper.
  178. jonasw but unfortunately one doesn’t always have a choice on that.
  179. Steve Kille has joined
  180. Tobias still looking for a nice document management system, so I can just scan all documents and pack them away in crates
  181. jonasw I have ~/Documents/{category}/{date-of-issuance}\ {tags}.pdf. works reasonably well
  192. Guus Whatever process that normally makes sure that the xmpp.org website is updated after a change in the corresponding git repository appears to be failing
  193. jonasw it wasn’t me.<x xmlns="jabber:x:tone">not-convincing</x>
  194. Guus the problem predates my merger of your code :)
  195. jonasw oh okay
  196. Tobias i can take a look
  197. Ge0rG has joined
  198. Guus I think it started going wrong on Feb 26, with my merger of the 'getting started' page
  199. Tobias unless Kev is already
  200. Guus JC's 'add subscribe url for the standards list' is live
  201. Guus ah, it failed first for my attempt to remove the empty 'who uses xmpp' page
  202. Guus that page is still on the website, although I tried deleting it here https://github.com/xsf/xmpp.org/commit/83f365dc99f8a60f31ea5b524e7daafedb714916
  203. daniel has left
  204. Kev I'm struggling at the moment to even work out what's supposed to trigger a build of the site.
  205. Tobias Kev, when I fixed things summer last year, i set up a cron job
  206. jonasw Kev: repository settings -> webhooks?
  207. Kev Tobias: Where's the cron?
  208. Kev It used to be that this was all generated in Travis so we could just pull it onto the server without running code there, but I don't think that's true any more?
  209. Tobias in staticweb's crontab?
  210. Kev Ah, staticweb, of course :)
  211. Tobias didn't want to add it to root's crontab :P
  212. Kev Tonnes of PDF generation errors.
  213. intosi /etc/crontab or /etc/cron.d would've been proper.
  214. Tobias intosi, even for user cron jobs?
  215. jonasw yes
  216. intosi Arguably this isn't a user cron job.
  217. jonasw pick a user there, prevents manipulation of the crontab by the user
  218. intosi ^ what jonasw said.
  219. jonasw Tobias: in /etc/cron* you have to explicitly state as which user the job runs
  220. jonasw so it’s not like everything there runs as root
  221. Tobias ahh
  222. Tobias ta
  223. intosi There's the added benefit that a random admin would look in /etc/cron* first, and might not even consider user crontabs for essential tasks until much later.
  224. jonasw has left
  225. Tobias feel free to move it there then
  226. Guus perhaps first fix the issue at hand?
  227. intosi Guus: that's all one go.
  228. Kev Indeed, I was looking in /etc/cron*.
  229. Kev Guus: You were right though, it does seem to be the one where you edited the sidebar :)
  230. Kev CRITICAL: UndefinedError: 'pelican.contents.Page object' has no attribute 'sidebar_menu_elem_url_8'
  231. Guus weird - why do I not get that locally? Might relate to https://github.com/xsf/xmpp.org/issues/247 ?
  232. Kev Yes, sounds like your local environment isn't quite working right, if that's the case.
  233. vurpo has left
  234. vurpo has joined
  235. Guus I might require things that are not in the repository then. My environment is a clean virtual machine, with just the repo content and build tools as listed in the readme.
  236. Tobias don't know how up to date the readme is, "Any editorial questions: Laura Gill or Simon Tennant can help", at least Simon doesn't seem to be around to respond to any questions regarding xmpp.org site
  237. Guus Kev: can you make Travis fail with the same error?
  245. Tobias Guus, what state is https://github.com/xsf/xmpp.org/pull/185 in?
  250. Guus Tobias: I have not looked at it since. I have now acquired a bit more knowledge about Pelican, so I might not depend on others to finish this
  251. Guus however: the data that it adds is incomplete
  252. Tobias incomplete how?
  253. Guus all votes since 2010 are not in there, I think
  254. Tobias right, but years that are in there are in there completely right?
  255. kalkin has left
  256. Guus it was a one-on-one conversion of the old pages.
  257. Guus whatever was in there, is now here.
  258. Guus I assume that the old data was complete, for those years.
  259. Tobias right
  270. Guus Kev / Tobias: I'll be away for the weekend in a short while. If I can help with the website issue, I'll need to do that now-ish.
  271. Kev No rush right now, I think.
  272. Guus just saying that I'm willing to help, but will be without laptop soon
  273. Guus (doing a weekend trip)
  274. Kev Thanks. Just enjoy your trip, the website will still be here Monday.
  275. Kev :)
  276. Guus kk :)
  340. Ge0rG Flow: backward compatibility is hard :( https://github.com/ge0rg/MemorizingTrustManager/commit/168b7b5598095bfe6ae6fab4797af3f913b574f4
  349. Flow Ge0rG: true
  350. Ge0rG in related news: running the gradle lint on yaxim turned up a dozen of issues, including this one
  355. Flow ♥ loves lint/static code analyzers
  356. Tobias Flow, Ge0rG, any experience using errorprone?
  357. jubalh has joined
  358. Flow Tobias: Smack uses errorprone
  359. xnyhps has left
  360. Flow and it's one of the reasons I made the previous statement
  361. Tobias ah..ok
  362. Flow but it did that found that many issues in Smack
  363. Tobias well..but the things it found were sensible issues, right?
  364. Tobias it didn't produce tons of useless warnings
  365. Tobias or did it?
  366. Flow which is of course only because of my l337 c0d1n6 5k1ll5
  367. Flow Tobias: very sensible
  368. Flow compare to facebook's infer, which produces a ton of non-issues
  369. xnyhps has left
  370. Flow but to be fair, infer was right about every issue it found, they were just non-issues in that particular context
  371. Guus has left
  372. Valerian has left
  373. Zash Can you tell it to ignore those non-issues?
  374. Flow Zash: sure, you could suppress them
  375. Flow I decided against infer in Smack because another static code analyzer would increase the compile time again
  408. jonasw people on security@ argued back then that the hash agility of 115 doesn’t work (dwd and waqas for example), but there are no conclusive reasons given.
  409. jonasw here for example: https://mail.jabber.org/pipermail/security/2009-September/000828.html
  410. Guus has left
  411. Zash doesn't work how
  412. jonasw Zash: I have no idea
  413. jonasw I would like to know.
  414. Zash md5 was used before according to the capsdb
  436. waqas jonasw: Hash agility doesn't work. What we mean by this is backwards compatibility wasn't allowed for. Clients using new hashes vs old hashes would fail to interoperate.
  437. jonasw waqas: what would be wrong with simply sending two <c/> elements with different hash functions?
  438. vurpo has joined
  439. waqas jonasw: Reality. That wasn't allowed, and clients assume there's only one. You'd fail to interop with most (all?) existing deployments out there.
  440. jonasw okay
  441. jonasw makes sense
  442. jonasw I hate reality
  443. waqas i.e., you are modifying the XEP in a way that isn't compatible with prior understanding of implementations
  444. jonasw I like the suggestions you make in https://mail.jabber.org/pipermail/security/2009-September/000829.html btw.
  445. jonasw specifically: > Also worth considering is whether multiple hashes for different sets of data make sense instead of just one. A hash for capabilities of an entity is the most basic. A hash for software ID and version (disco#meta?). A hash for disco#items. Future XEPs being able to define hashes for datasets they define is also useful. The downside is a slightly larger presence packet (which is mitigated by the caps optimization), but I see this leading to a significant reduction in queries.
  446. waqas has left
  447. Flow hu? why wasn't/isn't it allowed to send multiple <c/>s?
  448. Guus has joined
  449. jonasw fwiw, aioxmpp also only uses the last one it finds, but it would be trivial to change that into a map hash->caps
  450. jonasw so it might simply not be clear that clients should expect multiple nodes
  454. waqas Flow: Everything is allowed. You can even call it <b/> or <d/>. That existing clients would fail to interpret it in a defined way is the problem.
  455. waqas Client behavior when they see multiple instances of something that they expected to be single tends to vary between pick-first, pick-last, pick-random, error.
  456. arc """The Web shell used by the attackers didn't support SSL, so all their activities were logged to the webserver, enabling Verizon's RISKS team to analyze their actions. Though the idea of attacking cargo ships by hacking their CMS is a sophisticated one by the standards of sea-pirates, the attackers weren't sophisticated enough to run their attacks through a VPN, enabling the RISKS team to trace the attack back to the hackers' home IP address."""
  457. jonasw … and server behaviour when caps optimization is in place would also be interesting
  458. arc there are at least 3 things wrong with that.
  459. SamWhited ralphm: Ping; when you're next online can I get a bit of help with Trello? I keep missing you :)
  460. jonasw e.g. would the injection of caps in stanzas on first subscription to presence work?
  461. jonasw arc: what’s a CMS in this context?
  462. arc content management system
  463. jonasw d’oh
  464. jonasw I was hoping for cargo management or something domain-specific
  465. Zash arc: Why ... why would .. why the .. whaaaayyyy???
  466. arc stupid script kiddies hacked a shipping company's website and started rerouting cargo ships to them to steal the content of the ships..
  467. Flow waqas: I don't see receiving clients failing if <c hash='sha1'/> is also sent
  468. jonasw then it’s: (1) why the heck do cargo ships run a CMS which is (2) accessible from the internet and (3) can be used to take over the ship?!
  469. Flow together with a <c hash='new-hash-alg'/>
  470. arc jonasw: the ship didnt run the CMS. the shipping company operating autonomously controlled ships did
  471. jonasw arc: well, that’s only marginally better.
  472. arc the ships are controlled by the company remotely
  473. jonasw this future
  474. arc however, not only was their website - used for shipping easily hundreds of millions of goods a year - unpatched to common known vulnerabilities, but they didn't use SSL
  475. Zash They Should Have Used XMPP for their remote controlled drone ships
  476. arc but then - Verizon admits that their risk analysis team was actively monitoring unsecured HTTP, acting as a man in the middle
  477. moparisthebest arc, sorry to change the subject but you have me intrigued about EXI, it sounds like it might be feasible to run a generic exi<->xml converting proxy in front of any xmpp server to give it full exi support, yes or no?
  478. arc moparisthebest: yes, and to be clear I do think that is the first way deployment will happen, however its suboptimal to run two XML parsers in a chain like that
  479. mathieui arc, what’s the source of that read? it sounds lovely
  480. jonasw mathieui: google points me to https://boingboing.net/2016/03/03/pirates-hacked-shipping-compan.html
  481. arc mathieui: https://boingboing.net/2016/03/03/pirates-hacked-shipping-compan.html
  482. moparisthebest yea arc not as great for the server but could be excellent for clients, so when can I expect to be able to download and run the first version from you? :D
  483. Steve Kille SamWhited: thanks for that super-quick MIX turnaround
  484. arc moparisthebest: as soon as i wrap up libexi im going to update my Apache mod_xmpp with it, which is primarily designed to serve as a proxy (websockets to xmpp) but now will also do EXI ports too
  485. SamWhited 👍 my morning coffee goes well with catching up on emails and taking care of XSF stuff :)
  486. SamWhited Thanks for the new revision
  487. Ge0rG has joined
  488. moparisthebest arc, so when do I get an nginx module instead? :P
  489. jonasw Steve Kille: ah, you’re here. I wanted to make sure you don’t feel bothered by my insisting on the issues I pointed out. I feel that I should probably have given you more time, but then again, too often things get forgotten and then we end up with sub-optimal XEPs which cannot be changed anymore because there are too many implementations :/
  490. moparisthebest just joking that would be fine too, I'd be curious to look at adding it to Conversations
  491. jonasw am I the only one who thinks that webservers are not the right place to terminate SSL for everything?
  492. Steve Kille jonasw: not bothered at all. You are making some excellent input to help move this spec forward.
  493. SamWhited Define "web servers"? If you mean reverse proxies like nginx and haproxy, I'd say they're definitely the right place to terminate SSL for everything :)
  494. SamWhited Because that's what they're designed to do
  495. jonasw SamWhited: apache?
  496. arc moparisthebest: I will never write a nginx module. I'm friends with their CEO, Gus, who I used to play on the same rugby team with when he lived in DC, but he was unwilling to hire me while allowing me to work on non-NGINX FOSS on my own time
  497. arc moparisthebest: you can already start, there is a complete Java library implementing EXI
  498. SamWhited jonasw: Yah, I agree with you there… apache may be good at it now, I dunno, but it was not designed to be a reverse proxy.
  499. jonasw arc: wtf?
  500. moparisthebest ah yea arc I remember you saying that, and it sounded super shitty
  501. jonasw I need to repeat: wtf? Is that even legal?
  502. SamWhited I've heard that about nginx several times now, which is kind of sad, because I do love the software…
  503. Zash jonasw: Did you know that nginx is actually an email proxy? :)
  504. jonasw Zash: unfortunately, yes.
  505. arc jonasw: yea its because of some VC agreement or someshit. but the idea of a FOSS project turned commercial turning down an employee they just interviewed and were excited about because he works on other FOSS projects is insane
  506. moparisthebest arc, well you said your EXI should work differently than the XEP, and I'd prefer to have a proper server implementation to test against, but yea the library is there at least
  507. SamWhited I think most big companies have that clause for whatever reason, but I always try to negotiate it away.
  508. jonasw I also know that their protocol implementation is simply a character state machine, I don’t want to know how people implemented XMPP on it. I bet it cannot deal with namespace prefixes properly :-)
  509. arc so I don't consider nginx to be FOSS anymore, regardless to whatever license its available under
  510. jonasw SamWhited: wait wat? clauses which forbid you to work on FLOSS in your freetime?
  511. jonasw I’m really not sure that would be legal here.
  512. arc moparisthebest: im unsure how the java library works, but it might do general xml processing. so you could start by changing it to use the different library and developing your client's exi schema
  513. moparisthebest I think it is here, I guess you can agree to about anything jonasw
  514. arc jonasw: this was the major issue with me and Atlassian, too.
  515. SamWhited jonasw: Yah, I have no idea if they're enforceable or not, but most places I've applied or worked have had some similar thing.
  516. arc and Google. and Facebook. and Twitter. and Adroll. and dozens of other firms.
  517. Zash Isn't usually that they claim ownership of anything you do while employed, not forbid things outright?
  518. arc that's why I'm founding hub.coop
  519. mathieui 15:23:00 jonasw> I’m really not sure that would be legal here. → it’s legal in some states/countries
  520. mathieui and even if illegal, nobody is challenging it in court
  521. jonasw hasn’t occurred to me yet. but then again, I only worked at a startup and a research facility up to now. the latter being very clueless on software development in general.
  522. SamWhited Or at least, I think they had; I don't ever understand the legal stuff, but mostly places have made me sign a "previous inventions" thing or I've been able to negotiate that clause out.
  523. mathieui arc, btw, google doesn’t always have that clause, afaik
  524. arc Zash: California law forbids exactly that, anything you work on in your own time and on your own equipment is yours. but they can fire you for doing it without permission and without negotiating aspects about it
  525. jonasw but good to know. something to watch out for.
  526. jonasw that’d be a deal-breaker for me, too
  527. arc mathieui: Google requires that you get permission from them, and you must argue how it is in Google's best interest. if the project is *GPL they will ask you why you don't want to work on something Apache based instead, etc
  528. mathieui ha right
  529. arc AGPL will always get a hard "NO"
  530. jonasw that explains a lot.
  531. arc Google employees are not allowed to work on any AGPL licensed project.
  532. SamWhited Heh, that's okay then; AGPL is a hard no for me personally too :)
  533. jonasw I have no regrets about not pushing to join google anymore.
  534. arc having to ask permission puts them in the position of being able to say no, and negotiate with you what you can do on your own time
  535. arc SamWhited: for me its beyond the simple ability, its the morality of it.
  536. moparisthebest arc, they aren't allowed to contribute to other's AGPL projects?
  537. jonasw this explains so much
  538. moparisthebest yea for me AGPL is almost always the correct choice meh
  539. arc moparisthebest: no. and that comes from a lawyer working in Google's Open Source Programs Office, the same office that runs Summer of Code is also the office that manages employees wanting to contribute to FOSS
  540. arc moparisthebest: i agree.
  541. moparisthebest makes me glad I work at a non-software company that just has in-house devs to develop in-house stuff lol, so none of this contract nonsense
  542. jonasw what the heck
  543. arc in fact Google is so hostile to the AGPL that they specifically forbade 3rd party projects from hosting them on their old code hosting site, code.google.com
  544. SamWhited I think GitHub does that now too, no? Wasn't that one of the consequences of their new TOS?
  545. jonasw uh
  546. SamWhited Or maybe that was just anything that required attribution
  547. jonasw that would make a few projects I host there illegal
  548. arc SamWhited: there were several consequences, I believe GPLv3 and AGPLv3 both
  549. arc I'm staying out of that one since I dislike github anyway
  550. moparisthebest wait what? lots of AGPL projects are on github?
  551. SamWhited yah, but technically they're not allowed anymore I think (no idea why, that's just what someone said about their new TOS). I suspect it wasn't an intentional consequence, it was just something they did that was incompatible with those licenses somehow
  552. jonasw SamWhited: do you have any sources for that?
  553. arc the concept of a for-profit company like github having so much control over FOSS projects, their new TOS a perfect example of the potential for abuse of that power, makes me extremely uncomfortable
  554. moparisthebest I can't imagine any TOS that would conflict for code hosting
  555. moparisthebest unintentionally anyway
  556. moparisthebest obviously "no agpl projects" would, but that'd be intentional
  557. arc moparisthebest: I wouldn't be too concerned for that, the folks at the FSF, SFLC, and SFC are all over it
  558. arc they'll issue a new TOS soon enough
  559. xnyhps has left
  560. jonasw arc: URLs?
  561. arc the last I heard they were apologetic for the "misunderstanding" this has caused
  562. moparisthebest arc, yea the way I justify using github is it's not like SVN where your repo is held hostage, I have everything locally and can just host my own gitlab whenever I want
  563. arc jonasw: i know this from IRC, I've been watching the lawyers talk about it
  564. jonasw arc: which IRC?
  565. moparisthebest but yea ideally I wouldn't use it at all... meh
  566. arc freenode
  567. jonasw that’s a very broad statement, arc
  568. moparisthebest not very specific :)
  569. arc mostly #Conservancy
  570. arc where else would lawyers be?
  571. moparisthebest ah the kallithea people? I love those guys
  572. arc but its all over, every channels talking about it
  573. SamWhited jonasw: Not in front of me; go read their new TOS or search for other people's blog posts about it.
  574. arc a few projects immediately pulled their repos and started self-hosting since
  575. jonasw SamWhited: the TOS is huge and I can’t find a diff
  576. moparisthebest GIThub tos, no diff? :P
  577. SamWhited I thought they literally did have it in a repo so you could get a diff…
  578. jonasw SamWhited: yes, but
  579. mathieui that’s a line diff
  580. mathieui not a legalese diff
  581. SamWhited fair enough
  582. Zash IANAL, what up?
  583. SamWhited jonasw: Here's a source, but probably also a non-lawyer / completely biased one, so grain of salt: https://www.mirbsd.org/wlog-10_all.htm
  584. Zash SamWhited: Every comment thread I've seen about that has started with "This person doesn't know what they are talking about" ...
  585. jonasw ah, section D narrows it down so that I can take a look
  586. SamWhited Zash: Yah, they probably don't
  587. SamWhited I just assume they're seeing what they want to see, but I have no idea
  588. nicolas.verite has joined
  589. jonasw I’m not dealing with this right now
  590. nicolas.verite has left
  591. jonasw hoping to fix a bug today
  592. moparisthebest thanks SamWhited I was searching for 'github agpl' and such with no luck
  593. SamWhited yah, it was surprisingly hard to find again; makes me think it was just one or two sources being loud and blowing it way out of proportion
  594. jere has left
  595. Ge0rG has left
  596. jonasw arc: if you don’t like github (and I agree that github is a dangerous centralisation of power over FLOSS), what is your alternative suggestion, if I want the broad developer public to easily contribute to and raise bugs for my software?
  597. mathieui jonasw, you can go gitlab or bitbucket, it’s slightly less terribad
  598. jonasw mathieui: that’s only shifting the problem
  599. mathieui yes.
  600. mathieui you can run your own gitlab or whatever hip forge like gogs with external auth and it’s equally easy for people to contribute
  601. Zash Self-host all the things!
  602. jonasw I have a self-hosted gogs instance, but (a) I don’t really like the idea of having to maintain possible abuse if I open registrations or issues and (b) it adds the hurdle to create an account there while ~everyone has a github account.
  603. SamWhited "equally easy" except that now if everyone does that every single person has to make an account with every single project they want to contribute to…
  604. mathieui jonasw, gogs doesn’t allow gitlab oauth?
  605. mathieui -gitlab + github
  606. jonasw I don’t know, but that doesn’t solve (a)
  607. mathieui because you can login into self-hosted gitlab from github
  608. kalkin has left
  609. mathieui and yeah, there is no solution not run by other people where you don’t have to care for abuse
  610. jonasw only allowing to open issues is probably already a good reduction of possibilities for an attacker, but that’s barely sufficient if you want people to contribute patches
  611. SamWhited Now GitHub is the centralized service for auth, so you have more or less the same problem.
  612. SamWhited I dunno, not that I actually think this is a problem. If you don't want your stuff on GitHub or wherever you can move it later. I'm just going to keep using GitHub and Bitbucket; mostly they're pretty okay and legal stuff is hard.
  613. jonasw yes, currently it is not a problem and GitHub is convenient.
  614. moparisthebest that's how I justify it, I have full history and can move wherever later
  615. jonasw right
  616. jonasw except the issues and everything else which is only on gh
  617. moparisthebest I actually think github is the last 'hosted' thing I use, that I don't run myself
  618. SamWhited and if they're apologizing for the confusion over the new TOS like arc said, that probably means they're not going to start randomly deleting your software
  619. moparisthebest you can kind of export those, but yea
  620. nicolas.verite has joined
  621. nicolas.verite has left
  622. Guus has left
  623. arc SamWhited: i think one of the questions that's come up is whether you've granted github rights above and beyond the license by hosting with them
  624. nicolas.verite has joined
  625. SamWhited arc: so it's not that the AGPL is banned, it's just that the AGPL people don't want to give GitHub extra rights?
  626. moparisthebest I feel like, I would HOPE, it would be harder than just a TOS change for them to take rights above and beyond an explicit legal license...
  627. sezuan has left
  628. moparisthebest that wouldn't remotely be legal anyway right? if I push an AGPL project there that has AGPL contributions from countless different devs over the years, *I* can't legally grant anyone any other license can I ?
  629. jonasw moparisthebest: uh, actually, it shouldn’t be that hard. "By uploading to and using the service you agree that github is allowed to do X with your data"
  630. jonasw done.
  631. moparisthebest most of the time it's not *my* data though
  632. moparisthebest not to mention I didn't get any emails or even click to agree, they just published a new version and said 'by continuing...' what like I need to check it every time I push? meh
  633. jonasw well, they also state that you must ensure that you have the right to grant that license on the data
  634. SamWhited That's the point though I think; it's not illegal for GitHub to say "if you want to use our service, you have to give us a legal grant to use whatever you put on our service", and if you can't do that (because you don't want to relicense from something else that says you can't), then you just don't use their service.
  635. SamWhited And if you can't license it because it's someone else's work, then you shouldn't be uploading it anyways (which is probably one of the things they were trying to prevent)
  636. nicolas.verite has left
  637. moparisthebest well that part isn't true
  638. moparisthebest like I have a fork of curl on github, I can't license that to others with any different license than it has, I certainly can't give github extra stuff over what the license says
  639. Guus has joined
  640. SamWhited right, so you can't upload it to GitHub because they say that to upload things to them you have to be able to give them a rights grant.
  641. moparisthebest bad example because curl has a crazy permissive license, but if it had gpl it'd be a good example :)
  642. moparisthebest so what if you do anyway because you aren't a lawyer and/or haven't read the TOS since 2012 when you signed up or whatever?
  643. moparisthebest they can't *take* those rights, they can just stop hosting you?
  644. SamWhited Yah, I think that's generally how it works
  645. moparisthebest yea and if that's worst case I don't care
  646. SamWhited Unless you *do* own the software, then you probably have given them a grant to use it however unless you live somewhere that legal contracts have to be explicit and TOS's don't count
  647. SamWhited at least, that's what this sounds like to me
  648. moparisthebest so I'm not clear legally on the boundaries there, it *seems* they can say stuff like 'by using the service you implicitly grant us rights', why can't they say stuff like 'if you walk outside today you explicitly grant us rights' ?
  649. bjc has left
  650. bjc has joined
  651. SamWhited Because you're not entering into a business relationship with them in that case.
  652. moparisthebest s/explicitly/implicitly/
  653. SamWhited (but again, I feel compelled to point out that I have no idea what I'm talking about: I'm just reading shit off the internet and interpreting it as best I can)
  654. moparisthebest then can they say 'if you utter the name github you implicitly grant us rights'
  655. SamWhited no, of course they can't
  656. moparisthebest I'm not really seeing a precise boundary here, but I guess that's law for you
  657. jonasw moparisthebest: the boundary is probably somewhere along the line of "you are using resources on their systems"
  658. moparisthebest jonasw, so then "if you ever visit github.com you are implicitly granting us rights to all your programs"
  659. sezuan has left
  660. jonasw moparisthebest: there are "if you visit our website you grant us rights" clauses
  661. SamWhited I suspect a court would also find that visiting GitHub.com doesn't count as entering into a legal contract or business relationship…
  662. jonasw that clause there is probably not in proportion and would thus be refuted
  663. moparisthebest what's the legal boundary between visiting and pushing code? both are simple https calls
  664. moparisthebest you can even edit/create code in your browser on github.com
  665. jonasw moparisthebest: the amount of data you move to their systems and which is stored persistently
  666. SamWhited What does the protocol (or anything technical) have to do with any of this?
  667. jonasw the data you store on their systems is theirs
  668. Ge0rG The data you upload to github will be thoroughly searched by the United States border control.
  669. arc SamWhited: im not sure, just things im seeing as i jump between channels. as i said im trying to stay out of it
  670. arc I don't like github, so my opinions would be biased. I'm just sharing snippets of what ive seen.
  671. arc honestly I loved bitbucket
  672. arc once i get quicksilver into a more deployable state I think it could take over
  673. arc quicksilver is a rather hackish realtime mercurial over xmpp I setup. it needs a lot more work, but is kinda cool for remote pair programming
  674. jonasw agh, I don’t like hg :-)
  675. arc jonasw: well you're in luck because there's nothing about it thats mercurial specific, I think
  676. arc it could run server-side git just as well
  677. sonny has left
  678. nicolas.verite has joined
  679. nicolas.verite has left
  680. arc but its not in great shape, extremely hackish. i literally have hg running in a subprocess right now
  681. arc i put it together with a student twoish years ago as an experiment
  682. Flow re pair programming using xmpp: It's so sad that gobby is no longer under active development
  683. moparisthebest arc, familiar with kallithea?
  684. arc I know, gobby was nice. but it had its faults too.
  685. moparisthebest or jonasw because kallithea does hg and git :P
  686. arc moparisthebest: yea ive seen it around
  687. jonasw moparisthebest: no, but let me check it out
  688. arc Flow: what i dont like about gobby is its really session oriented, it doesnt integrate well into daily workflow.
  689. arc and if you want to compile your work, and someone is editing the same session, you have to wait for them to get their part into a ready state. its a bit *too* realtime
  690. jonasw moparisthebest: not confident yet, as they don’t use kallithea to host their own code ;-)
  691. Flow uh, there is commit activity at github.com/gobby/libinfinity
  692. moparisthebest jonasw, they do https://kallithea-scm.org/repos/kallithea
  693. jonasw but not their issues etc.
  694. moparisthebest been using it at work since 2012, when it was called rhodecode, before the rhodecode dev did illegal license things and threatened to sue me and sent DMCA takedown notices for patches and stuff....
  695. jonasw gah, I can’t stand hosting services which show irrelevant information first and not the files. this is also annoying the hell out of me with the recent gitlab updates.
  696. arc QS is basically receiving realtime code pushes into your local VC as you work, but doesn't update. so you see that the code is there, and can merge it in realtime, but its not automagic
  697. Flow arc: Isn't pair programming about having a live/real-time programming session with one or more other ppl?
  698. Flow and everything else would be basically using a DVCS
  699. moparisthebest but then the software conservancy vetted it and forked it to kallithea :)
  700. SamWhited ooh, yah, Bitbucket does that by default… there's an option to change it, but it's an option on each individual repo not on your account, which is stupid.
  701. arc Flow: it is a dvcs, just with pubsub
  702. Flow arc: and it's called quicksilver?
  703. jonasw moparisthebest: all over all, kallithea looks interesting though
  704. Flow arc: got a link?
  705. arc Flow: i reserved quicksilver.vc but there's nothing really in the repo there, as i said its super hackish and only works with our GCI web-based editor
  706. arc at some point I'll get it into a deployable format and put some time into porting plugins to gedit/etc
  707. nicolas.verite has joined
  708. arc the protocol is stupid simple, the server-side is a quick and dirty pubsub service running mercurial in a subprocess with hooks and pipes, and the client side is a python script in front of local hg in their docker container receiving data from the web-based editor and chat client
  709. arc the client side is on gci.copyleftgames.org
  710. arc more than half of it was written by a 15 year old
  711. xnyhps has left
  712. arc Alright - im headed to grab coffee with Mr Miller to discuss becoming a member of the XSF
  713. jonasw good luck, arc
  714. arc Flow: if im successful you'll have more members for the IoT sig
  715. arc they're a washington dc firm doing IoT
  716. SamWhited Good luck
  717. jubalh has joined
  718. winfried has joined
  719. ralphm has left
  720. bjc has left
  721. jubalh has left
  722. kalkin has left
  723. bjc has joined
  724. Guus has left
  725. Guus has joined
  726. Valerian has left
  727. Valerian has joined
  728. nyco has joined
  729. nicolas.verite has left
  730. nyco has left
  731. xnyhps has left
  732. sezuan has left
  733. sezuan has left
  734. jubalh has joined
  735. nicolas.verite has joined
  736. Valerian has left
  737. Valerian has joined
  738. xnyhps has left
  739. sezuan has left
  740. tim@boese-ban.de has joined
  741. Steve Kille has left
  742. vurpo has joined
  743. Zash has left
  744. Steve Kille has left
  745. Lance has joined
  746. Steve Kille has joined
  747. ooih has joined
  748. ooih has left
  749. Zash has joined
  750. Zash has joined
  751. xnyhps has left
  752. mhterres has left
  753. intosi has left
  754. kaboom has left
  755. waqas has left
  756. Guus has left
  757. kalkin has left
  758. Guus has joined
  759. jubalh has left
  760. nicolas.verite has left
  761. kaboom has joined
  762. nyco has joined
  763. waqas has joined
  764. Zash has joined
  765. tim@boese-ban.de has joined
  766. nicolas.verite has joined
  767. Guus has left
  768. jonasw has left
  769. vurpo has left
  770. Guus has joined
  771. vurpo has joined
  772. vurpo has left
  773. vurpo has joined
  774. vurpo has left
  775. vurpo has joined
  776. vurpo has left
  777. Valerian has left
  778. Valerian has joined
  779. vurpo has joined
  780. vurpo has left
  781. vurpo has joined
  782. vurpo has left
  783. vurpo has joined
  784. waqas has left
  785. vurpo has left
  786. xnyhps has left
  787. vurpo has joined
  788. xnyhps has left
  789. vurpo has left
  790. vurpo has joined
  791. ralphm has left
  792. waqas has joined
  793. jubalh has joined
  794. Valerian has left
  795. Valerian has joined
  796. vurpo has left
  797. vurpo has joined
  798. daniel has left
  799. daniel has joined
  800. vurpo has left
  801. vurpo has joined
  802. vurpo has left
  803. vurpo has joined
  804. vurpo has left
  805. vurpo has joined
  806. vurpo has left
  807. Zash has joined
  808. vurpo has joined
  809. vurpo has left
  810. vurpo has joined
  811. vurpo has left
  812. vurpo has joined
  813. suzyo has left
  814. vurpo has left
  815. suzyo has joined
  816. xnyhps has left
  817. vurpo has joined
  818. nyco has left
  819. nicolas.verite has left
  820. nicolas.verite has joined
  821. xnyhps has left
  822. kaboom has left
  823. vurpo has left
  824. vurpo has joined
  825. SamWhited has left
  826. nicolas.verite has left
  827. jere has left
  828. jere has joined
  829. Flow has joined
  830. jere has left
  831. jere has joined
  832. Flow has left
  833. Valerian has left
  834. goffi has left
  835. Guus has left
  836. Alex has left
  837. Guus has joined
  838. Guus has left
  839. Guus has joined
  840. SamWhited has left
  841. vurpo has left
  842. kalkin has left
  843. vurpo has joined
  844. nicolas.verite has joined
  845. Guus has left
  846. Guus has joined
  847. waqas has left
  848. Tobias has joined
  849. Flow has joined
  850. nicolas.verite has left
  851. intosi has joined
  852. sezuan has left
  853. kalkin has left
  854. jubalh has left
  855. vurpo has left
  856. vurpo has joined
  857. intosi has left
  858. jubalh has left
  859. vurpo has left
  860. vurpo has joined
  861. sezuan has left
  862. daniel has left
  863. daniel has joined
  864. Lance has left
  865. waqas has joined
  866. goffi has joined
  867. jubalh has joined
  868. Lance has joined
  869. Zash has left
  870. vurpo has left
  871. vurpo has joined
  872. jubalh has left
  873. vurpo has left
  874. vurpo has joined
  875. Guus has left
  876. Flow has left
  877. Guus has joined
  878. vurpo has left
  879. Guus has left
  880. vurpo has joined
  881. Guus has joined
  882. winfried has left
  883. waqas has left
  884. jubalh has joined
  885. moparisthebest has joined
  886. SamWhited has left
  887. devnull has left
  888. devnull has joined
  889. Zash has joined
  890. daniel has left
  891. daniel has joined
  892. vurpo has left
  893. vurpo has joined
  894. waqas has joined
  895. Mancho has left
  896. jubalh has left
  897. jubalh has joined
  898. jubalh has left
  899. Guus has left
  900. vurpo has left
  901. vurpo has joined
  902. vurpo has left
  903. vurpo has joined
  904. vurpo has left
  905. vurpo has joined
  906. waqas has left
  907. vurpo has left
  908. vurpo has joined
  909. jere has left
  910. jere has joined
  911. nicolas.verite has joined
  912. vurpo has left
  913. vurpo has joined
  914. moparisthebest has left
  915. daniel has left
  916. daniel has joined
  917. daniel has left
  918. daniel has joined
  919. waqas has joined
  920. moparisthebest has joined
  921. daniel has left
  922. daniel has joined
  923. daniel has left
  924. daniel has joined
  925. daniel has left
  926. daniel has joined
  927. daniel has left
  928. daniel has joined
  929. daniel has left
  930. daniel has joined
  931. daniel has left
  932. daniel has joined
  933. daniel has left
  934. daniel has joined
  935. jubalh has joined
  936. daniel has left
  937. daniel has joined
  938. Valerian has joined
  939. daniel has left
  940. daniel has joined
  941. daniel has left
  942. daniel has joined
  943. Valerian has left
  944. Valerian has joined
  945. suzyo has left
  946. kaboom has joined
  947. Guus has joined
  948. daniel has left
  949. daniel has joined
  950. daniel has left
  951. daniel has joined
  952. arc 5 hours later...
  953. goffi has left
  954. Guus has left
  955. xnyhps has left
  956. xnyhps has joined
  957. daniel has left
  958. daniel has joined
  959. daniel has left
  960. daniel has joined
  961. Valerian has left
  962. waqas has left
  963. kaboom has left
  964. arc That was a long talk. I can't even begin to summarize
  965. arc He's a XMPP evangelist for sure
  966. xnyhps has left
  967. arc Wants to join the iot WG
  968. sezuan has left
  969. arc And XSF more generally...
  970. arc He suggested the XSF should have a relationship with IEEE
  971. kaboom has joined
  972. arc He wants to get XMPP standardized for iot within IEEE and other bodies
  973. jubalh has left
  974. arc Rickard has met him and Peter Saint-Andre
  975. moparisthebest Isn't psa the xsf's relationship with the IEEE?
  976. arc If so he missed a ieee XMPP standards group forming
  977. arc Also httpx is a registered URI protocol for http over XMPP??????
  978. arc I'm trying to get the engineers in his IEEE group into XSF
  979. arc Not even a single XSF member involved
  980. arc It's mad and he agrees. He knew of XSF but didn't know how membership works... He asked how much it cost
  981. jere has joined
  982. moparisthebest And how much did you tell him arc ? :-)
  983. arc Just $599
  984. moparisthebest What a deal!
  985. SouL Where can I send the money?
  986. arc Heh
  987. nicolas.verite has left
  988. blipp has left
  989. blipp has joined
  990. arc has left