XSF Discussion - 2017-11-23

> I will execute the random selection then on the next Euro Millions draw which is this Friday, November 24th 2017.

longest drumroll ever?

;-)

Guus, If I thought we'd have got there in time, I'd have suggested the UK lottery draw last night.

that would've been very close.

BTW, sorting people by their name is an inherently unfair process.

dwd: oh, the timing doesn't matter much. I'm just glad we were able to come up with a way to resolve this in the first place.

Ge0rG, maybe hash the name + the date and then sort the hashes?

Why are we grouping people by name?

2648f46ed83b89a922e3a74aa5500dee: that's an awesome idea.

Ge0rG, I don't think it makes any difference how people are ordered, the point is that the order must be decided upon and fixed in advance.

dwd: you are absolutely right, in the context of the tie resolution

we're basically ordering them in a circle, not in a prioritized queue.

my remark was rather related to the typical ordering of studens in a class, when the teacher decides whom to ask for homework

Ge0rG, For voting, the memberbot randomizes the order each time you vote, as well. We've run into that one before, as you can tell...

dwd: right. It confused me the first time I mistyped my vote and had to recast, but it's logical.

dwd: I'm also pretty sure I read about it on the ML

Ge0rG: my best friends mum used this for job application. Uses her maiden name normally, but used her husbands family name "Aa" to put herself quite literally on the top of the stack :)

Guus: was the name really "Aa"?

that's like all the "1-2-3 plumbing" and "aaa services" in the yellow pages.

Guus, 'My surname? Yes, it's "a". Lowercase.'

the family name uses https://en.wikipedia.org/wiki/Tussenvoegsel, but otherwise, yes, Aa (and in the Netherlands, we don't use tussenvoegsels for ordering names).

dwd: just for kicks, we once looked up to see if his family really was amongst the first in the phonebook. Turns out that there really are people with "A" for a surname.

naturally, I've declared my friend a loser and moved on.

Tussenvoegsel is a very interesting word.

Yeah, filling out (some) Dutch names in international forms is fun.

it's also fun to be called Georg Lukas. People make witty remarks about lightsabres, darthvaders etc. all the time

I'm always annoyed when things like address book applications list my family ("der Kinderen") under "d" instead of "k"

Yeah, double wammy with your last name also being a common first name.

Guus, So I now learn that you are meneer Der Kinderen but Guus der Kinderen. And you're collated under "K" in Dutch, but "D" in Belgian.

dwd, that's correct.

Guus: yeah, that too. "What's your name?" -- "Lukas" -- "So what's your last name?"

we can formalize the tie resolution process in a XEP or other document, to have it in file when it happens again, also ties which involve more than 2 applicants

Alex: we can, but do we need to put in the effort? It worked out pretty well this time, without the added documentation.

Guus: agreed

Alex, Ideally, we'd publish the algorithm in the run-up to an election, so we could crank it through quickly.

Alex, But in fairness, it's happened twice in XSF history, so maybe Guus has a better idea.

not sure if "not doing anything else" qualifies as an "idea"

I like how the hash discussion for 0392 oscillates between "not too old stuff, it will get deprecated and removed" and "not too recent stuff, it won’t be available in java"

For a use case where md5 would be fine

indeed

Or like crc32

I think it's reliant on low collision, so MD5 is probably the right level.

the worry is more that md5 is deprecated in many places, and may be removed somewhen

Predictable collision is fine. Even a second preimage attack wouldn't be a problem.

mathieui, Doubtful. MD5 is used in a lot more places than just crypto. But if people are worried, SHA-1 will be with us forever, basically.

yeah

Although I like the fact is says "SHA-1 ... as defined by zlib".

dwd: Will it?

git was mentioned on the mailing list, but I think both git and hg are looking at phasing it out

Zash, git is looking into phasing out sha1, hg is looking into phasing out itself ;-)

2/10 would not be trolled again

Just read the ejabberd release post. That made me thinking, is there a link type "share via xmpp", which clients can open and which carries a predefined body, so the user only has to select a recipient?

vanitasvitae, https://xmpp.org/extensions/xep-0147.html#actions-message

I think the "select a recipient" part is trickier though

Has Firefox killed that social plugin architecture they had?

Wherein you had installed some pice of JS that would handle "share this" events.

you could do that in Javascript (sorry Zash)

Unfortunately I doubt it

MattJ: This was 100% pure JS only plugins

You could have a sidebar and share options.

Hmm, XEP-0277 doesn’t say anything about a sharing URI, the closest is https://xmpp.org/extensions/xep-0277.html#location

Yeah, looks like thr recipient is always fix.

Ha, just read the ejabberd release post. They stole our certificate configuration approach ;)

Huh?

MattJ: The one we talked about but haven't gotten around to implement yet?

"Introductin certfiles option": "The option is supposed to replace existing options ‘c2s_certfile’, ‘s2s_certfile’ and ‘domain_certfile’. The option accepts a list of file paths (optionally with wildcards “*”) containing either PEM certificates or PEM private keys. At startup, ejabberd sorts the certificates, finds matching private keys and rebuilds full certificates chains which can be used by fast_tls driver."

ignore my typo

We just pick something based on file names

"just"

Zash, It's in hardware on a load of Intel CPUs, and in use in a zillion places as a general hash. It's not very good at it, actually, but it's there.

Wait, {xep 313} says WHAT?

Zash: Message Archive Management (Standards Track, Proposed, 2017-02-22) See: https://xmpp.org/extensions/xep-0313.html

doesn't look like xep277 registers 'node' the querytype, it's even missing in xep277 § 11. Or am I missing something?

arg, node even clashes with https://xmpp.org/extensions/xep-0050.html#registrar-querytypes

Flow, hmm, it should be at the ?pubsub query type: https://xmpp.org/extensions/xep-0060.html#registrar-querytypes

That’s where it’s registered.

Link Mauve, then there is a '?pubsub' missing in xep277 § 2.1?

Seems so.

Link Mauve, https://github.com/xsf/xeps/pull/545

edhelas, goffi, ^

Flow: this would be a bad idea: 1) the URI is without "pubsub" action in XEP-0060 (the URI is not specific to microblog) 2) we have already tons of URI in the wild without the "pubsub" action 3) the "node" variable is enough to know that it's a pubsub URI (but even if it's not used for something else, it could be, so that's not great I agree)

and if we were adding and action, I would prefer to have "blog" or "microblog" instead of "pubsub", this would avoid retrieving items to know what's the node is about.

an action*

https://xmpp.org/extensions/xep-0060.html#impl-uri

(final standard)

oups draft sorry

Zash, crc32 doesn’t work

"node" is used actually, I've missed the comment abose. That's unfortunate, XEP-0060 should have used an action but it didn't. Anyway command use an action, so we can still differenciate.

you need a few hundred bytes of random input before crc32 starts to work as a proper mixing function

(tried that)

at which point it seemed to me that SHA-1 is a more sensible alternative, than something home-brew based on a crc32 variant

dwd, yes, the incorrect reference to zlib will be going away soon, when I can comfortably type again

Crypto hashes does come with all that random pre-input data, so sure.

exactly

so crc32 isn’t quite sufficient by itself

md5 would probably be fine, too

Good to see discussions/changes on XEP-0277!

goffi, ahh that thing can come without an action. i've changed the PR https://github.com/xsf/xeps/pull/545

Grr, MIX

Grrr?

I kinda assumed it didn't use type=groupchat

Yeah

I kinda assumed it would

The semantics are so different, isn't a MIX joined from your bare JID?

Why would you want groupchat routing rules on that?

MattJ: They don't matter because the server needs to be MIX-aware

I assume

I confess I'm way behind on MIX

All I'm saying is, I was surprised by this

I'll be basing all my MIX-related statements of what I overheard while people were gathered around a whiteboard drawing it up a few years ago

While intoshi, ralphm and I were cutting up XEP 60 into pieces