-
edhelas
I'm reading the Standards ML, before putting Bookmark to Final would it maybe be wise to update it, like to clarify which method is preferred for storing them?
-
flow
edhelas, isn't that done in xep48 § 3. ?
-
marc
hm, if matrix requires an additional push protocol (GCM for Android), is it not possible to use riot without Google services installed?
-
Ge0rG
marc: AFAIU it falls back to polling the server.
-
jonasw
marc, I think it is, but that ^
-
marc
yes, okay :D
-
Ge0rG
Life is great, isn't it?
-
marc
Ge0rG, it just means to me that it sucks and has a big disadvantage in comparison to XMPP :D
-
Ge0rG
marc: what did you expect from HTTP? WebSockets?
-
daniel
Well that's what signal does
-
daniel
And rocket.chat
-
marc
daniel, signal requires GCM and if not available falls back to polling?
-
daniel
marc: no. It falls back to websockets
-
daniel
The "well, that's what signal does" was a response to what Ge0rG said
-
SaltyBones
should it be obvious why websockets works?
-
marc
websockets allow permanent connections, right?
-
daniel
Yeah using websockets is reasonable
-
Zash
I wouldn't count on "permanent"
-
daniel
Compared to polling http that is
-
SaltyBones
oh weird..so the os does the connection part for you and just gives you some magical permanent socket?
-
Zash
If that worked, everyone would be doing it
-
Zash
I imagine it has the same restrictions on mobile OSes as plain TCP
-
Ge0rG
Zash: but better firewall piercing capabilities
-
moparisthebest
but only over HTTPS, at which point, you can also just use TLS on 443
-
Tobias
https://twitter.com/ivucica/status/968538897604075521
-
jonasw
Seve, ^ might be of interest to you
-
SaltyBones
I like vvoip
-
SaltyBones
had not seen that before
-
SaltyBones
unfortunately the distinction is lost in pronunciation
-
Alex
will start our Q1 member meeting in 3 minutes
-
jonasw
uh
-
jonasw
today’s the day
-
moparisthebest
slipped my votes in just now, right under the buzzer
-
Alex
;-)
-
Alex
okay
- Alex bangs the gavel
-
Alex
here is our agenda for today: https://wiki.xmpp.org/web/Membership_Applications_Q1_2018
-
Alex
sorry here: https://wiki.xmpp.org/web/Meeting-Minutes-2018-02-27
-
Alex
let me update the first section and add the vote which just came in
-
moparisthebest
(sorry)
-
Alex
not a problem
-
Alex
1) Call for Quorum
-
Alex
as you can see 32 members voted via memberbot
-
Alex
so we have a quorum
-
Alex
2) Items Subject to a Vote
-
Alex
new and returning members, you can see all the applications here: https://wiki.xmpp.org/web/Membership_Applications_Q1_2018
-
Alex
3) Opportunity for XSF Members to Vote in the Meeting
-
jonasw
Alex, did pep. reach out to you?
-
jonasw
or did you receive his attempts to reach out?
-
Alex
anybody here who has not voted yet, and wants to vote in the meeting?
-
jonasw
did the MUC just die or is it just me?
-
Alex
jonasw: I don't think so. At least I do not remember
-
jonasw
Alex, he tried to reach you several times since memberbot didn’t talk to him :(
-
jonasw
he also said that he probably wouldn’t be able to make this meeting though :(
-
Alex
my client blocks all messages from unsubscribed users silently, because I get tons of spam
-
jonasw
ah I see
-
Alex
If he is around we can fix it now and get his vote in
-
jonasw
I told him to try email though
-
Alex
otherwise we fix for the next voting period
-
Ge0rG
Alex [20:07]:
> my client blocks all messages from unsubscribed users silently, because I get tons of spam

This policy fails to work for people with public roles.
-
jonasw
Ge0rG, he accepts subscriptions though
-
jonasw
also probably not the right time to discuss this
- Alex starts counting now, for working on the results
-
Ge0rG
Right, sorry.
-
Alex
looks like nobody wants to vote
-
Alex
Ge0rG: let's put it under other business and discuss at the end of our meeting
-
Alex
4) Announcement of Voting Results
-
Alex
when you reload the page at: https://wiki.xmpp.org/web/Meeting-Minutes-2018-02-27#Announcement_of_Voting_Results you can see the results
-
Alex
all new and returning members are accepted
-
Alex
congrats to everyone
-
jonasw
\o/
-
Alex
5) Any Other Business?
-
jonasw
Ge0rG, that’s your cue
-
Alex
Ge0rG: I use XMPP since the very early days when Jer's first server came out. My jabber.org JID is probably on every spammer list, and it's a huge pain for me these days
-
moparisthebest
wouldn't a better system than bugging Alex just be to automatically import all member JIDs into memberbot ?
-
Alex
sometimes I log in and have 100 spams in the morning
-
jonasw
Alex, ugh
-
moparisthebest
and, while we have a database of member JIDs, tie that into the wiki and use xmpp for auth, slightly different topic though :)
-
jonasw
I feel your pain, even though probably 1.5 orders of magnitude less worse
-
Ge0rG
Alex: I'm blocking 99% of spam messages with some simple heuristics, and I had to implement "reject all requests" against presence spam
-
Alex
because of the server crash we had last year I lost the whitelist
-
Guus
Can we give someone else privs to add people to memberbot?
-
Guus
So that we don't depend solely on Alex ?
-
Alex
but usually I add all new members to the list, and when people contact me by email or xmpp it takes only some seconds to add them to the whitelist
-
Ge0rG
https://yaxim.org/blog/2017/12/22/spam-reduction-on-yax-dot-im/
-
moparisthebest
we have a list of all XSF members surely right?
-
Alex
memberbot is pretty smart and supports xdata commands for administration
-
moparisthebest
can't memberbot just always use that list?
-
Alex
Guus: memberbot also has a list of admins IIRC
-
Alex
Happy to add someone else who can execute the commands and add people to the whitelist
-
Ge0rG
Jabber.org being de facto unmaintained doesn't help much, I suppose
-
Alex
it's just executing 2 commands: 1) submit the JID 2) reload the whitelist
-
Guus
Alex: add me if you want
-
Alex
Guus: done
-
Alex
restarting the bot, you can check if commands are working for you
-
Guus
Alex: later. Kid just got sock
-
Guus
Sick
-
Guus
Thanks though
-
Guus
Afk
-
SaltyBones
Ah, I thought he was a house elf
-
Alex
moparisthebest: have seen this post, and it's on my todo list to add this to my personal prosody server, but my main JID is still on jabber.org
-
Alex
I mean Ge0rG ;-)
-
Alex
but we have to solve this SPAM problem in general, it could kill our technology when it's getting worse
-
jonasw
yeah
- SaltyBones never gets any spam and feels left out.
-
jonasw
SaltyBones, you can have mine
-
jonasw
Alex, sent you a subscription request
-
moparisthebest
I didn't until I became XSF member and XEP author
-
moparisthebest
but that happened around the same time, so I don't know which or both
-
Alex
jonasw: accepted, because the JID did not contain 3 numbers ;-)
-
Alex
6) Formal Adjournment
-
Alex
I motion that we adjourn
-
jonasw
seems reasonable :)
-
Kev
Seconded.
- Alex bangs the gavel
-
Alex
thanks guys
-
Kev
Thanks Alex.
-
jonasw
thanks for doing the work and again congrats to all (re-)accepted folks
-
Alex
we send out mail to memberslist tomorrow in the AM, and create the applications page for Q2 ASAP
-
SamWhited
I was getting a lot of spam for a while, but it was all from 3 or 4 domains that had IBR enabled so I blocked those and now I don't get any. ¯\_(ツ)_/¯
-
SamWhited
I don't think I ever got the presence spam that some people get though, so maybe I'm just not on the right lists.
-
jonasw
contextswitch: how does XEP-0401 interoperate with the European GDPR thingy? if an offering server provides MAM etc. it would have to acquire explicit consent. Or maybe we need to change clients to make consent to MAM explicit and show the privacy policy of the server beforehand? That would probably require some protocol.
-
j.r
I haven't had spam on any of my accounts
-
Zash
I got one the other day
-
Kev
I know it's not a popular viewpoint, but I still think that signing up for services through web interfaces makes sense, rather than doing it inband.
-
Zash
Why not both?
-
Zash
We have protocol to register inband, or to redirect to a website from inband.
-
Alex
the spam I get since the last ~4 weeks is always from different domains. Some of those domains look very weird and like they just get automatically created only for this purpose
-
Alex
sometimes it's from "well known" domains which still have IBR open, this is a very low percentage
-
moparisthebest
do you have strict s2s requiring encryption and valid certs turned on?
-
moparisthebest
I think I'd get a lot more spam judging by my failed s2s logs
-
Alex
moparisthebest: its on my jabber.org Jid
-
moparisthebest
today for instance: Establishing a secure connection from rosolina.estate to burtrum.org failed
-
moparisthebest
what are the chances that's a legit xmpp server? (I haven't checked hehe)
-
moparisthebest
well does jabber.org require valid s2s certs and TLS ?
-
Kev
No. Requires TLS, but allows dialback.
-
moparisthebest
how many legitimate servers don't have valid TLS certs nowadays with letsencrypt?
-
jonasw
I run one
-
jonasw
because I couldn’t be bothered to set up letsencrypt for that thing
-
moparisthebest
I mean illegitimate ones can easly get valid TLS certs from letsencrypt too
-
jonasw
it’s still CACert
-
moparisthebest
but, I'd say turn it on, force bad admins to stop being lazy
-
jonasw
I actually keep it renewed
-
moparisthebest
:P
-
jonasw
*shrugh*
-
jonasw
I’d simply turn off that service instead.
-
moparisthebest
it has to be harder for you to renew CACert once than set up letsencrypt
-
jonasw
moparisthebest, no
-
jonasw
in fact it’s not
-
jonasw
letsencrypt is tedious for XMPP
-
moparisthebest
besides CACert has always been useless, just self-sign
-
jonasw
the only way to do it right is with DNS Challenge
-
jonasw
and that’s its own rat's nest
-
jonasw
*shrug*
-
Alex
jonasw: agree
-
Guus
jonasw: indeed
-
jonasw
CACert takes the load of managing signatures off of my head :)
-
moparisthebest
it's not, you can use DNS, but I also find it rare that you can't just listen on HTTP
-
jonasw
something something CA signature serial I have no idea what I’m even talking about
-
SaltyBones
jonasw, switch to letsencrypt
-
jonasw
moparisthebest, it’s just wrong to listen on HTTP for chat.domain.example
-
jonasw
simple as that.
-
SaltyBones
it is easier to maintain and they have certificates that don't use md5...
-
jonasw
it’s not an HTTP service.
-
Alex
on my personal server I renew the Let's Encrypt cert every 3 months and it sucks
-
jonasw
I’m not even going to set A/AAAA records up for that.
-
Alex
on my k8s clusters with kube lego its awesome
-
SaltyBones
Alex, really? I just did it three days ago. "certbot renew" and restarting/reloading a few services...that's it
-
Alex
maybe we need to invest a bit more in letsencrypt modules for all major servers
-
jonasw
yeah
-
jonasw
with DNS challenge please.
-
jonasw
I’d really love to have a thing which just implements a very trivial DNS server
-
moparisthebest
Alex, you manually renew them every 3 months?
-
jonasw
and then just delegate to it
-
Alex
SaltyBones: I host HTTP on a different server, my DNS provider cannot be automated, so I always have to add TXT records manually for validation which sucks
-
moparisthebest
jonasw, why is it wrong to listen on chat.domain.example and only serve 1 thing? :/
-
SaltyBones
ah...yeah that's a pain :D
-
SaltyBones
I just have apache vhosts for imap and jabber
-
jonasw
moparisthebest, because it is not a friggin HTTP service.
-
Kev
And then you move the certs from the http server to the xmpp one? :)
-
jonasw
Alex, lovely :<
-
jonasw
Alex, consider hosting a tiny pdns instance with RFC so-and-so support (that DNS update thing)
-
SaltyBones
Kev, that's why it's a pain if the servers are different. Although, given http_upload I suppose a letsencrypt module for servers would not be absurd...
-
jonasw
and delegating the _acme-challenge subdomains to it
-
jonasw
I do that, it works
-
moparisthebest
no Kev , I just have this nginx config on all my servers:
-
moparisthebest
server {
    listen 0.0.0.0:80;
    listen [::]:80;

    # Stateless HTTP-01 responder: the key authorization is "<token>.<thumbprint>",
    # where the thumbprint is the JWK thumbprint of the ACME account key, so the
    # challenge passes without any file being written on this host.
    location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
        default_type text/plain;
        return 200 "$1.YOUR_LETSENCRYPT_ACCOUNT_KEY_HASH";
    }
}
-
moparisthebest
and all letsencrypt challenges pass without any communication between servers
-
moparisthebest
easy and done
-
Alex
moparisthebest: it would be easy if I had a subdomain for my XMPP server, or a domain which I don't use on other servers
-
SaltyBones
wait..isn't there something wrong with this? that allows me to get certs for your machine, no?
-
moparisthebest
SaltyBones, only if you have my letsencrypt account key
-
Kev
moparisthebest: So that on the HTTP server is enough to be able to generate a cert on the XMPP server?
-
moparisthebest
which is the same on all servers
-
SaltyBones
Oh, is that included in the cert?
-
moparisthebest
yes Kev
-
SaltyBones
Because I can just say "letsencrypt gimme cert for $yourdomain" and it will go to your domain and check if the file is there, think that it is, give me the cert...no?
-
moparisthebest
SaltyBones, this part return 200 "$1.YOUR_LETSENCRYPT_ACCOUNT_KEY_HASH";
-
moparisthebest
letsencrypt expects it to return the hash of the requesting key in there
-
SaltyBones
kk
-
moparisthebest
you'd have to have that key for the challenge to pass
-
SaltyBones
so I actually need to prove that I have a key with that hash?
-
moparisthebest
so if you hack into my server and steal that key you can get certs for my domains, but, if you hack into a server that's true anyway
-
moparisthebest
yep
-
SaltyBones
okay
-
Alex
this is exactly how all the big web providers handle it in their apache or nginx configurations
-
Alex
and part of my problem, because I use PAAS for my HTTP servers, they don't allow me to control the /.well-known/ route :( They automatically handle it with their key always
-
moparisthebest
ah yea then you have to use the DNS challenge
-
moparisthebest
this works perfectly in my setup because I have 2 http servers, one for burtrum.org and one for moparisthebest.com, and 1 xmpp server that serves both, so it's nice they don't need to communicate and each can get the proper certs automatically
-
Kev
Which only works if you're prepared to set up 'bad' A records for your things like pubsub, MUC etc. pointing to the HTTP server.
-
moparisthebest
I guess, all mine just redirect you to the right domain anyway, don't see the harm
-
moparisthebest
but if you don't want to mess with it, DNS challenge
-
daniel
what clients do support micro blogging?
-
vanitasvitae
daniel: afaik the mangosta android app does
-
SaltyBones
doesn't movim also support it?