XSF Discussion - 2018-03-01

8AM and I already won the 'most pointless mail to standards@ of the day' award.

great, poezio is massively confused by this MUC. Trying to answer nontheless: how do you end up with 2046 octets? the "@" surely is needed?

Nope.

What do you need the @ for?

Kev, to separate localpart and domain?

Why do you need to do that?

(I'm not being dense, you'll get there in a moment :))

oh my god, are you suggesting to put a 1023-octet localpart and a 1023-octet domainpart into the thing without separation because it can be inferred by the length and absence of an "@" where the separation happens? ✏

:)

oh my god

:)

you can’t do that to me

good morning Kev, you already made my day :-)

No, I'm not suggesting it's a good idea, but it's 8AM and I felt the world deserved to suffer.

I am amused at this point :)

I’m sorry that you feel the need to make the world suffer, wanna talk about it? :)

(this idea is so insane and I can, in a very *very* weird way relate to it, doing embedded work from time to time)

(it keeps making me laugh)

(if that helps you in any way; if you genuinely want suffering, I’m double-sorry now)

No, not really.

This only works if your upstream implementation actually enforces the 1023 octet limits

But it reminds me of the double-linked-list-with-only-one-pointer trick.

I don’t want to know.

(although I’m guilty of using Duff’s-device-coroutines)

hmm? and where do you get the length from? Don't you need to store it instead of the separation char?

flow, the length is in the data field itself; XML delimits it for you

(and databases would too)

We were talking about sponsoring individual XMPP developers recently, and maybe this one might work out for some: https://www.buymeacoffee.com/

what’s the difference to patreon and liberapay?

> We offer Paypal and Stripe as payout options.

meh

jonasw: better branding.

Stripe does IBAN payouts, though

I signed up for liberapay and just realized that they didn’t ask me for a password yet.

that’s smooth onbording I’ll say

> Unlike other non-profit platforms, Liberapay is neutral. You can create an account without having to wait for us to approve it, and we won't kick you out unless you break the law or the terms of service. Heh. But I kind of like the overall thing

"but"?

I don't know about them, but most payment processors have very vague ToS, so you'll end up kicked anyway

jonasw, that’s kind of similar to the policy of the "kickstarter for fascists" started by far-right groups

mathieui: wasn't that more like patreon? Because patreon kicked Lauren southern?

So seems like the MLS WG is pretty limited in their planned supported scenarios.

Tobias, how come?

https://mailarchive.ietf.org/arch/msg/mls/b5YoQfdeFcoLYrFdxbZmdX__jWA

See this thread

That's a very well-written email to kick things off.

Dave Cridland, "within blue light"?

hmm, possibly rescue services and such

flow, Right, sorry, a UK term. People who drive vehicles with blue lights on top - so fire/police/ambulance.

But also coastguard, mountain rescue, cave rescue, and all sorts. Weird sector, because some of it is Government funded and some is volunteer.

That escalated quickly

XSF Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

Good afternoon

0. Welcome and agenda

Hi!

Who do we have?

Me

I

Martin and nyco?

Guess not.

Any additions to the agenda?

I've added commteam membership requests to Trello earlier

(also, minutes?)

Guus: I'm following the left-most column of Trello

1. Confirm minute taker

Who (including floor) can do this?

if not anyone from the floor, I will

Thanks Guus ✏

2. Board priorities

We still need to settle the meeting which nyco was setting up

I'm tempted to say that given our track record, that meeting that we're holding this off for isn't going to happen.

can we come to a conclusion on this without that meeting?

I guess, but let's keep this on for one more week. Doing this with just 3/5 is not helpful

agreed.

My proposal to make progress on this...

I'd like to do another membership survey (though I know some people don't believe it holds much value)

I'm with the latter, but it doesn't hurt to have one either.

I can draft something up, and we'll at least have something to discuss

Right now it's such a broad open-ended topic, this "board priorities" thing really gets to me

Yeah, I agree

If all we need to do is agree that we want to make XMPP more popular and combat spam, let's just do it

and remove this card

what about making Jabber more popular?

Let's not have this discussion right now.

Mattj, please go ahead. Anything to move forward.

Yep

3. Additions to Work Teams

Ok, I'll add it to my to-do(TM)

JC asked me to add those names up for a board vote

From what I understood after the meeting last week, Winfried should have been part of the communications team. I'm +1 on adding him.

I'm very happy for anyone to contribute, and strongly believe the board should facilitate where we can, as I'm convinced that this benefits us all. My voting behavior on team membership issues is therefor "yes, unless".

Communication work team membership allows people to communicate on behalf of the XSF (by granting access to our social media accounts, and by allowing them to directly make changes to our public website).

Although he appears to be very motivated and puts in a lot of effort, I am not comfortable with Ludovic communicating on behalf of the XSF: I've experienced his style to be badgering, to the point of great annoyance, pressing non-issues, or issues that I disagree with.

I've seen, and have heard of, similar issues between him and others.

I'm therefor -1 on adding Ludovic as a member of the Communnication work team.

I have no concerns regarding Winfried's membership of the Communications work team. I'm +1 on that.

I agree with all of that Guus.

Likewise on both counts

I’m glad to see that I’m not the only one.

Ok. Motion to add Winfried carries. Motion to add Ludovic doesn't carry.

4. SPAM SIG

This was discussed after last weeks meeting briefly.

If this is an open group that essentially consists of a mailing list and MUC room, I have no objections

I want to reiterate here that the (previous) board has voted this down, and I intend to stick by that decision until there's a better proposal.

I think the initial request was for a closed group

If this facilitates an effort, I'm not against this.

MattJ: right, but a SIG is more than that and I don't see why this needs to be an XSF activity.

See also the operators mailinglist

a SIG is open by definition

the reason to make this an XSF-approved thing is to show that we are committed to fighting spam, and that we are actually doing something

I'm not on there, I think. Was there a relevant discussion, or is that an alternate venue you're referring to?

I don't care much about the formal structure

Ge0rG: until the direction of the XSF changes, we are a standards body

ralphm: then it's time to change directions

I don't see much of a difference between this and other SIGs we've formed in the past

I'm not in favour of the spam manifesto being an XSF activity, for sure

Ge0rG: and not everything XMPP under the sun has to be an XSF activity for work to get done. I tried explaining this on various occasions, and I don't understand why you don't get that.

So work on it, if there are things you can't do, propose a XEP and we'll vote on this again.

(a XEP for a SIG. XEPs for protocol can go directly to the Council)

ralphm: while I agree that we as the XSF have very limited manpower, my hope is that at least we as the XSF have a wider outreach, so we can have more contributions.

Ge0rG: there's nothing the XSF does to 'widen outreach'

ralphm: you should discuss that with the comms-wg

I suggest you get something started, tell the Comms team what you are doing and they can add a line or two in their news letter.

5. AOB

Anything else?

the ED search and bus factor thingy?

bus factor wise, we're waiting for Peter's contact at the bank to return, I think? I'll ask him about that

thanks

the Executive Director replacement, I still am unclear what needs to happen there.

but we should get that sorted (or removed)

I'd like that to be part of our Priorities discussion, if we ever have one.

we're not simply asking for someone to take over from Peter?

As was brought up briefly around the Summit, we need to know what we expect this person to do, outside of the profile that was defined long time ago.

sensible. But, perhaps take that out of context of the prio thingy - to not overload that effort?

does putting the newsletter license under CC By-SA need a board vote? I've made a P.R. for that, jc is OK for it (I've asked yesterday)

(goffi, I don't know to be honest)

I don’t think so, frankly.

goffi, it probably would

do we have something which puts all rights on work made on the website under XSF ownership?

Does the XSF even hold the copyright?

Let me check that.

if not, JC probably has the permissions to put it under any license he likes

If it is an XSF activity, yes

He's not paid for it

Neither are XEP authors?

I think payment is not a factor

XEPs are explicitly attributed to the XSF

XEP authors give ownership explicitly (I've done it)

I think going forward, it makes a lot of sense for the XSF to own the copyright to things it publishes

defining a license for website content would be a good idea.

I seem to remember we had this

or rather: digging in the archives whether there actually *is* a license on website content and it just got lost in transition

that might not be the worst of ideas

checking archive.org now

jonasw: thanks

Shall we move that to next week then?

Let's continue this out of band, and maybe add an item to our Trello

https://web.archive.org/web/20070707184343/http://www.xmpp.org/about/copyright.shtml

CC-BY

2.5

(apparently)

Shall we restore that to our current website?

I don’t find a similar attribution in the 2011 version

so technically the content created inbetween is probably in limbo

It probably got lost in all the site changes

I think it's reasonable to assume that it was not intentionally dropped and replaced by <nothing>.

yeah

Agreed

I +1 your suggestion, Guus

martin (hi!), mattj?

Yes, +1

Carries

Ok, I think that's it for today.

6. Date of Next

+1W

7. Close

Thanks all!

wfm

XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

Thanks

Holger, could you unban me from the ejabberd muc? -_-

Holger, could you unban me from the ejabberd muc, please?

:)

Alohomora might've worked as well. Guus was very unspecific.

:)

Avada Kedavra!

Well, that wouldn't be my choice, really. You want to open a lock, not kill the admin.

Dark wizardry is frowned upon by most operators.

I only remember that and Lumos. :p

SaltyBones, Vingardio Leviosa?

(wutschen und wedeln!)

Expecto Patronum!

Our testing framework for M-Link has an expectation framework called Expecto, and the 'check everything is the way it should be and fail the test otherwise' call is ->patronum().

So many of our unit tests end with the line expecto_->patronum();

How would you expect to get marks for Charms if you can't even be bothered to use the right one if it's provided on a silver plate? ;)

Kev: what's the `_` for? singleton?

member

wasn't the member `_` a prefix, typically?

Prefixes are magic in C++, and you have to be very careful to get them right. So it's safer (and reads better) to just suffix.

> Each name that begins with an underscore is reserved to the implementation for use as a name in the global namespace. Oh, didn't know *that*

C++ is full of surprises, even to experienced developers

I completely agree and hate it for that.

I thought it was just _Uppercase?

fun

I’m using m_foo now anyways

jonasw: _Uppercase is reserved in any scope, _* only in global scope

ah okay

I'm sure this distinction is never going to bite anyone.

omg.. ~/projects/psi/git$ grep -P '\b_\S+' --include '*.cpp' -r . | wc -l 1782

rion, foo._ would be safe IIUC

Ge0rG: I chose my words carefully :)

Kev: as you always do, indeed.

Wibble.

Kev: working on RowanIM again?

Something like that.

Maybe we should rename Swift to Adder or something.

Until Apple then releases a new calculator or something.

Sounds like a cunning plan.

jonasw, I always use m_xyz for non-public members, too.

When discussing IDs yesterday it was a common view that servers want to pick IDs for MAM storage.

I'm wondering if that flexibility is actually being used and is necessary?

Yes, it's being used

Don't all servers have to basically perform the same operations on the archive and need the same index?

The id can help encode indexing information

Is that something that could or should be standardized because all servers need it?

What kind of stuff do you encode there?

No, it shouldn't be standardized - it's not even standardized in Prosody, because it depends what storage you are using

It should be standardised that the server chooses, if that's the question.

Oh, right, sure. I assumed the question was "should the encoded information be standardized?"

Yes, it was (what MattJ said). :) ✏

We have a translation layer for a legacy storage mode where you need the date and offset to identify messages

O_o

https://unicode.org/reports/tr51/#Longer_Term and the XSF as a whole, regarding emoji and stickers

unicode was a mistake

wat

unicode has failed

at what

https://xkcd.com/1953/

They just have to add teletext codepoints and colour selectors, and Bob's your uncle.

that XKCD could not be more accurate

MattJ, Zash: so one thing that was not completely explained yesterday is why we do mam queries with stanza-ID. Would it be so much more complicated to query by client ID?

SaltyBones: O(n)

Can't you translate the client ID into something that can be an index? If I understand the problem correctly...

There's no index

Zash: There is an index, it's just not conventional.

So what s the O(n)?

Searching the entire archive for the right id.

It avoids O(n) by being able to skip to the right day, because there's some time info embedded in the ID

Interesting...

So there is no index except a rough time?

The legacy thing I mentioned doesn't have an index, just a directory tree.

And then it looks for the exact stanza-ID in the neighborhood?

And it's about as old as Prosody itself, and used for MUC

Who picks the stanza id in MUCs?

Is there any way for the server to check if the queries stanza-ID was good?

(efficiently)

I suppose you already answered that...

And who picks the stanza id on messages from 2009?

Are you asking me?

I'm actually talking about the thing behind http://logs.xmpp.org/xsf/

Because I have no clue. ;/

I m just wondering if we could avoid clients having to deal with stanza-IDs

Maybe they could just query by timestamp

I don't know. I'm just curious. ;)

As a client author, I don't think it's worth the effort. This is not providing much value, while many other things need solving.

SaltyBones, if there was an easy solution the people here would already have done it

everything has pro and cons

I agree but some of those are invisible to me. ;)

Kev: Would that hold even if you were writing one from scratch?

Yes.

Ok

Then I'll just type up a summary of this and yesterday's discussion for the mailing list.

As a server author, I also don't want to have ids that I need to index in some way being assigned to me instead of having me generate them (applies to resources as well as MAM, in fact) :)

with current mam:2 the whole process is not elegant but it works

so indeed there are other things we could spend energy on

you already do Kev , JIDs for example

Not quite the same.

it's an arbitrary string you have to index and search on

pretty sure it's exactly the same

I promise it's not.

SaltyBones, as a client author, I prefer bouncing another stanza ID around over using timestamps for querying

timestamps are the most awful thing

:)

this trustico certificate business is the best entertainment I've seen for awhile

Anyone got any good arguments on this topic? https://mastodon.xyz/@HerraBRE/99605039095553757

Good arguments for which side? ;)

that's just dumb

it's public knowledge that google etc just mines everyone's data, it's in their TOS

he is saying a friend/family that hosts a server can also do that, which is true

the solution is to use a protocol that lets you hide as much data as possible, so you can trust anyone else as little as possible

Isn't the argument more that your friends/family are more likely to violate your privacy so being a needle in a haystack (aka using gmail vs a email hosting a family/friend setup and maintains) you probably are less likely to have your privacy violated

Yes, and that the data mining by Google is less harmful than snooping spouses. At least short term that s probably true

That's btw why I like e2e. I don't have access anymore. Awesome!

yeah, great :)

It's probably true that the negative consequences of someone snooping are far more likely to occur with friends/family. Google might read my email and find out i'm cheating on my wife but all they care about is knowing i'm a good candidate to advertise 2 star motels.

jjrh: That is a wonderful example!

jjrh, except it's public knowledge google violates *everyones* privacy all the time as a matter of business

Incentives

so your likliehood of getting privacy violated on google is 100%

seems like it could be less than 100% elsewhere...

That's why I said the negative consequences of that.

yea so if you are cheating on your spouse, you probably shouldn't use a server your spouse has access to

but do we have to spell out obvious things?

Other than E2EE, is there anything that can be done in a world of federated friends&family servers wrt incentives for doing the right thing?

E2EE? end to end encryption?

Y

I think the problem is backwards. :)

We are using F&F because we trust these people more than Google.

this is a frustrating argument

this is a frustrating evening

well e2e but there is also things we can do to hide metadata

jonasw: Have you caught some common cold variant too?

that I haven't proposed yet but might get around to some day :P

jonasw: yoga?

Zash, nah, just Qt

Ah

(Qt (a) doesn’t support libnotify for whatever f*ing reason there might be and (b) does awful and illogical things to my icons when shoing them in the systray)

moparisthebest, I think it's more the grey area where you're not doing something obviously wrong but for various reasons may not want your wife to know.

then you shouldn't use a server ran by your wife

that's simple common sense

The point is, trust relationships change but sometimes you notice too late.

However, very often they don't.

besides if you live with a server admin and use their server

and switch to using google, they can also just mitm you or hack your computer

so what's the point here

Having the server admin within a stones throw could serve as an incentive... :)

So, I run my server with a friend who lives in a different country. Your argument simply does not apply.

moparisthebest, different levels of criminal energy needed

jonasw: maybe, all those things are pretty easy once you go down that road ;)

Probably a more likely scenario is your wifes aunt runs a email server and snoops most likely unintentionally. The point is more that just because someone at google is - as you said constantly violating your privacy - the likely hood of a - at least immediate - negative impact is far lower

setting up a sophisticated MitM proxy, installing a rogue CA certificate and ensuring that it can’t be reasonably circumvented requires much more criminal energy compared to grep -Rni "interesting thing" /var/lib/prosody/

jonasw: just installing $snooping_app is also pretty trivial.

I mean I run a server for my family that lives in this house, plus my mom who doesn't

but I also handle all the stuff on my mom's computer too

whether I snoop on the server is irrelevent

also fun fact: i recently heard a fun story from employees at a *large* international payment processor. apparantly it’s common to find some amusement in the transaction comments, especially since some .. uhm .. adult recreational toy? stores appear to put your whole order list in there :)

jjrh: What bothers me about this is that long term all this data collection about us might have negative consequences. And then it will be very hard to fix. :)

if this is a problem for you the solution is e2e not switch to google

that's insane

SaltyBones, yea it's just harmless data until it gets you and generations of your descendents murdered https://jacquesmattheij.com/if-you-have-nothing-to-hide

jjrh, precisely the reason why I hate to debug email issues. it often involves looking at logs or data i don’t even want to see.

I'm by no means saying it's better to use google/be a needle in a haystack. Just that the arguement holds some validity that it's probably true privacy violations with negative impacts are more likely from friends and family.

well that entirely depends on the specific situation you are in though

cheating on your wife - true

planning to blow up a power plant - false

That's true and really we are basing the idea it's more likely off the assumption the majority of murders/sexual abuse are from friends and family equates to privacy

Which sounds reasonable but I don't actually know if that's true or not.

if your family is the murdering/abusive type then maybe consider using a different provider

OR MAYBE MOVE AWAY OR SOMETHING MORE SENSIBLE THAN CONSIDERING CHAT PROVIDERS

it’s not always as simple as that, I bet

It's never easy

relationships are much more tricky than "don’t do that"

I tend to want to implicitly trust someone. If I can't trust that you won't ignore the email client I left open when you're checking something unrelated why would I associate with you?

Society is built on lots and lots of implicit trust in others.

Crypto is actually kinda weird in that regard

Not really - if we could actually trust everyone no one would think about crypto

I mean, a locked door isn't really all that secure, but it's a social signal and you trust most people to respect that most of the time.

.

Net-hickup

I mean if no one stole anything we wouldn't lock doors

I know people who still don't

I think that's a little dumb, but it's never been a problem yet...

The lock itself is only a part of why.

Morality, the justice system and insurance

The locks themselves just need to be enough of a road block that someone who gets past it clearly demonstrated intent

well there are people that would take something if it wasn't locked, but would never break a lock

that saying a lock keeps an honest man honest or something

https://www.youtube.com/watch?v=MLjifumRk3Q

-w can

E2EE won't solve the abusive admin problem, because the admin will just look for your metadata

again totally depends on what you expect to remain private

and I think we can do more to minimize metadata in xmpp, in combination with e2e

Which point on the security vs convenience scale do you want?

it's nice to be able to choose

nah

Choice is hard

moparisthebest: most people can't choose what they want, not even people from this MUC.

have you seen that chat system someone made that requires 3 computers at each end that communicate over 1-way optical links ?

kthxno

I'm trying to find it but failing...

anyway, that's the 'secure' end of the scale

Let's have that quantum entanglement thing, that'll probably solve all problems!

I need a quantum bingo

It's more what the default should be.

majority of users will use what's default

found it https://github.com/maqp/tfc/

Tinfoil Chat

Send a physical letter!

the diagrams and entire system really is amazing

It's got way better legal protections afaik

Would be better with photocell and led's. I don't trust optocouplers black box.

yea I think he said the original design had that

or that he based it off that or something

you might as well go all the way if you are going this far I think

yeah