-
jonasw
after reading https://gultsch.de/converse_bookmarks.html, I think we should adapt the security considerations of XEP-0223 to include a strong hint that discovering support is vital for security
-
Ge0rG
jonasw: that or doing the probing limbo dance
-
jonasw
probing limbo?
-
Ge0rG
Where you publish with options set and then query what the server did out of that
-
Ge0rG
BBL
-
jonasw
and then your data is already public?
-
Zash
Trying with non-sensitive data first?
-
jonasw
not convinced
-
jonasw
discovering the feature seems more reasonable to me
-
Zash
Of course.
-
Zash
Are the required features recent additions or what's the issue here?
-
Zash
(assume I've lost all memory)
-
jonasw
no, people just apparently don’t check if the service actually supports publish-options
-
Zash
I approve of big angry warning in 223
-
Ge0rG
Zash: PR or didn't happen
-
jonasw
Ge0rG, #608
-
jonasw
:P
-
jonasw
https://github.com/xsf/xeps/pull/608
-
flow
jonasw, +1
-
jonasw
I was slightly shocked that a XEP which puts private data in pubsub boldly claimed that there were no security considerations above those in '60 and '163. I haven’t checked if "everything’s gonna be public" has been mentioned there, but not mentioning it in '223 anyways feels negligent
-
Ge0rG
jonasw: 👍 Also I remember documentation somewhere on how to publish to PEP in a secure way, but probably it predated the latest publish-options
-
jonasw
Ge0rG, daniel has some on his site
-
Ge0rG
Yeah, that
-
jonasw
this one probably: https://gist.github.com/iNPUTmice/7c52785ed69787516abb60e31703dbd2
-
Ge0rG
I was looking into crawling all my contacts' PEP for their bookmarks for a while, but I never was sufficiently good at scripting xmpp
-
daniel
Ge0rG, just subscribe to the node
-
jonasw
does that give you a push when you come online?
-
daniel
yes that'll push you all your contacts bookmarks
-
jonasw
neat
-
jonasw
lemme try that
-
daniel
aehm +notify i mean
-
jonasw
sure
-
Ge0rG
daniel: you mentioned that, yes. But it still requires code to subscribe and to process events
-
jonasw
heh
-
jonasw
lemme aioxmpp that for you
-
Ge0rG
If somebody writes a script that...
-
Ge0rG
jonasw: yes please
-
Zash
`storage:bookmarks+notify` ?
-
Ge0rG
Are there any other use cases of private PEP?
-
daniel
i just added that to Conversations very quickly. that was like two lines of code
-
daniel
when i tested that last month
-
Zash
Just tried using clix. Boring, got nothing but disco#info queries at me.
-
daniel
yeah it's not very widespread it seems. nobody uses converse.js (to publish! bookmarks) and in poezio it's just a rare corner case
-
Zash
What's `urn:xmpp:inbox`
-
jonasw
Ge0rG, aioxmpp git pull && cd examples && python3 listen_pep.py --namespace storage:bookmarks
-
jonasw
stop it with Ctrl+C
-
jonasw
I tested it with urn:xmpp:avatar:metadata
-
Zash
Uh, taking a thing that's meant for *broadcasting public data* and using it for storing private data?
-
jonasw
it revealed the depressing amount of people using xep-0084
-
Zash
About a quarter of my contacts, it seems
-
daniel
note that you wont receive pep notifications for offline contacts on ejabberd servers
-
daniel
that might distort what ever you are 'testing'
-
Zash
jonasw: Nice caps2 you got there
-
jonasw
:)
-
jonasw
the resource tells you why
-
Ge0rG
jonasw: ModuleNotFoundError: No module named 'aioxmpp' 😞
-
Zash
jonasw: Does it offer like an XML console/REPL hybrid thing? (like `clix raw`)
-
Zash
If not, make one, it's the best thing since sliced bread
-
jonasw
Ge0rG, enter your jabbercat virtualenv
-
Ge0rG
Oh, yes.
-
jonasw
Zash, yeah, it’s tricky to do that with asyncio though
-
jonasw
like, really tricky
-
jonasw
readline + asyncio doesn’t mix
-
Zash
Can't pretend that stdin is a socket somehow?
-
jonasw
that’s not the main problem
-
jonasw
writing things on stdout asynchronously and expecting readline or whatever’s handling your input to cope by redrawing is "nope"
-
jonasw
I messed with that for some time and then gave up
-
jonasw
closest thing I can do is something based on urwid (pure-python ncurses-like thing)
-
jonasw
not to mention that doing actual raw XML is super-hard with aioxmpp
-
Zash
clix doesn't use readline, just the bare io lib for reading stdin, and some clever lies told to the network server
-
Ge0rG
jonasw: so it's idling there after I entered my password. Does that mean everybody I know is safe?
-
jonasw
Ge0rG, yeah
-
jonasw
modulo what daniel said
-
Zash
I usually wrap it in rlwrap. Not that it gets happy about showing new stanzas while you are typing something...
-
Ge0rG
ah, urn:xmpp:avatar:metadata happens to return a bunch of things.
-
jonasw
Zash, yeah, that can probably be done easily, but that goes against my perfectionism ;-)
-
Ge0rG
I demand a zemlyanka frontend.
-
jonasw
a what
-
Ge0rG
that used to be a TUI binding for one of the large X11 toolkits. GTK I think
-
jonasw
creepy
-
Ge0rG
I am waiting for a use case that mandates a resurrection of TurboVision
-
Link Mauve
“13:27:28 Steve Kille> Ge0rG: military users like to have lots of tabs, so they can monitor many chats at once, with keyword highlighting to draw attention to things they care about. I have been told of an operator with 64 rooms displayed”, damn, I should get into this business, they’d see my poezio with 216 tabs (currently)!
-
jonasw
216 is a great number
-
Link Mauve
About half of those are private discussions, the rest are MUCs.
-
Zash
Link Mauve: You are promoted to General. Report to the president at once. ;)
-
Seve/SouL
Haha
-
Link Mauve
Zash, it’s with the very concept of war that I have an issue, so sadly I can’t make use of my great poezio skills that way.
-
jonasw
Link Mauve, sabotage them from the inside!
-
* rion just implemented optional session in Psi.
-
Martin
Any Boardies about?
-
* MattJ waves
-
Martin
Hi MattJ
-
MattJ
ralphm, Guus
-
ralphm
I'm here, but also in a telco
-
ralphm
Can somebody else take the lead for this meeting?
-
Martin
I can
-
MattJ
Thanks Martin
-
Martin
1. Roll Call:
-
Martin
Me, MattJ, and ralphm in his peripheral vision
-
Martin
2. Minutes.
-
Martin
Any volunteers?
-
MattJ
I'd rather not volunteer, as I already have outstanding commitments...
-
Guus
I'm half here
-
jonasw
I would, but I can’t promise that I don’t have to disappear in the next 30 minutes, sorry.
-
Martin
OK, I'll try and scribe after the fact
-
Martin
3. Topics for decisions
-
Martin
3.1 Board Priorities
-
Martin
From last week's minutes, seems like there's a meeting that needs arranging
-
Martin
Anyone know where that's at?
-
Guus
Nyco has asked me for availability a couple of times
-
Guus
Don't know the current state.
-
Martin
OK, let's kick it along the road to next week
-
Guus
At some point, I think we should give up on this.
-
Guus
Sooner rather than later.
-
MattJ
wfm
-
Martin
Let's give it another week, then see where we are
-
Guus
K
-
Martin
3.2 Bus factor / bank account
-
Guus
I failed to ping Peter
-
Guus
Still waiting on feedback from the bank, AFAIK
-
Martin
OK
-
Martin
4. Commitment list
-
Martin
4.1 Board priority meeting: dealt with above
-
Martin
4.2 Membership survey, MattJ?
-
MattJ
Not finished, but I may send a draft for feedback to the board list in the next day or two
-
Martin
Cool
-
Martin
4.3 Prepare discussion points regarding the Fundraising and Financing discussion.
-
Martin
Guus?
-
Guus
I did not plan to be here today (I sent apologies) and did not prepare for that.
-
Martin
OK, no problem
-
Guus
Next week
-
Martin
5. Items for discussion
-
Martin
5.1 Fundraising & finance
-
Martin
I'm guessing we should postpone this topic given the above?
-
MattJ
+1
-
Guus
Yup
-
Martin
6. AOBs
-
Martin
Any?
-
MattJ
None here
-
Guus
Not from me
-
Martin
Righto
-
Martin
6. Date & time of next? Everyone OK with +1W, 14:30 UK time? (I know some DSTs kick in)
-
MattJ
wfm, I think everyone is going to switch at the same time anyway
-
Guus
It's 14:30 always, right?
-
Martin
Guus: It is indeed
-
Guus
Wfm
-
Martin
Excellent, then I think we're all done. Thanks all!
-
MattJ
Thanks Martin :)
-
Guus
Tx
-
Maranda
. . .
-
Maranda
. .
-
Maranda
.
-
Maranda
Pidgin still uses legacy sessions? Oh rly?
-
Zash
Everything uses them
-
Zash
Some servers required it, and there wasn't any way to know that it was optional.
-
* Maranda eyes Neustradamus.
-
Zash
So it must be used if offered.
-
Zash
Or you risk not being able to login at all
-
Maranda
And what if not offered?
-
jonasw
yeah, learnt that the hard way with aioxmpp
-
Maranda
Pidgin breaks? yay.
-
Zash
If not offered then ???
-
Holger
Now there is an <optional/> tag right ...
-
Zash
Probably some clients will do it anyways because reasons, and shoot themselves right in the connection.
-
Maranda
if not offered then pidgin = "borked" end
-
Maranda
XD
-
jonasw
classic pidgin
-
Maranda
Neustradamus, what you made me do :P
-
Zash
Holger: In an expired draft...
-
Holger
Zash: Well, yeah.
-
Zash
Prosody does add optional tho.
-
Maranda
Holger, I (re-)added the optional and changed the default to not offer legacy sessions by default and guess what... An e-mail this morning stating someone using Pidgin can't login.
-
Maranda
woohoo
-
Zash
Heh, https://hg.prosody.im/trunk/rev/0bbbc9042361
-
moparisthebest
actually that might be good
-
Zash
Praise waqas
-
Zash
That might predate the draft
-
moparisthebest
if they can't login with pidgin, then it's "pidgin sucks", if they login with pidgin successfully then it's "xmpp sucks"
-
Zash
moparisthebest: whoever touched it last gets the blame
-
Holger
moparisthebest: I think XMPP sucks if we break interop for no good reason.
-
Zash
First rule of Internet protocols: It has to work.
-
moparisthebest
that's if you define pidgin's xmpp implementation as 'working otherwise'
-
Holger
Depending on the use case it works just fine of course.
-
moparisthebest
for the use case of work like AIM in 1999 sure
-
Holger
That's the #1 strength of XMPP. We can add a ton of modern stuff without breaking Pidgin.
-
Holger
moparisthebest: Yes for many of my co-workers that use case hasn't changed.
-
moparisthebest
I'm not so sure, whenever someone says 'XMPP Sucks' if you ask enough questions it usually boils down to 'Pidgin Sucks'
-
Holger
Saying it's good to break stuff for them because Pidgin doesn't fit your use cases is going for Matrix.
-
Zash
> If it ain't broke, don't fix it. Common saying about things that appear to work, but are actually horribly broken.
-
Holger
If I wouldn't care about compat I'd ditch XMPP and start from scratch.
-
Holger
moparisthebest: I'm sure he'll love XMPP if you break Pidgin's ability to initiate a session altogether.
-
Zash
Maybe even Pidgin with GTalk
-
moparisthebest
I'm just saying virtually every time I've had a discussion with someone that said xmpp sucks, they meant pidgin connected to gmail sucks
-
moparisthebest
luckily half of that is gone now
-
Zash
Is it really tho?
-
moparisthebest
I thought it was?
-
Zash
Federation is dead
-
jjrh
I think the solution for pidgin is either: A) Fix pidgin's xmpp support or B) convince distributions to ship something else by default.
-
Holger
moparisthebest: I do not doubt that. The thing I don't understand is how you come to the conclusion that breaking Pidgin helps with that problem.
-
Zash
jjrh: Too attractive to ship one thing, get all the protocols
-
jjrh
Zash, I'd be interested in how many people actually use pidgin for much other than XMPP and possibly IRC.
-
moparisthebest
pidgin users should be used to stuff breaking, lync support always broke when I used pidgin for it
-
moparisthebest
of course official lync client isn't much better...
-
Zash
moparisthebest: Have you tried suggesting alternative clients when you reach the conclusion that pidgin is the problem? Assuming they understand or admit it themselves?
-
moparisthebest
yea, every one I've convinced to try Conversations really likes it
-
jjrh
I mean ummm 5 or so years ago pidgin was okay. You could connect to a bunch of chat systems with it. These days everything has broken their support. I migrated to bitlbee for a while then gave up and just open browser tabs
-
Zash
moparisthebest: because that's probably one of the times they'd be most receptive to it
-
Zash
it sure doesn't work to say something like "your thing sucks, try mine"
-
Holger
Even less so if your thing was a desktop client and mine runs on Android.
-
jjrh
Pidgin dev is pretty dead by the looks of things. :P
-
Holger
Sure.
-
jjrh
Last news update was 2016
-
Holger
So what? It's not like I recommend Pidgin to anyone, ever. It's just that I don't fancy breaking Pidgin for no good reason, that's all.
-
Holger
(And Pidgin just being an example, of course.)
-
moparisthebest
not for no good reason, but you also wouldn't want to hold everything else back just for pidgin compat
-
moparisthebest
it's a balance I guess
-
Zash
Last commit seems to be less than a month ago tho
-
jjrh
No I agree - breaking a client isn't a good idea. My point is more the reason pidgin is used - even if it's ONLY for xmpp - is because it's installed by default on the majority of popular distributions.
-
Holger
moparisthebest: This was about offering <session/> (as a no-op). This doesn't hold back anything.
-
Zash
It can't really be removed at this point, but adding <optional> allows it to be skipped by aware clients
-
Holger
Yes I'm all for <optional/> (and ejabberd adds it as well).
-
Holger
Without <optional/> it does hold back saving that round trip of course.
-
Maranda
Holger I don't think Pidgin cares about optional.
-
Maranda
:P
-
Zash
Clients that don't know about <optional> pay the round trip price.
-
Holger
Maranda: Of course not.
-
Maranda
And it will say "error initializing session" if it's not offered as well lol.
-
Holger
Maranda: Yes. Optional is the way to allow modern clients to save the round trip without breaking old ones.
-
Holger
(Am I not stating the obvious?)
-
Maranda
I'm not sure if I should change the default of legacy session offering back to true.
-
Holger
Why not?
-
Maranda
I suppose so.
-
Maranda
Holger, I didn't consider Pidgin would break, I should have probably.
-
Holger
Well I'm obviously not complaining about an oversight, just about an "it's fine to break old clients" attitude.
-
Maranda
Holger, oh I didn't want to break anything I didn't expect it to break :P
-
Zash
Can we fight over dialback instead?
-
fippo
zash: you can fight with me!
-
Holger
Zash: It should die who cares about old servers!!
-
Zash
Kill it with fire!
-
Zash
Or at least get xep-0178 to match whatever current consensus is
-
Holger
Yeah 0178 should be fixed.
-
Holger
Next issue we ran into with Dialback is 0198 feature negotiation.
-
Zash
Because it's not advertised on unauthenticated connections? And there's no advertising at all after authentication-by-dialback
-
Holger
0198 says "negotiate when authenticated" Dialback says "go go go when authenticated!".
-
Holger
Zash: Right.
-
Zash
Which means it has to be advertised before auth
-
Zash
Or limited to connections with SASL EXTERNAL
-
Zash
I wonder if BIDI didn't have some similar issue
-
Zash
In at least one of those cases I just went with EXTERNAL-only
-
Holger
Yeah I think I'm going for limiting it to SASL EXTERNAL. So I'm back to "burn Dialback with fire".
-
Maranda
well yes you can't use db on the same stream for bidi.
-
Maranda
You need to open another.
-
fippo
holger: mind you, in the past when those specs were written the percentage of servers that had usable certificates was single-digit
-
Holger
fippo: Yes, sure :-)
-
Holger
Some things do improve.
-
Maranda
Holger, or it's even worse maybe....
-
Maranda
no it's not.
-
Holger
(Then again, if the attacker can mess with DNS to circumvent Dialback he can also get a Let's Encrypt cert, no?)
-
fippo
holger: dialback is online. getting a certificate is an offline attack.
-
Zash
Did anyone ever formalise "samecert"?
-
fippo
zash: dwd and me talked about it. i might even have implemented it but not sure if i ever pushed it somewhere
-
Maranda
<<Pidgin client working with Lightwitch again (starting ~11:30am CT). Thanks! >>
-
Maranda
aww
-
* Maranda rolls eyes.
-
Maranda
well if you have BIDI and dialback you need to support dialback errors because the BIDI XEP mandates so anyways
-
Zash
fippo: I might have done a plugin with half of it (in one direction if there's already an open session in the other)
-
Zash
and d-w-d
-
Maranda
so if you don't... well I'm not sure what you need to do since db support is advertised right on the stream header yay.
-
Maranda
So pretty
-
* Maranda just supports db errors, and opens another stream to do dialback if it's a BIDI stream.
-
Maranda
brb
-
moparisthebest
if a server only supported the latest state of the art of everything, and no legacy, it probably would interop just fine with all somewhat recently updated servers right?
-
Maranda
a server?
-
Zash
Disable dialback and see what happens
-
Maranda
yeah
-
Maranda
although most servers now do SASL external since all the free certificateness.
-
moparisthebest
I guess what I'm asking is, if you were writing a server from scratch today, would you support dialback?
-
moparisthebest
I'm thinking you wouldn't have to
-
Maranda
yes
-
Maranda
moparisthebest, you need it if SASL external fails for whatever reason.
-
Zash
Security related failure, let's proceed anyways!
-
moparisthebest
well or you just, fail
-
Maranda
Zash, *security* le like self-signed certificate? CA error? Let me think. Hmm yes let's continue anyways.
-
moparisthebest
how many servers today don't have valid CA signed certs that you actually want to communicate with?
-
moparisthebest
I would hope few to none
-
jonasw
could grep through xmpp.net database
-
Zash
moparisthebest: 1/3 according to xmpp.net/stats
-
jonasw
or ask holger to grep through his one on messaging.one
-
jonasw
oh neat
-
moparisthebest
sure I bet there are a couple with IBR enabled from 2005 or whatever, but you explicitly do not want those to s2s with you
-
moparisthebest
well I said "that you want to communicate with" :)
-
jonasw
https://xmpp.net/reports.php#trust
-
Maranda
because if your CA isn't included in someone's OS does it make "not valid"? Just saying trust is one thing validity another me thinks.✎ -
Maranda
because if your CA isn't included in someone's OS does it make it "not valid"? Just saying trust is one thing validity another me thinks. ✏
-
jonasw
moparisthebest, probably you want to communicate with all of them, otherwise you’re like microsoft who think that blacklisting whole IP ranges is okay.
-
moparisthebest
there is essentially 1 CA list, and that's whatever mozilla/google uses
-
Maranda
Yay
-
moparisthebest
I'm not really sure what's going on on the reports.php page
-
moparisthebest
is the trust numbers only of those servers that do TLS
-
moparisthebest
because you don't want to talk to any non-TLS ones anyway
-
moparisthebest
ha, or the 1 with the 512 bit RSA key lol
-
moparisthebest
but yea my point is there are whole classes of servers you do not want to s2s with, look at the ones using SSLv2, even SSLv3
-
MattJ
Just because someone is on a server that uses SSLv2, do I not want to communicate with them?
-
moparisthebest
yes, all decent servers shouldn't communicate with them so they'll fix it or move
-
MattJ
Yes, it has weak/no transport security, but does it automatically follow that I would never want to communicate with them? :)
-
Maranda
moparisthebest, I think you're confusing security with identity trust.
-
moparisthebest
they are 2 different issues, but both lead me to not want to interop with that server
-
Maranda
when dialback got dished out I think it was more about asserting and authenticating identity but that's me, and while the two things may go hand in hand someone may say.
-
moparisthebest
well it also allows for insecure connections, so it's a bit of a mixed bag
-
Maranda
Encrypted streams when Jabber was Jabber?
-
Maranda
:P
-
Maranda
or following short after?
-
Maranda
or even now? *eyes cisco.com*
-
moparisthebest
I haven't been around it that long :P
-
moparisthebest
and maybe that's the reason I view it like this
-
moparisthebest
but things that made sense then like dialback, haven't made sense now for a long time, and I see no reason to support legacy code to interop with a server last updated in 2005
-
Zash
moparisthebest: lucrative customer wants to talk to you. they use an ancient jabberd release from the 1800s and support only SSL 3. what do you do?
-
moparisthebest
I guess you could say "I'll talk to you only if we upgrade your server" :P
-
moparisthebest
I once dropped a contracting side job because they wouldn't drop windows XP
-
Maranda
moparisthebest, to talk with cisco.com I need dialback, to talk with M-Link I often need dialback because it complains the purpose of my certificate is wrong I suppose (YAY).
-
Zash
ah yes, LE certs aren't technically/strictly valid for XMPP s2s or somesuch
-
moparisthebest
seems like a lot of work to talk to legacy systems that need to burn
-
Holger
Zash: I think they are. Or at least they don't miss that bit that the StartSSL certs missed.
-
Zash
Holger: The bit saying "This is ok as client certificate"?
-
Holger
Yeah.
-
Holger
Web Client Whatever Something.
-
Zash
TLS Web Client Authentication
-
moparisthebest
hmm does xmpp.net not say what IP it's connecting to? or at least v4 vs v6 ?
-
jonasw
moparisthebest, I think it can only do v4
-
jonasw
due to deployment fubar
-
moparisthebest
ah ok, would be nice eventually to test both like http://ssllabs.com/ does for https
-
Zash
Is anyone aware of any remaining Group Chat 1.0 clients?
-
Zash
Or can we get rid of that without breaking anything
-
Ge0rG
Zash: didn't you plan to write something to log GC1 joins?
-
Ge0rG
Maybe combined with version-querying the respective client, so we can check if it's just presence desync
-
Ge0rG
I volunteer to run that code on yax.im for a week, and then to make a PR against 0045.
-
Ge0rG
[I feel lucky]
-
Zash
Well I did add some logging already.
-
Ge0rG
Is it already deployed on my server? :>
-
Zash
Probably not
-
Ge0rG
Can I deploy it without restarting the server?
-
Zash
Not running trunk with debug logging enabled right?
-
Ge0rG
Zash: {version yax.im}
-
Zash
sans bot
-
Bunneh
Zash: yax.im is running Prosody version 0.10 nightly build 460 (2018-02-03, 980d2daf3ed4) on Linux
-
Ge0rG
quoting. It drives me crazy.
-
Zash
Hm, I thought I had that code extracted out already
-
Zash
Ge0rG: Link Mauve did report some numbers that I didn't write down, unscientific as I am.
-
Zash
Or did I dream that?
-
Link Mauve
Wait, let me read the backlog.
-
Ge0rG
Zash: I remember that as well.
-
Ge0rG
I think the number of GC1 clients reported was 0
-
Link Mauve
Ah right, over a period of one week (our debug log retention time) we saw 47 GC1.0 joins, zero of which from a client which didn’t support MUC.
-
Link Mauve
(And only from two bare JIDs in total, but multiple times.)
-
Ge0rG
I'd like to replicate the measurement on my server
-
Neustradamus
https://xmpp.org/rfcs/ <-- a lot of RFCs are missing no?
-
Guus
which ones?
-
Neustradamus
RFC 8284 RFC 8266 RFC 8048 RFC 7700 RFC 7702 RFC 7712 RFC 7622 RFC 7590 RFC 7572 RFC 7573 RFC 7395 RFC 7340 RFC 7248 RFC 7247 RFC 7259 RFC 7165 RFC 7081 RFC 5437 RFC 4979
-
Neustradamus
-> RFC 7395 (WebSocket)
-
Guus
kindly add a PR?
-
Neustradamus
I do not know ^^
-
Neustradamus
I have already notified too the missing XMPP logo with XMPP text
-
Neustradamus
Maybe some messages are lost in the XMPP network