XSF Discussion - 2018-04-09


  1. edhelas

    https://techcrunch.com/2018/04/07/rss-is-undead/

  2. edhelas

    > I think the solution is a set of improvements. RSS as a protocol needs to be expanded so that it can offer more data around prioritization as well as other signals critical to making the technology more effective at the reader layer. This isn’t just about updating the protocol, but also about updating all of the content management systems that publish an RSS feed to take advantage of those features.

  3. edhelas

    Pubsub :-° ?

  4. Andrew Nenakhov

    I've read that article in my RSS reader. To me, RSS is pretty much alive.

  5. edhelas

    Andrew Nenakhov don't wanna use Pubsub :D Movim is my news reader B-)

  6. edhelas

    https://nl.movim.eu/?node/news.movim.eu/TechCrunch

  7. jonasw

    GDPR meeting in 5

  8. jonasw

    according to my clock and calendar at least

  9. winfried

    jonasw: according to mine too ;-)

  10. jonasw

    neat.

  11. jonasw

    pep., Ge0rG, you there?

  12. Ge0rG

    jonasw: kind of

  13. Ge0rG

    I fixed my poezio, but this is still the worst monday I've had this year

  14. jonasw

    yet.

  15. Ge0rG

    right.

  16. jonasw

    Ge0rG, set up a disk quota for your borg things so that they can’t eat all the disk space.

  17. jonasw

    disk quotas aren’t deep magic

  18. Ge0rG

    jonasw: good point. But then I couldn't prune the old backups any more because pruning would exceed the quota

  19. jonasw

    also allows you to disable/unset the quota while pruning when you need that

  20. jonasw

    it’s all a matter of invoking edquota and increasing the limit temporarily :)

  21. Ge0rG

    I didn't even anticipate the backups to grow that large.

  22. jonasw

    or maybe use that cuteborg alpha software which schedules prunes automatically. (shameless plug)

  23. pep.

    My computer has decided to be angry at me this morning, should be here soon

  24. jonasw

    okay, now I’m getting wary, why hasn’t any of my stuff failed today.

  25. winfried

    bad digital karma today, what did we do to our computers to make them so upset?

  26. pep.

    made it!

  27. jonasw

    \o/

  28. jonasw

    I’m not up for chairing or anything, having mild headache.

  29. winfried bangs a gavel and looks around in mild bewilderment, what to do now?

  30. pep.

    !

  31. winfried

    Would it be ok, to slowly progress through the list at the wiki?

  32. jonasw

    seems good

  33. pep.

    Ah I haven't updated with last week's

  34. Ge0rG

    Yes please

  35. winfried

    Ge0rG: you mentioned there are discussions about ip-adresses being pii or not, maybe we should settle that one first

  36. Ge0rG

    winfried: I don't think we should.

  37. jonasw

    I don’t think that’s useful.

  38. pep.

    Can _we_ settle anything?

  39. winfried

    ok, we don't settle it ;-)

  40. Ge0rG

    winfried: in our context it's best to consider them as PII

  41. jonasw

    first, what pep. says, lots of laywers have been fighting over that already before the GDPR, and second I think that would let us lose ourselves in details.

  42. Ge0rG

    winfried: my point was just to show the ambiguity of the legal framework

  43. winfried

    Ge0rG: clear and good course of action

  44. winfried

    Q1.1d, do we dig into that one further?

  45. Ge0rG

    For the logs and newcomers: https://wiki.xmpp.org/web/GDPR

  46. Ge0rG

    winfried: I think we weren't done with 1.1c for s2s

  47. winfried

    ok, 1,1c it will be

  48. pep.

    I want s/Archiving/user content/ on the notes to make it just like the others

  49. pep.

    I would s/Archiving/user content/ on the notes to make it just like the others

  50. Ge0rG

    Yes please

  51. winfried

    +1

  52. Ge0rG

    We are also lacking logs of 1.1b s2s in the wiki

  53. pep.

    yes, let me put last week's in there

  54. Ge0rG

    Maybe somebody could paste from the minutes

  55. Ge0rG

    So that we can proceed from there

  56. winfried

    maybe it is good to make clear: transfer itself is a processing, but needs explicitation about what data is transfered, what processing is done on the other side and with what purpose...

  57. jonasw

    can we know the processing on the other side, really?

  58. jonasw

    since there’s no contract or something which would be binding for the other side.

  59. pep.

    I don't think we can

  60. jonasw

    they could store the message forever even without advertising MAM

  61. pep.

    I think we'd best assume the worst once the messages are gone over s2s

  62. jonasw

    yes. the question is: how do we tell the users?

  63. pep.

    Just as I did? :/

  64. winfried

    maybe we can define a xep & service discovery that just says: this server keeps to these rules....

  65. jonasw

    and how do we tell the users in a way that they can give consent properly, and don’t wander off to silo services?

  66. jonasw

    winfried, hmm, you mean the GDPR-policy-XEP pep. wanted to write for c2s could be used for s2s too?

  67. jonasw

    interesting.

  68. jonasw

    question is, would a user still have to consent for each remote domain?

  69. pep.

    Also, I trust my own server, I'm not sure I trust many others

  70. Ge0rG

    jonasw: I tend to slightly disagree

  71. winfried

    jonasw: think that in many cases it does't, but it is our task to find out

  72. jonasw

    Ge0rG, with what exactly? I think I mostly asked questions at this point :D

  73. Ge0rG

    as winfried said last time, this is handing off of data to another controller. The other controller is also bound by GDPR rules, so they can't just do anything they want with the data. In theory

  74. winfried

    pep.: yeah, we move to the delicate field legal trust...

  75. jonasw

    Ge0rG, sooo... if one federates with servers which have users which are inside the EU you’re under GDPR?

  76. jonasw

    Ge0rG, sooo... if you federate with servers which have users which are inside the EU you’re under GDPR?

  77. Ge0rG

    What I'd like to know more about is whether we need some explicit legal framework for handing off data, or if this is covered by the user's implicit consent of wanting the message delivered

  78. Ge0rG

    jonasw: basically, yes.

  79. jonasw

    neat

  80. jonasw

    so everything is under GPDR now.

  81. Ge0rG

    jonasw: as if it wasn't before

  82. jonasw

    yeah, with "now" I mean "when it takes effect"

  83. Ge0rG

    winfried: I suggest we have a look at the "incoming s2s" situation first, and then try to reverse the approach for "outgoing"

  84. winfried

    Ge0rG: smart!

  85. Ge0rG

    obviously, with incoming s2s we are already required to be GDPR compliant.

  86. winfried

    Ge0rG: if you are situated in the EU or if you are targeting EU users

  87. Ge0rG

    We receive data via s2s (s2s meta-data, user content, user meta-data), and we are kindly asked to process that data in some way that was implied by the user

  88. Ge0rG

    winfried: s/targeting/not explicitly blocking/ ;)

  89. winfried

    Ge0rG: hmmm... my reading up to now was targeting, but that maybe the old legal framework....

  90. jonasw

    you can’t block EU users s2s-wise

  91. jonasw

    but also you can’t really target EU users s2s-wise

  92. jonasw

    so I’m like 😕

  93. pep.

    jonasw, not like it's impossible

  94. Ge0rG

    winfried: targeting is implied if you don't exclude them explicitly, AFAIU

  95. Ge0rG

    winfried: but back to the topic.

  96. winfried is diving in his bible

  97. pep.

    When does a service become "accepting EU users" exactly? Say as an EU citizen I go to a japanese website, with their server located in Japan, there's not GDPR applying is there

  98. pep.

    (I'm here to ask the dumb questions)

  99. Ge0rG

    I'd say that processing of received data is covered by Art6 1.f "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party" - the legitimate interest is to deliver the message to the appropriate user

  100. jonasw

    if LQ1 evaluates to "yes", it’s more tricky than that though

  101. winfried

    We are moving a bit forward and backward trough the topics...

  102. Ge0rG

    This means two things basically: a) we are allowed to do everything appropriate to deliver the content; b) we are not allowed to do anything that's not directly required for that

  103. jonasw

    winfried, okay, where were we?

  104. Maranda processing hints mandatory *coughs*

  105. Ge0rG

    GDPR hints.

  106. pep.

    Maranda, we can see for technical details later

  107. winfried

    1.1c s2s wasn't it?

  108. Ge0rG

    winfried: yes please

  109. winfried

    incoming and outgoing

  110. winfried

    incoming

  111. winfried

    - store in roster of peer

  112. Ge0rG

    We should cover each one of these: s2s meta-data (IPs, hostnames, sessions, server logs?) - GDPR probably doesn't apply user meta-data (presence, subscriptions, message routing) user content (messages, pubsub, etc.) MUC history, MUC MAM Remote components (e.g., roster management)

  113. winfried

    Ge0rG: yes that was what I was looking for

  114. Ge0rG

    s2s meta-data: R49 if at all

  115. jonasw

    user metadata: minimal: forwarded to receiving users connections typical: stored while receiving user is online (to avoid having to send out probes for new resources)

  116. Ge0rG

    jonasw: subscription requests and roster info is stored

  117. jonasw

    Ge0rG, that’s content though?

  118. jonasw

    from the categories in Q1.1b

  119. pep.

    (update the wiki I added 1.1c from the minutes)

  120. Ge0rG

    jonasw: ah, right

  121. jonasw

    user content: minimal: forwarded to receiving users connections if online; storage of roster-related things with account. typical: minimal + offline-storage if offline or even MAM for undefined period of time for messages

  122. Ge0rG

    I'm not sure if A in user B's roster is subject to user B's privacy laws, user A's or both'.

  123. jonasw

    probably mostly B

  124. winfried

    yes

  125. jonasw

    I can have you in my phone book and you can’t force me to erase that, I think, due to private use.

  126. winfried

    but the transfer to jurisdiction B is a processing

  127. Ge0rG

    jonasw: but I can get you fined it you upload my phone number to whatsapp.

  128. jonasw

    Ge0rG, yes.

  129. pep.

    Which is what's happening here

  130. jonasw

    Ge0rG, but the roster is my phone book in this case.

  131. pep.

    Well not whatsapp

  132. Ge0rG

    jonasw: so maybe I can also get you fined if you store my JID and name on your server?

  133. jonasw

    mmm

  134. pep.

    Ge0rG, so what do you propose? When a user calls for their right to erasure, that's propagated to every other server? And they magically disappear from everybody's roster at the same time?

  135. winfried

    no, when I am uploading pii of somebody else to a server without consent from that somebody I can be fined. Not because of that server but because of the uploading

  136. jonasw

    sooo..... spammers are in violation of the GDPR?

  137. winfried

    s/consent/groud for processing/

  138. jonasw

    because they upload my email adress to some server?

  139. winfried

    jonasw: yes

  140. pep.

    That wouldn't really surprise me

  141. pep.

    It's not like they weren't already in violation of any other laws

  142. Ge0rG

    we have two s2s data specials not yet covered in 1.1c: - MUC (is that different from plain s2s?) - remote roster management

  143. jonasw

    hm, delivering a message is probalby "ground for processing"

  144. winfried

    jonasw: it is needed for delivering a service you have agreed to (or not, in the case of spam)_

  145. jonasw

    I think for (semi-)anonymous MUCs, we really need to show users a message that the MUC is anonymous and they have to assume that all messages are public?

  146. jonasw

    For (semi-)anonymous MUCs, do we need to show users a message that the MUC is anonymous and they have to assume that all messages are public?

  147. pep.

    What about adding 170 when MAM MUC is enabled

  148. jonasw

    because we can’t have any type of s2s-consent in that case because we don’t know to which domains the messages may go

  149. jonasw

    pep., mandatory, IMO

  150. pep.

    worksforme

  151. pep.

    I asked something similar on jdev@ not so long ago

  152. pep.

    And I think maranda also did talk about that

  153. Maranda

    👌🧝‍♂️

  154. jonasw

    the exact definition is:> Inform occupants that room logging is now enabled

  155. jonasw

    the exact definition is: > Inform occupants that room logging is now enabled which fits this use-case exactly.

  156. jonasw

    (note that it does not include "public")

  157. jonasw

    (we might want to have a different status code for *public* logging)

  158. jonasw

    (as opposed to members-only MUC MAM access)

  159. Ge0rG

    jonasw: MAM is subject to the same rules as room access

  160. Ge0rG

    in theory.

  161. jonasw

    Ge0rG, yes.

  162. Maranda

    Gajim does exactly that for status 170/171 without making dumb distinctions

  163. Ge0rG

    I wouldn't be surprised if some implementations make MAM access public ;)

  164. winfried

    so a possible processing may be "publicising the MUC logs on different channels or to non-members"? (bringing it back to 1.1c)

  165. jonasw

    winfried, yes.

  166. Maranda

    Aka just "room logging" enabled/disabled

  167. pep.

    Nothing prevents a muc owner from changing the member-only policy though, and suddenly everything that's been said before is public

  168. Ge0rG

    pep.: nothing prevents a muc owner to publish their local log of the MUC in the New York Times

  169. winfried

    maybe some laws prevent that?

  170. Ge0rG

    I would consider that all these deliberate actions by a MUC participant to leak data fall under their respective responsibility

  171. jonasw

    winfried, one processing is at least "store the whole conversation on the MUC service"

  172. Ge0rG

    and not under "s2s data processing"

  173. jonasw

    +1 Ge0rG

  174. winfried

    +1

  175. pep.

    k

  176. Ge0rG

    so it's "store on the service and make it available to room members"

  177. winfried

    and it /may/ be also publishing it

  178. jonasw

    I’d like to have a status code for that, btw

  179. jonasw

    because that could save us from 9.1 trouble (there’s something about "manifestly made public" in there, and if we can get clients to show "THIS ROOM IS PUBLICLY LOGGED", we’re out of trouble there I think)

  180. jonasw

    do we have a technical ToDo list?

  181. winfried

    jonasw: not yet ;-)

  182. pep.

    Can make one

  183. jonasw

    pep., that’d be great

  184. pep.

    I can add EULA XEP in there :x

  185. jonasw

    I wouldn’t act on this right away, but instead keep it a WIP until we figure that we really need it.

  186. jonasw

    I wouldn’t act on the ToDo list right away, but instead keep it a WIP until we figure that we really need it.

  187. winfried

    (BTW one of my cats is hunting my phiysical mouse, the other one the cursor on the screen, am a bit distracted)

  188. winfried

    jonasw: +1

  189. pep.

    jonasw, the status code you're talking about is 170 or similar right

  190. jonasw

    pep., yes

  191. jonasw

    winfried, pics or it didn’t happen ;-)

  192. winfried

    jonasw: my cats have their privacy, I am not publishing them on the internet!

  193. pep.

    So.. what do we have atm, 1.1c S2S is split in two,

  194. Maranda

    And attach those to the Meeting Minutes.

  195. Maranda

    (cat pictures)

  196. Ge0rG

    Don't forget remote roster management. It's technically well designed, so no problems there, but we need to mention it

  197. winfried

    Ge0rG: +1

  198. pep.

    Ge0rG, what about it

  199. winfried

    it is a nice example of privacy by design, but it is a possible processing of the s2s case

  200. winfried

    thinking about it, it is also a processing of the c2s case...

  201. winfried

    we need to list it and mention it is covered by explicit consent

  202. jonasw

    RRM ist really good, taking a look at it for the first time now

  203. pep.

    I'm not sure I get all these comments. How is it privacy by design

  204. pep.

    What changes from normal roster management

  205. jonasw

    except that it has XMPP-technical flaws

  206. jonasw

    pep., the roster is managed by an entity which may be outside the domain of the user

  207. jonasw

    read-write

  208. pep.

    jonasw, yeah I get that, so it's worse possibly

  209. pep.

    I mean GDPR-speaking

  210. pep.

    Than normal c2s

  211. jonasw

    pep., but the entity has to ask permission and it gets only the roster entries related to their own domain, so that’s neat

  212. winfried

    it is privacy by design because the spec demands explicit consent

  213. winfried

    I lost my overview over 1.1c

  214. winfried

    have we covered the s2s cases there?

  215. pep.

    jonasw, I see

  216. pep.

    just inbound?

  217. pep.

    And even then I'm not sure

  218. Ge0rG

    winfried: I think so

  219. Ge0rG

    the difference to c2s is probably that there are different retention times for data, and no explicit consent from the user

  220. Ge0rG

    oh, there is also the "transport component" use case

  221. jonasw

    mmm, a whatsapp transport <3

  222. jonasw

    for super fubar

  223. Ge0rG

    If I register with icq.evildomain.com, it will store/process my ICQ credentials

  224. winfried

    Ge0rG: that is an interesting one

  225. pep.

    Isn't that another normal s2s case?

  226. jonasw

    credentials, right

  227. pep.

    "We don't know what can happen on the other side"

  228. winfried

    pep.: that one is

  229. pep.

    And they won't get more than what we give them

  230. winfried

    but whatsapptransport.trusteddomain.com is different

  231. jonasw

    I wonder if we want a way to give consent to the processing done by an s2s domain. then there could be something pubsubby where clients can query which s2s domains the user consented with and show that in the UI. warn the user when sending a message to a non-consented domain with "review the privacy policy" and offer doing the in-band consent thing as per the EULA XEP.

  232. winfried

    because trusteddomain is transfering it to a third server

  233. jonasw

    fwiw, I’m going to head out in four minutes.

  234. pep.

    How long do you want to go btw?

  235. pep.

    jonasw, I see value in that, I'm not sure it's not going to be an annoying process though

  236. pep.

    It's the annoying "yes I agree" that everybody is going to overlook in the end

  237. jonasw

    could be simplified in the UX of course, but technically we might need something like that

  238. jonasw

    and the server could even block stanzas to non-trusted s2s domains in strict deployments.

  239. winfried

    maybe set a next session? Maybe we should wrap up this one and move on to the interesting stuff....

  240. pep.

    yep

  241. pep.

    Date of next?

  242. jonasw

    following weeks this time won’t work for me

  243. jonasw

    (I know I’m special with scheduling and I’m sorry)

  244. pep.

    I can do any

  245. Ge0rG

    winfried: actually I'd argue that a remote transport is subject to a direct relationship with the user as a data controller

  246. Maranda

    Can I make an addition to s2s message processing? If hints are made mandatory that could pose a disclaimer caveat, in which if a user doesn't give explicit consent to treatment by a remote entity and I flagged all messages with "no-store" or "no-permanent-storage" it could be argued the responsibility falls directly on the 3rd uncompliant party

  247. pep.

    Tomorrow? Wed 12:30 or 13:30CEST? (like before)

  248. Maranda

    Because that'll be an impeding problem for sure

  249. jonasw

    pep., tomorrow is Tue in my calendar

  250. jonasw

    Wed won’t work for me

  251. pep.

    jonasw, yes it was two questions :p

  252. jonasw

    I’d prefer the time we did today actually, I can arrange that any day except mondays.

  253. winfried

    both work for me

  254. pep.

    If same time, I can't do Tue/Thu

  255. jonasw

    (and wednesdays, sorry)

  256. jonasw

    but 12:30 CEST also works, except on wednesdays

  257. pep.

    Tue 12:30CEST then?

  258. jonasw

    wfm

  259. winfried

    wfm

  260. Ge0rG

    wfm

  261. jonasw

    \o/

  262. pep.

    *bang*

  263. jonasw

    okay, gotta head out, see you folks

  264. winfried

    cu!

  265. winfried

    thanks

  266. pep.

    I need my coffee now

  267. pep.

    You guys caught me early

  268. winfried

    pep.: :-D

  269. winfried

    pep.: are you taking notes/logs again? maybe coordinate who puts them in the Wiki

  270. pep.

    I'll try to come up with the minutes before noon

  271. pep.

    If you can put that on the wiki that'd be great :p

  272. winfried

    I'll try, won't be home from work meetings till 0:30 today, but I will have some time in trains...

  273. Ge0rG

    trains. The place where you can work on the really important things, while telling your employer that you were too tired to do the after-meeting reports.

  274. winfried

    Ge0rG: watch out, this MUC has a public log :-D

  275. daniel

    > trains. The place where you can work on the really important things, while telling your employer that you were too tired to do the after-meeting reports. Trains. Those things that don't run if there is a signal failure. What ever that means. A rat bit through a cable maybe? Because apparently something as important as signals doesn't have redundancy

  276. Ge0rG

    winfried: my employer isn't paying overtime. Sometimes I have days when I need to get out of bed at 4AM, have some 12hrs of train time with a business meeting in the middle. They can't expect me to work 16hrs ;)

  277. Ge0rG

    daniel: the most frequent cause of delay at Deutsche Bahn is copper theft, I've heard.

  278. Ge0rG

    https://www.n-tv.de/panorama/Kupferdiebe-kosten-Zeit-und-Geld-article10436256.html

  279. winfried

    daniel Ge0rG here in the netherlands it is / was a major cause for delays too. They do have more theft-proof infrastructure nowadays

  280. Ge0rG

    winfried: do you have any news regarding the 112 app?

  281. Maranda

    And from my point of view, after glancing at it, GDPR is made to "make it impossibile" for complex decentralised environments to exist, so whatever will be done here will be for naught beside that when a user registers he'll get a message stating "do you give consent to treatment of your data by third parties", "I give consent" == s2s enabled, else s2s disabled.

  282. Maranda

    Fin.

  283. Ge0rG

    Maranda: your point of view is cynically pessimistic.

  284. Ge0rG

    Like with the cookie directive. The intention was to inform users and to allow them to opt out. Then it was perverted by the "content providers" to blame the EU

  285. Maranda

    Ge0rG: too bad that it looks to me that for what we could ever attempt to do to be compliant, due to the nature of xmpp we could never fully be.

  286. Maranda

    But we will see as usual

  287. winfried

    Ge0rG: yes, I have the interview done and a concept-blog, still working on the whitepaper. They have to check with their security persons I don't publicise any confidental information before I can show you the results

  288. Ge0rG

    winfried: I'm a security person. I can do a closed-group review ;)

  289. winfried

    Ge0rG: :-D

  290. winfried

    Ge0rG: I got a fascinating insight in the world of Belgian organisation and security. I can already reveal the organisation operating *all* of the telecom infrastructure in Belgium has more firewalls then employees ;-)

  291. winfried

    (all of the governmental telecom infrastructure)

  292. Ge0rG

    winfried: that sounds like much better data hygiene than T-Mobile Austria

  293. jonasw

    > winfried: my employer isn't paying overtime.

  294. jonasw

    > winfried: my employer isn't paying overtime. […] have some 12hrs of train time with a business meeting in the middle. Ge0rG, you’re not good at advertising.

  295. Ge0rG

    jonasw: my employer will gladly pay for the hotel room so you can arrive on the day before and have a pleasant day on site. I just prefer to sleep in my own bed.

  296. jonasw

    I hate hotels, exactly.

  297. Kev

    I often take my own pillow with me when I go to the office, if I'm driving (not so much with carrying it on the train).

  298. Ge0rG

    I don't hate them. I just love to sleep at home

  299. jonasw

    Ge0rG, yeah, that’s what i meant.

  300. jonasw

    also see what I wrote in the other muc.

  301. Ge0rG

    I'm still catching up with last night.

  302. jonasw imagines Ge0rG MAM-syncing into his head

  303. winfried

    Ge0rG: I was pretty impressed with the data infrastructure they are using, they even build a (rudimentary) application firewall for XMPP!

  304. jonasw

    does conversations get consent from the user for using google cloud push? :)

  305. jonasw

    okay, so since I have merge powers, I need advice on what to do with this: https://github.com/xsf/xmpp.org/pull/425

  306. jonasw

    I was actually happy that pidgin dropped off the list and was silently hoping that it wouldn’t re-appear.

  307. jonasw

    but apparently that didn’t happen

  308. jonasw

    so what to do now?

  309. jonasw

    possibly a question for board

  310. Ge0rG

    jonasw: the right way would be for the Board or some other Official Entity to say "no" to this request. The loophole workaround would be to reject the PR until it's vouched for by an identified pidgin developer

  311. jonasw

    Ge0rG, maybe you should add your "ceterum pidgin delendam esse" to board agenda instead of council ;)

  312. Ge0rG

    jonasw: I don't have the power to add things to Board's agenda

  313. Ge0rG

    jonasw: and I don't have the karma either. Whatever I wanted from Board so far was vetoed.

  314. jonasw

    Ge0rG, ask Guus or MattJ to add "Vote for elimination of all pidgin references from xmpp.org" to it :)

  315. jonasw

    Ge0rG, the laws of probability say that this time it’ll work!!k

  316. jonasw

    Ge0rG, the laws of probability say that this time it’ll work!!1

  317. flow

    Ge0rG, I note that there is a carbons plugin for libpurple: https://github.com/gkdr/carbons

  318. jonasw

    plugins for libpurple are always good.

  319. jonasw

    they rarely break anything or introduce security issues or something like that.

  320. Ge0rG

    flow: do you want to explain to my aunt how to install it?

  321. Kev

    BTW, I think the easiest way to (potentially) resolve the Pidgin thing is to ask the project if they mind not being listed.

  322. Kev

    If they say "Yeah, that's fine, it's not very current", there's no need to make difficult decisions.

  323. jonasw

    Kev, they made a release a few weeks ago

  324. Kev

    Does that contradict anything I said? :)

  325. jonasw

    dunno

  326. jonasw

    I’m not awake.

  327. Ge0rG

    Kev: the easiest way is to require somebody from the project to raise their voice in that PR.

  328. Ge0rG

    Kev: which is even less work than asking them, and which is what I implied in my PR comment and described above as a "loophole"

  329. Maranda

    So, dead-end for GDPR is.. 25th May again?

  330. jonasw

    yeah

  331. jonasw

    towel day

  332. Maranda

    And I see Ge0rG with an avatar feels strange compared to the usual "G"

  333. Maranda

    jonasw, ok I suppose I'll go with my cynical, pessimistic idea, until I see more definite developments.

  334. Maranda

    (which I do not)

  335. Ge0rG

    Maranda: I suppose I need to restart prosody to get rid of it.

  336. Maranda

    Ge0rG: oh?

  337. Ge0rG

    Dave Cridland: I'd like to put up "kill GC1.0" onto the Council agenda for this week. I've collected some numbers, and I'll write a mail if I manage somehow.

  338. Ge0rG

    I'm also sure there was some other thing I promised / intended to PR.

  339. Ge0rG

    https://arstechnica.com/tech-policy/2018/04/hours-after-zuck-deletion-scandal-facebook-announces-new-unsend-feature/ - this totally triggers the GDPR

  340. Ge0rG

    "You can't delete sent or received messages from someone else's device." -- unless you are Mark Zuckerberg.

  341. Andrew Nenakhov

    What's next, unsend email? 😂

  342. Andrew Nenakhov

    I always thought that features like last message correction are just silly

  343. Ge0rG

    Andrew Nenakhov: that's old. https://support.office.com/en-us/article/recall-or-replace-an-email-message-that-you-sent-35027f88-d655-4554-b4f8-6c0729a723a0

  344. Ge0rG

    LMC is utter shit.

  345. Ge0rG

    LMC is actually useful in most cases.

  346. MattJ

    /load display_corrections

  347. Andrew Nenakhov

    Ge0rG, > Message recall is available after you click Send and is available only if the recipient has an Exchange account within the same organization. Not really working in federated environment

  348. Ge0rG

    Andrew Nenakhov: tough luck.

  349. Zash

    I motion that we all get ice cream! (everyone says +1) /correct I motion that we do evil things!

  350. Maranda

    Ge0rG sucks.

  351. Maranda

    toads.

  352. Maranda

    🤔

  353. Ge0rG

    so.... everyone licking ice cream, except for Maranda who's licking toads?

  354. Maranda

    Ge0rG, who knows maybe they'll turn into something else, or kill me, or both.

  355. waqas

    I haven't had ice cream in days…

  356. Andrew Nenakhov

    I get a feeling that xsf has entered a steep decline

  357. Ge0rG

    I have a fridge full of ice cream at my old home, and no sensible logistic way to get it into the new home.

  358. Ge0rG

    Andrew Nenakhov: the xsf MUC is not representative of the XSF.

  359. waqas

    Ge0rG: "sensible"

  360. Maranda

    Ge0rG, it's not?

  361. Maranda

    :O

  362. Ge0rG

    Andrew Nenakhov: the only decline the XSF is facing is that of available time of its members.

  363. Maranda

    Disclaimer 😚 ™

  364. Maranda

    :P

  365. jonasw

    I just came back from having ice cream.

  366. jonasw

    that’s relevant, r ight?

  367. Zash

    /topic Ice Cream

  368. jonasw

    that’s relevant, right?

  369. Ge0rG

    Luckily there is no XMPP off-topic MUC.

  370. jonasw

    /topic Chips

  371. Ge0rG

    Damn, I'm hungry. Only had some waffles for breakfast and no lunch. Time to make a break

  372. Maranda poked out a "pessimistical" mod_gdpr.

  373. Maranda commits.

  374. moparisthebest

    what does it do?

  375. moparisthebest

    guess I could just peruse code...

  376. Maranda

    for now just disables s2s if you don't agree to conditions and 3rd party treatment of your data.

  377. lovetox

    if a XEP says stuff like : Given the foregoing discussion, it is evident that an entity could receive any combination of iq:register, x:data, and x:oob namespaces

  378. lovetox

    then i know im in for a lot of fun

  379. moparisthebest

    what are email providers doing with their identical S2S problem?

  380. Maranda

    https://github.com/maranda/metronome/blob/6044add55d8acfef86f4210ceae27cd6ca178a3f/plugins/mod_gdpr.lua --> completely untested, though it should be portable to Prosody easily enough.

  381. jonasw

    moparisthebest, nobody knows

  382. jonasw

    moparisthebest, but the expectations might be different for email which might be relevant for law stuff

  383. moparisthebest

    why would expectations matter? they are 100% identical as far as I can tell

  384. jonasw

    moparisthebest, I’m not sure. people might not expect their IM to be stored indefinitely on some server. for mail, this might be different.

  385. moparisthebest

    why? maybe they think everyone uses pop3 and has the 'delete from server' box ticked?

  386. Zash

    moparisthebest: wasn't the box for "don't delete from server"?

  387. moparisthebest

    depends on the client I guess :)

  388. moparisthebest

    I'm just saying from a technical perspective, with regard to s2s issue, email and xmpp are identical, and since email is far more widely used by much bigger companies, I feel like we should just see what they are doing

  389. Maranda

    Identical me... thinks not.

  390. Maranda

    Comparing mail data with a xmpp s2s stream is weird at best.

  391. Maranda

    One it's just a singler envelope the other... is... a stream? With potentially much more data passing by.

  392. Maranda mutters says the word.

  393. moparisthebest

    Maranda, sorry, how is it not identical?

  394. Maranda

    I just said.

  395. moparisthebest

    you send individual messages to a federated server

  396. moparisthebest

    they may or may not keep them

  397. moparisthebest

    the 'potentially more data' seems totally wrong too

  398. Maranda

    You just send individual messages? Oh rly?

  399. moparisthebest

    how often do you send/recieve xmpp messages with 25mb attachments sent with bob or whatever :P

  400. jonasw

    I tend to agree that they’re pretty much identical regarding the data which passes.

  401. moparisthebest

    that happens regularly with email

  402. Maranda

    I repeat "You just send individual messages? Oh rly?"

  403. moparisthebest

    yes, both email and xmpp just send individual messages, right?

  404. Maranda

    Hmmm nay, but okay.

  405. moparisthebest

    Maranda, how do you think they are different? because xmpp often sends multiple messages over a single connection?

  406. moparisthebest

    because smtp does that too, and so does imap, pop3, etc

  407. Maranda

    <incoming-routed presence="2078391" message="644568" iq="1050302"/> <outgoing-routed presence="428397" message="152432" iq="985607"/>

  408. Maranda coughs.

  409. moparisthebest

    that's 2 messages I guess, still not getting the point

  410. Maranda

    .

  411. SamWhited

    Please try to explain with words and not just examples, because I don't understand what you mean either.

  412. Maranda

    I don't think I have to explain XMPP (says even just XMPP) isn't just about messages, and you don't send exactly just messages actually you send much more of the other two.

  413. Maranda

    And there's a lot of data in *those two*

  414. moparisthebest

    when you boil it all down though, it's just message passing

  415. Maranda

    if you say so.

  416. moparisthebest

    are you saying you also send presence and things?

  417. moparisthebest

    how is that different than an email like 'hey, I started work today' or whatever

  418. Maranda

    Maybe I don't operate the sending directly which poses *much* of a difference compared to e-mail since those are completely (or almost) abstracted from users UI wise

  419. Kev

    I think when you're potentially talking about clients broadcasting your current location to all of your contacts, or whether you're WFH or in the office, that *is* a different use case than email.

  420. Maranda

    and still for GDPR we have to take that data/meta-data in account

  421. Maranda

    so if you keep saying xmpp is like e-mail okay.

  422. moparisthebest

    ok, so you are saying extra types of data get sent with xmpp without user intervention than email?

  423. moparisthebest

    *that's* an argument I can follow

  424. moparisthebest

    still, I believe normal message sending should be the same as email, so we could copy email providers for that, and maybe your mod_gdpr could just filter everything but normal messages or something?

  425. jonasw

    ... except that lots of stuff doesn’t work with only normal messages.

  426. jonasw

    like OMEMO.

  427. Maranda

    mod_gdpr blocks everything going s2s, before user consented to the agreement and mainly 3rd parties treatment of his data passing by s2s.

  428. jonasw

    how does the user consent, and which agreement?

  429. moparisthebest

    yep, but perhaps you can sort some things out to what leaks (meta)data or not

  430. Maranda

    https://github.com/maranda/metronome/blob/master/plugins/mod_gdpr.lua#L19

  431. Maranda

    jonasw, ^

  432. Ge0rG

    Maranda: you need to gain consent for each individual s2s domain, and link to their respective data privacy policy.

  433. moparisthebest

    that seems utterly impossible Ge0rG

  434. Maranda

    Ge0rG, do I? Me thinks that the above is legally valid.

  435. Ge0rG

    Also, I don't understand how email and xmpp are different either, from a data protection / data retention point of view

  436. jonasw

    .oO(plot twist: user is currently negotiating for a power exchange relationship and replies with "I consent" to the wrong message.)

  437. jonasw

    Maranda, I don’t think that works either. you need to make the user aware of the specific data and metadata which may be sent to the remote domain.

  438. jonasw

    users might not be aware that the timestamp of their last online presence would be shared for exampale

  439. Maranda

    Ge0rG, it's implicit that if a from capuleti.is user chooses to have a contact to romeo.is then whatever data gets shared with romeo.is is *his/her sole* responsibility and that the data going to romeo.is will be treated by romeo.is

  440. Maranda

    jonasw, that is already done by the ToS

  441. jonasw

    Maranda, which ToS?

  442. Maranda

    The one which I'll add options to add you can't cover everything In-Band, else I need to send a never ending wall.

  443. Maranda

    The one which I'll add options to add you can't cover everything In-Band, else I need to send a never ending wall of text.

  444. jonasw

    that’s why we were discussing the EULA XEP

  445. Maranda

    jonasw, which brings to the problem good luck getting every implementation and expecially every server federating to compliant by the 25th.

  446. moparisthebest

    yea that's really insane

  447. moparisthebest

    shouldn't it, at most, be an explanation of federation?

  448. moparisthebest

    (if you send something to bob@example.org refer to example.org for how they manage your data)

  449. moparisthebest

    again, what are email providers doing? they won't be doing 'federated eulas' I can almost guarantee

  450. jonasw

    moparisthebest, true, but they may be gambling on the fact that nobody is going to risk to burn down all of email with a lawsuit.

  451. Maranda

    Problem is that the deadline is too near now we should have moved as soon as GDPR got out in 2016 imho

  452. jonasw

    yeah

  453. moparisthebest

    that's a fine bet for my person email, but gmail/hotmail surely would just have to pay germany a few trillion dollars or something

  454. Maranda didn't even know about it before just recently.

  455. moparisthebest

    and they've surely had lawyers on this for years?

  456. moparisthebest

    federated EULAs sound like a friggin nightmare too

  457. moparisthebest

    "XMPP sucks so bad, I need a lawyer every time I have to add a new contact"

  458. Zash

    What about plain ol' IP routing?

  459. Maranda

    but still as soon as there's a draft of "EULA" xep I'll link to that jonasw (obviously)

  460. moparisthebest

    that's true Zash , every IP/port combo needs another EULA, also from every switch/router along the way, right?

  461. Zash

    Yes

  462. jonasw

    Zash, yeah

  463. moparisthebest

    I think even the concept of a EULA xep is a terrible idea for the above reason

  464. moparisthebest

    if widely implemented, it'd kill xmpp

  465. jonasw

    I was thinking about that too during the last meeting. I wonder if we’re colossally missing something here.

  466. jonasw

    moparisthebest, fundamentally, the EULA XEP was meant not for federation but for in-band registration

  467. moparisthebest

    does anyone know anyone that works at gmail or hotmail or something?

  468. jonasw

    unfortunately not

  469. moparisthebest

    jonasw, ah well for in-band registration it's a good idea, it's just a terrible idea for federation

  470. Maranda

    an EULA xep could not need implementation

  471. Maranda

    if it's just a descriptive xep

  472. Maranda

    like what data types are there, how to act in case of data transiting from a to b, who to contact in that case etc.

  473. Maranda

    like what data types are there, how to act in case of data transiting from a to b, who to contact in that case, who is responsible of what when etc.

  474. Maranda

    there's a fair amount of documents like that XEP wise

  475. jonasw

    Maranda, the idea was to have an additional IQ exchange before/during registration, where the key points of a GDPR-EULA (e.g. retention times, data which is persisted/not persisted ,…) is presented as structured data (XML). this allows clients to format the key points neatly. in addition, the full terms can be provided via one or more URLs.

  476. moparisthebest

    and then you've made the protocol user-hostile for what some non-lawyers think some lawyers wrote in a jurisdiction that controls a small fraction of the internet

  477. moparisthebest

    sounds like a terrible plan

  478. Maranda

    Which is good if the deadend wasn't in a month and a half

  479. jonasw

    moparisthebest, how is that user-hostile?

  480. Maranda

    Or less

  481. jonasw

    I think being aware of what the service does with your data is very user-friendly.

  482. moparisthebest

    jonasw, "XMPP sucks so bad, I need a lawyer every time I have to add a new contact"

  483. jonasw

    I am not talking about federation, moparisthebest.

  484. moparisthebest

    "with whatscrap I just type in a contact and start chatting"

  485. Maranda

    So at the very least we should have a document to link at, me thinks

  486. moparisthebest

    well again, for user registration I totally agree

  487. SamWhited

    FWIW, XEP-0389 was designed with EULAs in mind. You could probably implement it already with that.

  488. jonasw

    moparisthebest, I am not talking about federation.

  489. Maranda

    No time for xep-0389

  490. moparisthebest

    ok, then I think it's a good idea

  491. Maranda

    I feel

  492. moparisthebest

    I just really don't want federation crippled due to some legislators with a superiority complex, and a likely wrong reading of the law by non-lawyers

  493. Maranda

    Well I don't have 200k

  494. Maranda

    😎

  495. moparisthebest

    try voting for better people, or move :)

  496. moparisthebest

    I mean we aren't writing code to cripple XMPP to china or russian standards

  497. jonasw

    moparisthebest, I like the legislation actually.

  498. Maranda

    All I want as a server operator is at least a blanket covering most of my ass

  499. moparisthebest

    why write code to cripple XMPP to EU standards

  500. Maranda

    That's all we need in the immediate time anyways

  501. Maranda

    Because as I redundantly said: there's not much time left

  502. Maranda

    moparisthebest, we need to get informative documentation done first, the most problematic bits are the data types descriptions, behaviour and garden-to-garden transits

  503. moparisthebest

    not sure exactly what you mean, but are you still just talking about registration?

  504. moparisthebest

    in general when I've had to present lawyer-stuff to users, they like to lay stuff out themselves, and I always end up providing text as written

  505. moparisthebest

    just a giant wall of text...

  506. Maranda

    No, I said it anything protocol dependant wont see the light by the 25th

  507. moparisthebest

    just turn off IBR and make them sign up with a web page?

  508. moparisthebest

    the free world can continue to support IBR

  509. Maranda

    Because beside the servers, there's clients and the "Pidgin" effect

  510. pep.

    moparisthebest: make them sign up what with a web pave

  511. pep.

    Page*

  512. pep.

    Please do provide input during the meetings if you have insight

  513. Maranda

    The registration method is irrelevant we need documentation, and stuff to add to single service agreements

  514. Maranda

    In the mean time

  515. pep.

    moparisthebest: and it's not just to new users

  516. moparisthebest

    well, web page registration lets you display a proper terms of service, and record them agreeing to it?

  517. pep.

    Yeah but what goes into the EULA

  518. Maranda

    moparisthebest, yes

  519. pep.

    That's the whole poiny

  520. moparisthebest

    pep., ask your lawyer

  521. pep.

    Point

  522. Maranda

    But we need to know what to add to the service agreements...

  523. moparisthebest

    hopefully just explaining how it works would be good enough, but who knows, IANAL

  524. Maranda

    And if there's a descriptive EULA xep at least we can link that

  525. pep.

    Well we're trying to see if we can figure parts of it by ourselves. Ultimately yes, we'll ask lawyers

  526. pep.

    And then try to provide templates for operators out there, with the usual disclaimers

  527. moparisthebest

    if you are in the 'writing code to solve it' phase then you are too far, should have already asked a lawyer

  528. pep.

    We're not

  529. moparisthebest

    some people are :) https://github.com/maranda/metronome/blob/master/plugins/mod_gdpr.lua

  530. Maranda

    That's a draft

  531. Zash

    > The software is provided "as is", without warranty of any kind etc...

  532. Maranda

    And it's very "user friendly" as it's not protocol dependant

  533. Maranda

    (problem is the relevant bits to add there)

  534. Maranda

    Zash, if it was that easy

  535. Maranda

    Apparently it's not

  536. Maranda

    moparisthebest, but yes essentially that module should cover the edgy cases, in where if users stay in your garden it's "easy". When they get outside it's troubles they wrote the regulation specifically that way

  537. Maranda

    (And they'll get prompted the first time they try to cross the wall)

  538. pep.

    What really annoys/confuses me, is that everybody talks about companies when this is going to reach a lot more than that

  539. moparisthebest

    that's the problem, they seem to have written the legislation to specifically target walled gardens like facebook/whatsapp etc

  540. moparisthebest

    and it does a good job at that

  541. moparisthebest

    but they totally ignored federated systems, and it seems to almost outright ban federated systems

  542. moparisthebest

    which, ignoring xmpp is something I could see legislators doing, ignoring email is not

  543. moparisthebest

    except they probably think 'email' and 'gmail' are the same thing...

  544. Zash

    Has anyone reached out to those involved in drafting this and asked "how does this relate to email?"

  545. Zash

    IIRC they used Outlook (with web thing)

  546. Zash

    OWA?

  547. Zash

    The FOSS-friendly people I stayed with were developing something to make it usable with Thunderbird

  548. moparisthebest

    davmail is what I used to use for that

  549. Ge0rG

    The new CLOUD Act allows US agencies to obtain data hosted in Europe. I wonder how many days it will take for Russia to create a comparable legal framework.

  550. lovetox

    but i read EU wanted to do this frist

  551. lovetox

    but i read EU wanted to do this first

  552. lovetox

    get data stored in US

  553. lovetox

    so everybody gets all the data :)

  554. moparisthebest

    the solution is for everyone to run their own server in their house lovetox :P

  555. Zash

    \o/

  556. lovetox

    im already using no smartphone, facebook, i just have to get rid of gmail somehow

  557. lovetox

    then im underground

  558. moparisthebest

    lovetox, I cut the gmail cord in 2013, just setup postfix/dovecot on your house-server

  559. moparisthebest

    you can still have gmail forward mails to your new address, and you can have postfix send outgoing mails from your gmail through gmail's servers until you have everything fully migrated

  560. lovetox

    im have my own domain, but i fear spam a bit

  561. lovetox

    nothing goes over google spam filter

  562. moparisthebest

    it's not that bad, spamassasin+amavis

  563. moparisthebest

    thunderbird pretty much always gets whatever leaks through those

  564. lovetox

    how nice would it be if we had all pgp encryption on email

  565. lovetox

    google announced some kind of plugin for gamil years ago

  566. moparisthebest

    it's not as easy as setting up an xmpp server, there are more parts, and they tend to be crustier

  567. moparisthebest

    but you only have to do it once

  568. Maranda

    well it's tricky to be spam proof, but not impossible.

  569. Maranda

    (for e-mail)

  570. lovetox

    but with email is like, even if you host youself, 40% of all your mails are sent to gmail adresses anyway

  571. lovetox

    so they still get all emails

  572. Maranda

    hmmm lovetox

  573. pep.

    lovetox: that's true, though if we say that we might as well give up already

  574. pep.

    Even for xmpp

  575. lovetox

    why google dropped xmpp support :D

  576. lovetox

    we are save here

  577. Zash

    Extensible Mango and Potato Planters

  578. pep.

    I mean it's not just true for email but for lots of things.. If I thought it wasn't worth setting up my own mail service because "40% goes through Google anyway", I think giving up on life wouldn't be really far ahead :x

  579. pep.

    Lots of things go through Google, Facebook and whatnots

  580. pep.

    Zash: I'm going to signup for this giant meteor party I think

  581. Zash

    I'm not running my own email to keep Google from seeing my emails. I'm doing it so that I don't have to care about some provider shutting down.

  582. lovetox

    i would run my own server if it was just my email

  583. Zash

    To have control over my own ifrastructure. To not have to wait for someone else to fix my problems.

  584. lovetox

    but whole family uses the same domain

  585. pep.

    Zash: sure I'm not saying that's why I do it, or the only reason

  586. lovetox

    they will not understand if it doesnt work because i fucked it up again ^^

  587. Zash

    My mom uses my email server. Most recent issue she had was some unexplained issue that I'm going to write off as "Android weirdness"

  588. Zash

    "It doesn't work" - I try, it works fine.

  589. Maranda

    Zash, that's not Android Weirdness, it's called "Mom Weirdness"

  590. Maranda

    It's common to every mom (mine too), with the exact same symptoms: "It doesn't work" - I arrive, try it works fine.

  591. Maranda

    :P

  592. pep.

    Not sure a CC from members to operators is great, they can't all reply otherwise

  593. pep.

    Well they can break remove members@ ~

  594. pep.

    I'll just go to sleep..