XSF Discussion - 2018-05-07

hello everyone

I've implemented xep-0153 this weekend, quite simple, I was wondering what is the recommended XEP for handling avatars (with xep-0084) ?

XEP-0084 is preferred, but XEP-0153 required for backward compatibility and MUCs

okay

Publish your own with pep, provide read access for vCard avatars and let your server do the conversion

daniel, what do you mean with "provide read access"

how would i do this from a client

lovetox, if you don’t find an avatar in PEP, try vcard transparently

ah, only read support, i get it

i do it the other way around, read/write vcard, only read for 0084 (for servers that dont support conversion

I mean technically you don't _try_ because both are pushed to you. Either via pep or via hash in vCard

So you pretty much know ahead

But yes

I don’t think we rely on pep notifications to work

we use it to build a local cache, but when asked for an avatar && we haven’t seen a pep notification, we’ll still try

I wouldn't consider it good practice to fire 300 avatar request on launch

I rather rely on pep

Which is kinda working OK most of the time

displaying a avatar is not so critical that i would start requesting it

different story with a omemo key for example 🙂

daniel, avatars aren’t requested until in-view, so there’s some time for pep to fill the gaps

When is the next gdpr event again. If it was today I'm sorry I'm sick in bed. I don't know about tomorrow..

pep.: next is tomorrow, 12:30 CEST

gdpr event?

*GDPR Party

General Data Protection Rave

SaltyBones, there have been a series of meetings discussing the impact of GDPR on XMPP operators

Groovy Drunken Party Rave

oh cool

that's a great idea I hope the results are documented somewhere? :D

They are

https://wiki.xmpp.org/web/GDPR

<3

so that page says "The GDPR is applicable to anyone offering services from EU, or to EU citizens, paid or non-paid and to anyone explicitly targeting EU inhabitants. "

which directly contradicts https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en

which says "Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR."

right?

cc pep. jonasw winfried ^

The first link on https://xmpp.org/about/xsf/jabber-trademark/whats-required.html ("actual license language") is dead, FWIW.

RIP

but as far as anyone knows right now, there is no actual document from cisco granting that, at least last time I talked to peter he said he would look for it

moparisthebest: So the last sentence on https://xmpp.org/about/xsf/jabber-trademark/background is wrong?

A lot of links are dead since the XMPP.org server crash

Wasn't there a giant issue collecting them all?

Holger, so if you read it, it was a trial agreement for 12 months, at which time they would make another agreement

that other agreement either 1) never happened or 2) no one knows where it is

peter said he would look for it, I haven't followed up

oh right, and after the 12 months JINC was supposed to transfer the trademark to the JSF, which obviously never happened, right?

moparisthebest: Can't find any of this in https://xmpp.org/docs/Trademark_License_Agreement.pdf but whatever.

Holger, https://xmpp.org/docs/Trademark_Enforcement_Agreement.pdf section 3. Term and Termination

So the Enforcement Agreement supersedes the License Agreement?

it came after?

It's not about a different topic (using the trademark vs. administering it)?

I'm not a lawyer, it's just clear https://xmpp.org/docs/Trademark_Enforcement_Agreement.pdf is no longer in effect right?

Maybe, but I thought you were saying nothing is in effect.

I don't know, it all seems very questionable though

I'd kind of wager no one currently at cisco knows anything about it

Legal stuff always feels fragile to me.

It is

It's code that runs on PEOPLE

I feel like the XSF should probably look into it and answer these questions before handing out any more sublicenses or recommending using the term

is there an official way to pester the board about this? :)

Haxxor the Trello?

hmm seems easier to just crash the next board meeting

if I happen to be lurking at the same time

Holger, it says it 'conteplates the grant to the JSF by JINC of a perpetual royalty-free license to use the jabber trademark'

and it's no longer in effect

seems to me unless there is another agreement the JSF lost that license after a year?

again who knows, I'm a programmer, meh

OH wait I think I get it

https://xmpp.org/docs/Trademark_License_Agreement.pdf allows the JSF to *use* the trademark, it explicitly says it is NOT allowed to sublicense it

then https://xmpp.org/docs/Trademark_Enforcement_Agreement.pdf allows sublicensing for a trial period of 12 months

is that right?

moparisthebest: IIRC that trial is automatically converted into a full license after the year

Ge0rG, where does it say that?

Upon termination of this Agreement other than in connection with the transfer of the ownership of the mark to the JSF, JINC shall again become soley responsible for administration of the mark.

that's section 3 of https://xmpp.org/docs/Trademark_Enforcement_Agreement.pdf

so I think we can all agree the ownership did not transfer right?

moparisthebest: I've read through all of these documents last year, and I wanted to make the sub license process easier. I failed on stpeter

which I think means that agreement is no longer in effect

moparisthebest: but my reading is that the xsf is actually legally allowed to sublicense

as I read it, XSF has no right at all to sub license, after May 2nd, 2004

where Ge0rG ? not saying you are wrong, just that I don't see that part

moparisthebest: stpeter will know

we talked about it in here, he said he'd look for the next agreement

but in the meantime, handing out sublicenses based on "we think someone has the contract in a filing cabinet" is pretty shaky

moparisthebest: that's a Board topic. I tried it multiple times and failed, but with different questions

moparisthebest: old question, three ways you can be subject to the GDPR: 1) you are EU based 2) you target EU citizens 3) you collect on a large scale (millions) data on EU citizens

Ge0rG for board?!

winfried, so the xmpp wiki is wrong, you aren't subject if you provide services to EU citizens as long as you aren't specifically targetting them?

that would be good to correct, as then it wouldn't affect basically any xmpp servers outside EU

Ge0rG, I agree with you re: board topic, maybe an email to members@ would get it on their radar? idk

moparisthebest: if you aren't targeting them and AND you don't collect on a large scale data on them, then it wouldn't affect you. Thanks for pointing out the issue with the wiki!

that's great news for small friends+family xmpp servers

If it's a small friends+family server it doesn't matter anyways unless you think your friends or family are likely to file a complaint about your handling of their data.

well I've given random xmpp devs accounts to test stuff

I don't really want to even consider GDPR there, turns out I don't have to, which is good

You probably don't either way unless you're worried that they'll ask you to delete your data, you'll say no, and then they'll report you.

SamWhited: personal use is not subject to the GDPR, and the GDPR is *way* more relaxed to small scale data processing. If your name is Google, Facebook or Palantir, you should worry.

Right, but not if you're hosting a server for friends and family and a few random devs.

SamWhited: exactly

SamWhited: family and friends are exempt, unless you take money