Ge0rG: Daniel: how about https://op-co.de/tmp/xep-0280.html#example-11
Daniel: The paragraph above that is also new?
Daniel: Yeah that's probably a good improvement
Ge0rG: Daniel: but you can't link to paragraphs
Ge0rG: and I didn't want to link to example 10
Daniel: Makes you question why that wasn't in there before
Ge0rG: Daniel: because XEP authors aren't security consultants
Daniel: Maybe we want to go so far and in the security section say in <strong> *This has been exploited several times*
Daniel: And link to the CVE
Daniel: Probably a separate PR
Ge0rG: it would mark my third PR for 0280 today.
Daniel: I mean it is absolutely ridiculous that this has struck so many times in three different iterations
Ge0rG: I suppose it is enough to have a negative example for "received", without one for "sent".
Ge0rG: Daniel: do you have the link to the initial incarnation?
Daniel: This predates my involvement in xmpp
jonas’: Ge0rG, a PR thing would be even better than an issue thing
Ge0rG: jonas’: yeah, but my work.
Licaon_Kter [cnvrs]: MattJ Any reason this room does not _warn the user that the discussions are logged_ ?
ralphm: As for RFCs, I suppose it could be in errata, but then again, who reads those.
Daniel: up until recently i didn’t even know they existed
Zash: Licaon_Kter [cnvrs] looks like it only sends the signal when archiving is enabled or disabled.
Zash: And also the semantic difference between archiving and logging.
pep.: Maybe you should have two messages? :P
Zash: Link is in the subject and I /think/ also in some room metadata.
pep.: Some clients don't really show subjects in a prominent place anymore :(
Licaon_Kter [cnvrs]: Zash Subject/Title aside, Converse.js shows them, but will also show _"groupchat logging is now enabled"_ as per https://xmpp.org/extensions/xep-0045.html#enter-logging so, is Prosody not honouring that?
Umm https://hg.prosody.im/trunk/file/tip/plugins/mod_muc_mam.lua#l99 maybe
pep.: he just answered you
Licaon_Kter [cnvrs]: I, obviously, did not understand a thing 🙂
pep.: "when [it] is enabled or disabled."
Zash: It is missing a thing for when you join
Licaon_Kter [cnvrs]: Ok, right...
Zash: Report issue. Patches especially appreciated 🙂
Zash: But the public logs are provided by a separate module. Should that one add the tag?
Zash: IIRC both of them should only let you get logs/archives if you could join the room and get them yourself
lovetox_: If the user is entering a room in which the discussions are logged to a public archive (often accessible via HTTP), the service SHOULD allow the user to enter the room but MUST also warn the user that the discussions are logged.
lovetox_: So Zash this explicitly mentions http based logs
lovetox_: i would argue it does not matter how the server logs, what counts is that it is publicly available, and the user should be warned about it
Licaon_Kter [cnvrs]: FYI, I only noticed this because ejabberd is announcing it every time Converse.js mysteriously dis/reconnects
Ge0rG: lovetox_: so it's also true for MAM
Daniel: btw i've requested a CVE. i was a bit unsure on the how given that dino technically had no releases yet; but let's see if it gets accepted
balu_der_baer: Daniel, Requested a CVE for which issue exactly?
Daniel: balu_der_baer, I put roster, carbons, and mam in one
Daniel: probably not worth creating different ones
Ge0rG: It would make sense to ask for one for Converse, though.
Daniel: balu_der_baer, i can credit you on the carbon one
pep.: Right. JC also just fixed an issue in converse
Ge0rG: Or is it just the 2017 one revamped?
pep.: It looks like it
Ge0rG: pep.: but it was fixed back then
pep.: In these clients
Daniel: was converse hit back then?
Ge0rG: pep.: converse was one of the clients, yes
balu_der_baer: I think the converse is the relevant one, given it is actually released software and not some "I compiled code from the internetz and it has bugz"
pep.: Isn't that the case for all software
Daniel: balu_der_baer, yes probably. dino is in debian and some other distros tho
Kev: I think dino has been released hasn't it? It's in Debian and stuff.
Daniel: and in fairly wide use
Ge0rG: pep.: I've heard that there is software that you need to type from a book
Kev: pep.: https://packages.debian.org/search?keywords=dino-im - different project?
pep.: But no release
Kev: Then it's been released.
Daniel: and that kids is why you don't make packages for git
pep.: look at the version string
Zash: Hey kids wanna get into a semantics discussion? What is a release?
Kev: I'm not saying that upstream say it's stable.
Kev: I'm saying that it has been released. I.e. it is available to users.
pep.: "It's in Debian so it's released!"
pep.: Ok let's leave the semantic discussions for later
Kev: Pretty much the definition of released is that it's available, yes.
pep.: Upstream hasn't cut a release yet, is all I'm saying.
pep.: Distributions do whatever they want with it
Daniel: it is probably worthwhile to get a CVE for. and it has already been requested
Daniel: so we don’t need to argue about it :-)
Kev: I understand that upstream may not have yet tagged a stable release. Just that that's largely irrelevant to users if they can apt install it.
pep.: So is it fine if I package it myself for my own use? Can I also say the software has been released? :)
Kev: I also understand that if someone uploaded it to Debian before upstream said it was ready for use, that sucks for upstream.
pep.: Or as long as it's published
Ge0rG: Kev: that sucks for debian
Daniel: it sucks for everyone
pep.: Ge0rG, you mean for Debian's users
Daniel: upstream. debian. the users
Ge0rG: Software releases are hard. Let's go shopping!
Ge0rG: almost wrote "shipping"
Daniel: am i seeing this correctly that converse has different mam/carbon parsing code for muc vs 1:1
Daniel: and it hit only muc because of that
balu_der_baer: I know that Dino developers tell people to not use Debian's "release" build but always use the latest nightly instead. And my guess is that those patches are caused by them preparing for a first real release
balu_der_baer: Daniel assessing Dino to be vulnerable to the MAM issue predates the commit time of the fix to Dino master by 5 minutes. Either they were super fast, Daniel told them before writing here or they actually knew before 🤔️
Ge0rG: A conspiracy within a conspiracy?
Daniel: balu_der_baer, we were in here talking about how it is most likely vuln
Daniel: but i was out for a midnight snack before i could be bothered to actually verify
pep.: They also have access to this muc :)
Daniel: and also if you have just before that fixed the roster and carbon issue the mam fix could easily be done in 5 min
Daniel: it's the exact same lines of code copy pasted
balu_der_baer: Is anyone filing a CVE for the stanza id bug in Prosody I discovered yesterday?
Daniel: is it prosody not filtering out?
Daniel: i didn’t catch you mentioning that
Daniel: so i'm guessing
Daniel: obvious bugs are obvious
Daniel: just get one yourself i guess?
balu_der_baer: I didn't mention any of the bugs, I left this task to you guys.
Daniel: did it not filter in general? or just under certain conditions
Daniel: well how would the stanza-id thing manifest itself?
Daniel: aside from MAM catchup being fucked
balu_der_baer: I guess as long as nobody tries to use them for anything, it won't...
Daniel: also there is code to do it…
balu_der_baer: I leave it to you or any other dev to find out when and why it doesn't work, I am not into Lua
Daniel: well i'm not yet sure the bug exists
balu_der_baer: How would one find out?
pep.: balu_der_baer, hint? around what time?
pep.: I could go through the logs..
balu_der_baer: This one maybe?
Daniel: this room doesn’t claim to do the cleaning
Daniel: as a client you are supposed to parse the sid only if the server announces that
pep.: I'm somewhat happy poezio didn't display the second message, "Or this one"
Daniel: so if you find a client that uses this for catchup (or anything) then you have your bug
balu_der_baer: When a message is archived, the server MUST add an stanza-id element as defined in Unique and Stable Stanza IDs (XEP-0359) to the message, which informs the recipient of where and under what ID the message is stored. When doing this the server MUST follow the business rules defined in XEP-0359.
pep.: That first message was cut in poezio.
pep.: Because of the <stanza-id /> :/
pep.: <message xml:lang="en" type="groupchat" to="email@example.com/poezio-C7iY" from="firstname.lastname@example.org/balu_der_baer" id="b23f6efec2cf4ac2ad23d7da18fb7367"><body>When a message is archived, the server MUST add an <stanza-id /> element as defined in Unique and Stable Stanza IDs (XEP-0359)  to the message, which informs the recipient of where and under what ID the message is stored. When doing this the server MUST follow the business rules defined in XEP-0359.</body><stanza-id xmlns="urn:xmpp:sid:0" by="email@example.com" id="2019-09-11-e360996b290c9aae" /><origin-id xmlns="urn:xmpp:sid:0" id="b23f6efec2cf4ac2ad23d7da18fb7367" /></message>
balu_der_baer: I admit, it's funny to see how different clients screw up different things. None of them seems to be really solid about anything so far.
jonas’: le fuck wat
jonas’: balu_der_baer, which client is that?
pep.: version string says Movim 0.15
jonas’: report an issue against movibm
Zash: There's the @by. This server needs some upgrades, but that part looks correct?
balu_der_baer: jonas, openssl s_client
jonas’: report an issue against movim
balu_der_baer: Was using Gajim before, but its XML console does too many sanity checks for doing such evil things
pep.: Maybe poezio's /rawxml doesn't :-°
jonas’: I’ll just leave now
Daniel: how is <body>foo <bar/> something</body> supposed to render?
Kev: It's not, because that's illegal.
Daniel: not render the entire message?
Kev: The server is allowed to bounce it, even. But if it gets through to a client, anything's fair game, I think.
flow: that's what I would do, and as server close the client session (of course configurable, so that if you really want to support broken clients)
balu_der_baer: The body element MUST NOT contain mixed content (as defined in Section 3.2.2 of [XML]).
flow: balu_der_baer, IIRC this is not even mixed content
Kev: flow: It's not?
flow: maybe it is
Kev: If it's not then my understanding of mixed content is off.
flow: I just thought that mixed content is text content + element
flow: and not text content + element + text content
balu_der_baer: An element type has mixed content when elements of that type may contain character data, optionally interspersed with child elements.
flow: luckily there is a reference where I can look this up and refresh my memory
flow: or I let balu_der_baer do the work ;)
MattJ: afaik mixed just means multiple types are used (both element and text nodes), it doesn't mean a specific order or number of nodes
Kev: That's certainly how the XMPP specs have used the term, yes.
flow: yep, convinced, and we don't do that in xmpp
Daniel: i mean cutting your own c2s when your server sends you this is probably not ideal
flow: nobody suggested this
Daniel: no. i was just thinking out loud if i need to do something different in Conversations
Kev: Daniel: No, especially as servers are allowed to send you crap. But I don't think we're suggesting that.
balu_der_baer: Daniel, You need to fix the <body xmlns="broken"> thing
Daniel: balu_der_baer, already made a note
pep.: I also opened issues in poezio.
pep.: Though that's probably in slixmpp
flow: background? implementations do not consider the namespace of body elements?
larma: I have the feeling it's super productive if random people just push random stanzas in xsf@ 😉
pep.: let's do that more often
Ge0rG: > None of them seems to be really solid about anything so far.
Nobody has complained about yaxim so far. But don't even try to put different xml:langs into the game ;)
MattJ: An ancient one is simply putting in multiple <body> (same namespace and xml:lang)
MattJ: Some clients would render the first, some the last
Ge0rG: yeah, having multiple elements with the same name in any kind of hashmap is a well known security issue
balu_der_baer: ⚠ Your client renders a first body when it shouldn't
MattJ: What should it render?
balu_der_baer: Nothing, it's an invalid message
mathieui: I think a few clients have a history of trying to fix received namespaces to work around very old bugs
pep.: Why do we try to keep compat with broken stuff? :(
pep.: Then in turn we end up broken
flow: pep., some do, some avoid workarounds for broken implementations
Kev: You don't have a lot of choice dealing with broken stuff.
pep.: I wish we'd do that as a collective effort to push broken stuff away
Kev: At least not in an open ecosystem.
flow: I am in the latter camp FWIW
pep.: I also am
Kev: You might not try to 'fix up' the broken content, but you have to deal with it.
flow: Kev, I don't think this is true.
pep.: Kev, you do, you can just ignore them
Kev: pep.: Which is dealing with it.
pep.: Yes, while some others try to keep compat
MattJ: When we began Prosody, many of the other servers were "broken" in various ways... nobody would have used Prosody if we hadn't added workarounds for them
flow: Kev, sounded more like you meant that we don't have a choice besides adding workarounds into our code
Kev: flow: Yes, that's right.
MattJ: Not being able to s2s to 99% of the existing network was not an option :)
pep.: MattJ, now that you're a bit more notorious, here's your time :)
Kev: Like when ejabberd's PEP module sent tonnes of spurious messages, and if you wanted to avoid annoying your users you had to do something about them.
MattJ: Right, I'm just pointing out that you can't just make that your blanket stance towards issues like this
Kev: (ignore them, in fact, but it took code to ignore them)
Ge0rG: Is there consensus that a client MUST NOT render any bodies from a message that contains multiple bodies?
Ge0rG: (assuming equal xml:lang)
Kev: Ge0rG: You mean multiple bodies in the stream namespace, without distinguishing xml:lang, which might itself come from the stream?
flow: MattJ, true, it is always a per case decision, but too often that decision is "just add a workaround"
MattJ: In Prosody our policy is to avoid workarounds, and if that's not feasible then we add the workaround with a 'COMPAT' comment that explains when it was added and why (referencing bug reports, etc.)
Zash: pep.: Right when we're a bit behind on compliance features in core? Are you working for P1? ;)
Kev: In which case, no, I don't think there's anything in 612 that suggests a client would have to do that.
MattJ: and then we periodically review these and remove old ones that are no longer needed (as much?)
Ge0rG: Kev: I'm pretty sure it's illegal, and the question arises which of the bodies will end up rendered
Ge0rG: With a dozen actively used XMPP implementations, and a tail distribution of less widely used ones, how am I supposed to know that blocking "invalid" messages won't break the interop with some of them?
MattJ: It probably will
MattJ: But if everyone agreed to be strict, that tail would soon be fixed (or rightly let die)
flow: The question is if the outcome is better than being liberal in what to accept
MattJ: And not everyone has to agree to be strict, just the dominant players
pep.: Just like when people went TLS
MattJ: Prosody fixed many client bugs by being more strict in what it accepted than any of the existing servers
pep.: Except dominant players didn't.. at the time
MattJ: and we don't even go very far
Ge0rG: MattJ: but I don't have any leverage on those implementations. And people will blame me for the bugs
MattJ: I feel your pain, many of us have experienced that
MattJ: and as I said, we have put in (clearly marked) workarounds for things like that
lovetox_: what is the problem about body with different namespace? so what, i don't check the namespace of body if i don't have to, this is certainly no security issue
pep.: Ge0rG, or on deployments..
MattJ: while simultaneously trying to get it fixed
pep.: lovetox_, I can include a message that only gajim users will see and not others
lovetox_: yeah and? it's a feature i would say
flow: lovetox_, I am not sure if I can't be exploited somehow. The main problem is that implementations treat an element as body when it is not
MattJ: lovetox_, it's a potential human security issue - if people disagree on what to render for a message, the logs will be showing one thing, clients will be showing another
flow: But I can only come up with very constructed scenarios how this could cause a security issue
MattJ: despite it being a pretty poor messaging application that can't agree on how to render a text message :)
flow: Like a bot which accepts commands via <body/> and a screening service checking that the commands in <body/> are safe
MattJ: XSF board meeting logs could all be faked by board members, and someone will put <body>+1</body><body>-1</body> to make people think they voted one way on a contentious issue, but the chair would see them voting a different way
MattJ: Consistency is good, inconsistency is bad
MattJ: Consistency in a distributed open network isn't always easy
MattJ: But if we at least specify the right way to do things, that's a great start
MattJ: Right now nobody can even claim any particular client is buggy, because there is no correct decision about what to render (which may include nothing)
MattJ: (or an error)
MattJ: I'll note that even excluding potentially-illegal <body> constructs, this issue will still exist for multiple <body> with different xml:lang (I can show different versions of the same message to different languages, they don't have to say the same thing)
MattJ: But at least in that case a client could indicate to the user that other versions of the message exist, and allow them to view them
Daniel: Mhh I now have uncommitted code that skips messages with body of the same language. Not really sure if I should commit that. I mean it's definitely illegal. And it probably won't happen by accident
Ge0rG: flow: do I need to pull a CVE number for Smack delivering the first of multiple equally xml-langed bodies?
Daniel: Ge0rG: is that a security issue?
Ge0rG: Daniel: what MattJ wrote. <body>+1</body><body>-1</body>
Ge0rG: Daniel: if there is only one implementation rendering the _last_ body from that list, it is a security issue
jonas’: Ge0rG, what else are you supposed to do?
Kev: That's a user confusion/unreliability issue. I'm not convinced it's a security issue.
jonas’: aioxmpp will take one, which one is officially undefined (but it will be the last one in the stanza)
Ge0rG: jonas’: tear down s2s!
jonas’: Ge0rG, seriously though. what should I do as a client library?
jonas’: send back an error?
jonas’: I see how this is a problem, I just don’t know the correct course of action
Ge0rG: jonas’: me neither
Daniel: that will get you kicked from the muc lol
flow: and presence leak
MattJ: Kev, I'm surprised that in the environments you're involved in, you don't see user confusion as a security (or safety) issue
Daniel: jonas’, i just opted for ignoring it
Daniel: will happen infrequently enough to not be a real issue
MattJ: Especially if you add enforcement or auditing tools to the mix, which might disagree about which <body> to use/allow
Ge0rG: MattJ: maybe because it's scoped to the sending user.
jonas’: flow, uh--- that’s an interesting one, I think you can make aioxmpp auto-reply to a message if you violate the schema hard enough
Ge0rG: If somebody wants to play mind tricks with you, the impact is limited to what you'd believe them
flow: jonas’, take the stanzas out of the stream, send an error back if the sending entity is subscribed to your presence and log an error
pep.: Why has it been specified that a MUC should kick us on message @type=error btw?
jonas’: Daniel, so you drop the entire stanza if there is more than one <body/> with same-language?
Daniel: because if your session dies?
jonas’: flow, yeah, no, the part which sends errors back wouldn’t know about that type of stuff
pep.: Ge0rG, am I onto something?
flow: jonas’, I never said it is easy ;)
Daniel: jonas’, i mean no; i return the body as null. it might run through other paths
Ge0rG: pep.: I was going to elaborate, but Daniel came first
jonas’: for all languages or only for the buggy one, Daniel?
pep.: if my session dies?
Daniel: good question 🙂 no for all messages
flow: jonas’, remember when we talked about providing a callback to the user which informs him what exactly went where wrong in the incoming processing chain?
Ge0rG: pep.: yes, the MUC needs to kick you out if your client silently disconnected
jonas’: flow, exists, but that is not an error condition yet
pep.: But what if my client doesn't silently disconnect and I'm just trying to point out errors to others
jonas’: and I’m not sure what type of error condition it should be
Ge0rG: pep.: send a PM
Ge0rG: pep.: yes, those won't get you kicked IIRC
Ge0rG: I have no idea how clients will behave ;)
jonas’: Ge0rG, so auto-reply wouldn’t get me kicked either since that would go to the full JID
pep.: I guess this + ignoring a message should be good
jonas’: Ge0rG, so auto-reply from the library wouldn’t get me kicked either since that would go to the full JID
Ge0rG: pep.: presence leak
pep.: Can you stop finding issues
Ge0rG: So can we now decide whether it's a security issue or not?
Ge0rG: life would be boring otherwise. Also, blame balu_der_baer
pep.: But that's probably going in the logs anyway and not actually visible by the user.
Daniel: I'll "fix it" in that i will ignore it in the future but i won't rush out another release
pep.: I would like it if a client would tell me "There is an error" (and aggregate them) "please report that to the dev"
Ge0rG: Daniel: can you rush out releases again? Or is Play store still imposing multi-day delays?
Daniel: yes i could
Daniel: was meaning to tweet that
Daniel: i fixed the PS issue
Daniel: but i was doing so much tweeting lately
Ge0rG: My other app is broken on Android 10 because Google finally removed the deprecated Apache HttpClient library which is used by... the Google Maps v1 library.
Ge0rG: Daniel: as much as @xmpp?
Daniel: not as annoying as @xmpp
Daniel: my tweets are super high quality
Ge0rG: I've been struggling to convey this message to the person responsible, for some days now.
jonas’: doesn’t someone else have access to that account and can single-handedly change the password?
pep.: I think we'd rather fix this socially
Ge0rG: jonas’: nobody knows who that "someone else" is
Daniel: access yes. can’t change the pw though
Ge0rG: pep.: full agreement here.
Kev: Which account what where?
Daniel: i mean sometimes i do tweet on @xmpp. but when i do it's only the best tweets
Ge0rG: Maybe I should just stop trying though, I'm probably the least empathetic person to attempt it
pep.: Daniel, of course
jonas’: Ge0rG, Daniel, actually I think we just need to agree on *which* of the multiple bodies to show and it’s a non-issue, right?
Kev: Is that the XSF's one? I thought I had credentials for the XSF Twitter (although 1password is failing me)
Daniel: well rfc says it's illegal. so just dropping it is easier?
Kev: I wonder why I don't currently have it.
Ge0rG: Daniel: I'm sure some clients/bots will end up sending a default body and one in an explicit language, and the explicit language accidentally being the default one
flow: jonas’, coming up with a selection algorithm could be hard
Daniel: so we know it's not Kev who's doing the annoying tweets…
flow: jonas’, first in XML?
Ge0rG: LinkedHashMap to the rescue!
flow: jonas’, what if "first" is different per recipient
jonas’: flow, how is that supposed to happen?
flow: nothing guarantees that the order of the elements is stable when a stanza passes a hop
jonas’: flow, the order of elements with the same namespace-uri/local-name pair?
jonas’: I think we’d be in trouble already if that was violated.
flow: especially the order of those elements yes
Kev: Hmm. Looks like my tweetdeck doesn't have it either. I'm finding this very confusing.
pep.: > Ge0rG> Daniel: I'm sure some clients/bots will end up sending a default body and one in an explicit language, and the explicit language accidentally being the default one
Let's agree to fix these bots?
flow: jonas’, like where?
jonas’: flow, [thinking ...]
Ge0rG: Kev: escalate to the A-team?
jonas’: it’s not strictly required there, but would be a major UX pain if the elements were reordered there
flow: are child elements of <x/>
flow: I am talking just about first level child elements of stanzas
jonas’: flow, oh, you’re only talking direct children of the stanza?
jonas’: why would that follow different rules?
flow: well mostly, for forms the order is actually important
flow: for first level stanza children it is usually not
Kev: Right. I have control of @xmpp.
Kev: Awaiting further orders :)
jonas’: change the password until someone has found the person spamming newsletter ads on it ;)
flow: I believe it to be at least unspecified that it has to be stable when processing a stanza, and while most implementations may keep the order, we should not depend on unspecified behavior
Kev: Changing the password won't help, people are granted access via tweetdeck.
Kev: I mean, unless it's genuinely compromised.
pep.: Kev, you can probably access analytics though? I think that came up yesterday in commteam@
jonas’: looks more like "well meant but went too far"
Ge0rG: jonas’: I know who that person is
pep.: And they're not hiding it either
Kev: If someone from Board tells me to, I'll strip access down in tweetdeck.
Daniel: i think it has stopped anyway
pep.: Daniel, no it hasn't, it won't, read commteam@ :)
Ge0rG: Kev: yeah, can you check analytics for the number of new followers vs. gone followers since September 3rd?
Kev: No clue, can I?
Ge0rG: regarding the twitter activity, there was some wiki activity: https://wiki.xmpp.org/web/index.php?title=Special:RecentChanges&days=1&from=
Ge0rG: Kev: it was said to be on https://analytics.twitter.com
Kev: I do not believe I can get past stats on follower counts.
Kev: 28 day summary sees tweet count up, impressions up, mentions up, profile visits down 17%, followers I think stable, unless I'm misreading, or unless it's not giving the info.
Ge0rG: In that case, it looks like the spam strategy is working out
Daniel: assuming these are good metrics…
Kev: I can only report what's in front of me.
ralphm: For clarity, as discussed in commteam@, those news letter tweets were sent by nyco. Some of the conversation might have been a bit harsh on him, as he is just trying to help.
Ge0rG: I'm very sorry that I hit the wrong notes in trying to talk to him :(
ralphm: To be honest, I was the one raising the issue in that room, and here before that, but I think we can take a lesson in seeing things from other perspectives, as well as trying out things.
ralphm: In the meanwhile, should you have interesting stuff that could be (re-)tweeted from @xmpp, do let them know.
Kev: I don't think I've (deliberately, at least) passed any judgement other than offering to do what I'm told.
ralphm: Scheduled tweets interspersed with other stuff would already be a lot better.
ralphm: Kev: not calling anyone out specifically. And not even just on this topic.
Kev: Ah, my stats were September.
Daniel: yes. we actually have a lot of things going on in the community to increase # of tweets w/o repeating ourselves
ralphm: I assume everyone tries their best.
Kev: So for August we lost followers, and for July we gained (more) followers.
Kev: In fact, as far back as we've got stats, August is the only time we've lost followers rather than gaining.
Daniel: also 'we' probably react more sensitively to obvious advertisement than a regular person would
Ge0rG: Daniel: or without uttering things that look like cheap SEO
Kev: I'm back in 2017, and we've gained double-digits of followers each month, other than losing them in August.
Kev: I'm going to stop looking at stats now.
jonas’: how about re-tweeting https://twitter.com/iNPUTmice/status/1171678611897835520 ?
Ge0rG: jonas’: it lacks hashtags
Daniel: i literally loled
Ge0rG: speaking of high-quality content
Daniel: jonas’, fwiw i usually RT my own tweets with xmpp if i consider them neutral and quality enough
Daniel: good morning you should update dino did not make my own quality standards
jonas’: I like it actually
ralphm: Had Daniel mentioned that you should because of security issues, I would have retweeted it right away.
jonas’: that’s not to diminish dino, but it’s the kind of near-sarcastic security black humor I’m into
Daniel: to my defense I did write that before i had coffee
jonas’: that’s not to diminish dino, but it’s the kind of near-sarcastic security black humor I’m into w.r.t. announcements
ralphm: Noted. Daniel: don't 🐦 before ☕
pep.: Well on that note, you should also update converse. Maybe we can have a tweet with all of them.
pep.: And then retweet! When we get CVEs assigned
pep.: All PR is good PR right
jonas’: FTR, Docker Hub is an awful thing
jonas’: > Created 44 minutes ago
> Queue time 1 minute
> Duration 0 min
jonas’: > Logs are not available yet
jonas’: what kind of infrastructure is this?
Kev: A free one?
mathieui: A terrible one
pep.: Ge0rG, re MUC & errors / presence leak, a client could theoretically (not saying I'm going to do it) buffer these error messages going out, and only send them when the user sends chatstates or messages in the MUC.
pep.: What about chat markers btw, are they also used in MUC? receipts are, this I know. Isn't that a good enough presence leak already?
ralphm: Why would you send errors after a while? A server is likely not going to have anything it wants to do at that point?
pep.: Sending error to the participant jid, in hope that that gets logged by the clients and there's some kind of hint displayed to the user to actually contact devs. (Yes I'm pretty hopeful)
pep.: By that time the user could be gone for sure
pep.: Surelike they could be gone when I connect and fetch messages
pep.: Just like they could be gone when I connect and fetch messages
ralphm: Correlation is not fun with random long delays, maybe.
pep.: But then people shout "presence leak"
Daniel: what is a presence leak?
Daniel: i previously thought of it as a resource leak
pep.: Daniel, you connect, your client fetches archive from MUC, finds an error and attempts to send that to the participant jid responsible for it. You're then effectively telling them you just came online
pep.: (or that you're somehow available)
Daniel: in a group chat?
ralphm: Is presence leak really a thing for MUC (as opposed to MIX)?
Daniel: didn’t you just do the same by joining?
pep.: I wasn't the one to shout "presence leak"!
pep.: But yeah, I actually agree. let me dismiss that issue then
pep.: Maybe combined with MSN? One of your clients didn't notice, the other connects and you send these errors. But then oh well
ralphm: Now, in theory, for MIX this is a bit different. There, sending presence can be optional.
ralphm: But then you might have markers or somesuch.
pep.: It's fine I'm not concerned about MIX for now, poezio doesn't have an implementation :)
ralphm: This is the XSF channel though, and not jdev 🤣
pep.: So you can do MIX PR just fine? :P
jonas’: Kev, (moving this from council@), but what stops me from sending you a random type=error (think spam)?
jonas’: if you make swift show a popup and interrupt the user, that’s bad design IMO
flow: Daniel> i previously thought of it as a resource leak
It is the same, but "presence leak" is the term rfc6120 uses
ralphm: I guess that also dismisses most of the recent discussions on Unicode and security issues in implementations. 😃
Daniel: yes. but by that definition sending chat markers does not leak your resource
Daniel: chat markers leak that you are present
Daniel: but that's not what the term means
Daniel: (at least that's what i've thought)
Kev: jonas’: I never said anything about popups (Swift policy is to never trigger popups from protocol).
Kev: But if you start receiving errors from someone, it'll tell you in the chat log with that person.
jonas’: Kev, that, I think, is fine
jonas’: even with CC-all-the-errors
jonas’: it shows that something you did on your phone went wrong and that you might want to pay attention (essentially)
Kev: But not if it's bare-JID errors.
flow: > Daniel> chat markers leak that you are present
Depends on the situation i'd say. Clients should usually not send stanzas to other clients that are otherwise unable to determine if you are online, that's what I'd call a "presence leak".
lovetox: i don't understand the benefit of the token XEP
lovetox: it says something about that the password can be stolen
jonas’: lovetox, maybe on-list?
lovetox: but a token is the same, if it's stolen, i can change the account password
jonas’: I haven’t read it yet and I have to go AFK now
lovetox: at least it's nice that the xep gives the user some knowledge about what devices have access to the account
Daniel: You could simply not allow that
lovetox: you mean the server?
lovetox: so how would then someone change his password
Ge0rG: tokens are opaque and properly randomized; also they are not often stored on a stick-it note ;)
Ge0rG: there is also very much value in one-time tokens to on-board a new device to your account
Ge0rG: without having a password in a URL or QR code
lovetox: but this is not about one-time tokens, so why are you mentioning it?
lovetox: because it's also a "token"?
lovetox: it's basically a password replacement that has absolutely the same properties, full access to the account
lovetox: so as i said i think it adds value because you know what devices are in use, it does not really provide any additional security
Zash: Hm? Per-device passwords?
Daniel: Per device passwords
lovetox: and it was always weird for me that the register xep does not have an option where the server can demand your current password
Zash: You somehow logged into the account
Daniel: I mean per device passwords is not necessarily a bad thing. I don't know if the xep is a good implementation of that
Daniel: I haven't read it yet
Daniel: But I wouldn't dismiss per device passwords on principle
Zash: I wonder if you can hijack the authzid for something like that
lovetox: i didn't dismiss it Daniel if you got that from what i said
lovetox: the XEP talks a bit about security
lovetox: so that's what i questioned
lovetox: it's definitely nice to know what devices are connected and being able to remotely log them off and revoke them
Daniel: > it's definitely nice to know what devices are connected and being able to remotely log them off and revoke them
Ge0rG: I wouldn't be opposed to tokens that have limited permissions behind, like not being allowed to change the password or to issue further tokens; also a limit to one connection per token
Link Mauve: lovetox, in SASL EXTERNAL with client certs (XEP-0257 IIRC), it is said that if the user tries to change their password, they should get an error and then asked for the previous password first.
Ge0rG: Yes, with a data form
Link Mauve: In the non-error part of an error iq. ;_;
Daniel: > Yes, with a data form
Data forms are definitely in the top five of my favorite forms
larma: I think auth tokens could be reusing RFC7628 and in general be more OAuth compatible