XSF Discussion - 2020-02-17

does someone want to double-check whether I’m right to say "fix your deployment" here: https://github.com/horazont/aioxmpp/issues/324 ?

Yes

I mean it would probably also work if he just sets localhost as a hostname

Not sure if and how aioxmpp supports that

the setup is weird

I think it’s truly remote, but still uses 127.0.0.1 as JID domain

told them before that that’s a bad idea

we had a very fun thread here already: https://github.com/horazont/aioxmpp/issues/322

I mean in any case your verifier isn't wrong

I wanted to say that their certificate isn’t for localhost, but for some real internet name

Though in Conversations it'll accept the hostname as well when you specify it somewhere

The important bit is that the user entered it somewhere

yeah

I could implement that, and I probably should at some point, but it’s a bit tricky (as outlined in my comment) because the way how you can override the hostname is also the way aioxmpp for example stores the SM recnonection point.

and that’s where the security implications of trusting the hostnames in that list become slightly more tricky

Yeah for a library you can also probably just have the user inject their own verifier

You need that anyway if you want to accept self signed certs

oh, they could do that, too. but that’s much crazier.

and easy to get wrong

so I hesitate to recommend that

Well given the scope of their crazy deployment...

hm, the hostname does indeed not resolve

I mean if it’s purely local, they can just set no_verify=True and call it a day

FWIW, for self-signed certs we have the Pinning verifier built-in. It allows for a callback to check the certificate; since that’s interactive it’s disabled by default.

Oh. It's a Cisco thing

Obviously

pubsub.127.0.0.1. I like it :-D

yeah…

About the inbox XEP on omemo file upload. They're planning on changing the initialisation vector.

I don’t know of an inbox XEP on OMEMO file upload

jonas’: https://github.com/xsf/xeps/blob/master/inbox/omemo-media-sharing.xml

This one probably?

Which is not changing the length of the Iv by the way

which is also irrelevant

because it was rejected

(irrelevant standards-wise, either way)

It's somewhat relevant because tons of people are using it

yeah

I mean maybe not for the xsf

but it’s not changing anything, it hasn’t been touched in a while

#SuperInbox

Everything is horrible

Welcome to software!

s/software/humanity/

Errare humanum est.

It's not though

, perseverare autem diabolicum. ✏

Is that the new for a new hot sauce?

It is the continuation of the saying, that translates as "but to persist (in error), is diabolical".

Make of that what you will.

ralphm: isn't there a rule against languages which are not English?

L.S. I'd make an exception for a bit of Latin now and then. I.e. languages like English, French, Dutch, etc. are full of Latin phrases. E.g. the one above.

There is also a certain kind of people who are full of Latin phrases.

medecins

Ge0rG: I'll use simpler words.

I need someone to remind me out-of-band that I need to reapply.

I totally missed the emails on members@, I’m going to set a calendar reminder, but I know I often unintentionally ignore/miss those, too

Oh, thanks

Daniel, too

Roadtrip‽

I'd be up for another roadtrip!

jonas’: do you consider xmpp as in band or out of band?