arnaudj I'm writing the newsletter currently, will ping you once I'm done, if you'd like to translate
arnaudj
hi jc !
arnaudj
thank you for pinging me!
jc
Sure! 🙂
arnaudj
what is the estimated date of publication?
jc
Today, this afternoon
jc
We always publish on the last Friday of the month
jc
"always" being interpreted loosely
arnaudj
OK :-)
jc
Sorry that you don't get much time
jc
Ideally we should write the newsletter throughout the month
arnaudj
no problem
jc
That would also make it easier for you and require less crunch time at the end of the month
jc
but so far I haven't been able to get into the habit of doing it like that
jc
By nature I procrastinate until the last minute
SouL
What I wanted to add to this newsletter
SouL
was to mention the section of translated newsletters
SouL
I also wanted to translate some, so we would have more content
SouL
apart from French
arnaudj
I've added a reminder in my calendar, to put some time aside every last Friday
jc
cool
jc
Would you guys describe Movim as an XMPP client?
jc
Or should it be mentioned under "Other software"? 🙂
jc
I'm adding this month's releases
vanitasvitae has left
vanitasvitae has joined
vanitasvitae has left
vanitasvitae has joined
arnaudj
jc: I asked edhelas
jc
tx
jc
This has been a good month, lots of stuff happening
arnaudj
he said "other" is perhaps the best choice
arnaudj
since it's a bit more than a client
jc
ok thanks, I thought so
jc
arnaudj, SouL: Here's the latest newsletter https://github.com/xsf/xmpp.org/blob/newsletter-2018-11-30/content/posts/newsletter/2018-11-30.md
jc
I would appreciate a proofread. I'll take a break and then read it again myself
SouL
THe Monal..
SouL
Just that capital H
MattJ
jc, the link in the Monal part to "empty state screens" appears to have the incorrect URL
MattJ
It links to feeds.opkode and prompts for auth
jc
Thanks SouL and MattJ. Fixed
SouL
Sorry for not proofreading better, I'm in a meeting I can't escape :(
jc
no problem
arnaudj has left
jc
Guus is worried about this section: https://github.com/xsf/xmpp.org/pull/484/files#diff-45ce3b70f855ee8884f189d7b4742fa6R28
jc
That it might look like XMPP is insecure, even though their server might have been hacked in all kinds of ways unrelated to XMPP
jc
Any suggestions on how to change the wording?
jc
I personally think it's kind of OK the way it is
vanitasvitae
jc: are you sure iron chat is a conversations fork?
vanitasvitae
It doesn't look like that at all
jc
I read it on Twitter
jc
I can remove that part
MattJ
jc, the problem was users not verifying fingerprints, at the end of the day
jc
MattJ: Yes, that's mentioned in the paragraph
jc
That and the fact that their server (the OS) was somehow compromised
MattJ
Every end-to-end encryption method is vulnerable to this (you need to identify the other end somehow)
MattJ
No, I don't think that covers it
arnaudj
I read the newsletter and did not find any error
MattJ
OTR and OMEMO are precisely valuable because they can remain secure in the event of server compromise
jc
In theory 🙂
vanitasvitae
Wasn't there an essay by a GCHQ guy recently who proposed to make MITM the new standard way of intercepting comms?
jc
But as was shown here... users don't verify so they get compromised
MattJ
jc, in practice, if users verify fingerprints
jc
I think the fact that the server was compromised is relevant though
jc
Because it's a necessary (but not sufficient) first step
MattJ
In practice, they don't. And I think this is the point that should be called out in the newsletter, the server compromise is not the weak point
jc
Ok but did you read the paragraph? I do mention that they didn't verify
MattJ
As far as preventing any perception that XMPP is insecure
jc
I can update it further
jc
I'm being called for lunch now though 🙂
MattJ
Oh, I didn't see that when I read it earlier
MattJ
I'll work on an alternative proposal for that paragraph
MattJ
Another source online says IronChat was based on Xabber
MattJ
iirc the Xabber author confirmed this in xsf@
vanitasvitae has left
vanitasvitae has joined
pep.
"jc> I think the fact that the server was compromised is relevant though" < I think it's very important to specify that, if this gets in the newsletter. Not verifying fingerprints is one thing and we know users don't care anyway but still want e2ee [blah blah], but if the server wasn't maintained by an $evil party in the first place, they would have had to break TLS. (or use the law)
pep.
As I understand it, the police (or government entity) controlled the server, right?