XSF Communications Team - 2023-02-04


  1. lbocquet

    Hi all, there is a problem, impossible to edit the new pad: https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung

  2. pep.

    I think it's on purpose for this link

  3. pep.

    What's the issue

  4. lbocquet

    On https://yopad.eu/p/xmpp-newsletter-365days -> https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung Here: "<emus> We have a new online pad, please only use the new one from now :-) https://pad.nixnet.services/oHnY_ZvLT8SoFyCqlC2ung" But it is locked by xsfcommteam.

  5. pep.

    And is there anything you want to correct? What's the issue with it?

  6. lbocquet

    It is locked by xsfcommteam, we can not edit.

  7. pep.

    What do you want to edit?

  8. emus

    ouh, maybe i put the published link

  9. emus

    lbocquet: thx

  10. emus

    https://jabbers.one:5281/upload/gMg4IrRrw_c324umaxy4qTTN/20230204_121616948_80f3..jpg

  11. emus

    have you tried selecting the pencil?

  12. nicola

    I see the file content here https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung

  13. emus

    have you tried selecting the pencil?

  14. emus

    lbocquet:

  15. nicola

    Indeed, although I click on the pencil, I cannot write because the file results locked

  16. nicola

    https://share.nicfab.chat/upload/StiHsGUC45IS1cZ0yc81rhw4/sshot_2023-02-04_12.21.57.jpg

  17. lbocquet

    I understand, we must click on "Publish" https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung/publish to open a new window and after click on the pen to edit...

  18. nicola

    > I understand, we must click on "Publish" https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung/publish to open a new window and after click on the pen to edit...

    It doesn’t work

  19. lbocquet

    I understand, on https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung, we must click on "Publish" https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung/publish to open a new window and after click on the pen to edit...

  20. emus

    I will check in a few minutes when I arrive at fosdem

  21. ralphm

    Hi

  22. emus

    Hello

  23. pep.

    https://indieweb.social/@joinjabber/109807298904396408 < https://joinjabber.org overhaul !

  24. Licaon_Kter

    pep.: nice design, but at migrate.modernxmpp.org runs in your browser, right MattJ? So _"Please be aware that it currently requires your user-credentials to function, so giving those to an external service might be problematic for you."_ is FUD

  25. Licaon_Kter

    pep.: nice design, but at migrate.modernxmpp.org runs in your browser, right MattJ? So _"Please be aware that it currently requires your user-credentials to function, so giving those to an external service might be problematic for you."_ is FUD :)

  26. Licaon_Kter

    Here https://joinjabber.org/docs/servers/#migrating-accounts

  27. pep.

    It's never really clear to the user what happens tbh.. Unless they're tech-savvy. But sure we'll change that

  28. Licaon_Kter

    The site, once opened, says as much.

  29. Licaon_Kter

    Yes, a matter of trust.

  30. pep.

    So it's not FUD is it? :P

  31. Licaon_Kter

    :)

  32. pep.

    We'll try to make it slightly less alarmist, but we're keeping the bulk of it

  33. pep.

    (just discussed in the JJ room)

  34. Licaon_Kter

    pep.: danke/merci :)

  35. MattJ

    I don't really know what to do about that. Yes, I made it safe, but no, I don't want to train users that it's okay to enter your XMPP credentials in any random web form

  36. MattJ

    But it's just an in-browser XMPP client. It's no different to signing into Converse.js, xmpp-web or any other JS web client

  37. Licaon_Kter

    Yes, MattJ I was thinking about that. Not sure how to train/explain that sometimes it can be safe but most of the time it's not ¯\_(ツ)_/¯

  38. pep.

    Yeah. Also why I wouldn't want to propose a web client with account login

  39. pep.

    But, but..

  40. MattJ

    Okay, so you would also warn users away from web clients, I was going to ask

  41. MattJ

    Okay, so you would also warn users away from web clients, I was going to ask

  42. pep.

    I mean I wouldn't want to personally host that

  43. MattJ

    Because?

  44. pep.

    I don't know. Many people use web clients and are happy with them. Look at Mastodon..

  45. MattJ

    It's a HTML file. Would it be better if people downloaded it and ran it from file://?

  46. pep.

    Even though really here you're using the client of the service hosting you

  47. pep.

    MattJ, for security purposes, definitely. For convenience no that would be terrible :P

  48. MattJ

    (I don't think that actually works in modern browsers though)

  49. MattJ

    Why is it better for security purposes? 🙂

  50. pep.

    hmm, you're right it may not be. It's the same issue.

  51. MattJ

    Whether you load the code from the server or from your disk, it is the same code, right

  52. pep.

    Though.. you may only have to check the file once

  53. pep.

    Whereas when it's served to you it can be different every single time

  54. MattJ

    Okay, tell the users to check the source before they use it. And every app they install 🙂

  55. MattJ

    Sorry, I don't have good answers

  56. pep.

    I don't either

  57. MattJ

    And neither does anyone, really

  58. MattJ

    Signed web apps would be nice

  59. MSavoritias (fae,ve)

    except the browser is completely controlled by the developer and has an always on internet connection

  60. MSavoritias (fae,ve)

    compared to local apps which don't have to have an internet connection and you can customize/override behavior

  61. MSavoritias (fae,ve)

    also at least you have the option to check the source locally. That's why non-browser stuff should be recommended most of the time

  62. MSavoritias (fae,ve)

    i wish we had migration built into the clients

  63. pep.

    It's like one could also host Movim locally :-°

  64. MSavoritias (fae,ve)

    yeah which would be better than in a remote data center

  65. MSavoritias (fae,ve)

    but not sure if it's doable

  66. MattJ

    Running Movim locally is absolutely doable

  67. MSavoritias (fae,ve)

    with docker whatever yeah

  68. MSavoritias (fae,ve)

    without it I'm not sure if any person that starts to self host would be able to do it

  69. pep.

    Anyway, re the original sentence on the website, I think I'd want to make the user aware that they're giving away credentials and that there's no good way to make sure it's safe. But no clue how to do that without sounding alarmist of not scaring away many of them or the opposite, encouraging them to do so..

  70. MattJ

    Well, do you want them to use it or not? 🙂

  71. MattJ

    I don't think having a thing saying it's there but don't use it is really going to achieve anything other than confusion

  72. pep.

    Sure, but why would they trust me when I tell them "this one is ok" "this one isn't", and what if I'm wrong

  73. MattJ

    "Trust no-one"

  74. Licaon_Kter

    Wait so what about, hold on, _Migrate the Electron App_? Only 144Mb /jk

  75. Licaon_Kter

    Wait so what about, hold on, _Migrate - the Electron App_? Only 144Mb /jk

  76. pep.

    MattJ, which I know isn't also the best answer. Users be even more confused.

  77. MattJ

    Even with a hypothetical Electron app, it changes practically nothing from a security perspective

  78. MattJ

    Even with a hypothetical Electron app, it changes practically nothing from a security perspective

  79. MSavoritias (fae,ve)

    yeah

  80. MattJ

    I don't have an opinion on whether you should link to it. I wrote it as a prototype, and last resort for people who don't have any other way to get/migrate their data. I hope it serves the needs of people who require it. I know it's secure, but I don't know any magical way to prove that to users, so... it just is what it is 🙂

  81. MattJ

    If someone wants to wrap it in Electron, Tauri, or similar... go ahead. And/or pester client devs to implement the same thing into clients directly.

  82. pep.

    Best would be for operators themselves to host it

  83. MattJ

    I guess, yes

  84. MSavoritias (fae,ve)

    agreed

  85. MattJ

    Thankfully it couldn't be easier to do 🙂

  86. pep.

    (I don't understand ^)

  87. MattJ

    I mean that it is extremely easy to do

  88. MattJ

    So there are no barriers to operators hosting it

  89. pep.

    Yeah no, apart from them actually hosting it

  90. singpolyma

    MSavoritias (fae,ve): I run movim locally with just php. No docker, no web server or reverse proxy

  91. singpolyma

    You do need postgres installed but I apt install postgres on my workstation always anyway

  92. pep.

    I liked when sqlite was a thing

  93. singpolyma

    Sqlite is a thing. It's like the most popular thing in tech news the last year or so it seems

  94. pep.

    I mean for movim

  95. singpolyma

    But I wouldn't want to use it when I have a choice