Hi all, there is a problem, impossible to edit the new pad: https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung
pep.
I think it's on purpose for this link
pep.
What's the issue
lbocquet
On https://yopad.eu/p/xmpp-newsletter-365days -> https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung
Here: "<emus> We have a new online pad, please only use the new one from now :-)
https://pad.nixnet.services/oHnY_ZvLT8SoFyCqlC2ung"
But it is locked by xsfcommteam.
pep.
And is there anything you want to correct? What's the issue with it?
nicola
> I understand, we must click on "Publish" https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung/publish to open a new window and after click on the pen to edit...
It doesn't work
lbocquet
I understand, on https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung, we must click on "Publish" https://pad.nixnet.services/oHnY_ZvLT8SoFyCqIC2ung/publish to open a new window and after click on the pen to edit...
emus
I will check in a few minutes when I arrive at fosdem
Licaon_Kter
pep.: nice design, but at migrate.modernxmpp.org runs in your browser, right MattJ? So _"Please be aware that it currently requires your user-credentials to function, so giving those to an external service might be problematic for you."_ is FUD :)
Licaon_Kter
Here https://joinjabber.org/docs/servers/#migrating-accounts
pep.
It's never really clear to the user what happens tbh.. Unless they're tech-savvy. But sure we'll change that
Licaon_Kter
The site, once opened, says as much.
Licaon_Kter
Yes, a matter of trust.
pep.
So it's not FUD is it? :P
Licaon_Kter
:)
pep.
We'll try to make it slightly less alarmist, but we're keeping the bulk of it
pep.
(just discussed in the JJ room)
Licaon_Kter
pep.: danke/merci :)
MattJ
I don't really know what to do about that. Yes, I made it safe, but no, I don't want to train users that it's okay to enter your XMPP credentials in any random web form
MattJ
But it's just an in-browser XMPP client. It's no different to signing into Converse.js, xmpp-web or any other JS web client
Licaon_Kter
Yes, MattJ I was thinking about that. Not sure how to train/explain that sometimes it can be safe but most of the time it's not ¯\_(ツ)_/¯
pep.
Yeah. Also why I wouldn't want to propose a web client with account login
pep.
But, but..
MattJ
Okay, so you would also warn users away from web clients, I was going to ask
pep.
I mean I wouldn't want to personally host that
MattJ
Because?
pep.
I don't know. Many people use web clients and are happy with them. Look at Mastodon..
MattJ
It's a HTML file. Would it be better if people downloaded it and ran it from file://?
pep.
Even though really here you're using the client of the service hosting you
pep.
MattJ, for security purposes, definitely. For convenience no that would be terrible :P
MattJ
(I don't think that actually works in modern browsers though)
MattJ
Why is it better for security purposes?
pep.
hmm, you're right it may not be. It's the same issue.
MattJ
Whether you load the code from the server or from your disk, it is the same code, right
pep.
Though.. you may only have to check the file once
pep.
Whereas when it's served to you it can be different every single time
MattJ
Okay, tell the users to check the source before they use it. And every app they install
MattJ
Sorry, I don't have good answers
pep.
I don't either
MattJ
And neither does anyone, really
MattJ
Signed web apps would be nice
MSavoritias (fae,ve)
except the browser is completely controlled by the developer and has an always on internet connection
MSavoritias (fae,ve)
compared to local apps which don't have to have an internet connection and you can customize/override behavior
MSavoritias (fae,ve)
also at least you have the option to check the source locally. That's why non-browser stuff should be recommended most of the time
MSavoritias (fae,ve)
i wish we had migration built into the clients
pep.
It's like one could also host Movim locally :-°
MSavoritias (fae,ve)
yeah which would be better than in a remote data center
MSavoritias (fae,ve)
but not sure if it's doable
MattJ
Running Movim locally is absolutely doable
MSavoritias (fae,ve)
with docker whatever yeah
MSavoritias (fae,ve)
without it I'm not sure if any person that starts to self host would be able to do it
pep.
Anyway, re the original sentence on the website, I think I'd want to make the user aware that they're giving away credentials and that there's no good way to make sure it's safe. But no clue how to do that without sounding alarmist of not scaring away many of them or the opposite, encouraging them to do so..
MattJ
Well, do you want them to use it or not?
MattJ
I don't think having a thing saying it's there but don't use it is really going to achieve anything other than confusion
pep.
Sure, but why would they trust me when I tell them "this one is ok" "this one isn't", and what if I'm wrong
MattJ
"Trust no-one"
Licaon_Kter
Wait so what about, hold on, _Migrate - the Electron App_? Only 144Mb
/jk
pep.
MattJ, which I know isn't also the best answer. Users be even more confused.
MattJ
Even with a hypothetical Electron app, it changes practically nothing from a security perspective
MSavoritias (fae,ve)
yeah
MattJ
I don't have an opinion on whether you should link to it. I wrote it as a prototype, and last resort for people who don't have any other way to get/migrate their data. I hope it serves the needs of people who require it. I know it's secure, but I don't know any magical way to prove that to users, so... it just is what it is
MattJ
If someone wants to wrap it in Electron, Tauri, or similar... go ahead. And/or pester client devs to implement the same thing into clients directly.
pep.
Best would be for operators themselves to host it
MattJ
I guess, yes
MSavoritias (fae,ve)
agreed
MattJ
Thankfully it couldn't be easier to do
pep.
(I don't understand ^)
MattJ
I mean that it is extremely easy to do
MattJ
So there are no barriers to operators hosting it
pep.
Yeah no, apart from them actually hosting it
singpolyma
MSavoritias (fae,ve): I run movim locally with just php. No docker, no web server or reverse proxy
singpolyma
You do need postgres installed but I apt install postgres on my workstation always anyway
pep.
I liked when sqlite was a thing
singpolyma
Sqlite is a thing. It's like the most popular thing in tech news the last year or so it seems
pep.
I mean for movim
singpolyma
But I wouldn't want to use it when I have a choice