XMPP Council - 2025-03-11

It is time

1) roll call

here

singpolyma, larma you around?

(we don’t have anything on the agenda so no worries if you aren’t)

👋

Note from peanut gallery copy/pasted from xsf@ > So https://xmpp.org/extensions/xep-0172.html is stable, but security considerations say "you SHOULD do it like https://xmpp.org/extensions/xep-0165.html" which is deferred/experimental :/ > > Might be something for council to look at

2) Agenda Bashing no agenda this week. just here to catch up and eventually prompt for AOB

Hi

3) Editors update

editor has published 503: spaces

4) Items for voting

none

5) Pending votes

none

6) Date of Next

I have to watch my timezones but +1w wfm

+1w wfm

+1w wfm

7) AOB

should we quickly discuss what moparisthebest said?

Will be at IETF +1w

personally I think the security considerations of User Nick seem a bit strict?

Probably could be renamed to privacy consideration mostly

Conversations for example does a lot of what 165 suggests wrt to highlighting irregular unicode chars

but i don’t think we can reasonably apply the same strictness to nicknames which inherently aren’t unique

i mean I can highlight the weird 'a' in 'Daniel' but nobody can stop anyone from just copying the name without the weird 'a'

sorry, I'm lost here. What are you refering to?

Oh I see what you're saying. Right. I think if you show jid or something always alongside an untrusted nick it's ok

yes. and/or at least show the jid where it matters(tm)

but yes Conversations for example doesn’t use the nick for 'strangers' but always shows the jid

For reference what made me look again was a new gajim commit to do that (display "$nick ($jid)") but no length limits on nick so it might end up hiding $jid with lots of whitespace

It's an ever present footgun....

but that said I guess we can also LC 0165

goffi, see the quote from moparisthebest a few lines above

which in turn is a quote from the xsf room from a few days ago

Oh right, sorry I've several things happening at the same time today.

moparisthebest, sure but then "don’t show username for 'untrusted' chats' might still be a better security consideration than "highlight unicode chars"

but if council doesn’t have a concrete suggestion we could try a mailing list thread?

> moparisthebest, sure but then "don’t show username for 'untrusted' chats' might still be a better security consideration than "highlight unicode chars" Agree ↺

I linked the conversations commit that did that and lovetox said he didn't see why contacts should be more trusted... so kinda hard to push

i mean the primary reason i’m not showing user nicknames in Conversations for untrusted chats is that I was worried someone would set their nick to 'daniel@gultsch.de' (instead of trying to clash on 'Daniel')

yep

as I’m not seeing other council members jumping into the discussion I will start a thread on the mailing list

any other AOB?

doesn’t seem to be the case

8) Close

thank you all. see you next week

Thanks daniel, thanks all.

i mean security considerations aren’t normative, no? so lovetox could just say "i've considered these securities and did something else"

sure, I think the concrete standards problem is a stable standard referring to an experimental one

Certainly not the end of the world but feels odd

Oh yes certainly. I assumed everyone was agreeing to that. I was trying to get a discussion started on how we fix this

I think replacing it with a statement about the actual consideration "consider that a user might try to spoof your UI by setting their nickname do a Jabber ID, especially for untrusted users" might be enough

I tend to agree, could additionally note "beware Unicode lookalikes" but meh