jdev - 2019-09-06

by any chance, do some of you will attend januscon.it later this month? I'm asking because as I read some emails/discussions around jingle/call-related stuff... Wondering if we can meet and have some drinks if that's the case :)

marc0s, no. but let me know in case there is ever a more open source focused conference in italy. i'd love to go, maybe even give a talk

Daniel, no that I'm aware of right now. Will ping you if I know of something. Not living in Italy, though :)

i'm on the process of adding XEP-0402 support to stanzajs and was wondering how a client should actually determine how to store its bookmarks given the server supports both private storage and pep/pubsub. Any ideas/comments/warnings? :)

xep 402 is only specified to work with pep

but pep and publish options as well as private xml have features announcments on the account disco

but, given that disco announcements offer all the options, what should a client use?

As not many clients (none?) use 402 yet, you probably also want to support the other pep bookmark thing?

(48?)

what i do (but that's only for bookmarks 1); is to check if my server supports the conversion xep and if it does i use pep because it's more efficient. and if not i publish to private xml because that's more widely used

that would be a safe route, yes

i haven’t found a strategy to incorperate bookmarks 2 into the mix

probably have the conversion xep also convert into bookmarks 2

Bookmarks Conversion 2: The seriousening

I'm not fully aware of the XEP processes, but it does not sound crazy to me to make 411 take 402 into account

I think that 402 should mandate backend-side conversion between all the stores.

402 still lacks a lot of things

it should probably also mention that the node needs to be configured

should we then need Bookmarks 3: The Good One :)

Like I mentioned the other day, node item count limits will be fun

Bookmarks: Revolution

Zash, yep :)

XEP-0927: Bookmarks 2000: This time we finally got it right!

im not convinced on 402, i think it makes the bookmark implementation alot more complex

right now i request on start my bookmarks, i get all, and if another device changes one, i also get all, and thats it there are only these 2 things to think aobut, request, and notification

with a items based approach, you suddenly have to think about stuff like, what if another device deletes on item? do i get a deletion notification once i come online? no .. what if a device adds 2 items while im offline, do i get 2 items when i come online? no .., so im back to requesting all bookmarks items on start anyway, this time with a more overhead as each bookmark is in its own item

lovetox, and with one item, you have to think about: what if another device modifies/adds the same item at the same time, e.g. in response to an invite or something

what if the modifications aren’t identical

so it seems the only benefit is, that if a device adds a bookmark while im online, i get only one item instead of all

or rather, what if two devices concurrently edit two different items

i would consider this if i modify my bookmarks 50 times per hour

but realisticly its probably 3 times a day

jonas’, this is highly unlikely, server processes events in order

invite means both clients modify the same item in the same way

lovetox, i ran into problems with deleting multiple bookmarks in quick sucession

meaning delete the second one while the first one is still in flight

yes Daniel i can see the problem, especially with ejabberd

as it notifys the issuing device with a pep notification

if you take this notification serious, you add back the bookmark that you just deleted

yes

we should fix that in ejabberd though, prosody doesnt do this

i'm not sure that ejabberd is broken in that regard?

yes, if i issue a publish, and i get a result that it was ok

i dont see a reason why i need a pep notification

its not "broken"

its just useless and leads to problems as we can see

lovetox, yes, server processes events in order, but clients have latency to the server

useless maybe. but i'm not willing to by that this is the cause of the problem

this is just what makes you notice the problem

*to buy

i feel we just exchange some kind of problems with other kind of problems with 402

i mean this is just the most obvious race. but as jonas’ pointed out there are other (unlikely?) races in there as well that involve multiple clients

lovetox, what problems do you see with 402 aside from the upgrade path

as i wrote above, it just mentions the benefit, that you can modify one item at a time, but it should have much more on implementation notes, probably because no one implemented it yet

stuff like, if you start, you get the last bookmark item that was published

probably should ignore it, until you requested all bookmarks

stuff like node configuration

lovetox, yes bookmarks 2 is not done yet. and you can just configure the node to not send the last item

which i agree the xep should do

whith what id do we publish, or does the server choose ids

how do we make sure we dont overwrite items

lovetox, the id is the jid. i think the xep says that

ah kk, what i want to say is, i dont see a big problem with the xep, just it obviously was never implemented

and my problems with bookmarks1 are not that big, that i jump into the cold water :)

also the XEP needs to do something about max items

so there are things in the xep that are underspecified a bit

but fixing the race seems to be worth while to me

also; if you ever wanted to do something like shared bookmarks on the server side (which customers ask about all the time) having multiple items that the server can modify or inject without editing xml seems like a big benefit to me as well

> also; if you ever wanted to do something like shared bookmarks on the server side (which customers ask about all the time) having multiple items that the server can modify or inject without editing xml seems like a big benefit to me as well Customers ask for this? As in, read-only bookmarks, shared be a group of people?

guus.der.kinderen: well the ask for can we put people into group chats by default

Like when they first open the app

And bookmarks seems like one way of doing that

Openfire has a plugin for that. It doesn't do anything fancy, only injects additional bookmarks in a persons bookmarks collection.

Daniel: yeah that's what we use it for, by adding autojoin bookmarks

guus.der.kinderen: yes and server side that seems less messy with bookmarks 2

It's pretty clean in any form. You simply add a list of shared entries to the personal list, and subtract that list while editing.

You could then properly reject the deletion. Instead of having it just magically Reeapear

Right

Ok, gotta put the kid to bed. Afk.

Daniel, do you send always set SNI ext, even for starttls?

lovetox: why do you ask? I think I didn't but my last refractor yesterday might have accidentally set it

im asking because i contemplate doing this

gmail xmpp server mandates it

it needs sni even on starttls

and it would make my code less complex

Oh right. Yes now that you mention it I think I did that

i dont really care about gmail

Well since yesterday my setup tls socket code is the same for starttls, direct tls and tor

So it's not more code. Is what I wanted to say

I've been trying to make Prosodys certificate and TLS management code treat STARTTLS and TLS+SNI the same.

Daniel, how are you doing DNS for tor ?

moparisthebest: not at all. You have to specify the hostname

(if your server doesn't a record to the same machine)

hmm, then how do you know direct TLS or STARTTLS

you dont

you expect the server to offer stuff on the standard ports

You can enter port 5223 or 443 and then it will assume that this is direct tls

Which is debatable for 443 but who cares

when you run a tor exit node you get to pick what outgoing ports you support, I feel like more might support 443, but I'm not sure

also moparisthebest some servers have .onion adresses

which you can put in DNS SRV records

.onion adresses have DNS records?

Yes. I was about to say. If you are serious about tor I'd recommend you put in the onion address in the hostname field

That's what I would recommend to my users

lovetox, no, but I can put a .onion in the SRV record for moparisthebest.com for example

how does that help someone that wants connect to a server and only have the .onion adress?

why would a hidden tor service, link itself to a non-hidden srv domain record

why not?

because you are not anonym anymore then

moparisthebest: someone like that would care about leaking the SRV lookup

don't leak it, look it up over TOR

anyway, to support TOR the server admin has to be aware of it

How does that help when you can't do SRV over Tor?

and a onion service even more so

I mean even if you put the onion in dns how are you going to discover it?

DoH to the rescue!

No

you can, do DoT or DoH to 1.1.1.1 or even regular DNS over TCP to port 53 of dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion

(which cloudflare runs)

So I should hard code cloud flare ips in my app? Is cloud flare still going to exist tomorrow?

maybe, you can hard-code a few, or run your own

moparisthebest, if you are serious about TOR, you will *not* DNS anything

you will just pass the onion adress to the tor proxy

thats it

the moment you involve cloudflare, this degrades TOR seriously

Yeah if you want to use Tor take 3 minutes to figure out the histename / onion address of your server

wouldn't it be nice if a user of regularservice.com that happened to have tor could just connect over it automatically without typing .onion addresses though?

And maybe go read the privacy policy of your provider while you are at it

moparisthebest, i dont think you get the idea of TOR

the idea of TOR is that nobody but you yourself and your machine, knows where you gonna connect to

this rules out asking anyone for any information regarding your connection target

because then you leaked your intent

I don't think so, after all HTTPS over tor asks for A records right?

how is this different?

im not a tor expert but im pretty sure the tor network makes the dns request

not your machine

the intent is my ISP doesn't know where I'm connecting to

the built in tor DNS supports A and CNAME and nothing else though, asking an .onion address for SRV records is essentially the same

Tor is not only to hide your intent from your ISP

it *can* only be for that though?

if that would be the case you would not need tor, just DoH

and a proxy

that sounds harder than tor, and also not as secure/the same

if you make a dns request via tor, probably it routes it through the tor network

means nobody in theory can trace it back to you

not even cloudflare

and thats the goal

not exchaning your ISP for cloudflare trustwise

its you trust no one

and if you ask cloudflare's .onion for a SRV record they also can't trace it to you, right?

in fact it never even crosses the clearnet for anyone

yes, if we could ask a SRV record over the tor proxy this would work

but it doesnt, because TOR just does not support SRV

but asking an .onion is asking over the tor proxy

lovetox: it does. If you ask cloud flare over tcp

you propose to do the dns request yourself

Yes

yes that would work, never done anything like that though, so dont know how complex this is

yes, just like DNS-over-TLS, DNS-over-HTTPS, and DNS-over-XMPP proposes

but sounds complicated

I'm already doing my normal dns requests myself ✏

i mean there are libraries and dns lookup tools

it's annoying enough that you should probably just use a library

you cant use them, so you have to implement the whole dns request protocl yourself

It's not rocket science. But I won't bother any time soon

Because > Yeah if you want to use Tor take 3 minutes to figure out the histename / onion address of your server

asking an .onion should be as quick as possible, it's not going through any exit nodes anyhow

And > So I should hard code cloud flare ips in my app? Is cloud flare still going to exist tomorrow?

moparisthebest, its not about quick, its about implementing another protocol

time to expose an unbound port over a tor hidden address ran by conversations.im :D

wait why can't you use existing dns lookup libraries/tools lovetox ?

conversations uses minidns or something if I recall

i just doubt they let you use them over a tor proxy

but never used one

it's just a socks5 proxy, they should...

i know that i cant use python inbuilt one

moparisthebest: fwiw minidns doesn't support dns over TLS or https

you can just do regular TCP on an .onion though, or I can put in a PR to swap minidns out for https://github.com/moparisthebest/jDnsProxy lol (not really)

moparisthebest, maybe you missed it, i already agreed with you that it is possible

but as Daniel said, the people who want to use TOR are 1% of the users

and they can take the 2 minutes to get the onion adress

im not going to jump through hoops programming wise to save them those 2 minutes

that's fair, I'd kind of like it to be seamless to have regular users connect over tor too, but other people probably disagree

We are also only talking about the subset of tor users on providers that don't listen on the a record

FYI this is the cloudflare .onion reference https://developers.cloudflare.com/1.1.1.1/fun-stuff/dns-over-tor/

I'll be running a public, anonymous-login-supporting DNS-over-XMPP on clearnet and .onion whenever I get back around to finishing setting it up...

?

whoever 'jdev@muc.xmpp.org/💋ᵐyᵃᵇᵃᵇᵉᶻ💋' is please change your nic

it's making my software freak out

how did you even join this muc with that nick? It should be invalid

Why?

because it's using invalid characters or encoding

It's UTF-8, but there are barely any other limits

it’s valid

and it works here ✏

Valid UTF'8 that passes resourceprep and isn't entirely whitespace, so legal under those rules.

Altho, it does not pass Prosodys resourceprep if I recompile it without USPREP_ALLOW_UNASSIGNED, but I think it's using Unicode from 1997 or something then.