jdev - 2020-03-31


  175. Sam Whited Was anyone here around during the JSF days? I'm trying to get a sense of how its mission was different from the XSFs since my understanding is that it was more software focused
  179. Kev Sam Whited: Very few people who're still active. Alex, Edwin, Ralph. Me just about. Not sure about Dave, but I suspect not.
  180. Kev Peter, obviously.
  181. Kev I've probably forgotten someone, but it's that sort of number of people, I think.
  182. Sam Whited Kev: thanks, I'll reach out to them directly
  183. Ge0rG Sam Whited: are you going to make a history write-up? That'd be very interesting
  185. Sam Whited Ge0rG: I wasn't planning on it, but that would be fun if I learn anything interesting
  186. Ge0rG As somebody who is very interested in having a JSF 2.0 of sorts today, I'm probably too biased to do such a thing.
  188. Sam Whited Ge0rG: I've been vaguely thinking about that which is why I asked. I'd like to have something like Apache but for XMPP projects. Something that can act as a fiscal sponsor to help projects raise money, provide a common set of guidelines and dev practices and infrastructure for stuff under its umbrella, etc. but before I ask people what they'd want out of it I figured I'd see what existed before. I'm also not convinced that there is enough interest in XMPP in general to even make it possible, but you never know. Anyways, just doing very preliminary research.
  190. jonas’ Sam Whited, you should attend board meetings more often
  191. jonas’ also maybe become a member again so that you see what’s going on on members@
  192. Sam Whited jonas’: I still don't see the point of being a member of the XSF.
  193. jonas’ so that you get a say on that matter
  194. Ge0rG Sam Whited: nobody is _against_ creating such an organization, but the XSF isn't it, and looks like so far nobody had the resources to actually start it.
  195. Sam Whited Ge0rG: right, that's why I was thinking about doing it separate from the XSF.
  196. jonas’ you’re most definitely not the first one with that thought
  197. Ge0rG I think that the XSF (and XMPP overall) would vastly benefit from having it, though.
  198. Sam Whited yah, probably not
  199. Sam Whited jonas’: a say in what matter?
  200. jonas’ Sam Whited, the direction of the XSF and how funds are used.
  201. Sam Whited jonas’: I don't think this should be the XSF, they should be two separate organizations.
  202. jonas’ MattJ, cc @ you, I think you brought something like that up in one of the more recent board meetings, too ^
  203. jonas’ Sam Whited, yes, and I think such an organisation should have its roots in the XMPP and XSF communities
  204. Sam Whited jonas’: I agree, but like I said, this is just me doing some preliminary research.
  205. pep. !
  206. jonas’ I’m saying there’s already efforts in that direction and I suggest you join them. the more the better.
  207. MattJ I bring it up all the time
  208. pep. I'm also interested fwiw
  209. MattJ to anyone who will listen, or who thinks the XSF is capable of doing all the things people want it to do :)
  210. pep. "jonas’> Sam Whited, yes, and I think such an organisation should have its roots in the XMPP and XSF communities", I agree
  212. MattJ Well it's unlikely to have its roots in the Matrix community, I agree :)
  213. pep. No but it could be perceived as a "FU the XSF, it doesn't work, we're doing our own thing"
215. MattJ I almost think, so what if it is? (which is unlikely if you're up-front about the goals)
  216. MattJ Modern XMPP also has/had that risk
  217. MattJ Even the name and domain :)
  218. Ge0rG I'm pretty sure it won't, because the XSF is very clear about its razor-sharp focus on Protocol.
  219. MattJ (XSF should register legacyxmpp.org on 1st April)
  220. Ge0rG MattJ: you could do it right now.
  221. MattJ Oh look, that's tomorrow
  223. MattJ Must finish my MAM update in time
  225. Sam Whited I kind of forgot about modern XMPP, I'm glad to see this exists. I like the goal of providing docs and UI/UX guidelines and what not.
  226. Ge0rG MattJ: because you want it to appear on the Humorous track?
  230. MattJ With DNS-over-XMPP on the Standards Track and MAM on the Humorous track we'll be good
  234. MattJ Hmm, I wonder how many libraries/clients would get tripped up by an iq type='get' in one namespace, and the result having a payload with a different namespace
  235. jonas’ ... why would they
  236. MattJ Because people make assumptions
239. jonas’ why do they?
  240. MattJ :)
  241. Sam Whited seems like the easiest thing to do would be to match based on ID then just decode whatever is in the result, and I would assume most people would do the easiest thing and it wouldn't cause problems
  242. Ge0rG MattJ: you'd be surprised how many implementations ignore the xmlns altogether
  243. flow well it does
  244. flow if you only match on the id, then you are potentially open to spoofed replies
  246. MattJ You match on (jid, id) though
  248. Zash and type
  249. Zash (jid, id, type=(result|error))
  250. Ge0rG Monal won't work on my account because I have a Cisco user on my roster who has a Cisco-namespaced <presence> element inside the jabber:client <presence> element
  251. jonas’ or have a sufficiently unpredictable ID :)
  252. pep. I'm just patching our minidom implementation in Rust to force namespaces everywhere. It's just not possible to retrieve an element without specifying a namespace, unless you loop over everything all the time
  253. flow and even (jid, id) is not that trivial as it seems, since there could be multiple values for jid
  254. flow including, in some cases, nil
  255. jonas’ don’t get me started on the ambiguity of an absent @to/@from on stanzas
  256. flow so you may simply want to generate "good" IDs and be done…
  257. Sam Whited Why would there be multiple values for JID? Do you just mean the server being the domain or the empty attribute?
  258. jonas’ Sam Whited, that’s not what empty attribute means
  259. Zash jonas’, when is it ambigous?
  260. jonas’ absent attribute refers to your *account*, not to the server domain.
261. Sam Whited oh right, that one. Is that what you meant?
  262. jonas’ yes
  263. jonas’ Zash, you can’t simply match on the verbatim string, you have to take into account your currently bound-to JID after resource binding, since some servers will always do one thing (present or absent attribute) even if you always send present/absent
  264. Sam Whited yah, that's irritating. I just have my library normalize that on all incoming stanzas
  265. jonas’ so you have to, in your processing loop, alias empty jid to locally bound bare JID, which is annoying to do
  266. jonas’ I recall having issues with normalising that actually
  267. Ge0rG jonas’: nothing wrong with empty @from/@to... Until you send a message to yourself and the Carbon copy you receive doesn't have one of those set, but it means a different thing ;)
  268. Zash Just don't find the text that suggests that empty to/from is different from the bare account jid.
  269. flow jonas’, do you remember which issues you had exactly?
  270. jonas’ (also, of course it requires the stanza broker to know your local JID, because we all hate self-contained things)
  271. jonas’ I’ll have to check the git log
  272. Sam Whited What is a "stanza broker"?
  273. jonas’ Sam Whited, the thing which takes the stanzas from the XML stream and hands it to handlers
  274. jonas’ I think it’s called mux in mellium
275. Sam Whited Oh, that's not what does the normalization in my case (I don't think, if it does it shouldn't be, I can't remember)
  276. Sam Whited The session (or connection) knows your JID, and whenever any tokens are read from it it can normalize them
  277. jonas’ my point is that there’s *no* layer which should need to know about your locally bound JID in the stanza processing pipeline
  278. Ge0rG Sam Whited: are you also normalizing <forwarded> stanzas? :D
  279. Sam Whited Ge0rG: I don't remember how that works, but those are wrapped in an actual stanza, no? I should probably look, if not I'm probably breaking something there
  280. jonas’ flow, possibly the normalisation issues were purely in aioxmpp
  281. Ge0rG Sam Whited: yes they are, but they are also <message/> stanzas and there are no guarantees whatsoever on them having @from/@to set correctly
  282. Sam Whited Ge0rG: I don't do any automatic handling at all of those right now, my library is a bit low-level for that. If a package was ever written to handle them, it would have to do its own normalization to remain self contained.
  283. Zash I like to think of it as stanzas inheriting the logical to/from of the parent stream.
  284. Zash After resource binding one could think of those as from=full jid to=bare jid
  285. Ge0rG Zash: that's the logical thing indeed, except that for some people it's not obvious that you have a stream to your account.
287. jonas’ Zash, however, as a client, you set stream:stream/@to to the domain, not to the bare account JID
  288. Zash jonas’: Imagine that it changes during resource binding
  291. jonas’ that does make no sense to me
  292. Zash I kinda wish resource binding was a stream restart thing
294. jonas’ changing on SASL, that’d make sense, because that actually binds you to a bare JID of some kind
  296. Zash Drop the resource binding iq hack, server tells you to/from in the post-sasl restart
  297. jonas’ that’d be kind of sexy, except that the client speaks first on stream resets
  298. Zash Myeah
  299. Zash + SASL2 gets rid of the stream restart
  300. Zash Tho you could just drop the to/from that the client sends. The server knows who you are after auth and it knows who you authed to.
  301. Zash And by drop I mean the server ignores it.
  303. Sam Whited I'm always torn about the restarts. On the one hand, they're logical and they're probably good from a security perspective. On the other hand, the entire connection process takes forever on a crappy network and anything we can do to speed that up makes me happy.
  305. Zash I did something like that in an experimental CBOR protocol once. No stream restarts, just a message that updates top-level properties like to/from
  306. jonas’ I don’t even know what stream restarts are supposed to do. the @to is only interesting for client->server really pre-STARTTLS as an SNI-surrogate
  307. jonas’ aren’t they?
309. flow jonas’, rumor is that they are supposed to reset the xml parser state
  310. Zash and thus throw away auth related state that might linger
  312. Zash which is why it's weird to me that SASL2 drops the restart
  313. jonas’ flow, ah, that makes sense
  315. jonas’ I’ll probably forget that again, but it *does* make sense
  317. MattJ Pretty sure there have been protocol security problems in the past that didn't apply to XMPP because we do restarts
  319. Zash Also older SASL mechanisms can negotiate encryption and stuff, which requires a clear point where it's activated.
  320. flow I think it's not that bad to have them
  321. flow not sure about the motivation to drop them in sasl2 though
  322. Kev You need a stream restart after integrity is negotiated.
  323. Kev Both starttls and SASL can negotiate integrity, I think.
  324. jonas’ Kev, see, that argument I don’t get
  326. Zash Never seen it used in SASL tho, only seen the traces of it in DIGEST-MD5
  327. jonas’ I can see the argument that you want to throw away an XMPP parser/serialiser after having done auth with it, or that you don’t want to keep an XML pipeline hooked up to a stream potentially in the middle of a TLS handshake. But I don’t get that integrity argument
  328. Sam Whited realizes that as we speak I am extremely far behind on my phone because the connection got dropped and on this crappy mobile network it takes ages to be re-established.
  329. Sam Whited I'm always confused when I walk up to my laptop and there's a ton of new messages I hadn't seen.
  332. Kev jonas’: Because if you assume pre-integrity that things might have been injected into the stream, people could have mangled your to/from and stream id, as well as injecting things into your XML parser.
  333. jonas’ right, so to/from/stream id are 100% irrelevant, aren’t they?
  334. Kev So you're potentially doing authorisation based on injected data.
  335. Kev I don't believe they are, no.
  336. jonas’ you authenticate the server with TLS/SASL, likewise for the client.
  337. jonas’ I never saw the stream ID used for anything
  339. Zash It's used in dialback
  342. jonas’ that’s more interesting
  345. jonas’ (maybe my view is too client-centric?)
  346. Kev I think it might be :)
  347. jonas’ but clients are most hurt by stream restarts either way
  348. Zash Didn't the non-SASL auth also use the stream id?
  349. Zash > SHA1-encrypted Hmmm
  350. Zash > SHA1(concat(sid, password))
  351. Zash Obsoleted nearly 12 years ago? Why do we still ship code for this?
  352. Zash Altho I fondly remember typing https://xmpp.org/extensions/xep-0078.html#example-3 into a telnet console once upon a time
  353. moparisthebest I think it should be brought back, just the PLAIN though, and only over TLS of course
  354. moparisthebest if it's good enough for HTTP why not XMPP
  355. Zash eugh
  356. moparisthebest SASL made sense before TLS was mandatory, I don't really think it brings any advantages nowadays though
  357. Zash This notion makes me sad
  358. moparisthebest unless you see "complexity" or "not being able to upgrade ever" as an advantage
  359. moparisthebest are there actual advantages to SASL ?
  360. lovetox you mean SASL SCRAM?
  361. Kev There's an advantage to having a choice of mechanisms, if that's the question. And once you've got a choice of mechanisms, why not use SASL.
  362. lovetox yeah there is more than sasl scram
  363. lovetox you need a protocol to tell the server how you are going to auth
  364. lovetox may it be via 2FA or external via client cert or even PLAIN
  365. Zash "good enough for http", but the web uses a lot of OAuth and stuff that only works if you're a browser
  366. moparisthebest client cert can be handled at the TLS layer, 2FA can just be a token appended to your password which makes it the same as PLAIN
  367. moparisthebest fair re: oauth ugh
  368. Zash Also, I sure hope you're not making the argument that popular == good
  377. moparisthebest no, I'm arguing that PLAIN user+pass is "good enough" and KISS and sasl-scram and friends is needless complexity for no gain
386. lovetox I agree that SASL SCRAM over TLS is probably not very useful
  387. lovetox but not about getting rid of extendable protocol that can define any kind of auth mechanism
  388. Ge0rG it's useful because you don't need to store the password on the client
  389. Zash or on the server
  390. Zash or send it over the wire
  391. Zash even if TLS helps there
  392. Sam Whited More useful than not having an upgrade path if SHA-1 gets broken?
  393. Zash and it's cheap to verify for the server, even if you did a billion rounds of PBKDF2
  394. Zash Does this exact discussion with these exact words get repeated every couple of months?
395. Sam Whited Unrelated: but is Apache Vysper still being developed? Randomly wound up on its Git page and there are a bunch of recent commits by names I don't recognize. That is surprising
  397. Zash https://github.com/xsf/xmpp.org/pull/592#issuecomment-514935602
  398. Sam Whited yah, they're not wrong, it's not easy to find. Good to know.
  399. Zash Looks like they did a bunch of stuff last year
400. SouL Hmm, is it an XMPP server?
  401. Zash Yes
  402. SouL I thought it had something different to it (a reason to make it active again that other XMPP servers do not have or something)
405. lovetox moparisthebest, fyi you can't do the full client cert spec without sasl
  406. lovetox a cert could be valid for more than one account
  407. lovetox so you need a way to tell the server the account you want to auth with
  408. lovetox don't know though if anyone does that
  411. moparisthebest Ge0rG, and how is not storing the password on the client useful?
  412. moparisthebest your xmpp account password should already only be used for xmpp, so if someone has access to your account, it doesn't really matter if they have the password or not
  413. jonas’ moparisthebest, that’s a pretty strong "should" there
  414. jonas’ first: user reality begs to differ. second: single-sign-on systems *do* exist.
415. moparisthebest should be a MUST, we need to stop catering to idiots
  416. moparisthebest if someone uses "password" or "mustang1" across all their accounts, it doesn't really matter that the xmpp client doesn't store it locally
418. jonas’ if someone uses "7GvdunCpiwkUKty9dj3/u8l5" for their company single-sign-on which also has an XMPP service, it does matter though
  419. Zash Uh in those cases you can't use SCRAM anyways since you need to send that password in plain text to some validation service.
  424. jonas’ shush
  425. Zash ... unless it's some OAuth-derivative thing
  432. moparisthebest jonas’, does it? cause their browser stores it in plaintext in that case, also probably outlook
  447. jonas’ moparisthebest, "others are bad, let’s also be bad"
  449. Zash burning coal works just fine, let's do more of that!
  451. moparisthebest jonas’, yep, if it provides no benefit in any case and brings complexity, let's not bother
  452. moparisthebest so far we've established it's useless if it's unique to the xmpp account, or in the case of single sign on, where is it useful then?
  453. jonas’ I don’t agree with your assessment of the SSO situation
  454. Zash I don't agree that there's no benefit.