jdev - 2021-08-24


  1. georgeorwell

    Are there any clients or libraries implementing MIX other than those from Tigase?

  2. Link Mauve

    slixmpp implements most of MIX, but I haven’t tested it against a server yet.

  3. Link Mauve

    There is also some MIX support in xmpp-rs IIRC.

  4. Link Mauve

    As for clients, Kaidan had some code at some point.

  5. Link Mauve

    Perhaps Conversations too?

  6. MattJ

    Conversations had an experimental branch, yeah

  7. jonas’

    I started something in aioxmpp but then got distracted by the outdated server support on ejabberd

  8. hiran

    I realize that I spend a lot of time explaining to users what XMPP is and getting an account set up just so they can start using the application I am writing. Thus I am now thinking of a wizard that guides through the account setup. It would rely on XEP-0077 In-Band Registration. As I am using the Smack API, is there support for this use case or do I have to construct and send stanzas myself? Can someone point me to some example?

  9. jonas’

    hiran, you might want to look into the invite-based stuff, too

  10. MattJ

    https://blog.prosody.im/great-invitations/

  11. hiran

    I browsed the great-invitations post, and the concept looks good. But I do not own or operate a server. So how could I have such invites sent?

  12. MattJ

    If the target server has open XEP-0077 then simple register URIs (with no invite token) work with many apps already

  13. MattJ

    xmpp:example.com?register

  14. hiran

    Sounds good. I am writing an application (or rather extending a game to exchange messages via XMPP). It is based on Smack. Is there something already to support XEP-0077 or would I have to do this myself?

  15. jonas’

    hiran, might be worthwhile to ask in the smack room

  16. hiran

    There is one? I was not aware...

  17. jonas’

    xmpp:smack@conference.igniterealtime.org?join

  18. jonas’

    not wanting to drive you away, I'm just assuming that the signal/noise ratio w.r.t. smack content is better there.

  19. hiran

    thx

  20. southerntofu

    hiran, just curious, what game is it? I heard free software gamedevs recently talk about integrating XMPP/matrix into their ecosystem, in case that interests you :)

  21. hiran

    I am experimenting with Oolite. What is matrix?

  22. hiran

    Ah, the JSON-based protocol. When I had a brief look it sounded good, but then there were no servers, not to mention missing clients. Therefore I preferred a stable and feature-rich client like Smack...

  23. flow

    I am pretty sure that matrix has a lot of servers and clients

  24. hiran

    Well, I am neither a professional game developer nor a professional XMPP developer. Just giving some effort for something I like. I may have investigated too little on Matrix. However if need be that stuff can probably still be migrated. In the meantime I am quite happy with Smack... :-)

  25. Sam

    flow: lots of clients, but just one or two that are sort of feature complete and only one working server overall were my impressions? I might be wrong, but it hasn't been that long since I tried to look

  26. southerntofu

    Sam, yes that's about it. clients are slowly implementing features and two alternative servers are maturing (dendrite and conduit, golang and rust respectively)

  27. southerntofu

    hiran, XMPP/matrix from your gamedev perspective answer the same needs so if you're happy with smack just go with it :)

  28. southerntofu

    (we are, after all, in a Jabber/XMPP dev chatroom :P)

  29. southerntofu

    (i was simply pointing out that athenaeum project for free-software game launcher wants to integrate matrix not XMPP despite my technical criticism of that)

  30. southerntofu

    hiran, if you are an oolite dev or know them, i had a hard time finding the source link on http://www.oolite.org/ and HTTPS doesn't seem supported

  31. southerntofu

    good luck with that project anyway that's pretty cool!

  32. Sam

    No office hours today, but I'm bored and trying to procrastinate so I thought I'd start the room anyways in case anyone wants to doodle or co-work or anything: https://socialcoop.meet.coop/sam-pku-dud-niv

  33. hiran

    I am no Oolite dev, the source code to that project is https://github.com/OoliteProject/oolite but my code is currently just hosted on my site. It's in a very early stage...

  34. hiran

    my site -> my side. It is nowhere online

  35. southerntofu

    say i want to list all servers who can reach back to me because i'm using a .onion vhost, can i just use XMPP pings for that?

  36. Zash

    Should do

  37. southerntofu

    is it considered correct to just establish random s2s sessions and run a ping? or would some servers consider that spam? or not implement XMPP pings at all?

  38. Zash

    From a client perspective you'd just send the pings

  39. southerntofu

    ah you'd recommend not to setup a test server dedicated to that but using an existing one?

  40. Zash

    Or is this a research ethics question?

  41. southerntofu

    it's both a technical and netiquette question yes

  42. Zash

    As a server developer rather than a philosopher, I'm more qualified for the technical bits

  43. jonas’

    southerntofu, the core of the question should be how you obtain a list of servers to test.

  44. Zash

    You would likely need an established server that can accept incoming connections in order to receive the pongs, to know whether the pings were successful

  45. jonas’

    I know that at least one server operator was annoyed by s.j.n so that I had to prevent their server from being contacted (despite it ending up in the index from time to time for $reasons)

  46. Zash

    Sending a ping from a vacuum is .. hard.

  47. southerntofu

    Zash, yes i was thinking of using a dedicated prosody vhost for that

  48. southerntofu

    jonas’, i was thinking to reuse one of those many "xmpp server lists" :)

  49. Zash

    https://xmpp.net/reports.php#onions

  50. southerntofu

    the idea is not to accurately measure the entire ecosystem but just to get a rough idea of the proportion of publicly-reachable servers

  51. southerntofu

    who can federate with onions

  52. southerntofu

    Zash, this is a list of servers who have their own onion, i'm interested in who can reach me back if i use an onion on my side

  53. Zash

    Mhm

  54. southerntofu

    some more onion questions were discussed on HN in case that topic is of interest to implementers here: https://news.ycombinator.com/item?id=28279131

  55. moparisthebest

    > Another example is if you wish to login as user@foobar.com by reaching foobar.onion.

  56. moparisthebest

    southerntofu, this *just works (tm)* with SRV records right ?

  57. southerntofu

    yea maybe that example isn't the best, but that's still a common pattern unfortunately

  58. southerntofu

    because that's the only way to ensure client-side which address you're connecting to

  59. southerntofu

    (instead of blindly trusting the DNS)

  60. Zash

    moparisthebest, Tor users hate DNS as much as you hate ports other than 443 😉

  61. moparisthebest

    tor users should be doing dns-over-(tls/https/xmpp) over tor to resolve SRV records

  62. moparisthebest

    and EVERYONE should be doing DNSSEC

  63. Zash

    Hurr durr, why DNSSEC when HTTPS protects us from the cloud??? /s

  64. moparisthebest

    but in that particular case, where dns for foobar.com says contact foobar.onion, you aren't blindly trusting DNS, foobar.onion must have a valid TLS cert for foobar.com so it's fine

  65. southerntofu

    yes but even DNSSEC has shortcomings and most people are not doing it yet

  66. southerntofu

    moparisthebest, actually i didn't think about it but i believe you are right, let me check the spec real quick

  67. Zash

    What spec?

  68. moparisthebest

    it would be a giant security bug if you didn't make an onion SRV target have a valid TLS cert for the jid domain

  69. moparisthebest

    unless DNSSEC is involved, that is

  70. southerntofu

    > Client or server MUST set SNI TLS extension to the JID's domain part. (XEP-0368: SRV records for XMPP over TLS)

  71. Zash

    Unrelated, was there something getting certificates for .onion domains?

  72. Zash

    Unrelated, was there something for getting certificates for .onion domains?

  73. moparisthebest

    you can pay big money for them

  74. southerntofu

    yeah for HTTP we have to use the ugly Onion-Location hack but since XMPP supports SRV records you are correct that's a fixed problem, my bad and one more point for XMPP ecosystem :D

  75. southerntofu

    Zash, usually EV certs yes, but one provider has started to distribute DV certs for cheap but not free

  76. southerntofu

    those are pretty recent developments though

  77. Zash

    I also wonder if you can generate a certificate out of the .onion service spec + key such that it .. makes sense

  78. moparisthebest

    if JID domain part is .onion, just connect PLAIN or do STARTTLS and ignore cert

  79. moparisthebest

    otherwise no special .onion handling required

  80. moparisthebest

    I think that's right...

  81. southerntofu

    moparisthebest, yeah some special handling because if onion is top priority in SRV records then clients who don't understand that will leak the onion address on DNS which is against the threat model of using onion services client side (see the Brave browser leaking onions in DNS scandal)

  82. moparisthebest

    not proper clients

  83. southerntofu

    and if it's lower priority then clients need special treatment if they support tor to move it top of the list

  84. moparisthebest

    onion is a reserved TLD like .local that should never be sent to DNS

  85. southerntofu

    moparisthebest, .onion reserved name is recent (a couple years?) most software did not implement that yet

  86. southerntofu

    like you still find localhost being resolved over DNS in many software, decades later lol

  87. moparisthebest

    "software has bugs" I agree :P

  88. moparisthebest

    that's not at all specific to xmpp though

  89. jonas’

    if your security model relies on unaffiliated software doing or not doing something, your security model is seriously flawed

  90. moparisthebest

    I also disagree that clients should ignore SRV priorities and move tor to the top of the list by default

  91. moparisthebest

    jonas’, I'm saying you can't fix clients not following standards with more standards

  92. Zash

    But they do that with Direct TLS?

  93. southerntofu

    moparisthebest, then would you accept negative priorities (if that's even allowed by RFC?) as positive priorities but where it's not standard TCP/IP so the client must pick the names they're able to resolve?

  94. jonas’

    (no)

  95. Zash

    unsigned integers

  96. jonas’

    that

  97. moparisthebest

    southerntofu, it is standard TCP/IP

  98. southerntofu

    moparisthebest, you know what i meant :P

  99. southerntofu

    it's TCP used on top of a protocol lots of clients/server don't speak

  100. southerntofu

    so they need to be able to differentiate somehow and clients who understand it should opt in

  101. southerntofu

    the same is true for .i2p, GNS, etc

  102. southerntofu

    it's not a tor-specific issue

  103. moparisthebest

    if the computer is set up properly, it's just another domain

  104. moparisthebest

    if you mean special handling to connect to a local tor socks proxy, ok

  105. southerntofu

    the latter, yes

  106. southerntofu

    server-side leaking onions into DNS is less of a problem than client-side where it's personally-identifiable and probably logged by ISP

  107. Zash

    But that's not a problem anymore because DNS over (whatever you want), brought to you by Cloudflare

  108. southerntofu

    i agree with your point and sarcasm, but DoH is widely undeployed apart from firefox users

  109. moparisthebest

    are we talking about a theoretical xmpp client that uses its own dns library that doesn't implement the DNS RFCs correctly ?

  110. Zash

    I only found out _today_ how to do SRV queries using libc

  111. southerntofu

    moparisthebest, no we're talking about 99% of operating systems installed worldwide whose stub resolver doesn't treat .onion specially and happily forwards to the recursive resolver

  112. moparisthebest

    which operating systems ? sounds like they should be fixed

  113. jonas’

    southerntofu, what's the problem with that?

  114. moparisthebest

    jonas’, that's illegal https://datatracker.ietf.org/doc/html/rfc7686

  115. southerntofu

    moparisthebest, everyone. i don't know a single system that handles that gracefully YET

  116. Zash

    report them! https://www.rfc-editor.org/rfc/rfc8962.html

  117. southerntofu

    but maybe time has passed and i'm wrong now :)

  118. southerntofu

    haha love that April Fools' RFC

  119. jonas’

    moparisthebest, sure, but so is forwarding .local I guess. what's the problem?

  120. southerntofu

    and that's why programming and building specifications should be done defensively ^^"

  121. southerntofu

    (a sad state of things when you think of it)

  122. moparisthebest

    looks like unbound's default config doesn't forward onion https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

  123. southerntofu

    nice, implemented in 2016!

  124. southerntofu

    i'm happy to be proved wrong (although i doubt most stub resolvers are so compliant)

  125. jonas’

    unbound isn't exactly a stub resolver.

  126. southerntofu

    anyway we're going off-topic somewhat, happy to continue discussing onions in privacy@joinjabber.org room

  127. moparisthebest

    dnsmasq does not appear to special-case onion

  128. moparisthebest

    oh lord why arch why https://github.com/archlinux/svntogit-packages/blob/packages/systemd/trunk/PKGBUILD#L103

  129. moparisthebest

    you ever regret digging into source code ?

  130. jonas’

    yeah

  131. jonas’

    what the flying

  132. jonas’

    u drunk

  133. Zash

    9.9.9. ... 10

  134. southerntofu

    :( :( :(

  135. jonas’

    .10 is the one without DNSSEC validation

  136. jonas’

    why would they do that

  137. jonas’

    ah, because there's no quad9 choice for !filtering && dnssec

  138. southerntofu

    assuming onion discovery via SRV, maybe leaking onion query isn't that bad in fact?

  139. moparisthebest

    systemd-resolved doesn't seem to special-case onion either

  140. southerntofu

    since the resolver already knows the DNS address you're trying to reach (for which you made an SRV query)

  141. moparisthebest

    hopefully DNS resolving libraries do but I think I'll go bury my head in the sand now

  142. southerntofu

    moparisthebest, aaaaaand that's why we need more compliance suites/tests :D

  143. southerntofu

    worst case would be if you enter user@foobar.onion, then a leak would be dangerous but unfortunately that can only be controlled client-side by special-casing .onion

  144. emus

    What would you people think of renaming the channel into for example "Jabber Development"?

  145. moparisthebest

    > ./src/lib/ares_search.c: /* Per RFC 7686, reject queries for ".onion" domain names with NXDOMAIN. */
    > ./src/lib/ares_search.c: if (ares__is_onion_domain(name))

    THANK YOU C-ARES

  146. moparisthebest

    now I will log off hoping all other DNS libraries are equally good... :)

  147. jonas’

    reasonable plan

  148. jonas’

    good night

  149. southerntofu

    emus, you'd like to remove XMPP from the name or?

  150. southerntofu

    not sure where my client displays the room name but i think it's "Jabber/XMPP Development" (or is that the start of description?)

  151. Zash

    I don't think this channel has a title

  152. southerntofu

    ah :)

  153. Zash

    "Jabber/XMPP Development" as description and there's a longer subject/topic

  154. southerntofu

    i've never really understood the difference between topic/description

  155. southerntofu

    is there one at all?

  156. Zash

    There is a slight semantic difference

  157. southerntofu

    yes but in practice is this difference reflected in client UX?

  158. Zash

    description is shown to those on the outside and would describe the channel, while topic is shown to current participants and would reflect the current topic

  159. southerntofu

    is there a server-side setting either in room config or server-wide to "sync" both entries?

  160. Zash

    Never heard of such a thing

  161. Zash

    They're for different audiences

  162. southerntofu

    sounds troublesome to edit both at the same time, when they're supposed to be the same (i don't think i've ever used different topic/description intentionally but i definitely have by accident)

  163. Zash

    They're _not_ the same

  164. Zash

    I don't think I've ever seen a room that had the same topic as description

  165. southerntofu

    well unless you'd like to send the same message to both audiences which is my usecase.. is that "wrong"?

  166. Zash

    There's no right or wrong

  167. Zash

    Except what you suggest!!!!1!1 😛

  168. southerntofu

    :P

  169. Zash

    This has been discussed in the past, but there was consensus on keeping all 3 fields.

  170. Zash

    IIRC MIX doesn't have subject, instead lets you pin messages. Unless I dreamed that.

  171. southerntofu

    sure i'm not saying it should be outright deprecated on the protocol level, but i always found it confusing personally.. for a long time i thought /topic was a shortcut to edit room description, and i was wondering why i would get inconsistent topic depending on where i see it from (because they're different things!)

  172. Zash

    "Join because reasons!" goes in description, "Stay because reasons!" goes in topic 🤷️

  173. southerntofu

    Zash, i don't remember anything about pinning but you're correct about subject https://xmpp.org/extensions/xep-0369.html#not-subject

  174. Zash

    The discussion may have been in context of MIX, maybe

  175. southerntofu

    i also believe that subject is inherited from IRC-like experience where there was a single field for all information, and it may predate name/description (wild guess!)

  176. Zash

    name comes from xep-0030 probably

  177. Zash

    oh yes, there's name AND title!

  178. Zash

    Those are generally the same string tho

  179. southerntofu

    wait where's title in all this?

  180. Zash

    In the disco#info response

  181. Zash

    name is part of disco#items listings

  182. southerntofu

    my browser doesn't find anything on XEP-0030 when i search for "title" (well it finds stuff in appendix)

  183. Zash

    https://paste.debian.net/hidden/39204b09/

  184. southerntofu

    ah yes in here it's the same as name

  185. southerntofu

    so how crazy would it be to do the same with topic/description if a setting is enabled?

  186. Zash

    I think that's actually some fallback behavior in Prosody that sets it to the localpart if it's empty

  187. southerntofu

    ah

  188. Zash

    Well for someone who doesn't expect that, it would leak something they expect to be limited to those who can and have joined

  189. Zash

    ... to the public

  190. Zash

    or at least to anyone who can send a disco query to the right address

  191. southerntofu

    in my view it sort of makes sense? "can room be listed publicly?" -> topic is public

  192. Zash

    🤷️

  193. Zash

    Color me sceptical

  194. southerntofu

    i don't understand the usecase where you want your room listed publicly (so others can join) but not a public topic :D

  195. Zash

    Trivial to do of course

  196. Zash

    Hm

  197. Zash

    The topic/subject is broadcast to everyone on change

  198. Zash

    Title, description and other room config changes are just broadcast as a single "the room config changed" signal

  199. Zash

    So interested clients can re-disco#info if they want to

  200. Zash

    But if you sync them, you'd get the same data twice

  201. southerntofu

    yeah that's also something i always found confusing, a diff instead of a clueless message would be nice

  202. southerntofu

    (although i believe that message is broadcast even when no change occurred)

  203. Zash

    Maybe some sort of publish-subscribe based thing for mediating exchange of messages?

  204. Zash

    and other info

  205. southerntofu

    haha that sounds so good

  206. southerntofu

    is there a working group / MUC dedicated to MIX implementation?

  207. Zash

    Title+Description also gets published on https://search.jabber.network/

  208. me9

    Which xmpp.org muc is the most fitting to ask about and discuss XEPs? This one?