jdev - 2024-02-14


  1. dwd

    moparisthebest, POP3 and IMAP lacked any way for years, but ended up with at least two - and I think there's a third. ACAP, which never really took off, SRV records, which I think I saw in the wild once, and I seem to recall some well-known thing that I'm not sure ever got standardized.

  2. Zash

    xml stuff on a subdomain like 'autoconfigure.example.com/some.xml' iirc, predating well-known

  3. Ge0rG

    Guus, MattJ: loading pubsub_serverinfo in prosody makes it add a second <x xmlns="jabber:x:data" type="result"> form to the XEP-0157 response instead of adding the serverinfo-pubsub-node into the response from server_contact_info, and that freaks out some parsers. yax.im seems to be a live example right now

  4. Guus

    Ge0rG: :/

  5. Guus

    I'm guessing that it competes with another module that adds that form? I'm not sure how to fix that. Even if we can, would that need changes in both modules?

  6. Zash

    Complexity :/

  7. Zash

    Why not a separate form btw?

  8. Ge0rG

    Guus: yes, mod_server_contact_info

  9. MattJ

    > Why not a separate form btw?
    The service discovery extensions XEP says so, and it makes sense because the form is extensible anyway...

  10. Zash

    This breaks the prosody module then

  11. gidepi

    jdev sounds like a fun project. "prosody" module names, ten points.

  12. Ge0rG

    MattJ: so is the double-form a bug on prosody side or do clients have to parse all the forms?

  13. MattJ

    Ge0rG, it's a bug

  14. MattJ

    There should be one form, it should have all the serverinfo options, including this one

  15. Ge0rG

    MattJ: what can I do about it?

  16. MattJ

    Learn you some Lua for great good

  17. Ge0rG

    MattJ: what _else_ can I do about it?

  18. MattJ

    File a bug report?

  19. Ge0rG

    that's two community modules, isn't it?

  20. MattJ

    Just file one about the duplicated form, and we can figure out the solution

  21. Ge0rG

    MattJ: thanks, https://issues.prosody.im/1841

  22. MattJ

    Thanks

  23. Guus

    I'm guessing Openfire suffers from the same bug in theory

  24. moparisthebest

    pep., MSavoritias (fae,ve): here's a really good account of what not to do with joinjabber that you might like to read https://blog.koehntopp.info/2024/02/13/the-matrix-trashfire.html

  25. pep.

    Read it already

  26. MSavoritias (fae,ve)

    that doesnt seem to be only jj does it tho

  27. MSavoritias (fae,ve)

    it involved xsf at the very least :)

  28. pep.

    Yeah it's the whole XMPP community really

  29. pep.

    I think it already applies to XMPP in many ways. Except maybe some kind of excuses as VectorIM is somewhat vertical (controls many parts of the network), and has funding.

  30. pep.

    Plus they're indeed promoting easy onboarding

  31. Ge0rG

    MSavoritias (fae,ve): ironically, the XSF is not focused on that part of the experience, it's mainly about the protocol.

  32. moparisthebest

    Excellent read right? Good to keep around for when you get down about things that aren't quite perfect in XMPP 🤣 at least it's not that bad...

  33. Ge0rG

    moparisthebest: I'd argue it's even worse in xmpp

  34. pep.

    Ge0rG, that's where the XSF is wrong IMO, but I know many disagree.

  35. Zash

    but, but, but worse is better!!!1eleven

  36. moparisthebest

    > moparisthebest: I'd argue it's even worse in xmpp
    I don't see how you possibly could, but I'm willing to watch you try

  37. pep.

    (Note that the XSF doesn't have to do it all by itself, but it can certainly influence in many ways)

  38. MSavoritias (fae,ve)

    its even worse on xmpp yeah

  39. MSavoritias (fae,ve)

    much worse

  40. pep.

    Yeah I agree it is too

  41. MSavoritias (fae,ve)

    and i say this as a person in jj :)

  42. pep.

    Apart maybe from Snikket

  43. moparisthebest

    hard disagree, with XMPP you download Conversations from your store and are chatting in seconds

  44. pep.

    (well you can't, anymore, but I'll give you that :P)

  45. Zash

    moparisthebest, not anymore apparently?

  46. pep.

    (well you can't from the play store, anymore, but I'll give you that :P)

  47. moparisthebest

    jmp.chat is onboarding people who don't know about XMPP to their own Snikket server daily

  48. moparisthebest

    "your store" is f-droid right? :)

  49. pep.

    Mine yeah, not the one of many people I know

  50. pep.

    But anyway that's changing the debate :)

  51. moparisthebest

    Yes I did read about evil Google being evil again though, I'm sure it's only temporary this time again but will surely repeat... 💀

  52. pep.

    As for Conversations, maybe, but it's not the only OS out there.

  53. moparisthebest

    Sure, but it's likely the only OS with 3 billion active users

  54. pep.

    And you do have to know what client to install already, not like there aren't many Conversations forks in the play store. heck for some reason even in F-Droid I've always seen Conversations' green logo appear way after others when searching for it (no clue why) causing some people not to click on it :x

  55. Ge0rG

    pep.: we should found the Jabber Software Foundation.

  56. pep.

    It's called JoinJabbernow

  57. pep.

    It's called JoinJabber now

  58. moparisthebest

    Yes you have to know the client to search for... Like every other chat system ever?

  59. Ge0rG

    moparisthebest: hard disagree, you need to pay for Conversations, and you don't even know what to look for in the first place, and then you don't know how to add your contact

  60. moparisthebest

    I'm not sure I want to join https://www.webex.com/downloads/jabber.html ? But I digress...

  61. pep.

    We know your love for Jabber(tm) :)

  62. Ge0rG

    pep.: I just clicked through joinjabber and landed in https://joinjabber.org/de/docs/servers/all-in-one/

  63. moparisthebest

    Ge0rG: and yet the same is true of WhatsApp

  64. pep.

    Ge0rG, yeah don't tell me.. I rant every day on this website :p

  65. pep.

    Probably a case of missing translations here

  66. Ge0rG

    moparisthebest: "contact me on whatsapp" -> search google play for whatsapp, install -> opt in into surveillance -> chat

  67. moparisthebest

    I proposed a fix and even wrote the automation for it but it was rejected https://joinxmpp.moparisthe.best/

  68. Ge0rG

    moparisthebest: "contact me on xmpp" -> search google play for xmpp, find aTalk and AstraChat, and a bunch of abandonware. try four different clients until you shell out $$ for conversations -> choose a provider (by which criteria?) -> register -> empty roster

  69. moparisthebest

    > moparisthebest: "contact me on whatsapp" -> search google play for whatsapp, install -> opt in into surveillance -> chat
    Ge0rG: so explain why this is different if you say Conversations instead of WhatsApp

  70. meson

    The linked Mastodon instance on joinjabber is dead?

  71. pep.

    meson, is it?

  72. pep.

    I'm looking at it

  73. singpolyma

    Ge0rG: well don't say "contact me on xmpp". I never ever ever say XMPP to a new contact, or regular users in general. "Contact me using Conversations" for example

  74. meson

    pep.: here it says server not found. Maybe a DNS issue then

  75. moparisthebest

    I'd just like to interject for a moment. What you're referring to as Jabber, is in fact, XMPP, or as I've recently taken to calling it, XMPP not Jabber. Jabber is not an internet protocol unto itself, but rather another proprietary product owned by Cisco. XMPP instead is a fully functioning free protocol made useful by standardization and extensibility.

  76. Ge0rG

    singpolyma: "conversations" is even more useless to search for on google play

  77. pep.

    moparisthebest, you do you. That's likely never gonna change on JJ anyway

  78. Zash

    I searched for "xmpp" and got a list of matrix clients, whatsapp, ms teams etc. Thank glob Yaxim was at the top tho

  79. singpolyma

    if you search for "jabber id" yaxim is also at the top, heh. play store likes yaxim

  80. pep.

    moparisthebest, I'm the one responsible as I own the domain I guess, so good luck for them to attempt to get any money from me.

  81. Ge0rG

    https://upload.yax.im/upload/OPcxdUHErHnCavWt9NXLa9SX/google-play-conversations.png

  82. singpolyma

    Ge0rG: not useless. normally it takes you straight to the app

  83. pep.

    moparisthebest, I'm the one responsible as I own the domain I guess, so good luck for them to attempt to get any money from me (which I don't have).

  84. singpolyma

    not right now obviously since the app isn't there

  85. Ge0rG

    also looks like we have six different "join jabber" projects

  86. Ge0rG

    all of them imperfect in a different way

  87. Zash

    as is tradition

  88. pep.

    Criticism and help welcome in xmpp:chat@joinjabber.org?join

  89. pep.

    This is not an XSF project

  90. moparisthebest

    > moparisthebest, I'm the one responsible as I own the domain I guess, so good luck for them to attempt to get any money from me (which I don't have).
    pep.: Yea I don't think you'll have that problem either, it's just pure user confusion, if you search jabber the entire first page is Cisco jabber, and no one clicks to page 2

  91. singpolyma

    if you try a search for Cheogram or Snikket you'll see what used to happen with Conversations also, it just goes right to the app not even to a search result page

  92. singpolyma

    I don't know if anyone ever does that, they probably just click the link, but it's pretty nice that it works

  93. pep.

    > for some reason even in F-Droid I've always seen Conversations' green logo appear way after others when searching for it
    Is it something that can be fixed btw? C's logo too heavy or something?

  94. pep.

    hmm, looks like it got slightly better.. Plus it doesn't show Element alongside anymore, just Conversations

  95. MSavoritias (fae,ve)

    question: can a jid look like this? -> X4SGCMCFQDCNTHQ19HNXBZ6BJWHF8HV0YWVRRQDTGYS0T28JT8HG

  96. MSavoritias (fae,ve)

    ?

  97. Ge0rG

    MSavoritias (fae,ve): yes, but it would be a host JID on the local network

  98. pep.

    A Jid has a domain part

  99. pep.

    Ah

  100. pep.

    right

  101. MSavoritias (fae,ve)

    ok thats what i thought. reading the rfc

  102. pep.

    Yeah that can't be a localpart

  103. Ge0rG

    it looks like a valid unqualified hostname, as it's <64 chars

  104. pep.

    Yeah that can't be a localpart by itself

  105. MSavoritias (fae,ve)

    its a gnunet ego/peer thing

  106. MSavoritias (fae,ve)

    to connect to others over gns

  107. MSavoritias (fae,ve)

    so good that it also fits :D i was afraid it wouldnt

  108. moparisthebest

    Are they reinventing Tor ?

  109. MSavoritias (fae,ve)

    no. they are reinventing the internet. replacing tcp/quic, dns, ethernet everything :)

  110. MSavoritias (fae,ve)

    including ips

  111. moparisthebest

    How does it compare to cjdns, yggdrasil and all that?

  112. MSavoritias (fae,ve)

    both of them use IPs

  113. moparisthebest

    eh, kinda but not really, Tor certainly has no IPs

  114. MSavoritias (fae,ve)

    also i dont think yggdrasil has something like GNS

  115. MSavoritias (fae,ve)

    although GNS can be used separately tbh

  116. MSavoritias (fae,ve)

    right yggdrasil is a routing protocol. which from what i understand means it only deals with how to get to places. nothing more

  117. moparisthebest

    I only remember cjdns, you get an IPv6 address derived from a public/private key and then can just directly contact anyone else on the network

  118. moparisthebest

    Why would X4SGCMCFQDCNTHQ19HNXBZ6BJWHF8HV0YWVRRQDTGYS0T28JT8HG be preferable over something that looked like an IPv6 address? Equally (not at all) memorable or typable by humans right? :/

  119. Zash

    Zooko's triangle strikes again

  120. singpolyma

    Yeah cjdns is pretty cool

  121. moparisthebest

    I think I read yggdrasil was the continuation of it but I haven't looked...

  122. MSavoritias (fae,ve)

    yggdrasil is supposed to solve cjdns scalability problems btw

  123. MSavoritias (fae,ve)

    with a different routing algo

  124. MSavoritias (fae,ve)

    > Why would X4SGCMCFQDCNTHQ19HNXBZ6BJWHF8HV0YWVRRQDTGYS0T28JT8HG be preferable over something that looked like an IPv6 address? Equally (not at all) memorable or typable by humans right? :/
    i imagine mainly because they are not tied to organizations handing out ip subnets

  125. MSavoritias (fae,ve)

    the issue is that afaik anything but GNS is early days so we will see if it will actually work

  126. moparisthebest

    >> Why would X4SGCMCFQDCNTHQ19HNXBZ6BJWHF8HV0YWVRRQDTGYS0T28JT8HG be preferable over something that looked like an IPv6 address? Equally (not at all) memorable or typable by humans right? :/
    > i imagine mainly because they are not tied to organizations handing out ip subnets
    MSavoritias (fae,ve): same with private IPv6 ranges though...

  127. dwd

    > I'd just like to interject for a moment. What you're referring to as Jabber, is in fact, XMPP, or as I've recently taken to calling it, XMPP not Jabber. Jabber is not an internet protocol unto itself, but rather another proprietary product owned by Cisco. XMPP instead is a fully functioning free protocol made useful by standardization and extensibility.
    I read this assuming it was an RMS parody for most of it.

  128. MSavoritias (fae,ve)

    its a moparisthebest saying XD

  129. pep.

    :D

  130. pep.

    Can someone ELI5 certificate auth? (sasl external, ???, profit?)

  131. MattJ

    You just explained it quite well

  132. moparisthebest

    pep.: You know how you validate the server's cert when you connect to it? This is you also sending your cert in that connection, then them validating it the same way

  133. pep.

    I see, it's part of tls then?

  134. moparisthebest

    Also called "mutual authentication" lately...

  135. moparisthebest

    Yep!

  136. Zash

    mTLS?

  137. Zash

    it's the latest invention by node.js visionaries!

  138. pep.

    The association of the cert with the device/user is oob though?

  139. moparisthebest

    Oh, I thought you were talking about s2s...

  140. MattJ

    Generally, yes. There is a XEP defining a protocol for clients to manage those, but it's weird in practice.

  141. moparisthebest

    For c2s it's the same but yes the server will need to give the client a cert or sign a csr for them etc etc

  142. MattJ

    I almost went with TLS client auth before FAST was a thing, but it's practically unusable by web clients

  143. Zash

    meanwhile, OAuth is where mTLS is being hyped... how's that fair?

  144. Zash

    How the client certificate is issued and validated etc is ... the big implementation detail you get to solve. good luck!

  145. moparisthebest

    > I almost went with TLS client auth before FAST was a thing, but it's practically unusable by web clients
    MattJ: like when using websockets or something? Lots of websites use client cert auth...

  146. MattJ

    moparisthebest: example?

  147. Zash

    https://tracker.debian.org/ does, I know because I get a modal password popup if I so much as think of it

  148. moparisthebest

    MattJ: remember the website that gave out free certs before letsencrypt ? But nowadays okta and AWS stuff

  149. pep.

    « I know because I get a modal password popup if I so much as think of it » so much this

  150. MattJ

    Exactly

  151. moparisthebest

    I authenticate with client certs in the browser daily, but I could totally see browsers not supporting it with conversejs trying to do websockets with another domain allowed by CORS or something

  152. moparisthebest

    Has anyone tried? :/

  153. MattJ

    I know that the APIs do not exist that would be required to implement the correct UI/UX (which FAST allows)

  154. MattJ

    But they are not mutually exclusive

  155. MattJ

    Client cert auth would be a nice addition for the web because of the lack of channel binding

  156. Zash

    But proxies!

  157. MattJ

    But MITMs!

  158. Zash

    7 layers of reverse proxies adding and removing TLS at each point!

  159. Zash

    I seriously doubt you can get a client cert through such a maze

  160. moparisthebest

    That at least is true, that many many many standard web setups would preclude client cert auth from working

  161. moparisthebest

    Someone told me matrix doesn't do this even for s2s, but instead does magic key stuff (which has massive downsides), I always wondered why and meant to look, but now that you mention it I bet this is why :/

  162. Zash

    Also IIRC because they sign events and payloads and stuff

  163. Zash

    ActivityPub is similar too IIRC

  164. Zash

    XMPP s2s is really the nicest thing that exists

  165. moparisthebest

    Indeed, hence all the new buzz about "mTLS" being the best thing since sliced bread