jdev - 2024-03-07


  1. debacle

    The number one reason of my friends stopping to use Jabber: They forget their password! Is there any XEP for adding an email address/phone number for password reset/recover via mail/SMS? So that it works with IBR, without the hazzle of web registration.

  2. debacle

    The number one reason of my friends stopping to use Jabber: They forget their password! Is there any XEP for adding an email address/phone number for password reset/recover via mail/SMS? So that it works with IBR, without the hassle of web registration.

  3. pep.

    IBR already supports extra fields, just that many clients don't implement it

  4. moparisthebest

    Also get them a password manager

  5. singpolyma

    adding an email or phone number is easy, and supported by ibr for sure. But servers would also need to implement a password recovery flow.

  6. pep.

    Well as long as there's a mail/phone number registered somewhere, admins can at least do something with that manually. Sure it can be automated too but that's a first step

  7. singpolyma

    I think a lot of public server admins feel they don't want the security hole that comes from password resets. but it's tough for sure. we have to do full jabber id migrations for customers sometimes because they forget their password and their provider won't recover

  8. wgreenhouse

    I understand the desire for it but also wish more people understood that password recovery being possible at all is, indeed, a security hole

  9. singpolyma

    I guess it's pretty common to have only one device though, and devices fail

  10. pep.

    Password recovery without a mail address is even worse, and it's a thing..

  11. singpolyma

    looks like prosody has an un/under documented option additional_registration_fields and the data is at least stored if provided

  12. debacle

    I totally agree, that password recovery is a *huge* security hole. But it is hard enough for me to convince friends to use Jabber and I will absolutely not teach them about IT security and password managers. There are easier ways to get rid of friends, but no faster ways.

  13. debacle

    I have two friends and one family member (interestingly all on iOS) who have their third/fourth Jabber account now.

  14. singpolyma

    password manager doesn't help anyway if the manager is on your phone and the jabber client is on your phone and you drop your phone in a lake

  15. singpolyma

    debacle: maybe you should run a snikket instance and put them all on that so you have the power to reset their passwords ;)

  16. singpolyma

    I don't have any non technical friends or family on servers where I can't do password resets for them myself

  17. debacle

    singpolyma Yes, that is what I will do (not Snikket, but bare prosody plus invitations). But I *hate* to run a service for friends and family and I typically do not recommend it. Worst privacy problems are (contrary to geek mythology) not problems with CIA or what not, but with family members, partners, ex-partners etc.

  18. moparisthebest

    Get a password manager or don't bother me with your self inflicted problems imho :P

  19. debacle

    moparisthebest Yes, I can tell them that. Fast way to get rid of friends or at least fast way to get them off Jabber.

  20. moparisthebest

    XMPP is the least of their problems, without a password manager they'll also be losing access to their email and bank and "getting hacked" etc etc

  21. singpolyma

    I can't imagine having family members on public servers. But I agree public servers should consider optionally collecting anything as part of ibr

  22. moparisthebest

    Friends don't let friends use "hunter2" as a password across all services

  23. singpolyma

    yeah, I don't know how people handle password resets on email...

  24. singpolyma

    bank they totally forget all the time and have to go into branch

  25. moparisthebest

    Those people just get a new email constantly I think

  26. singpolyma

    well, but if you get a new email you have to get a new *everything*

  27. debacle

    moparisthebest Somehow they seem to manage that. They have probably services with email or SMS password reset. Jabber is probably the only one without that function.

  28. moparisthebest

    If a friend kept burning their house down I'd be oddly insistent they get a fire extinguisher and learn to use a stove, idk

  29. wgreenhouse

    the one-device thing is real

  30. wgreenhouse

    > contrary to geek mythology debacle: could've also just said "having never experienced intimate partner violence or stalking"

  31. singpolyma

    I'm not sure if ejabberd supports other fields on ibr or not, I don't see in docs but neither did I for prosody but the prosody source is easier for me to read heh

  32. moparisthebest

    Sure one device but everything is on Google or Apple's cloud no?

  33. wgreenhouse

    moparisthebest: maybe? except that's tied to an email they can't get into either

  34. debacle

    singpolyma I'm not sure how I can guarantee a functioning service with a lorry factor of *one*. I'm an urban cyclist and like to have friends and family coordinate my burial party over Jabber.

  35. wgreenhouse

    people like this do indeed burn emails constantly

  36. wgreenhouse

    used to have them as clients

  37. singpolyma

    debacle: oh yeah, when I die things might be bad. but I'll be dead by then

  38. debacle

    wgreenhouse That! Stalking, abuse, violence etc. are real problems and typically are *inside* families.

  39. debacle

    singpolyma What about *your* burial party then? Organized over WA? :-)

  40. moparisthebest

    Your server isn't gonna turn off when you die

  41. moparisthebest

    How long are your arrangements gonna take

  42. wgreenhouse

    indeed, as long as the bills are paid it shouldn't stop working

  43. moparisthebest

    Hopefully my kids are running the server by then...

  44. debacle

    You never know. But luck and Murphy and so on.

  45. debacle

    You never know. Bad luck and Murphy and so on.

  46. debacle

    I'll probably move them to my own server anyway, but I do really, really do not like that.

  47. debacle

    Fortunately, most of my Android using friends use Quicksy.

  48. singpolyma

    > singpolyma What about *your* burial party then? Organized over WA? :-) hopefully they'll be sensible and not have one

  49. singpolyma

    > Fortunately, most of my Android using friends use Quicksy. does it have password recovery?

  50. debacle

    People should dance on my grave ;-) Yes, because your phone number is your Quicksy JID local part, you can reset your password by SMS as long as you have the same phone number, AFAIK. If you lost your device, you probably can get a new SIM with the same number from your provider, so that works.

  51. wgreenhouse

    debacle: yes, this is how we ended up with the very horrible "phone numbers as authentication" antipattern

  52. singpolyma

    so we need to (a) find out if ejabberd supports more ibr fields (b) write best practises for public servers to add ibr fields for email and/or tel (c) actually implement some automated reset stuff

  53. debacle

    wgreenhouse Unfortunately, it is the best working scheme XMPP has to offer right now.

  54. wgreenhouse

    debacle: no, it's not. it's good in _only_ this respect

  55. wgreenhouse

    account recovery at any cost

  56. moparisthebest

    As we all know phone numbers prove identity and humanity and can never be stolen

  57. moparisthebest

    šŸ˜“

  58. singpolyma

    unless they are voip!!!

  59. debacle

    Yes, phone number ids are horrible, but there seems to be no standard strategy (XEP) for password recovery. I agree with the a/b/c by singpolyma. Maybe there is a better way than the simple "I can get your email, so it's safe". Ideas welcome!

  60. moparisthebest

    I'm not sure why there would be a XEP for it, does anything have a standard for password recovery?

  61. moparisthebest

    Websites don't and people don't have a problem, why is this different

  62. singpolyma

    automated account recovery always requires either a secondary auth mechanism ("recovery phrase" or whatever) or a contact mechanism

  63. debacle

    recovery phrases are even more likely to get lost than passwords

  64. debacle

    so contact is the way to go IMHO

  65. singpolyma

    we *might* need a xep because with sasl-non-plain there is no way to have multiple passwords. but maybe we can re-use fast for the recovery tokens or have another sasl mech or whatever we want to do to select auth via a token that isn't my main password

  66. debacle

    moparisthebest A standard is only necessary, if some interaction between server and client is necessary for password reset or recovery. I'm not sure, if that will be necessary.

  67. debacle

    singpolyma Will that help in the "lost my only device" scenario?

  68. singpolyma

    unless we use recovery https links for the resets. which I'm obviously against because xmpp servers should not contain a web server. but no one else seems to agree hehe

  69. debacle

    I do, singpolyma ;-)

  70. singpolyma

    debacle: sure, because you get emailed or sms'd a token and then you fill it in to your client somehow (or it's an xmpp uri you tap) to trigger account recovery

  71. moparisthebest

    I mean if they can't remember the password why would they remember the domain part of their JID ?

  72. debacle

    moparisthebest Because *I* can tell them.

  73. singpolyma

    indeed. I have had several people tell me they "gave up on xmpp because they could never remember what server they used"

  74. debacle

    I know the JIDs of my contacts, they are in my roster.

  75. singpolyma

    which seems like a branding problem or something to me, but I'm not sure

  76. singpolyma

    debacle: yes, sure, that's true

  77. moparisthebest

    Give them a password to use too, store it in your password manager lol

  78. debacle

    Maybe I should just ask all my friends to hand me over their Jabber passwords.

  79. singpolyma

    I'm not sure that's more safe than you running their server ;)

  80. debacle

    moparisthebest Same idea ;-)

  81. debacle

    I'm not sure, if that's a good idea, just loud thinking: $USER lost their device. They ask for password recovery on the server. At least [1, 2, 3] people in their roster must somehow "agree" for the act of recovery. They are supposed to be informed oob by $USER, of course. Kind of WoT.

  82. singpolyma

    set your recovery jid to bob's jid, you trust bob

  83. moparisthebest

    I think you just invented Bitcoin multisig

  84. wgreenhouse

    debacle: so now 3 of my friends know I put my phone in the toilet?

  85. singpolyma

    wgreenhouse: new phone, who dis?

  86. wgreenhouse

    true, that is a classic for a reason

  87. debacle

    wgreenhouse $USER will invent three different excuses for three friends ;-)

  88. debacle

    Problem is: Never heard of anyone having problems with their signal or whatsapp or telegram id. Only Jabber makes such a mess :-( Don't remember what Matrix does, though.

  89. singpolyma

    I mean, my grandma has three or four facebook accounts and 6 google accounts so it definitely is not just us

  90. singpolyma

    but I agree we need a nonzero account recovery story especially on public servers

  91. moparisthebest

    My mom asks me for a new XMPP password whenever she gets a new phone

  92. moparisthebest

    public servers shouldn't exist, only small single or family sized ones, problem solved (in some future utopia hopefully...)

  93. debacle

    moparisthebest I strongly disagree, because of forementioned reasons (domestic violence, family quarrels, etc.) There are people who would trust even Mark Z. and the whole NSA more than their own family.

  94. moparisthebest

    But yea for the crappy current time period, an email recovery form on a website seems to be good enough for everything else... Servers can do that now, I think some do?

  95. debacle

    moparisthebest Yes, it works with some servers, if you create the account via web page. But not via IBR, AFAIK, at least I'm not aware of any.

  96. moparisthebest

    debacle: woah, are you saying domestic violence exists so family servers shouldn't? That seems like a crazy overreaction

  97. moparisthebest

    If people are in those kind of relationships they should get out, I don't think an XMPP server will make a difference in any way

  98. debacle

    moparisthebest No, I don't say family servers should not exist, but I say, that it is not the best option for some/many families.

  99. debacle

    And because of lorry factor, family servers are not an option for the many "zero-to-one-geek families".

  100. singpolyma

    I mean, most public servers are bus factor 1 or 2 also

  101. moparisthebest

    I think it's the best for all families, ones that are violent or whatever just shouldn't be families anymore

  102. moparisthebest

    But I don't necessarily mean family in the traditional sense, groups of friends, apartment buildings, neighborhoods whatever

  103. debacle

    singpolyma That is true, unfortunately, but at least some servers are run by companies, clubs or cooperatives with at least a plan in case of dead admin.

  104. moparisthebest

    Large public servers are bad in numerous ways, not sustainable, scalable, huge single points of failure etc etc etc

  105. debacle

    I don't think, that the discussion about public servers vs. small/private ones is very productive in the context of password recovery/reset (or lack of). The problem does not exist on small servers, true, but IRL there are too many valid reasons, why they don't exist for everyone. (In my case also: I do not *want* to have that addional work and responsibility.)

  106. debacle

    0077 defines fields for email, phone number etc. How would I need to setup a server (ejabberd, prosody), that the fields are used and actually stored? Which clients do support the additional fields?

  107. singpolyma

    prosody has a setting for it

  108. singpolyma

    ejabberd I am not sure

  109. singpolyma

    so that's a question that needs to be asked

  110. debacle

    Could other additional fields be used for "proof" of identity? I.e. password reset via email, but user has to enter their ZIP and date of birth?

  111. debacle

    Not so secret, not good against targetted attack, but at least relatively safe in case of random hacker from the internet.

  112. moparisthebest

    That means servers would need to store that too :/

  113. singpolyma

    maybe. I mean banks do that :P

  114. singpolyma

    moparisthebest: optionally yes

  115. moparisthebest

    Social security number, mother's maiden name

  116. singpolyma

    you can choose to not give the server anything but then no recovery for you. that's a choice you made at that point

  117. debacle

    moparisthebest All that information should be optional. E.g. *I* know how to use `pass` and will not give that information to any random server.

  118. moparisthebest

    Will the server store it hashed at least :'(

  119. singpolyma

    depends what it's being used for

  120. debacle

    moparisthebest As an admin, I would not use a server that does not hash that information. Too much responsibility.

  121. moparisthebest

    I thought it was being used for recovery

  122. singpolyma

    hash of zip code is the same as zip code anyway ;)

  123. debacle

    Same for birthday, I guess.

  124. moparisthebest

    Indeed, also dob

  125. debacle

    And phone number.

  126. singpolyma

    email slightly less so, but realistically also easy to bruteforce in practise

  127. moparisthebest

    See all of this has terrible consequences and considerations

  128. moparisthebest

    If you are requiring *all* of email/dob/zip code you could concatenate and hash them, would be better anyway...

  129. singpolyma

    not requiring any of them

  130. debacle

    Btw. I share a secret now: I use a "standard birthday" which is not my real one for all services which ask for it, but are not linked to my id card or similar ;-)

  131. moparisthebest

    I mean, requiring all of the ones entered for recovery

  132. singpolyma

    oh sure, I have a "city where I was born" and such also

  133. debacle

    But I use always the same dob, otherwise I would not know it ;-)

  134. debacle

    But I use always the same fake dob, otherwise I would not know it ;-)

  135. wgreenhouse

    > Problem is: Never heard of anyone having problems with their signal or whatsapp or telegram id. Only Jabber makes such a mess :-( Don't remember what Matrix does, though. debacle: whatsapp actually is a context where I see this constantly, even though I only talk to like 3 people there one is constantly destroying their phone. they can still log in, but their e2e key changes always

  136. debacle

    moparisthebest Hashing all fields together sounds good. That can even be possible without requiring them all.

  137. debacle

    wgreenhouse At least they don't lose all their contacts. OMEMO keys would be lost, too, in case of lost device.

  138. singpolyma

    can't do hashes for stuff you want to use for contact though

  139. debacle

    singpolyma Sure.

  140. moparisthebest

    It's still not foolproof, just better than nothing

  141. moparisthebest

    I think the best sites let you specify questions and answers

  142. singpolyma

    I expect this kind of user has bigger problems than if server operator knows their current phone number

  143. moparisthebest

    Answers are just like extra passwords

  144. singpolyma

    yes

  145. debacle

    Phone number for SMS recovery has the drawback of cost. Daniel is pretty annoyed by having to pay a lot for Quicksy SMS.

  146. moparisthebest

    And stored like them, not a quick hash, an expensive one

  147. singpolyma

    cost per message is pretty low. but yeah it's not free

  148. moparisthebest

    scrypt or whatever the kids are using these days

  149. singpolyma

    argon

  150. debacle

    afk for now, but I'll probably dream of password recovery tonight ;-)

  151. debacle

    nightmares...

  152. moparisthebest

    Oh no sorry debacle

  153. debacle

    moparisthebest No worries ;-)

  154. Martin

    debacle: https://modules.prosody.im/mod_password_reset.html could be used for what you have in mind.

  155. Link Mauve

    wgreenhouse, moparisthebest, I also run a full ArchLinuxARM on a OnePlusĀ 6T phone, no chroot needed since the phone is well-supported in mainline. :)

  156. Link Mauve

    wgreenhouse, moparisthebest, I also run a full ArchLinuxARM on a OnePlusĀ 6T phone, no chroot needed since the hardware is well-supported in mainline. :)

  157. Link Mauve

    Only camera is still missing reverse engineering.

  158. MSavoritias (fae,ve)

    is there plans to support multilingual rooms in MUC? reading the MUC xep it seems to say that one room can be only in one language ``` <field var='muc#roominfo_lang' type='text-single' label='Natural Language for Room Discussions'/> ```

  159. singpolyma

    Just return text-multi with two values and see what breaks

  160. MSavoritias (fae,ve)

    heh

  161. MSavoritias (fae,ve)

    well it was tested and doesnt seem to work in gajim. if you have only "en" it says English. if you add "en,fr" it says just "en,fr" with nothing else

  162. MSavoritias (fae,ve)

    so stuff already breaks

  163. MSavoritias (fae,ve)

    im just wondering if its something we plan to fix

  164. MSavoritias (fae,ve)

    from what i understand MIX already handles this: > MIX allows specification of a number of human readable strings associated with a MIX channel, in particular the name and description information of a MIX channel. These strings MAY have language set using an xml:lang attribute, and multiple values MAY be set provided that each one is distinguished using xml:lang.

  165. singpolyma

    Whad do you mean it says en,fr? Is sees both values?

  166. MattJ

    It sees them but does not interpret them

  167. MSavoritias (fae,ve)

    ^

  168. singpolyma

    I'm just confused by the comma

  169. MattJ

    whereas "en" appears as "English" and "fr" appears as "French"

  170. MSavoritias (fae,ve)

    gajim is not clear how i should put two languages there

  171. MSavoritias (fae,ve)

    and Kris saw that the xep actually doesnt account for two languages to exist there to begin with

  172. MSavoritias (fae,ve)

    hence why i am here asking

  173. singpolyma

    Doeskit really show a comma?

  174. singpolyma

    Does it really show a comma?

  175. MSavoritias (fae,ve)

    > When MSavoritias changed it, Gajim displayed it as ā€œen, frā€ instead of original ā€œEnglishā€.

  176. MSavoritias (fae,ve)

    > Gajim detects MSavoritias' change as ā€œen, frā€, but not ā€œEnglish, Frenchā€.

  177. MSavoritias (fae,ve)

    > Yes, I know. When I set it to ā€œzhā€, Gajim detects and displays it as ā€œChineseā€, not wrong.

  178. singpolyma

    So you didn't put a comma anywhere and gajim read two values with no comma and displayed them comma separated?

  179. MSavoritias (fae,ve)

    i did put a comma. i added "en,fr" in the language box

  180. singpolyma

    Oh. That's not two values then

  181. singpolyma

    That's one value with a comma

  182. MSavoritias (fae,ve)

    that comment then made me check and ask here > Xep-0045 speaks of language in singular and the example is only one language

  183. MSavoritias (fae,ve)

    > That's one value with a comma hmm let me try

  184. singpolyma

    They won't have UI for two values i assume, I was speaking at a protocol level

  185. MSavoritias (fae,ve)

    doesnt work > ā€œen frā€

  186. MSavoritias (fae,ve)

    ah right

  187. MSavoritias (fae,ve)

    but the xep says seem to account for two language at all no?

  188. singpolyma

    Did you put a space that time?

  189. MSavoritias (fae,ve)

    yep

  190. MSavoritias (fae,ve)

    at least its not as explicit as MIX

  191. singpolyma

    Right. So still not two values

  192. singpolyma

    I strongly suspect that if the server returns two values most clients will just show the first one

  193. MSavoritias (fae,ve)

    hmm probably. would it be backwards incompatible to add it to MUC?

  194. MSavoritias (fae,ve)

    so that it can have mutlilingual rooms

  195. MSavoritias (fae,ve)

    as in an arbitary number of languages returned for a room

  196. singpolyma

    You mean to change the field type in the xep? That's a council question i guess

  197. singpolyma

    I expect implementation doing it to not break much, but would need testing

  198. MSavoritias (fae,ve)

    yeah. change were it says: ``` <field var='muc#roominfo_lang' type='text-single' label='Natural Language for Room Discussions'/> ```

  199. MSavoritias (fae,ve)

    ideally to what MIX has

  200. Zash

    But text-multi will likely be treated as a single value too

  201. singpolyma

    I mean two <value/>

  202. MattJ

    Right, but text-multi isn't quite "multiple pieces of text" - it's defined as a single multi-line value

  203. MattJ

    It's a bit weird that way

  204. singpolyma

    Yes, true. I was thinking of open but with language actually list-multi with <open/> would be more right anyway

  205. MattJ

    Just specify it as a comma/space separated list and be done :)

  206. MSavoritias (fae,ve)

    it shouldnt be just two. it should be multiple languages

  207. singpolyma

    šŸ˜¬

  208. MattJ

    The format isn't specified at all right now afaik

  209. MattJ

    It's just one of those "examples" in the room config form

  210. MSavoritias (fae,ve)

    also it would be nice to have mutliple descriptions by language imo

  211. MSavoritias (fae,ve)

    now its one description

  212. MattJ

    along with showing presence from offline users

  213. singpolyma

    Is it just an example or a registered field?

  214. MattJ

    Yeah

  215. MattJ

    oh

  216. MattJ

    It's registered with the FORM_TYPE

  217. singpolyma

    So it's normative

  218. lovetox

    I add something that splits on coma or space and maps it to languages

  219. lovetox

    Add a issue on the Gajim tracker if you like

  220. lovetox

    It currently expects one language code and if it does not map to anything as a fallback we simply show the string

  221. singpolyma

    Splitting on comma when we have list types in the language seems... Nit awesome

  222. singpolyma

    Splitting on comma when we have list types in the language seems... Not awesome

  223. MSavoritias (fae,ve)

    agreed

  224. MattJ

    It really doesn't bother me. It only bothers me that it's underspecified.

  225. lovetox

    <field var='muc#roomconfig_lang' type='text-single' label='Natural Language for Room Discussions'/>

  226. lovetox

    whats wrong with this?

  227. lovetox

    it gives the user a field to write into it whatever he wants

  228. lovetox

    why would we replace this with something more complicated like multiple value field

  229. MSavoritias (fae,ve)

    fair. but then gajim needs to improve the implementation

  230. MSavoritias (fae,ve)

    and speficy how to list mutliple languages there

  231. lovetox

    im pretty sure we give you a field where you can write into whatever you want

  232. lovetox

    just write into it "German, English and some others"

  233. MSavoritias (fae,ve)

    you do. but gajim: 1. shows different things depending on what is written. en -> English but en,fr -> en,fr instead of English,French 2. the example on the left is wrong

  234. Ge0rG

    if you can't add Klingon, it's not worth it :P

  235. MSavoritias (fae,ve)

    also as i wrote we dont speficify how to actually write multiple values currently

  236. Zash

    you can't, is how

  237. Zash

    There can be only one!

  238. lovetox

    its a free text field

  239. lovetox

    you have to ask yourself the question why did you think you can write language codes into it?

  240. MSavoritias (fae,ve)

    gajim told me :D

  241. MSavoritias (fae,ve)

    and also i assume search engines use it to search by language

  242. lovetox

    ah you mean the server told you via config form help text?

  243. MSavoritias (fae,ve)

    ah its the server that shows the message?

  244. lovetox

    https://share.hoerist.com/philipp/YFUM6iJVcWxvSPIs/bf9e81c3-64b0-429e-8d5c-6986db4c11e2.png

  245. lovetox

    so its a misleading help text of the prosody muc config form :D

  246. MSavoritias (fae,ve)

    it says language tag for room (en,fr,etc)

  247. MSavoritias (fae,ve)

    ah its all prosody's fault!

  248. MSavoritias (fae,ve)

    never mind then

  249. lovetox

    we can now follow up and ask why prosody devs think this filed needs to be filled with a "language code"

  250. lovetox

    or tag

  251. lovetox

    rather then a free text field

  252. MSavoritias (fae,ve)

    ejabberd just says Natural language for room Discussions

  253. MSavoritias (fae,ve)

    which is wrong but more right than prosody

  254. MSavoritias (fae,ve)

    but i still dont understand why gajim changes en to English instead of just mirroring what the text field says

  255. lovetox

    its funny that as i often use prosody always, didnt check this, and assumed the spec says it needs to be filled with a language code

  256. lovetox

    and implemented the code for mapping the codes to names

  257. lovetox

    :D

  258. MSavoritias (fae,ve)

    ah ok fair fair :P

  259. lovetox

    i think because historically because of that prosody text, many mucs added a language code

  260. lovetox

    and to make this more pretty i implemented the mapping for *one* lang code

  261. Zash

    I don't remember why, but the field does indicate that its type is the RFC 5646 format.

  262. Zash

    And MattJ added text that says it's meant to be the primary language of the room

  263. MSavoritias (fae,ve)

    > and to make this more pretty i implemented the mapping for *one* lang code XD

  264. MSavoritias (fae,ve)

    a search in the muc xep doesnt mention 5646 rfc at all

  265. Zash

    Could have something to do with https://search.jabber.network/ so it can parse the language code and e.g. translate the name of the language to whatever display language is used

  266. Zash

    If you want free form info, put it in the description.

  267. MSavoritias (fae,ve)

    it makes more sense not to use language codes then. so i will go with that

  268. Zash

    If it is a valid language code, it can be used as xml:lang attribute

  269. lovetox

    Zash, that help text was there way before jabber.network existed

  270. lovetox

    i dont know that really, its just a guess, and i would be shocked if not :D

  271. Zash

    I meant https://hg.prosody.im/trunk/rev/1c709e3d2e5e

  272. Zash

    I meant https://hg.prosody.im/trunk/rev/1c709e3d2e5e#l4.1 - the bit about "the primary language"

  273. lovetox

    i mean from a technical perspective language codes make more sense than free text, obviously for any other further computer processing of that field

  274. Zash

    the MUC search thing has commits going back to May of 2018, around the same time as the language field was added to Prosody itself (tho there had been a 3rd party addon earlier)

  275. MSavoritias (fae,ve)

    > If it is a valid language code, it can be used as xml:lang attribute in what sense? translations of messages?

  276. MSavoritias (fae,ve)

    if it has a usecase as an xml:lang attribute then sure i am all for codes

  277. Zash

    ah yes https://hg.prosody.im/trunk/rev/9c90cd2fc4c3 https://issues.prosody.im/1149

  278. Zash

    Hah, ejabberd enforces the language tag syntax?

  279. Zash

    What are you all complaining about Prosody for thenā€½

  280. MSavoritias (fae,ve)

    oh jesus. so ejabberd is wrong then in the description

  281. MSavoritias (fae,ve)

    it should say to add language tags

  282. MSavoritias (fae,ve)

    codes*

  283. MSavoritias (fae,ve)

    specifically

  284. Zash

    > (tho there had been a 3rd party addon earlier) oh, no, that was made at the same time, for earlier prosody versions

  285. Zash

    I'd love to have a way to specify multiple, but XEP-0004 makes it awkward.

  286. Zash

    I'd love to have a way to specify multiple languages, but XEP-0004 makes it awkward.

  287. MSavoritias (fae,ve)

    i want multiple languages, descriptions, and synopsis if that helps :)

  288. Zash

    But now there's only one title and one description so only one language makses sense

  289. MSavoritias (fae,ve)

    yeah. which goes to my original question here: can we add that to MUC

  290. Zash

    Yes We Can

  291. Zash

    But how?

  292. MSavoritias (fae,ve)

    let me rephrase that: do we want to?

  293. MSavoritias (fae,ve)

    is it backwards compatible

  294. Zash

    and how awkward would that make the UIs?

  295. MSavoritias (fae,ve)

    from reading the xep it seems we need to do something here: ``` <field var='muc#roomconfig_roomname'> <value>A Dark Cave</value> ```

  296. MSavoritias (fae,ve)

    at least thats what MIX is doing. its basically multiple values its one prefixed with xml:lang > MIX allows specification of a number of human readable strings associated with a MIX channel, in particular the name and description information of a MIX channel. These strings MAY have language set using an xml:lang attribute, and multiple values MAY be set provided that each one is distinguished using xml:lang.

  297. MSavoritias (fae,ve)

    > and how awkward would that make the UIs? you can can keep it exactly as today. you just add a button under the description or next to it that says "add another language" or something

  298. lovetox

    or keep it english in international rooms and be done with it

  299. pep.

    No thanks

  300. MSavoritias (fae,ve)

    yeah this is a protocol bug imo. and should be fixed

  301. MSavoritias (fae,ve)

    its about time we start using xml:lang more anyways

  302. moparisthebest

    > If you want free form info, put it in the description. This

  303. moparisthebest

    xml:lang is a huge anti-feature, neat in theory for protocol nerds, horrific in practice for real world use

  304. moparisthebest

    *especially* in a multi-user chatroom

  305. MSavoritias (fae,ve)

    you mean multiple languages in a room?

  306. moparisthebest

    No multiple languages in a room is fine and normal, I'm in quite a few such rooms without problems

  307. moparisthebest

    If people started declaring the language they were using at the protocol level these rooms would become unusable

  308. moparisthebest

    Would I start not seeing non-english messages? Would the Spanish speakers not see mine? What about all the messages with both languages? Etc etc

  309. MSavoritias (fae,ve)

    why

  310. MSavoritias (fae,ve)

    that sounds like a ui issue

  311. moparisthebest

    Most people write messages in both languages, now you gotta flip a toggle each time? That's insanity

  312. moparisthebest

    It works perfectly as is

  313. singpolyma

    MSavoritias (fae,ve): the only question is if we can keep using the same var with a different type, really. I suspect it would break almost nothing and degrade to showing just the first language, but of course the safest would be a new var. No protocol changes are needed though and so long as clients are using a generic form render no client changes either. Well, we may want to get support for <open/> in gajim, I want that anyway

  314. MattJ

    moparisthebest, I'm pretty sure a lot of XMPP implementations (surprisingly) already use xml:lang correctly

  315. MattJ

    Well, as correct as they can (I'm not sure that any actually ask the user what language they are typing a message in)

  316. MattJ

    But translated data forms, etc. work

  317. moparisthebest

    Yes and that's a use case it's good for

  318. moparisthebest

    But not sending messages between humans

  319. Zash

    > Most people write messages in both languages, now you gotta flip a toggle each time? That's insanity If you have spell checking enabled, you'd probably want to have that switch.

  320. Zash

    I only ever saw multi-language spell checking in Nokia devices from over a decade ago

  321. MattJ

    I used to be enthusiastic about offering stuff in multiple languages simultaneously, but these days I'm less sure (i.e. not sure that what MIX defines is the right way to go)

  322. MSavoritias (fae,ve)

    i plan to ask the languages a person knows when they start using the app

  323. MattJ

    At best it's confusing, at worst it's a security issue

  324. MSavoritias (fae,ve)

    so thats how i will "know"

  325. MSavoritias (fae,ve)

    and then inherit the xml:lang from the message replied to or the person has to change the language manually yeah

  326. MSavoritias (fae,ve)

    idk if i can detect it automatically

  327. MattJ

    There are language-detection tools, though of course they aren't 100% reliable, especially on shorter text

  328. MSavoritias (fae,ve)

    yeah so better manually probably

  329. Zash

    I would expect that 90% of the time, it stays the same per chat/contact

  330. MSavoritias (fae,ve)

    probably. but i am giving the option :)

  331. MattJ

    But then what I observe is that in multilingual rooms, the conversation can flip/flop between multiple languages organically

  332. MSavoritias (fae,ve)

    same way i plan to make xml really accesible to look at. even though its going to be seen rarely

  333. MattJ

    I think that's fine, people can do what they want to do, the protocol doesn't need to make that more work for them

  334. MSavoritias (fae,ve)

    yeah. it would be nice to have the option. if people use it or not its up to them

  335. Zash

    I would observe that many posts on Mastodon are language-tagged with the wrong language, probably where the author forgot to change the default.

  336. MSavoritias (fae,ve)

    true sometimes its annoying.

  337. moparisthebest

    > But then what I observe is that in multilingual rooms, the conversation can flip/flop between multiple languages organically This is 100% what happens

  338. moparisthebest

    roughly I think xml:lang in human-to-human chat is pretty much always an attack, there is no use-case for it that isn't

  339. moparisthebest

    data-forms yes, announcements or the like yes, chat, no

  340. moparisthebest

    all XMPP libraries I've seen and I'm guessing most clients have a `getBestBody(lang)` function, because we are protocol nerds, and this is easy, but it's wrong to use in chats

  341. Holger

    Generally server-to-user communication (e.g., error messages).

  342. MSavoritias (fae,ve)

    a usecase could be simpler ui

  343. MSavoritias (fae,ve)

    because you can show only the descriptions/titles the person can actually read

  344. MSavoritias (fae,ve)

    and when you add threads there the situation can get much more interesting

  345. MSavoritias (fae,ve)

    and filtering languages can help if there are a lot of languages and you just cant read some of them

  346. moparisthebest

    example: I'm a troll, I join #poezio where I know all the mods are french, I send: <message> <body lang='fr'> poezio is really nice software, thanks for everyone who made it! </body> <body> everyone in here is a scumbag with a dog for a mother!!!!!! </body> </message>

  347. MSavoritias (fae,ve)

    the more people you have in a chat the more the chances that some people speak a language other people dont

  348. moparisthebest

    you can troll like that right now and chances are the mods will never see it, pretty great feature of XMPP right?

  349. MSavoritias (fae,ve)

    and?

  350. moparisthebest

    also your idea of "what languages do you speak" doesn't really work either, I would never say I speak spanish, but I'm in rooms where most of the conversation is spanish, and I can glean enough to get by, I wouldn't want to *not* see those

  351. MSavoritias (fae,ve)

    my app is a f2f network

  352. MSavoritias (fae,ve)

    so in that context it makes sense :)

  353. moparisthebest

    > and? therefore xml:lang is an anti-feature in human-to-human chat

  354. moparisthebest

    what's f2f

  355. MSavoritias (fae,ve)

    friend to friend. you can call it also consent network

  356. Zash

    sometime it would be nice to have AFK language Accept headers

  357. MSavoritias (fae,ve)

    > also your idea of "what languages do you speak" doesn't really work either, I would never say I speak spanish, but I'm in rooms where most of the conversation is spanish, and I can glean enough to get by, I wouldn't want to *not* see those and you can easily add any languages you want or see all messages. it doesnt make sense to forbid people from controlling their space

  358. MSavoritias (fae,ve)

    their space = the app a person is using

  359. moparisthebest

    so you can't use this network to make new friends? sounds sad and boring

  360. MSavoritias (fae,ve)

    thats besides the point. my point was that the trolls are drastically reduced there

  361. MSavoritias (fae,ve)

    but anyway. i will leave it here. since we are going into other topics

  362. moparisthebest

    and accounts magically never get hijacked there? you can never make assumptions about remote parties on the internet no matter what

  363. moparisthebest

    tl;dr clients should always show all language tags in chats like this, and even 1:1, because any more than 1 is probably an attack

  364. lovetox

    ... oh i forgot in my database layout, multiple bodys

  365. singpolyma

    And multiple subjects probably

  366. singpolyma

    And multiple html? Has anyone ever done that?

  367. Zash

    complexity explosion?

  368. singpolyma

    I would probably just store the stanza for such things

  369. singpolyma

    Not everything needs to be a column