jdev - 2024-06-21


  1. edhelas

    https://mov.im/node/pubsub.movim.eu/Movim/195d732f-a7b7-44ba-b0cc-caa68b6b4426

  2. edhelas

    :)

  3. cal0pteryx

    Nice

  4. MSavoritias (fae,ve)

    noob question: would you recommend a SAX or a DOM parser for xml?

  5. MattJ

    For XMPP, always SAX

  6. MattJ

    Opinions may differ, you can work with a DOM API if you're prepared to handle some XML lexing yourself, but I wouldn't implement it that way if I had a choice

  7. MSavoritias (fae,ve)

    ok. apparently guile offers just a simple example of a DOM parser and then a toolkit to build your own with SSAX

  8. MSavoritias (fae,ve)

    so i will have to build my own parser anyway it seems. and i have the options of:
    > (sxml ssax) is a package of low-to-high level lexing and parsing procedures that can be combined to yield a SAX, a DOM, a validating parser, or a parser intended for a particular document type.

  9. moparisthebest

    XMPP over websocket is made so you can use a DOM parser

  10. MattJ

    Sounds like quite the toolbox :)

  11. MSavoritias (fae,ve)

    > Opinions may differ, you can work with a DOM API if you're prepared to handle some XML lexing yourself, but I wouldn't implement it that way if I had a choice
    right. it also says SAX is more efficient it says so

  12. MattJ

    Yeah, you can (should) definitely do DOM-only parsers with websockets

  13. MSavoritias (fae,ve)

    ah i dont plan to support websockets

  14. MSavoritias (fae,ve)

    i think at least so i should be okay

  15. MSavoritias (fae,ve)

    > Sounds like quite the toolbox :)
    its a functional toolbox it says with a bunch of monads seems interesting :P

  16. moparisthebest

    Just be careful about using an off the shelf XML parser for XMPP, you have to disable a ton of things or it'll be insecure. Processing instructions, comments etc etc etc

  17. MattJ

    So SAX will give you a stream of events like "A tag was opened", "A tag was closed", etc. and most implementations use these to update a stanza object

  18. singpolyma

    Ignore moparisthebest :P

  19. MattJ

    After the final tag of the stanza is closed, it then processes the stanza

  20. moparisthebest

    > Ignore moparisthebest :P
    Are you saying you don't need to disable those...

  21. MSavoritias (fae,ve)

    > Just be careful about using an off the shelf XML parser for XMPP, you have to disable a ton of things or it'll be insecure. Processing instructions, comments etc etc etc
    at least it seems the simple one they have is not security sound to use

  22. MSavoritias (fae,ve)

    it just says:
    > The (sxml simple) module presents a basic interface for parsing XML from a port into the Scheme SXML format, and for serializing it back to text.

  23. singpolyma

    moparisthebest: of course. The fact that any spec even implies you should is brain damage

  24. MSavoritias (fae,ve)

    which doesnt sound very encouraging

  25. MSavoritias (fae,ve)

    at least they have SSAX which means i can define something special case for me

  26. MattJ

    XML has a bunch of additional features... which aren't used (or even permitted) in XMPP, so disable everything you don't need, which is basically everything except namespaces

  27. singpolyma

    Any sax parser should do the job. Obviously if it has insane XML extensions enabled like HDD disable those, but most don't even support that stuff to begin with

  28. MSavoritias (fae,ve)

    or wait actually i think its unrelated. i need that one to write xml in scheme

  29. singpolyma

    Any sax parser should do the job. Obviously if it has insane XML extensions enabled like DTD disable those, but most don't even support that stuff to begin with

  30. singpolyma

    You would probably benefit from having it shoot out chunks of sxml per stanza or something, but it depends on the use case

  31. MSavoritias (fae,ve)

    makes sense. since i dont want to get everything together

  32. MSavoritias (fae,ve)

    also the moment i am thinking of parsing stanzas i understand how important framing is :/

  33. singpolyma

    Luckily we have framing built in and the sax parser does the counting for you 🙂

  34. MSavoritias (fae,ve)

    what is the built in framing?

  35. singpolyma

    XML

  36. singpolyma

    Stanza start to stanza end is unambiguous

  37. MSavoritias (fae,ve)

    ah. i meant that i have no idea how big the stanza is going to be ahead of time

  38. singpolyma

    No, that's true. We have boundaries not sizes

  39. singpolyma

    I guess you will be sort of a server right because p2p?

  40. MSavoritias (fae,ve)

    yep

  41. MSavoritias (fae,ve)

    gnunet says
    > The size of an element’s data is limited to around 62 KB.

  42. singpolyma

    So if the size gets past your limit mid-stanza you have to close the connection

  43. MSavoritias (fae,ve)

    so i guess 62kb

  44. singpolyma

    Ah, if you limit it to single elements in your protocol then you may not have this issue yeah

  45. MSavoritias (fae,ve)

    yeah i was thinking i dont need to manage it if the layer underneath does it

  46. MSavoritias (fae,ve)

    since xmpp will be over gnunet. specifically cadet

  47. MSavoritias (fae,ve)

    i think its bigger than current federated xmpp limits anyways

  48. singpolyma

    Smaller. Usual limit is ~256kb

  49. MSavoritias (fae,ve)

    damn. there goes my idea :/

  50. moparisthebest

    singpolyma: you have to disable those things or you'll get https://en.wikipedia.org/wiki/Billion_laughs_attack and a ton of other things

  51. moparisthebest

    MSavoritias (fae,ve): XMPP over websocket is framed ;)

  52. MSavoritias (fae,ve)

    heh

  53. singpolyma

    moparisthebest: that attack and others like it are based on things like DTD which aren't part of base xml

  54. MSavoritias (fae,ve)

    and from reading gnunet doesnt seem to be framed so i cant delegate it there exactly :/ but maybe i can hack something since the 64kb is basically the equivalent layer of ethernet frames

  55. jonas’

    singpolyma, DTD is part of XML 1.0, it's not an extension (nitpick).

  56. jonas’

    which is why many parsers actually do support it.

  57. jonas’

    (it's worth pointing this out so that people actually go and check for that, instead of thinking that $niecheParser won't support it)

  58. jonas’

    (this notably includes entity declarations, i.e. billion laughs)

  59. moparisthebest

    singpolyma: all I said was you shouldn't grab any off the shelf XML parser and use it with XMPP, you likely need to disable things or if they don't have toggles it's unsafe to use

  60. moparisthebest

    I don't think *that* can be ignored

  61. jonas’

    exactly

  62. jonas’

    and again, DTD *is* part of base XML

  63. jonas’

    (unlike XML Schema)

  64. jonas’

    source: https://www.w3.org/TR/REC-xml/#NT-doctypedecl

  65. moparisthebest

    Feel free to ignore be when I say things like you should only use purpose built XMPP XML parsers if you want since that's an opinion you are free not to share :)

  66. moparisthebest

    Feel free to ignore me when I say things like you should only use purpose built XMPP XML parsers if you want since that's an opinion you are free not to share :)

  67. jonas’

    and here's the grammar for the dreaded entity declarations (read: billion laughs), right there in XML 1.0: https://www.w3.org/TR/REC-xml/#NT-EntityDecl

  68. singpolyma

    > (it's worth pointing this out so that people actually go and check for that, instead of thinking that $niecheParser won't support it)
    Yes this is fair. If you're building a server double check the DTD thing for sure

  69. jonas’

    also as a client.

  70. jonas’

    in IBR or SASL ANON there's not much of a trust relationship to the server.

  71. jonas’

    (and even then, trust is nice, but people _will_ laugh at you if your client breaks with billion laughs in 2024.)

  72. moparisthebest

    MSavoritias (fae,ve): rather than rolling your own from scratch you could also use bindings to a good one like https://codeberg.org/jssfr/rxml just throwing it out there...

  73. jonas’

    awww

  74. MSavoritias (fae,ve)

    thanks will keep it in mind

  75. MSavoritias (fae,ve)

    although it wouldn't be completely from scratch apparently

  76. moparisthebest

    Even if you trust your server, servers have bugs too... Here's an example of remote code execution in a client because the server let bad XML through that it shouldn't have https://bugs.chromium.org/p/project-zero/issues/detail?id=2254

  77. moparisthebest

    Why *should* it be completely from scratch :)

  78. MSavoritias (fae,ve)

    so probably framing is not the answer and i would have to do other checks anyway

  79. jonas’

    moparisthebest, yeah, why would *anyone* write an XML parser from scratch? only madpeople do that!

  80. jonas’

    (looking at you and me)

  81. jonas’

    (and yes, your stanza counting this qualifies in my view :P)

  82. MSavoritias (fae,ve)

    maybe not try to add framing anyways then

  83. moparisthebest

    Doing that is a fun learning experience sometimes but not something you should do normally

  84. moparisthebest

    jonas’: to be fair if rxml had existed first I probably would have used it so really it's your fault 😜

  85. MSavoritias (fae,ve)

    heh if i say half the projects i am writing around my xmpp library its all a mad science experiment XD

  86. jonas’

    moparisthebest, I refuse to take the blame for that :P

  87. moparisthebest

    Doesn't stop me from giving it...

  88. jonas’ casts deflect blame (and fudges the git commit timestamps in early rxml)

  89. moparisthebest

    Oh no the loophole...

  90. Schimon

    You might be interested in this matter:
    > Jabber / XMPP · Issue #541 · betrusted-io/xous-core
    > https://github.com/betrusted-io/xous-core/issues/541

  91. MSavoritias (fae,ve)

    (xmpp-rs is not good apparently for them)

  92. moparisthebest

    What does XMPP have to do with a kernel/operating system?

  93. Martin

    > Core files for the Xous microkernel operating system.
    I don't even get what XMPP has to do with this OS.

  94. moparisthebest

    Yea nothing at all as far as I can see

  95. wgreenhouse

    Xous is the firmware for the precursor/betrusted

  96. wgreenhouse

    so I guess someone might be interested in using it as a highly secure xmpp dumb phone

  97. Schimon

    > I don't even get what XMPP has to do with this OS.
    Martin: It appears that they are integrating telecommunication protocols for messaging, so I suggested to consider XMPP.

  98. Martin

    Ah ok.

  99. Schimon

    MSavoritias (fae,ve), I have asked them to join to groupchat XMPP in Rust and ask for references there. You can convince them.

  100. Schimon

    Martin: By the way, I have had the same question when I have read the description of Xous for the first time.

  101. Schimon

    Martin: I have had the same question when I have read the description of Xous for the first time.

  102. wgreenhouse

    the device in question is a prototype of a dedicated messaging platform or secure enclave (betrusted.io), as an alternative or adjunct to a cell phone

  103. wgreenhouse

    it doesn't really have a general purpose OS

  104. MSavoritias (fae,ve)

    > MSavoritias (fae,ve), I have asked them to join to groupchat XMPP in Rust and ask for references there. You can convince them.
    im not using rust. I posted as an interesting bit from the issue comments

  105. moparisthebest

    Where is messaging mentioned https://github.com/betrusted-io/xous-core ?

  106. MSavoritias (fae,ve)

    more informative https://www.crowdsupply.com/sutajio-kosagi/precursor

  107. MSavoritias (fae,ve)

    its for this ^

  108. MSavoritias (fae,ve)

    the xous thing

  109. wgreenhouse

    yeah, precursor is the hardware

  110. moparisthebest

    xmpp-rs isn't suitable for them in the same way that you'll find it hard to do XMPP if you don't have a networking stack

  111. MSavoritias (fae,ve)

    lol they think that thing will run matrix XD

  112. Schimon

    moparisthebest, I think it would better be to state, how would they be able to add XMPP to Precursor.

  113. moparisthebest

    They need to finish implementing their OS before they can move on to that

  114. moparisthebest

    If it can do http or matrix it can 100% do XMPP

  115. moparisthebest

    It's not something lacking in XMPP or xmpp-rs but something in their (currently) toy OS

  116. Schimon

    moparisthebest, we shall talk with them, and hopefully they would prioritize XMPP. This is what I think would be best to do.

  117. Schimon

    Prioritizing IRC would also be good.

  118. jonas’

    yeah, when I think "secure communication platform", I immediately think "IRC" /sarcasm

  119. wrath

    > more informative https://www.crowdsupply.com/sutajio-kosagi/precursor
    That's pretty cool

  120. wrath

    FPGAs are so interesting

  121. wgreenhouse

    not by any means fast computer, but for the role it's intended to be safe computer

  122. wgreenhouse

    saferer computer