-
edhelas
https://mov.im/node/pubsub.movim.eu/Movim/195d732f-a7b7-44ba-b0cc-caa68b6b4426
-
edhelas
:)
-
cal0pteryx
Nice
-
MSavoritias (fae,ve)
noob question: would you recommend a SAX or a DOM parser for xml?
-
MattJ
For XMPP, always SAX
-
MattJ
Opinions may differ, you can work with a DOM API if you're prepared to handle some XML lexing yourself, but I wouldn't implement it that way if I had a choice
-
MSavoritias (fae,ve)
ok. apparently guile offers just a simple example of a DOM parser and then a toolkit to build your own with SSAX
-
MSavoritias (fae,ve)
so i will have to build my own parser anyway it seems. and i have the options of:
> (sxml ssax) is a package of low-to-high level lexing and parsing procedures that can be combined to yield a SAX, a DOM, a validating parser, or a parser intended for a particular document type.
-
moparisthebest
XMPP over websocket is made so you can use a DOM parser
-
MattJ
Sounds like quite the toolbox :)
-
MSavoritias (fae,ve)
> Opinions may differ, you can work with a DOM API if you're prepared to handle some XML lexing yourself, but I wouldn't implement it that way if I had a choice
right. it also says SAX is more efficient it says so
-
MattJ
Yeah, you can (should) definitely do DOM-only parsers with websockets
-
MSavoritias (fae,ve)
ah i dont plan to support websockets
-
MSavoritias (fae,ve)
i think at least so i should be okay
-
MSavoritias (fae,ve)
> Sounds like quite the toolbox :)
its a functional toolbox it says with a bunch of monads seems interesting :P
-
moparisthebest
Just be careful about using an off the shelf XML parser for XMPP, you have to disable a ton of things or it'll be insecure. Processing instructions, comments etc etc etc
-
MattJ
So SAX will give you a stream of events like "A tag was opened", "A tag was closed", etc. and most implementations use these to update a stanza object
-
singpolyma
Ignore moparisthebest :P
-
MattJ
After the final tag of the stanza is closed, it then processes the stanza
-
moparisthebest
> Ignore moparisthebest :P
Are you saying you don't need to disable those...
-
MSavoritias (fae,ve)
> Just be careful about using an off the shelf XML parser for XMPP, you have to disable a ton of things or it'll be insecure. Processing instructions, comments etc etc etc
at least it seems the simple one they have is not security sound to use
-
MSavoritias (fae,ve)
it just says:
> The (sxml simple) module presents a basic interface for parsing XML from a port into the Scheme SXML format, and for serializing it back to text.
-
singpolyma
moparisthebest: of course. The fact that any spec even implies you should is brain damage
-
MSavoritias (fae,ve)
which doesnt sound very encouraging
-
MSavoritias (fae,ve)
at least they have SSAX which means i can define something special case for me
-
MattJ
XML has a bunch of additional features... which aren't used (or even permitted) in XMPP, so disable everything you don't need, which is basically everything except namespaces
-
MSavoritias (fae,ve)
or wait actually i think its unrelated. i need that one to write xml in scheme
-
singpolyma
Any sax parser should do the job. Obviously if it has insane XML extensions enabled like DTD disable those, but most don't even support that stuff to begin with
-
singpolyma
You would probably benefit from having it shoot out chunks of sxml per stanza or something, but it depends on the use case
-
MSavoritias (fae,ve)
makes sense. since i dont want to get everything together
-
MSavoritias (fae,ve)
also the moment i am thinking of parsing stanzas i understand how important framing is :/
-
singpolyma
Luckily we have framing built in and the sax parser does the counting for you
-
MSavoritias (fae,ve)
what is the built in framing?
-
singpolyma
XML
-
singpolyma
Stanza start to stanza end is unambiguous
-
MSavoritias (fae,ve)
ah. i meant that i have no idea how big the stanza is going to be ahead of time
-
singpolyma
No, that's true. We have boundaries not sizes
-
singpolyma
I guess you will be sort of a server right because p2p?
-
MSavoritias (fae,ve)
yep
-
MSavoritias (fae,ve)
gnunet says
> The size of an element’s data is limited to around 62 KB.
-
singpolyma
So if the size gets past your limit mid-stanza you have to close the connection
-
MSavoritias (fae,ve)
so i guess 62kb
-
singpolyma
Ah, if you limit it to single elements in your protocol then you may not have this issue yeah
-
MSavoritias (fae,ve)
yeah i was thinking i dont need to manage it if the layer underneath does it
-
MSavoritias (fae,ve)
since xmpp will be over gnunet. specifically cadet
-
MSavoritias (fae,ve)
i think its bigger than current federated xmpp limits anyways
-
singpolyma
Smaller. Usual limit is ~256kb
-
MSavoritias (fae,ve)
damn. there goes my idea :/
-
moparisthebest
singpolyma: you have to disable those things or you'll get https://en.wikipedia.org/wiki/Billion_laughs_attack and a ton of other things
-
moparisthebest
MSavoritias (fae,ve): XMPP over websocket is framed ;)
-
MSavoritias (fae,ve)
heh
-
singpolyma
moparisthebest: that attack and others like it are based on things like DTD which aren't part of base xml
-
MSavoritias (fae,ve)
and from reading gnunet doesnt seem to be framed so i cant delegate it there exactly :/ but maybe i can hack something since the 64kb is basically the equivalent layer of ethernet frames
-
jonas’
singpolyma, DTD is part of XML 1.0, it's not an extension (nitpick).
-
jonas’
which is why many parsers actually do support it.
-
jonas’
(it's worth pointing this out so that people actually go and check for that, instead of thinking that $niecheParser won't support it)
-
jonas’
(this notably includes entity declarations, i.e. billion laughs)
-
moparisthebest
singpolyma: all I said was you shouldn't grab any off the shelf XML parser and use it with XMPP, you likely need to disable things or if they don't have toggles it's unsafe to use
-
moparisthebest
I don't think *that* can be ignored
-
jonas’
exactly
-
jonas’
and again, DTD *is* part of base XML
-
jonas’
(unlike XML Schema)
-
jonas’
source: https://www.w3.org/TR/REC-xml/#NT-doctypedecl
-
moparisthebest
Feel free to ignore me when I say things like you should only use purpose built XMPP XML parsers if you want since that's an opinion you are free not to share :)
-
jonas’
and here's the grammar for the dreaded entity declarations (read: billion laughs), right there in XML 1.0: https://www.w3.org/TR/REC-xml/#NT-EntityDecl
-
singpolyma
> (it's worth pointing this out so that people actually go and check for that, instead of thinking that $niecheParser won't support it)
Yes this is fair. If you're building a server double check the DTD thing for sure
-
jonas’
also as a client.
-
jonas’
in IBR or SASL ANON there's not much of a trust relationship to the server.
-
jonas’
(and even then, trust is nice, but people _will_ laugh at you if your client breaks with billion laughs in 2024.)
-
moparisthebest
MSavoritias (fae,ve): rather than rolling your own from scratch you could also use bindings to a good one like https://codeberg.org/jssfr/rxml just throwing it out there...
-
jonas’
awww
-
MSavoritias (fae,ve)
thanks will keep it in mind
-
MSavoritias (fae,ve)
although it wouldn't be completely from scratch apparently
-
moparisthebest
Even if you trust your server, servers have bugs too... Here's an example of remote code execution in a client because the server let bad XML through that it shouldn't have https://bugs.chromium.org/p/project-zero/issues/detail?id=2254
-
moparisthebest
Why *should* it be completely from scratch :)
-
MSavoritias (fae,ve)
so probably framing is not the answer and i would have to do other checks anyway
-
jonas’
moparisthebest, yeah, why would *anyone* write an XML parser from scratch? only madpeople do that!
-
jonas’
(looking at you and me)
-
jonas’
(and yes, your stanza counting this qualifies in my view :P)
-
MSavoritias (fae,ve)
maybe not try to add framing anyways then
-
moparisthebest
Doing that is a fun learning experience sometimes but not something you should do normally
-
moparisthebest
jonas’: to be fair if rxml had existed first I probably would have used it so really it's your fault
-
MSavoritias (fae,ve)
heh if i say half the projects i am writing around my xmpp library its all a mad science experiment XD
-
jonas’
moparisthebest, I refuse to take the blame for that :P
-
moparisthebest
Doesn't stop me from giving it...
-
jonas’ casts deflect blame (and fudges the git commit timestamps in early rxml)
-
moparisthebest
Oh no the loophole...
-
Schimon
You might be interested at this matter:
> Jabber / XMPP · Issue #541 · betrusted-io/xous-core
> https://github.com/betrusted-io/xous-core/issues/541
-
MSavoritias (fae,ve)
(xmpp-rs is not good apparently for them)
-
moparisthebest
What does XMPP have to do with a kernel/operating system?
-
Martin
> Core files for the Xous microkernel operating system.
I don't even get what XMPP has to do with this OS.
-
moparisthebest
Yea nothing at all as far as I can see
-
wgreenhouse
Xous is the firmware for the precursor/betrusted
-
wgreenhouse
so I guess someone might be interested in using it as a highly secure xmpp dumb phone
-
Schimon
> I don't even get what XMPP has to do with this OS.
Martin: It appears that they are integrating telecommunication protocols for messaging, so I suggested to consider XMPP.
-
Martin
Ah ok.
-
Schimon
MSavoritias (fae,ve), I have asked them to join to groupchat XMPP in Rust and ask for references there. You can convince them.
-
Schimon
Martin: I have had the same question when I have read the description of Xous for the first time.
-
wgreenhouse
the device in question is a prototype of a dedicated messaging platform or secure enclave (betrusted.io), as an alternative or adjunct to a cell phone
-
wgreenhouse
it doesn't really have a general purpose OS
-
MSavoritias (fae,ve)
> MSavoritias (fae,ve), I have asked them to join to groupchat XMPP in Rust and ask for references there. You can convince them.
im not using rust. I posted as an interesting bit from the issue comments
-
moparisthebest
Where is messaging mentioned https://github.com/betrusted-io/xous-core ?
-
MSavoritias (fae,ve)
more informative https://www.crowdsupply.com/sutajio-kosagi/precursor
-
MSavoritias (fae,ve)
its for this ^
-
MSavoritias (fae,ve)
the xous thing
-
wgreenhouse
yeah, precursor is the hardware
-
moparisthebest
xmpp-rs isn't suitable for them in the same way that you'll find it hard to do XMPP if you don't have a networking stack
-
MSavoritias (fae,ve)
lol they think that thing will run matrix XD
-
Schimon
moparisthebest, I think it would better be to state, how would they be able to add XMPP to Precursor.
-
moparisthebest
They need to finish implementing their OS before they can move on to that
-
moparisthebest
If it can do http or matrix it can 100% do XMPP
-
moparisthebest
It's not something lacking in XMPP or xmpp-rs but something in their (currently) toy OS
-
Schimon
moparisthebest, we shall talk with them, and hopefully they would prioritize XMPP. This is what I think would be best to do.
-
Schimon
Prioritizing IRC would also be good.
-
jonas’
yeah, when I think "secure communication platform", I immediately think "IRC" /sarcasm
-
wrath
> more informative https://www.crowdsupply.com/sutajio-kosagi/precursor
That's pretty cool
-
wrath
FPGAs are so interesting
-
wgreenhouse
not by any means fast computer, but for the role it's intended to be safe computer
-
wgreenhouse
saferer computer