jdev - 2025-03-01


  1. Link Mauve

    moparisthebest, why that, “especially in python”?

  2. moparisthebest

    Link Mauve: just because https://docs.python.org/3/library/pickle.html

  3. Link Mauve

    moparisthebest, we kept the pickle compatibility in the new JID implementation in slixmpp 1.9.0, don’t worry.

  4. Link Mauve

    So even if you parse it as a resourcepart with all of the resourceprep, it will work.

  5. Link Mauve

    Although, I don’t think we expose a specific resourcepart type atm.

  6. moparisthebest

    Not sure what you mean, I'm just saying a private pep node is an untrusted source so pickle shouldn't be used on it

  7. Link Mauve

    Does pickle support XML as a source or destination? I thought it was only a binary serialization of Python objects.

  8. moparisthebest

    Pickle > base64 > pep node; seems like something python might do

  9. Link Mauve

    Python doesn’t do stupid things on its own, you have to very knowingly do such a thing. And shouldn’t.

  10. moparisthebest

    I think that's all I said?

  11. lovetox

    No you said "python might do"

  12. edhelas

    I'm promoting Gajim in the list of alternative clients in Movim now :)

  13. edhelas

    https://upload.movim.eu/files/9d94237298995552fa13436420195fbca436dce7/PHSlSUIqlNGk/chat_image.png

  14. cal0pteryx

    That's great :) thanks a lot

  15. lovetox

    Fully featured is sadly a bit of an overstatement in recent times

  16. singpolyma

    More than any other client still 🙂

  17. lovetox

    Really? If I think about any feature related to jingle, Gajim is now at zero.

  18. lovetox

    I guess it depends on what you need.

  19. qy

    other than cheogram, does gajim miss any features another client has?

  20. lbocquet

    edhelas: Can you update the copyright year?

  21. cal0pteryx

    qy: you can check with https://xmpp.org/software/software-comparison/

  22. cal0pteryx

    Though we need to update Gajim's DOAP file

  23. singpolyma

    qy: just A/V

  24. qy

    > qy: just A/V 👍

  25. edhelas

    Soon ™

  26. moparisthebest

    > No you said "python might do"

    Right. Certain languages are notoriously vulnerable to RCE during deserialization due to having vulnerable methods in the stdlib to do it. Python, PHP, and Java are examples.

  27. lovetox

    Guus, does openfire store message timestamps with sub second precision?

  28. Guus

    lovetox, in what/where? MAM?

  29. lovetox

    yes

  30. Guus

    last recorded timestamp in the database is 1740859932353

  31. Guus

    that's milliseconds

  32. lovetox

    great

  33. lovetox

    thanks

  34. Guus

    np

  35. Guus

    (unsure if it _communicates_ with the same precision, but that's likely)

  36. lovetox

    yeah, i guess that's easy to fix if it would not be the case

  37. Guus

    why are you looking into this?

  38. lovetox

    if you "backload" MAM history, means you have already messages from today, but you want to load more messages from yesterday, and you store these messages into a local client database, it's very complex to load them later back into the GUI with the correct order of messages

  39. lovetox

    This becomes easy if you can depend on that each message has a different timestamp

  40. lovetox

    i know subsecond precision does not exactly give this guarantee, but in practice it will almost never happen, close enough

  41. Guus

    ... that. :)

  42. Guus

    but why look at Openfire specifically?

  43. lovetox

    the problem is with only second precision, it happens daily

  44. lovetox

    because ejabberd, and prosody already have subsecond precision

  45. lovetox

    and i wanted to check other server implementations, if most of them have it, i would try to implement it

  46. Guus

    ah, ok