jdev - 2025-06-05

  1. dwd

    Anyone about who knows/writes/etc slixmpp?

  2. dwd

    So, should anyone pass by: I'm trying to connect to a custom host/port with direct_tls, and that seems to be unsupported now. I can turn off TLS, but not turn it on, because - if I follow the code right - it assumes any custom host/port is plaintext connect with possibly starttls.

  3. lissine

    xmpp:slixmpp@muc.poez.io?join

  4. dwd

    Thanks!

  5. lovetox

    a user asked for a feature to hide the app identity, so app name and version

  6. lovetox

    both can be requested via xep 0092, which is rather easy to deactivate

  7. lovetox

    though the app name is also in disco info identity, of course i could remove it there as well, but i wonder if that is viable

  8. moparisthebest

    don't forget FAST

  9. lovetox

    FAST?

  10. lovetox

    i dont care to hide it from the server operator to be honest

  11. lovetox

    but we dont implement FAST yet so ..

  12. lovetox

    the question is, is it viable to not answer disco requests at all, and if not, would it not be trivial for someone to determine that its Gajim simply by looking at the features in disco info

  13. lovetox

    what breaks if i dont answer disco info requests, is probably the question

  14. lovetox

    ah we need disco info for pubsub subscriptions, so yeah thats out of the question

  15. moparisthebest

    > i dont care to hide it from the server operator to be honest why not?

  16. lovetox

    because the server operator is probably the 5 % that costs 90% of the effort

  17. lovetox

    or whatever that ratio was :D

  18. lovetox

    i could block disco info requests form jids which are not my own server

  19. lovetox

    then pubsub sub works

  20. Goot the ticklegoblin!

    > the question is, is it viable to not answer disco requests at all, and if not, would it not be trivial for someone to determine that its Gajim simply by looking at the features in disco info Some clients return disco info sorted into alphabetical order, but Gajim does not

  21. Goot the ticklegoblin!

    Of course that on its own wouldn't be enough to determine it is, in fact, Gajim

  22. lovetox

    i agree its trivial if you receive disco info even without name to determine its Gajim

  23. lovetox

    thats why im thinking about to not return disco info at all

  24. lovetox

    i think its only problematic for the Jingle XEPs?

  25. lovetox

    but should be fine with JMI?

  26. moparisthebest

    client disco should have been deprecated ages ago, burn it!

  27. moparisthebest

    It's always a bug to ask and base decisions on "what features are supported by client(s) they have connected right now"

  28. lovetox

    yes, but i have users that want things to work

  29. lovetox

    so better to ask the question what could break

  30. moparisthebest

    what would break? I think only things that are already broken

  31. doge

    > It's always a bug to ask and base decisions on "what features are supported by client(s) they have connected right now" Based

  32. singpolyma

    > client disco should have been deprecated ages ago, burn it! Some of us actually like XMPP 🙂

    💯 1
  33. moparisthebest

    I think all of us here do

  34. doge

    " I would like to be unable to try to call my contact if my device thinks, often mistakenly, that they don't currently have any devices online that support calls" said no user ever.

  35. singpolyma

    doge: not remotely what was being talked about

  36. moparisthebest

    That's actually exactly what I was talking about

  37. lovetox

    singpolyma, i would also disagree, thats what historically we used disco info for, mostly jingle

  38. lovetox

    some XEPs even say you should check and dont send something like a marker request, or chatstates etc

  39. moparisthebest

    and in some distant past that made sense, but is now a bug

  40. singpolyma

    Having a button for calls or not is a UX decision. Disco is a protocol thing not a UX thing

    🙄 1
  41. singpolyma

    And we need it for lots of stuff. As already mentioned for pep at least

  42. lovetox

    yes, nobody says burn disco alltogether

  43. moparisthebest

    > Having a button for calls or not is a UX decision. Disco is a protocol thing not a UX thing 🙄

  44. lovetox

    the proposal was burn it between user clients

  45. moparisthebest

    Correct

  46. lovetox

    of course we want disco from a service, or server

  47. singpolyma

    There's no reason you should be able to tell if I'm a client or a server anyway

  48. lovetox

    so you think it will cause no problems if Gajim answers disco info requests from other user clients with an error?

  49. lovetox

    that was my initial question

  50. singpolyma

    I think that's impossible to do

  51. singpolyma

    And also not sensible to want as a seperate thing

  52. lovetox

    im aware you cannot make a statement for the whole world, but maybe for the client you develop

  53. lovetox

    will something stop working if gajim answers disco info requests to cheogram with an error

  54. singpolyma

    I don't know

  55. lovetox

    will something stop working if gajim answers disco info requests from cheogram with an error

  56. lovetox

    :/

  57. Goot the ticklegoblin!

    It's not the job of the entity generating the error to handle the error.

  58. lovetox

    the question was, how another client handles the error

  59. moparisthebest

    Try it?

  60. Goot the ticklegoblin!

    If an entity replies to a service discovery request saying that it does not support service discovery, then it stands to reason that a client would assume that the entity does not support service discovery. This would naturally preclude other features that require an entity to support service discovery in order to advertise support for it.

  61. theTedd

    lovetox, is the request "I don't want it to be obvious that I'm using Gajim" or is it "it should not be possible for a determined adversary to deduce I'm using Gajim" ? -- the former is easy and limited, the latter is possibly more trouble than its worth. Also consider what does Gajim do if a client returns error for a disco request?

  62. lovetox

    what does that help me, i know what my client does, i want to know what others do :D

  63. lovetox

    it should not be easy to determine that i use Gajim, i think its nearly impossible to hide it completely, it depends how much effort an attacker puts in

  64. Goot the ticklegoblin!

    <body>hey what client are you using</body>

  65. lissine

    lovetox, singpolyma, some clients have a unified flow for adding contacts and joining rooms.

  66. lissine

    It works by doing a disco on the jid, to check the available features and guess if it's a room or not.

  67. lissine

    But that (should?) work even when the contact is offline. So I guess the server is replying on behalf of the client in that case?

  68. lissine

    Oh never mind. The client identity should only be returned when doing a disco against a full jid

  69. lissine

    The scenario I mentioned involves disco queried against bare jids

  70. lissine

    The scenario I mentioned involves disco queries against bare jids

  71. jjj333_p (any pronouns)

    > it should not be easy to determine that i use Gajim, i think its nearly impossible to hide it completely, it depends how much effort an attacker puts in gajim literally sets the resource name to gajim.randomstring 🤔

  72. jjj333_p (any pronouns)

    as in jjj333@pain.agency/gajim.something

  73. singpolyma

    > It works by doing a disco on the jid, to check the available features and guess if it's a room or not. Not guess. Know 🙂

  74. singpolyma

    > But that (should?) work even when the contact is offline. > So I guess the server is replying on behalf of the client in that case? When you disco (or any iq) a bare jid server always replies to that