jdev - 2026-01-16

badrihippo: (continuing discussion from commteam@) > That webassembly part was making me a bit nervous until I read "and how to verify its origin". I assumed that means the blob will be cryptographically signed by the gateway in some way? Yeah that the idea. The goal is to have it like a repository, you have authors that you trust or not (like you trust Debian devs with your packages for instance).

That makes sense. I suppose it's an extension of having to trust the gateway software anyway if you're going to use it (and afaict it still doesn't require trusting the server right?)

> That makes sense. I suppose it's an extension of having to trust the gateway software anyway if you're going to use it (and afaict it still doesn't require trusting the server right?) Indeed it doesn't require to trust the server. It's the blob dev team that you trust (who may or may not be the same team as the one doing the gateway). So it's really important to have signature, and to have the source of the blob, and it must be reproducible (So you can check what you actually run if you need to). ↺

why would this xml not get embedded by gajim? Thu 15 Jan 2026 11:43:01 PM - sunglocto: ```xml <message id="98fae006-e59d-4f63-a741-a323915b3039" to="x@sunglocto.net/KvfPu1qgvKmi" from="chaos@group.pain.agency/Video Embed" xml:lang="en" type="groupchat"> <body>https://0.vern.cc/hg.webm&#xA;</body> <stanza-id xmlns="urn:xmpp:sid:0" id="019bc62e-3ee8-735a-af29-946e286f0e03" by="chaos@group.pain.agency"></stanza-id> <x xmlns="jabber:x:oob"> <url>https://0.vern.cc/hg.webm</url> </x> <occupant-id xmlns="urn:xmpp:occupant-id:0" id="gdm2jOwk3xX9qeNWdoSsNbp8HbYwHItOjAQXjvO3ZKw=" xmlns="urn:xmpp:occupant-id:0"></occupant-id> </message> ```

The oob url and the message body need to be equals

In this example, the message body has a few characters at the end (&#xA) that are not in the oob url

>> That makes sense. I suppose it's an extension of having to trust the gateway software anyway if you're going to use it (and afaict it still doesn't require trusting the server right?) > Indeed it doesn't require to trust the server. It's the blob dev team that you trust (who may or may not be the same team as the one doing the gateway). So it's really important to have signature, and to have the source of the blob, and it must be reproducible (So you can check what you actually run if you need to). I don't understand why there are so important? So that the blob can't, what, lie to you about what your messages say I guess? ↺

Or run code to read to encrypt the message properly but also run through your entire address book and send it to some third party? Or is that not how webassembly works

Indeed webassembly blob could not do that

It can't do any io at all

Pure function of whatever string input you give it and return some other string is probably all you'd ever allow for this use

It also won't encrypt or decrypt anything right? Just encode/decode stuff inside the crypto.

goffi, can you clarify on that? So, the crypto is still handled by more traditional means?

Something has to get the keys etc somehow. No way the blob can do that unaided at which point I don't know why it would do any cryptography at all

>> Indeed it doesn't require to trust the server. It's the blob dev team that you trust (who may or may not be the same team as the one doing the gateway). So it's really important to have signature, and to have the source of the blob, and it must be reproducible (So you can check what you actually run if you need to). > > I don't understand why there are so important? So that the blob can't, what, lie to you about what your messages say I guess? that alone isn't an important enough reason? ↺

> I don't understand why there are so important? So that the blob can't, what, lie to you about what your messages say I guess? It may voluntarily badly encrypt so that it can be decrypted for instance. You have to trust the code run. ↺

So you are proposing to have it involved in cryptography sometimes?

> Or run code to read to encrypt the message properly but also run through your entire address book and send it to some third party? Or is that not how webassembly works That's sandboxed. The webassembly code can be either given a well-defined and limited API or just be a function without access to anything but the data to encrypt. ↺

>>> Indeed it doesn't require to trust the server. It's the blob dev team that you trust (who may or may not be the same team as the one doing the gateway). So it's really important to have signature, and to have the source of the blob, and it must be reproducible (So you can check what you actually run if you need to). >> >> I don't understand why there are so important? So that the blob can't, what, lie to you about what your messages say I guess? > > that alone isn't an important enough reason? I mean maybe. Every gateway can already do that ↺

> So you are proposing to have it involved in cryptography sometimes? Yes, the webassembly get the incoming data (for instance the <message> that would be sent normally over XMPP), take the data it needs, format it (e.g. as an email for email gateway) and encrypt it. The encrypted data is then sent to the gateway which routes it. ↺

But anyway, it will all be more clear once I'll propose the protoXEP.

>> >> that alone isn't an important enough reason? > > I mean maybe. Every gateway can already do that not for stuff inside encryption ↺

The app host needs to know how to get and manage all they keys etc right? I'm not sure what is gained by having the webassembly do cryptography. Formatting for sure that's a great use

I thought that was the entire point? So all clients can do new encryption instantly without code changes

remote code execution as a service \o/ ✏

I though the point was so I can use PGP or MLS with email or something using mls and not have to implement their JSON payloads in every app

manually implementing all the different encryption but not json payloads seems unhelpful?

Why? I have to implement these encryptions anyway

> The oob url and the message body need to be equals Thank you ↺

> Why? I have to implement these encryptions anyway I don't think so? ↺

Is there a standard way to report a status for a user, rather than a device?

There are a few

For example the user activity xep is likely what you want. But maybe user mood

ok yeah 0108 does look relevant

vpzom: the answer is not really

Its a feature missing currently

Forget mood and activity it's too limited and not supported by many (any?) client

I don't see how it's limited at all. It's got free form text after all

And if we only implemented things other clients had we'd never move forward

When I look at what other non xmpp apps are doing it's basically all one of these two XEPs or a combination thereof

The one thing I see missing is a way to synchronize the <show> values

That's rather a different thing. I would say show values don't make sense at an account level really

online/away make sense per device, but the others not so much

XA is just "really really away" and free to chat is "really really online" so seems the same

i'd just treat it as like an enum, and choose the highest value of sorts, with offline being 0, xa being 1, and free to chat being the highest

well no, being "free to chat" has no relation to which of my devices I'm using

> i'd just treat it as like an enum, and choose the highest value of sorts, with offline being 0, xa being 1, and free to chat being the highest Yes that's what everyone has done since before we called it xmpp almost ↺

I would ideally be able to set that on one and remove it later from another

> well no, being "free to chat" has no relation to which of my devices I'm using generally clients should/could automatically set to away then xa after some amount of time ↺

> Yes that's what everyone has done since before we called it xmpp almost ah sorry if im being captain obvious ↺

I'll admit I don't think free to chat should have been added. It was popular in some silos at the time and just sort of copied. But it's not a disaster or anything

If you want the equivalent at user level you can use a user activity that means the same

> I'll admit I don't think free to chat should have been added. It was popular in some silos at the time and just sort of copied. But it's not a disaster or anything the main thing i see it being useful for would be indicating when you have the client fully open, but chatstates are probably more appropriate for that (i wish more clients automatically sent and displayed the full set of chatstates) ✏ ↺

Yeah. I think chat state is better there if you want that

Chat states are per conversation though, right? The way I would interpret the chat show state is "I want to talk to someone, I don't care who"

One thing I could imagine doing is having clients mirror the activity state into their presence broadcasts for compatibility

Yes that is what I am going to do

presence/status was really neat last time it was relevant 18 years ago

The intention behind "free to chat" was as an explicit invitation for people to message you (please, I'm bored!), while people were less likely to randomly message you just because you were online for fear of bothering you.

moparisthebest, just because you don't use something, doesn't mean nobody else sees any value in it

sure, never said otherwise

thinking back I think it was SMS that killed it? haven't seen anything use it since

which I guess means in places that didn't fully go SMS maybe kept it? Need Europeans to chime in

SMS started in Europe, so I'm not sure what "fully SMS" means

My understanding is that SMS is still to this day very expensive in most of Europe so it never really took off? vs US and others where it went unlimited and free in mid/late 00s and became the de-facto chat platform because of that

It was charged per message, so possibly not used as extensively, but still fairly popular

yep I remember here it was like 25 cents per message, then 10, then free

I think most people have unlimited SMS now as part of their monthly usage

To this day SMS is the default here, 80 year olds use it, 5 year old kids use it, wild

> Chat states are per conversation though, right? The way I would interpret the chat show state is "I want to talk to someone, I don't care who" yeah which would probably be more appropriate for what i was talking about, e.g. indicating if someone had the chat open ↺

also theory if you had a multi-window client you could pretty trivially send chatstates to all the chats in windows, perhaps indicating which one is selected or something

That is what 'active' is supposed to represent

> To this day SMS is the default here, 80 year olds use it, 5 year old kids use it, wild seems to be becomming less so in my age group (20-25 year olds), i have the discord/snapchat/signal of several of my friends but dont actually know their phone numbers ↺

just no one seems to have agreed on a defacto replacement, such as whatsapp is for most places in the world

> presence/status was really neat last time it was relevant 18 years ago Tell that to every new chat platform since they always seem to think it is important to add it ↺

> just no one seems to have agreed on a defacto replacement, such as whatsapp is for most places in the world I mean, Facebook Messenger is pretty popular as is iMessage. But luckily I've rarely had someone insist to only contact me that way ↺

Each social group tends to have their preference, which largely spreads by Network Effect

> I mean, Facebook Messenger is pretty popular as is iMessage. But luckily I've rarely had someone insist to only contact me that way oh right i forgot about imessage. i find i mainly use that with relatives or official stuff ↺

iphones are pretty near universal where i live so sms/rcs is almost never used

Luckily (for me) my family are all too poor for iPhones

my parents in particular refuse to use anything but apple devices and apple software

iMessage uses phone numbers though, right? So if someone shares that as a communication method then you could also send SMS/MMS/RCS?

they dont really care about imessage vs sms but at least imessage is e2ee when set up right so when they text me sensitive things casually itll be less bad

(they even use only safari lol)

> iMessage uses phone numbers though, right? So if someone shares that as a communication method then you could also send SMS/MMS/RCS? yes, but on iphone only imessage has encryption ↺

they didnt implement rcs with encryption

ive also told the tale here before, but basically with my carrier (mint mobile) in my area (hawaii) rcs is extremely unreliable and its almost worth just going in and disabling and going back to sms/mms

like plaintext messages go through fine but if you attach anything of significant size (like the main reason youd want rcs over mms) during high activity hours of the day it will just wait 5 minutes then fail

the state of ios is getting so bad that my next phone will prob be android and ill just tell my family to get lost if they send sensitive shit over text