XMPP Service Operators - 2022-02-21


  1. moparisthebest

    rozzin: cockroachdb is just postgresql from your application's pov

  2. moparisthebest

    Supposed to be a drop in replacement

  3. rozzin

    moparisthebest: looks like "mostly drop-in" I guess https://github.com/processone/ejabberd/issues/3074

  4. moparisthebest

    wonder if any of those incompatibilities went away on the cockroachdb side since then, 2019 is basically the dark ages no ?

  5. rozzin

    I guess? Though the issue at the top looks like "cockroachdb has additional keywords that need to be quoted". I guess cockroach could have made their parser smarter about context or something? Too deep for me to dig right now 😫

  6. rozzin encourages Sapotaceae to try it out 😏

  7. Ellenor Bjornsd.

    Huh, there's such a thing as yugabytedb? Maybe I should try it out

  8. moparisthebest

    the ones I know about are CockroachDB (postgresql but distributed) and TiDB (mysql/mariadb but distributed)

  9. Ellenor Bjornsd.

    yes, this is supposed to compete with cockroach

  10. Ellenor Bjornsd.

    https://github.com/yugabyte/yugabyte-db

  11. rozzin

    Sapotaceae: > Is there any Foss server that supports geographic failover This sounds like what you wanted? https://mongooseim.readthedocs.io/en/3.1.1/modules/mod_global_distrib/

  12. rozzin

    Maybe I should migrate to MongooseIM?

  13. Licaon_Kter

    rozzin: latest is 5 https://esl.github.io/MongooseDocs/latest/modules/mod_global_distrib/

  14. zdream

    Hi

  15. Licaon_Kter

    zdream: Hi there. What brings you to this corner of the admin ecosystem?

  16. zdream

    > Monday, 21 February 2022 > [17:45:56] Licaon_Kter: > zdream: Hi there. What brings you to this corner of the admin ecosystem? I was looking for a tutorial on building an xmpp service on the Internet, so I found it here.

  17. Licaon_Kter

    There are many such tutorials. Peruse the Newsletter ;) https://xmpp.org/categories/newsletter/

  18. zdream

    Thank you.

  19. Licaon_Kter

    Do chime in zdream and ask for help if you need it. But be detailed in use case and such.

  20. Licaon_Kter

    Do chime in zdream and ask for help if you need it. But be detailed in use case and such.

  21. Licaon_Kter

    Stay safe and... TLSA/DANE? https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600

  22. croax

    Yep, that's why relying on automated CA has huge downsides... But everyone seems happy to have a big LE ruling the world. I hope we consider a better support for DANE in servers / clients

  23. croax

    (still relying on centralized infrastructure... but ICANN domain names are, per se)

  24. croax

    (still relying on centralized infrastructure... but like ICANN domain names, per se)

  25. croax

    By the way, to help adoption of DANE, although lots of us are using LE, we can add the "--reuse-key" option to preserve at renewal the key associated to the LE certificate so we can publish an unchanging TLSA value in DNS zone. Otherwise it's much more complex to maintain.

  26. moparisthebest

    croax: yes, but how to get people to drop their .im domains?

  27. croax

    HTTP permanent redirection 👀 [joke]

  28. savagepeanut

    What's wrong with .im domains?

  29. croax

    No DNSSEC

  30. moparisthebest

    croax: did you notice the attacker didn't use LE

  31. savagepeanut

    Huh. I didn't know dnssec was dependent on the tld.

  32. moparisthebest

    savagepeanut: completely dependent on the TLD, that's basically what has held back adoption imho

  33. MattJ

    Especially .im in the XMPP realm

  34. savagepeanut

    What was the reason for that? I don't know of any technical reason to not have it as an option everywhere.

  35. moparisthebest

    Laziness

  36. moparisthebest

    It'd be more work for .im to set up and run so they just don't

  37. savagepeanut

    Lol I should have guessed

  38. croax

    moparisthebest: > did you notice the attacker didn't use LE Right, probably it was not possible to do this with LE for some reasons (while OK with ZeroSSL). But the problem remains :-) Don't forget to define CAA records in DNS zone too! It would have forbidden ZeroSSL to provide a valid cert.

  39. moparisthebest

    Yep!

  40. moparisthebest

    LE does challenges from multiple widespread geographic locations, which is literally the best that can be done without dnssec, I don't know what zero SSL does

  41. moparisthebest

    But in the dark ages of manually acquiring certs this would have been easy too

  42. Licaon_Kter

    PSA: https://nakedsecurity.sophos.com/2022/02/18/irony-alert-php-fixes-security-flaw-in-input-validation-code/

  43. junaid

    thanks Licaon_Kter!

  44. moparisthebest

    bigger PSA, what all servers use expat ? only prosody or ? https://www.openwall.com/lists/oss-security/2022/02/19/1

  45. jonas’

    mmmmmmmmm

  46. mimi89999

    I started the discussion on CAs and BGP hijacking: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/lxiA7zcKLws