XMPP Service Operators - 2023-03-14


  1. Harper

    has the certificate for conference.trashserver.net expired?

  2. nuegia.net

    you could test it with testssl.sh. it supports xmpp starttls

  3. Harper

    indeed it is
    > Mon, 13 Mar 2023 23:15:49 GMT

  4. Licaon_Kter

    > has the certificate for conference.trashserver.net expired?
    _My old enemy, we meet again_

  5. Trung

    > Connection from trung.fun to conference.trashserver.net failed !
    > Cert hash: 09b505c082bba39e68f584ba55e3518221cdafd6
    > Error: Error with certificate 0: certificate has expired.

  6. benk

    Sad

  7. Licaon_Kter

    It's back already

  8. benk

    🎉

  9. j.r (jugendhacker.de)

    Looks like the admin forgot, but fixed it directly after waking up: https://metalhead.club/@thomas/110020016870184893 (sorry for strudel)

  10. bkil

    If only there existed a service that kept verifying acme-based volunteer ran free community services for their expiry once every and warned 30 days in advance! We run into this in many other communities regularly.

  11. bkil

    If only there existed a service that kept verifying acme-based volunteer ran free community services for their expiry weekly and warned 30 days in advance! We run into this in many other communities regularly.

  12. MattJ

    There is: https://observe.jabber.network/

  13. MattJ

    It monitors connectivity as well as certificate expiry warnings

  14. TheCoffeMaker

    MattJ, seems to be down ... is it?

  15. MattJ

    It is not

  16. bkil

    And does it contact the owners?

  17. MattJ

    Yes

  18. bkil

    Hm. So we need a down detector for the down detector then!

  19. TheCoffeMaker

    > It is not
    I was able to reach it on the 3rd try ... weird

  20. MattJ

    Works fine for me on both IPv4 and v6

  21. bkil

    By the way, only warning _after_ the certificate is expired is way too late. If you have an ACME setup that is good for 90 days, you usually renew after every 60 days. If it is not renewed xy day 61, the cron job is already failing and there is no use in waiting until day 91. They also send an email at that time and if you don't act within a few days, you probably either don't have an email registered or it is going to spam.

  22. bkil

    By the way, only warning _after_ the certificate is expired is way too late. If you have an ACME setup that is good for 90 days, you usually renew after every 60 days. If it is not renewed by day 61, the cron job is already failing and there is no use in waiting until day 91. They also send an email at that time and if you don't act within a few days, you probably either don't have an email registered or it is going to spam.

  23. MattJ

    I agree, that's why it warns in advance

  24. MattJ

    For Prosody admins, there is also https://modules.prosody.im/mod_checkcerts

  25. Licaon_Kter

    Had a cron cert update fail last week, randomly/luckily seen it. _It was DNS_

  26. moparisthebest

    Always

  27. bkil

    > <MattJ> I agree, that's why it warns in advance
    That's why _what_ warns in advance?

  28. MattJ

    observe.jabber.network

  29. Harper

    Don't y'all already get emails from LE?

  30. bkil

    9.42% of operators don't.

  31. bkil

    The problem with `observe` is that not all communities are running XMPP servers on their domain.

  32. moparisthebest

    > The problem with observe is that not all communities are running XMPP servers on their domain.
    That's ok, easy to fix

  33. bkil

    As they haven't published the source code, I can't tell when they are actually sending an alert relating to certificates.

  34. Menel

    MattJ:
    > For Prosody admins, there is also https://modules.prosody.im/mod_checkcerts
    I think that doesn't work, last I tried.. I will try again... It also says incompatible with prosody .10 But then again. Let's Encrypt also sends warning emails if one doesn't disable that.. So one _can_ be warned anyway. It is included...

  35. MattJ

    Yeah, I guess for me it's useful because I'm not always the contact of the LE account (e.g. for jabber.org)

  36. bkil

    Not everyone uses ACME. Not everyone uses Let's Encrypt for ACME. Not everyone has that email address enabled. Some email may go to spam or the specified mailbox is only monitored manually instead of being forwarded to the pager/phone of a person. Some admins think that the warning is only intermittent if it was sent a single time and think it was resolved by cron on the node. Some star the incoming warning to deal with it later when they have time but forget about it due to email fatigue.

  37. bkil

    Some mistype their email address on the registration form (I don't think it is verified during the process).

  38. Menel

    bkil: nearly 100% of the expired certs just do that actually.. So you're technically correct.. But in reality it doesn't matter much.

  39. Menel

    If you set up something incorrectly it doesn't work yes... Also true for other checker software

  40. bkil

    By the way, my suggestion was a monitoring too to help monitoring the community services hosted by _others_, not your own. I.e., most volunteer operators aren't that experienced in monitoring & alerting as I would like them to be.

  41. bkil

    By the way, my suggestion was a monitoring tool to help monitoring the community services hosted by _others_, not your own. I.e., most volunteer operators aren't that experienced in monitoring & alerting as I would like them to be.

  42. MattJ

    bkil, I'm no longer sure what point you're trying to make. The discussion started about expired XMPP server certificates, we're in the XMPP operators chat. It seems you're talking about some generic non-XMPP certificate checker? Such things exist too.

  43. Menel

    Like https://github.com/louislam/uptime-kuma

  44. bkil

    TL;DR, Could you please disclose how many days in advance observe.jabber.network will "alert" before a certificate expires?

  45. MattJ

    bkil, I don't know, I would strongly suspect it's a configuration parameter

  46. moparisthebest

    > As they haven't published the source code, I can't tell when they are actually sending an alert relating to certificates.
    Did you not even read the page? Lol (all source is published right there)

  47. bkil

    Way ahead of you. I have already read the source code of the _webpage_ before asking. But it's neither the webpage of the monitoring tool, nor its configuration, nor it's devops deployment recipe if I would like to reproduce it.

  48. bkil

    Way ahead of you. I have already read the source code of the _webpage_ before asking. But it's neither the source of the monitoring tool, nor its configuration, nor its devops deployment recipe if I would like to reproduce it.

  49. bkil

    Is this bridge forwarding remote message corrections (edits) towards XMPP?

  50. MattJ

    Looks like if, if you're using the bridge

  51. MattJ

    Looks like it, if you're using the bridge

  52. bkil

    Excellent! The XEP provides for only editing my last message, right?

  53. MattJ

    Maaaybe

  54. Menel

    Many clients will forbid other edits and just don't show them

  55. bkil

    You mean only the original message will appear to them or it will be duplicated?

  56. Menel

    Both will be shown

  57. Menel

    It is a client feature, clients can decide what they do

  58. MattJ

    The protocol isn't technically limited to the last message, but it says that implementations should only allow editing the last message. Not all implementations agree with that, and there is talk about removing this restriction from the XEP's text.

  59. moparisthebest

    bkil: then I'm afraid you didn't read it:
    > Free as in Freedom: All software components used, including this web frontend, are free and libre software. (The configuration management is currently not, and will most likely never be; this is because it is too tightly integrated in the entire other stack of services.)
    It also has links to everything

  60. Licaon_Kter

    > _It's always DNS_
    The error I've got was: _"DNS problem: SERVFAIL looking up CAA"_ Don't recall what I did, restarted local resolver I guess.

  61. opal

    i see duplicate messages, where are you all even bridging from

  62. MattJ

    Most people aren't bridging from anywhere

  63. opal

    oh theyre individually-run bridges i see

  64. MattJ

    I think a couple of people are from Matrix

  65. opal

    i thought this chat was bridged thats all

  66. Maranda

    > <opal> i see duplicate messages, where are you all even bridging from
    Probably the duplicates you see are from LMC

  67. diane

    LMC last message correction?

  68. Maranda

    If joining from XMPP

  69. opal

    im guessing mam history doesnt preserve the edit flag for those messages?

  70. Maranda

    > <diane> LMC last message correction?
    ✅

  71. diane

    It seems to work for me, but I'm using dino. My other guess for repeated messages might be weirdness with stream resumption.

  72. Maranda

    MAM should, opal, but for example Conversations usually tramples when fetching corrected messages from history

  73. Maranda

    And shows duplicates

  74. opal

    maybe dino is doing that here too

  75. opal

    oh i havent updated dino in a bit either maybe i should rebuild

    👍️ 1
  76. diane

    0.4 has got cool new stuff.

  77. opal

    im on... 0.3.0~git18.20220517.f25bfb00 yeah a bit old

  78. diane

    Now we have fancy emoji reactions

  79. Licaon_Kter

    opal: no MUC MAM in 0.3 anyway, but in 0.4

  80. opal

    ah

  81. opal

    explains it then

  82. diane

    One thing I'm curious about is one of Dino's recent screenshots in gnome-software seems to show a 3 person video call. Does that actually work?

  83. Licaon_Kter

    Maranda: who protects the Edit? MAM or LMC? Eg. user leaves, bad user comes w/ same nick and tries to correct

  84. Licaon_Kter

    diane: between Dino users, up to 4-5 etc, should be ok, afaik

  85. Licaon_Kter

    diane: for this and many more click xmpp:chat@dino.im?join

  86. diane

    https://xmpp.org/extensions/xep-0308.html says you're not supposed to allow JIDs to edit messages from before entering the room

  87. opal

    so, server needs to be trusted basically

  88. Maranda

    > <Licaon_Kter> Maranda: who protects the Edit? MAM or LMC? Eg. user leaves, bad user comes w/ same nick and tries to correct
    Usually both client/server should do some sanity check.

  89. opal

    (fair assumption to have regardless of edits)

  90. Maranda remembers some recent related Gajim bug...

  91. opal

    well i can say, im glad dino tagged a release, so i'll get that built soon

  92. opal

    can move back off master

  93. bkil

    I'm unsure why bifrost shows almost a thousand people over the XMPP MUC. I can't quite see that many active around here.

  94. opal

    i see ~60 but keep in mind most people lurk

  95. Maranda

    bkil: because sync'ing XMPP ephemeral membership state is disruptive to the room state in Matrix ™️

  96. bkil

    Right. We should open a PR to bifrost that it should GC members after being offline for more than a week and send in their leave events in bulk each night (or even once a week).

  97. opal

    there's precedent in how irc (namely libera) handles that with the matrix bridge so probably copying that as closely as possible would lead to least surprise for everyone

  98. bkil

    Nobody bothered to implement this in the IRC bridge either, hence the constant conflicts with all major IRC networks.

  99. opal

    i think they wait like a month before DCing matrix clients

  100. opal

    idk how it works the other way around ive seen dead irc nicks all the time so

  101. opal

    > Now we have fancy emoji reactions
    its ... just an emote menu lol, not quite reactions

  102. bkil

    On the contrary, matrix-org got into an agreement with many big IRC networks that it will **kick** members out of the room after 30 days if they don't say anything (regardless whether their client updated their read receipt, presence, place reactji and even sent in other messages to the same network in other channels). This is very disruptive and had resulted in a loss of huge communities. It took me almost a year to reboot the Friendica community after I noticed this

  103. bkil

    I proposed a much better algorithm compared to this.

  104. opal

    i already use ibus for emoji

  105. opal

    bkil, damn that sucks

  106. opal

    yeah its coming back to me i remember people getting confused over stuff

  107. bkil

    It ain't helping that it did include heuristics to detect online presence, but the matrix.org had to disable presence due to performance reasons within the Python implementation.

  108. opal

    e_e they still sticking with python and theyre still probably open to new registrations LOL they arent exactly calculated

  109. Maranda

    bkil: tbh that's already on the radar but there isn't exactly a "flawless" solution. So not sync'ing parts/technical parts for now is the best choice (otherwise kick/bans are immediately sync'ed)

  110. opal

    oh wow dino 0.4.1 completely ignores my gtk theme cool and now i see the reaction popup nvm its different from the emote menu

  111. bkil

    Got any screenshot to show off for us outsiders?

  112. bkil

    Got any screenshots to show off for us outsiders?

  113. diane

    Yeah, I also noticed the theming changed with the jump to 0.4, and I think it's fair to call it a reaction because it replies to a post.

  114. opal

    bkil, no because i cant even resize the damned chats on the left to hide them now

  115. opal

    lmfao gtk4

  116. opal

    yeah diane youre right they are reactions if replies are also a thing now

  117. diane

    https://upload.ghic.org:5281/file_share/N2pzAQ5c1ZH6oALC9QzKqhHG/308228c5-10a8-4340-b56f-c7a71298ef42.png

  118. diane

    a bit of the menu

    🥇️ 1
  119. diane

    There's more to the emoji menu but it's a popup that extends outside the dino window and I didn't feel like screenshotting the rest of my desktop

  120. diane

    For my messages, if I hover over them there's 3 buttons, a pencil for editing, a left turn arrow for replying, and a face with a plus for emoji reaction

  121. opal

    ok yeah the reactions work like any other platform

  122. opal

    cool

  123. diane

    singpolyma added stickers to cheogram (more featureful fork of conversations), and that looks like it'd be fun for kid & family members

  124. diane

    Though I'm still waiting for it to show up in fdroid

  125. Licaon_Kter

    > Right. We should open a PR to bifrost that it should
    Hey Maranda how many of your PRs have been merged? :))

  126. bkil

    Which XEP does reactji use? It doesn't seem to be bridged by bifrost.

  127. Licaon_Kter

    bkil:
    > On the contrary, matrix-org got into an agreement with many big IRC networks that it
    OFTC ops were not singing the same song, kinda tired and annoyed by having 3k users that are... not real

  128. Licaon_Kter

    opal, diane: go to Dino room, and I'll share the fix :)

  129. Harper

    how else are we supposed to get to the top of s.j.n?

  130. Licaon_Kter

    Good one...

  131. opal

    if you mean fix for the theme i'm already deep into the gtk4 config stuff so ill figure it out soon enough, just gnome devs keep changing everything for no good reason

  132. Maranda

    > <Licaon_Kter> > Right. We should open a PR to bifrost that it should
    > Hey Maranda how many of your PRs have been merged? :))
    None, and none will

  133. nuegia.net

    > if you mean fix for the theme i'm already deep into the gtk4 config stuff so ill figure it out soon enough, just gnome devs keep changing everything for no good reason
    opal, https://www.youtube.com/watch?v=6n3pFFPSlW4

  134. nuegia.net

    hosting XMPP on your own hardware offers tremendous latency improvements over virtual private servers

  135. nuegia.net

    even when your hardware is set to use latency costing power saving like deep c-states and a lower context switching resolution, it's way more latenct then any cloud provider i've been on