-
luca
Hi, has anyone experienced that items on the https://xmpp.org/blog/index.xml RSS feed show up as unread once in a while? In particular it seems to happen to the XMPP Summit posts
-
cal0pteryx
I added some tags to those posts recently. Maybe that way they got updated in your feed
-
luca
How recently? It's been happening about once a day for a couple weeks now. I guess I can try to delete the cache and see if it helps
-
cal0pteryx
Not-so-recently
-
jjj333_p (any pronouns)
test
-
jjj333_p (any pronouns)
test 2
-
jjj333_p (any pronouns)
we're so back
-
jjj333_p (any pronouns)
https://downloadable.pain.agency/file_share/8ZNXzq97aZCLIJfQcJpl4Oin/67ED29EB-36F0-43E1-A0C7-62DDF3D545AA.jpg
-
Menel
Joinjabber.org sends Server sent policy-violation: No stream features to offer
-
jonas’
Menel, I suspect they may be aware, given that one of the admins dropped out of the MUC.
-
jonas’
Menel, though I still seem to be joined in chat@joinjabber.org, so I mentioned it there, thanks.
-
Tavi
Posting my manifesto here one more time: https://codeberg.org/divested/safeguarding-xmpp-2025 Any feedback would be appreciated. It is a serious proposal to push the ecosystem forward despite the jokes here about it in the past.
-
Tavi
for reference the last xmpp manifesto regarding security is 11 years old
-
Tavi
https://github.com/stpeter/manifesto/blob/master/manifesto.txt
-
Polarian
> It is a serious proposal to push the ecosystem forward despite the jokes here about it in the past. Shouldn't you be writing a XEP then?
-
Polarian
and posting it for the council to vote on?
-
jonas’
Tavi, why different size limits for c2s and s2s?
-
jonas’
Polarian, not everything related to the XMPP ecosystem needs to be a XEP, and it's also not uncommon to gather some feedback before submitting a XEP, especially for first-time authors.
-
Polarian
> Polarian, not everything related to the XMPP ecosystem needs to be a XEP, and it's also not uncommon to gather some feedback before submitting a XEP, especially for first-time authors. ah ok ↺
-
Tavi
jonas’: both prosody and ejabberd recommend different sizes
-
Tavi
For both c2s and s2s
-
Tavi
Prosody's however are 3x higher
-
Tavi
4*
-
jonas’
fascinating!
-
jonas’
I wasn't aware of that
-
Polarian
Does it matter what the limits are set to?
-
jonas’
Tavi, do you happen to know why?
-
jonas’
Polarian, yeah, your avatar can be at most roughly 75% of that size.
-
Polarian
> Polarian, yeah, your avatar can be at most roughly 75% of that size. lol ↺
-
Polarian
but security wise?
-
Polarian
does the limit make any improvement to security?
-
Tavi
Polarian: Mopar found it could be used for DoS
-
jonas’
Polarian, yes, stanza parsing needs memory.
-
jonas’
bigger stanzas = more memory use
-
Polarian
If its a memory thing, then surely it differs based on platform?
-
Polarian
s/platform/server/
-
jonas’
Polarian, indeed, however, the XMPP network doesn't really work well if stanza size limits differ too much between servers. So recommending a specific limit is a good idea.
-
jonas’
(imagine your server allowing 2MB, you upload a 1.5 MB avatar, but remote servers only accept 1MB stanzas. Then whenever someone requests your avatar, the s2s link will break down.)
-
jonas’
(which is ... not great.)
-
Polarian
then surely an avatar size limit should be set too!!!
-
Polarian
~I haven't read the XEP, there might already be one~
-
jonas’
Tavi, when talking about IP blocking, you should probably specify what exactly that means for IPv4 and IPv6 (common approaches block /64 or even larger for IPv6 to prevent the blocklist itself from becoming a resource DoS vector)
-
Polarian
> then surely an avatar size limit should be set too!!! this is a good idea though, no? ↺
-
jonas’
Polarian, it's implied by the stanza size limit.
-
Polarian
but stanzas can contain anything
-
jonas’
Tavi, as it stands, I wouldn't sign that. It contains a bunch of unmotivated recommendations which are IMO too extreme (such as encrypted memory, requiring dedicated boxes for different services, SELinux, etc.). And yes, those are SHOULDs, buuuut SHOULDs are "do this unless you really really know why not", and I think that's too strong.
-
Polarian
explicitly ensuring avatars don't sprawl has other benefits... such as reducing the storage size on clients...
-
Polarian
> Tavi, as it stands, I wouldn't sign that. It contains a bunch of unmotivated recommendations which are IMO too extreme (such as encrypted memory, requiring dedicated boxes for different services, SELinux, etc.). And yes, those are SHOULDs, buuuut SHOULDs are "do this unless you really really know why not", and I think that's too strong. I pointed this one out in his own channel, should physical security come into securing XMPP? ↺
-
Polarian
Where do you draw the line? Should you include what cloud providers to use or not to use? and how to configure them?
-
jonas’
very good point
-
Polarian
Then that's an entire can of worms... some people self host their own servers...
-
Polarian
should they CCTV their house for example?
-
ernst.on.tour
As far as I know there is an avatar size limit of 72 kB to keep stanzas below 100 kB
-
Tavi
ejabberd recommends 65536 for c2s and 131072 for s2s; prosody recommends 262144 for c2s and 524288 for s2s (bytes)
-
Tavi
ejabberd however notably does not actually set that as a default afaik
-
Menel
Once upon a time we talked about standard sizes and prosody did then deploy what ejabberd did (as I understand that time), but the docs say ejabberd actually uses infinity, and recommends something smaller. That's strange. I remember prosody did set what ejabberd did at that time.
-
Menel
(was the release after the eatxmpp time)
-
Menel
https://prosody.im/security/advisory_20210512/ > Our recommendation (and the default in 0.11.9) is to adopt the same default size limits that are already enforced by ejabberd, one of the other major XMPP servers on the network.
-
moparisthebest
they at least used to but iirc it was the default in their config but not code or so