XMPP Summit - 2019-02-01

Good morning. Did everyone have a great party last night, or is Summit resuming the tech talks? :D

:D

!

Beh train stopped

everyone had a great snow-delayed train to diegem

The one time on this trip I leave to make it exactly on time and not early is the day there is a delay

jjrh, I think our train passed it on the way :)

Booo

Almost there now

i have 20 mina to next train :(

Pad is still at https://etherpad.wikimedia.org/p/XMPP_Summit_2019_Day1 today!

yeah...let's use that

also, I'd be nice if there was more contribution on the minutes

Ge0rG, we’re starting

anyone needing A/V

?

I can’t attend remotely this time

but Ge0rG might want to listen in?

pep. talks about Moved

Honestly it would be cool to at least being able to listen the discussion (maybe for next year), because I could listen to it but not participate

SouL, i think you _can_ listen today

or at least, it is technically possible for us to provide you with a stream.

Daniel: https://xmpp.org/extensions/xep-0068.html#approach-fieldnames

https://xmpp.org/extensions/xep-0077.html#usecases-cancel https://xmpp.org/extensions/xep-0077.html#example-16

Hey, you are editing the pad both at the bottom and at the top.

I did at the top since Tobias added day2 at the top

i thought reading it top to bottom, folks would notice it :)

I left my earpiece at home, so I can't listen in without offending the cow-orkers

Ge0rG, takeaways for <moved/> is, "offline servers" support as a separate XEP, not in the scope of our first draft. I think it's reasonable. We can still support scheduled shutdowns

pep.: any insights on the best protocol to use for embedding <moved/>? PEP? Messages? Presence? All of the above?

I've heard there are unmaintained servers without persistent PEP

Oh, also PEP access model: public --> potential for spam; roster --> your contacts lose access once one of the clients has completed the "moved" game

<error type='cancel'><gone/></error>

And we'd have a mechanism (IBR?) to be able to set the tombstone on your account

So the old server can even only send that gone error to your contacts

so this won't work on today's unmaintained servers, but only on tomorrow's ones, which support moved?

Indeed. But as you said that doesn't work on today's server without persistent PEP

today’s servers have persistent pep

(mostly)

pep.: backward compatibility is the toughest piece of any protocol

jonas’: you might be biased by only looking at the *popular* servers.

Ge0rG, ok, so I still don't know how to answer that.

And I guess you don't either

I guess we can have both PEP and <gone/> tbh

pep.: maybe a <message><moved> to all contacts in addition?

<message to=everyone type=chat><moved to="newjid"/><body>Hey, I'm moving to a new account, please add me there: newjid</body></message>

yeah backwards compatibility through natural languages in <body/>

Zash: https://op-co.de/tmp/xep-0283.html#message

pep.: ^

Ge0rG: Exactly :)

> The <body/> MUST NOT contain information unrelated to the account move. This allows a receiving client that understands the <moved/> element to discard the <body/> and use an appropriate internal presentation format.

heh, TIL of that document

pep.: ouch. sorry. Should have mentioned that earlier.

I've stopped short of introducing PEP

It's not even git-commited yet, just a stash in my $HOME

Delay tags can/are scoped by the delaying entity

hello people

sorry to ask again, what is the url of the webex meeting already ?

edhelas, https://cs.co/rudy maybe?

I don’t know for sure, I’m not listening in today

yes, https://cs.co/rudy works

it even had an XML snapshot slide a bit back

okay :) I'm in, but no video

let's try on chrome

edhelas: there is no video, AFAICS

oh ok

but maybe there is and my firefox is too old

Huh? Three is

There

tried with chrome/firefox, no video

Weird

oh actually I have the video stream of goffi now :)

so it's definitly an issue with the cameras in the room

Kev, room in the schedule for a very brief demo from me?

if there's still room left I can also do a demo :p

would it be possible to list Moya on the XMPP website ?

edhelas, I think you can submit a PR

or Daniel :)

i'm just a consultant/contractor for Moya. I don’t have decision power

can you share the screen ?

oh never mind. i missunderstood that question

edhelas, it's supposed to be

I can't see anything.

ralphm, ^

audio works, but no video/screen sharing

Ge0rG, https://jmp.chat/

MattJ: I never completed their onboarding, so I wanted to see it in action at least remotely.

Daniel's presentation worked.

yes I can confirm, like Ge0rG

https://gitlab.com/ossguy/sgx-catapult

ossguy: do you happen to have a video of what you've shown right now?

yes, I did a similar demo at DebConf that was recorded - let me get you the link a minute...

Ge0rG: it starts at 29:40 in https://saimei.ftp.acc.umu.se/pub/debian-meetings/2017/debconf17/live-demos.vp8.webm

(not sure if there's an easy way to add that time offset as a # thing in the URL)

ossguy: thanks, I'll watch it when I'm off my metered mobile connection.

you're very welcome

VIDEO!!!1!

VIDEO §§§

annndd it's gone

blame Link Mauve

Whatever you guys did, do it again please.

the video only turns on when Link Mauve is filmed

works now?

note how he made his "slides" in tmux tabs

We had Link Mauve's screen, then Link Mauve's face, and now it's gone again

> Video is not currently available due to low bandwidth or local computer conditions (such as CPU or RAM use). Video will resume automatically when conditions improve.

no video any more

I'm sure I have the bandwidth for it

edhelas, rust is too powerful for your computer

"worksforme" / ralphm

https://gitlab.com/xmpp-rs/xmpp-parsers/

mathieui :(

https://wiki.xmpp.org/web/Summit_23#Show-and-tell has some of the links

Sorry people, I don't know why it (sometimes?) doesn't work for you, but I've been constantly connected to the stream on my laptop, too, and see no issues there.

ralphm you're stealling all our bandwidth !

There is *at least* one writer thread *cough*cough*

XEP-xxxx: Sextoys over XMPP

Relevant https://media.ccc.de/v/35c3-9523-internet_of_dongs

I'm actually curious to know more about this integration in sextoys, they actually have a chip that can talk XMPP inside the object ?

edhelas, probably inside a smartphone app

Zash, that talk was quite disappointing

At one EuroOSCON many moons ago, we had a lengthy chat with someone using (amonst other open tech) XMPP for teledildonics.

and bluetooth on the other end

or inside a body

soon pacemakers powered by XMPP, better not miss a stanza there

edhelas: possibly related too: https://xmpp.org/extensions/xep-0132.html

poezio connection code inside pacemakers

please no

*reconnecting* *reconnecting* *reconnecting* *oops*

ralphm: that XEP even uses <gone/> ;)

https://ralphm.net/publications/xmpp_chat_voip

(don’t forget to edit your presentation description in minutes if you think it doesn’t do you justice)

https://matthewwild.co.uk/projects/scansion/

https://geekplace.eu/box/XmppNioTcpConnectionStateGraph-aQPiEKBwNk8pZK5V1lb5uYFjozeJfI.png

that's a nice flow

TIL teledildonics

what?

-vv

Same here ✏

jonas’: 12:23:09 intosi> At one EuroOSCON many moons ago, we had a lengthy chat with someone using (amonst other open tech) XMPP for teledildonics.

Ge0rG: Anything to say about xmpp developer foundation or somesuch?

https://xmpp-developers.foundation/about/

Zash: I'm not the right person for that. But I've heard somebody wanted to found a JSF

Ge0rG: JSF vs XDF - FIGHT!

why does it always have to be a vs. and not simply live and let live ;)

flow: its about the name

vanitasvitae, ahh, if this is the biggest issue, i am sure we can find something everyone is unhappy with

For everybody interested in IoT, please remember, that there is a MUC, that needs more participants and more discussion: xmpp:iot@muc.xmpp.org?join

Zimpy

Lets name the developer foundation matrix.org

flow, I’m also sure we can come up with an acronym with is massively misleading

ah, vanitasvitae did it already

You're welcome :)

Massive Advancement Towards Rapid Integration of XMPP

or something

Perfect!

Spld

*sold

jonas’, Massive Advancement Towards Rapid Integration of XMPP. Openly Regulated Guidelines

s/Integr/Implement/ ?

debacle, !

Planner Jabber is actually available on XMPP Pubsub https://nl.movim.eu/?node/news.movim.eu/PlanetJabber :) #eatyourownfood

jonas’: I thought MATRIX is Monolithic Awfully Trendy Re-Invention of XMPP (courtesy of debacle)

that’s the other Matrix

Sprint XYZ - presented by the XSF and XDF!

Speaking of marketing... "We bring the Pee into XMPP"

"Monolithic Awfully Trendy Re-Invention of XMPP" ← love it

Re planetjabber: it still contains philosophy posts

Ge0rG, please stay away from public relations in any form

https://www.ag-software.net/matrix-xmpp-sdk/ this Matrix?

That's the channel we've been idling in fwiw, xmpp:jsf@chat.cluxia.eu?join - jsf is probably not the name, and xdf came afterwards.

there is precedent for a Jabber®-named organization, and there is precedent for the JSF

And if we keep to the notion of "Jabber" being the federated IM network, a JSF kinda makes sense

Merry Band of Jabberers

pep.: look up

Just do a poll regarding the name

There is a xep for that, right?

Link Mauve is very quiet on the audio stream

There is also an ongoing effort to report spam-forwarding IBR servers to the admins and to the respective ISPs, to get them shut down

https://op-co.de:5281/upload/FPEZZRp7HmMoJXWQ/Screenshot_20180312-121844.png

Ge0rG has maaaany friends

but they all only speak Russian :(

Ge0rG, I thought you too (at least a bit)?

vanitasvitae: as I said, Planet Jabber is about People Doing Jabber/XMPP stuff. It is not about Posts About Jabber/XMPP.

ralphm, I think there is maybe a desire to change that

99.9% of current spam can be blocked by some easy heuristics and blocking of URLs from non-subscribers

flow: there's also Planet Jabber News which includes software update feeds

if the audio wasn't so bad, I'd contribute some insights too

Maybe we can pay the spammers *more* to not send any spam any more! 😁

:)

What could go wrong

Zash: Cobras

We need to hire a hitman

Thanks for explaining MattJ

Hmm, the discussion is dereailed it appears, was interersting to hear what Link Mauve explained, but right now I don't know where we are heading to

Spammers might be listening in this room, we need not to reveal our secrets

*raise hand* my spam solution isn't blocking all messages from foreigners

Ge0rG, alright...will proxy it

flow, i think a lot of people don’t know how spammers or spim work. so getting everyone on the same page (ie how does the threat vector look like exactly) is certainly valuable

pep. Good point. Maybe we should lay some false trails. How about I suggest that the spammers are easy to spot because they use plaintext whereas everyone else uses XHTML-IM?

Ge0rG, Link Mauve is explaining things in more detail

Tobias: Link Mauve is very quiet, so I'm missing out random fragments

dwd, sounds good to me

Daniel, true, but given the limited time I think it would be benficial to focus on what actually works regarding spam prevention

pep., Maybe a XEP that has a new element: <this-is-not-a-spam xmlns='urn:xmpp:spam:0'/> that we pretend we check for?

Ge0rG, next time i'll bring a megaphone

right. but to work out the solutions it is importants to understand how the problem actually looks like

Ge0rG, you need to tell Tobias to raise his hand for you :->

for example the information that there are only ~3 spamming services is interesting

Ge0rG, it's up

also the information that spammers can read

which apparently people weren’t aware of

Ge0rG, are you on audio? if not just write what you want proxied

Tobias: I'm on audio, just need to unmute myself and surprise you all with my voice

alright

We could ask spimmers to use https://xmpp.org/extensions/xep-0076.html

https://github.com/JabberSPAM/blacklist re what Link Mauve is saying

Ge0rG, PING

Yes Ge0rG

So according to https://github.com/JabberSPAM/blacklist/blob/master/blacklist.txt, the current size of the problematic services is 1

Doesn't look so bad

😛

flow, there is a due processes to get on that list and off that list

quite a few servers are about to get on that list

(which is what the document explains)

it just hasn’t happened yet

ahh, ok

messages bots domain ---------- ---------- ------------------------------------ 4307 3171 bunkertor.org 1984 628 jabber.cd 1950 1169 paranoid.scarab.name 1351 1044 darkengine.biz 1233 364 amtserver.com 1064 254 anyproxy.net 1061 251 securejabber.me 837 479 unstable.nl 771 258 biniou.net 676 267 default.rs

but they are close to being escalated

of my last 10 spam messages, 2 are on this list.

if Ge0rG isn’t DoS’d out of the internet first

jonas’, too late?

thanks Guus

Ge0rG*

I've seen spam from domains on this list as well.

(but thanks Guus for summit organization anyway I guess)

You're welcome 🙂

Some clients will block incoming messages/subscription requests until a captcha is solved

Like https://github.com/redsolution/xabber-android/issues/851

In case people remember stuff from the spam discussion that's missing on https://etherpad.wikimedia.org/p/XMPP_Summit_2019_Day1 , please add it

With the current level of sophistication of the spammers, there is NO NEED for captchas

Ge0rG: interesting observation.

Tobias: *raises hand* sometimes spam accounts are created, then not logging in for multiple weeks, then wake up and spam

yes.

often, yes

but i don’t think it matters to the pattern of suddenly sending messages to 1000s of people

Ge0rG, it's up

+1

that pattern should be blocked regardless of how old the account is

less-than-secret example from the firewall: ``` # outgoing messages to non-contacts need to be full-body-searched. KIND: message TYPE: chat|normal|headline NOT SUBSCRIBED? JUMP_CHAIN=user/bodycheck ```

from a fast skim of the rules, the only thing that's not coming from the message is the mutual subscription status

so the antispam server doesn't need the whole roster, just a boolean basically about the relationship between from and to

none/to/from/both

maybe the Rspamd protocol documentation can also provide some helpful input https://www.rspamd.com/doc/architecture/protocol.html ✏

Zash: the relevant question is: did the recipient authorize the sender before

would the blacklist being public be as problematic as the rules? I would think probably not?

singpolyma: the blacklist doesn't contain any black magic.

yet.

There are various public blacklists already

Ge0rG, that sounds like it could be feasiable to just put additional metainformation in the message send to the spam indendification service, versus the spam identification service asking for additional information from the xmpp server

I've only created my own one because none of the earlier ones had a due process

flow: yes.

flow: just a metadata flag

for sure. due process is a good thing that can help us from becoming like email

singpolyma: I wanted to be a _good_ RBL

Ge0rG, question is, will there be more metadata in the future? Probably, but then we question is "How much?"

Did I hear correctly :)

Tobias: jonas’ provided measurements from compression with different flushing aggressivity

https://blog.thijsalkema.de/blog/2014/08/07/https-attacks-and-xmpp-2-crime-and-breach/

jonas’' data on XMPP compression: https://github.com/horazont/aioxmpp/issues/249

aioxmpp test suite, sync_flush only (XEP-0138 as written): 40% rx, 20% tx aioxmpp test suite, full_flush after each stanza: 25% rx, 20% tx JabberCat startup (lots of mucs, lots of avatars), full flush after each stanza: 25% rx, 12% tx JabberCat startup (lots of mucs, lots of avatars), sync flush: 36% rx, 12% tx

(the percentage being the ratio of bytes saved; tx is from client to server, rx is from server to client)

so even full flush after every staza could be worth it *if* that is safe in your context

EXI!

you save 20% of traffic, but add some proper CPU load

also RAM

for sure

something something ROI

Ge0rG, which might be something of interest using a smartphone over an edge channel

As a server dev, I'm happy avoding the additional memory usage of compression

Tobias: ^

winfried: is there data on EXI vs compression similar to those numbers above?

damn, toolate

Ge0rG, sorry. we moved to the next item

Ge0rG in some cases compression actually reduces CPU load, because there is less data to TLS encrypt

debacle: I know

Is there somebody good at painting? We still need XMPP Compliance Badges

singpolyma: some years ago there were some japanese guys, who did metrics on EXI, it worked quite well

Yes! A lot of people!

Somebody writing that donw? Just to know what can we improve in the future for Summits and so on

Kev's writing this stuff down, yes.

I wish for a working A/V and *especially* better audio, and it would be great if it would work over XMPP

Seve/SouL, see etherpad

https://ctftime.org/writeup/12913 here is kind of compression oracle attack - it was created as hacking challenge but you can get the idea

He has a point though :)

Seve/SouL, Who?

Video worked and broke down synchronously for me and edhelas, so it must be on Cisco's end

dwd, working on the agenda before Summit (I don't know him unfortunately)

what's at the top of the board?

"agenda before reading"

Looks like "AGENDA FUR BY REAPING"

for?

something in between i bet,...ta

Having the agenda prior to the summit so you can read up on XEPs and whatnot

Ah

I had that experience last year, couldn't have maybe an exact opinion on something

That was suggested by Piotr of Erlang Solutions.

Ah I see, thanks dwd

What did happen to think about this information for new people attending?

Seve/SouL: What do you mean?

Zash, just curious about if this topic popped up because somebody did something wrong by mistake... Or something like that (Writing how the Summit works, I mean.) Anyway, I may have understood it in a different way, audio is ok but of course not real life.

Seve/SouL: No, we want to remember what was done well, so it's not forgotten and can repeated next year

Ok perfect, great

Thank you Zash

Seve/SouL: Assuming I understood your question

Secretary: Add ProtoXEP SEX to the XSF Summit 2020 agenda

Secretary: Vote for "ProtoXEP SEX" as agenda item

/invite Secretary

Secretary: Add XEP-1234 as recommended read for the "ProtoXEP SEX" agenda item

What is he selling?

so anyone, any plans for the rest of the evening?

. ✏

Plans?

ArchLinux food!

Zash: I would do something

Do something? After two days of meeting?

ArchLinux food!

so far I am improvising, that's the way to do things too

I'm up for food or drinks if people are meeting somewhere

jjrh: I am at some street, let me figure out which one

Lat 50.84829 Lon 4.35174

is there anybody going to delirium tonight?

goffi: I intend that but a bit later

alameyo66: yeah not now, I'm working on my talks anyway, won't go before 20:00 at best.

What's delirium?

jjrh: delirium café, where's the opening night is happening

Never been there but I have heard that is quite full

yes it is

I don't plan to stay long, but 2 or 3 beers would be nice

Damn 3000 beers to choose from

welcome to Belgium ;)

I am at the quartier du centre

BTW if anyone is missing a (big) Thinkpad charger, we found one in the Thon hotel lobby and left it at the reception

not me but I could always do with one more

https://wiki.xmpp.org/web/Minutes_of_the_2019_Summit:_Day_two

Thanks!

Oh wow, you typed up all the retro + action items too, I was going to do that... so double thanks :)

👍

"Your personal Google+ account is going away on April 2, 2019" oh no. Life will never be the same again.

.

Did anyone do a headcount?

jonas’: (Re compression) You didn't try the "flush when the to/from attr changes" approach to compression?

Felt like there were more than 30 people at peak, but maybe that was just the room layout

dwd: lovely small square clean antique red flowery Dutch wooden storage box

Oh no, the minutes pad has an infinite loop

ralphm: correct horse battery staple?

Discussion on the order of adjectives

Ah yes, that's got some specific order

goffi: We're there right now.

Zash did you just share your password? 😱