XSF Discussion - 2013-12-02

Simon: could you send me a copy of the e-mail you sent to Adewale. I was enjoying my weekend.

Getting to this thing tonight is not proving easy!

this thing = ?

London XMPP meeting.

Is anyone in here going?

At this point it's not clear it's worthwhile me trying to make it, as it'd be half seven or eight before I got there.

I don't think so

Ta.

all of the people I know who are going are already there for the IoT part

Kev - Lloyd is there

lloydwatkin@googlemail.com

chat with him while you still can :P

heh

power failure! oh no!

And I'm still in the office. I'm really not making this :/

Simon: Is that Lloyd's email addr. as well?

Kev: sorry to hear it :(

lloyd.watkin@surevine.com

Murky.

Kev: who's the slave driver keeping you there?

Circumstance.

Odd name

:)

1) avoid certain IETF mailing lists

2) avoid uncertain IETF mailing lists?

3) done

Peter - your last paragraph reads very oddly: "Ideally, Google would decide to either shut off federation with the XMPP network entirely or at least support unauthenticated TLS for server-to-server connections. The limbo we're in is unfortunate."

Makes it sound like it would be ideal for google to stop federating :)

It reads as if stopping federation is best, and if they can't do that then they could at least TLS.

Yes.

at this point, the lack of features and security in Google Talk is holding back progress, no?

I agree that I might not have expressed myself very well

If progress = more features then yes. If progress = user_count, then no.

Simon: weren't you the guy who wrote 'we tried to ignore as much of XMPP as possible'?

:-D

yes - because I think a lot of it is features that are irrelevent to 99% of end users.

progress = better security

(in this context)

Agree on better security. But it's a hard sell to server operators with paying customers and we might need to find a more nuanced solution. (/me really doesn't want opt-outs when it comes to TLS so I hope we can find a sensible way for Google to turn on TLS)

Simon: my point is that if you want to promote using XMPP for anything, this is not promoting it, either. Even if it makes sense for *your* use cases, others disagree.

As for Google, I don't give us a lot of odds getting this sorted out with them.

ralph: I'm talking about how we used it for our use case.

Simon: *I* understand the context. For other people you are 'one of those XSF Board members'.

eg - we ignore vcards, we ignore PEP, we ignore as much as possible

worthsmithing is not fun, but yeah

not in that email to Mozilla - I was very clear about how we used it for buddycloud. Buddycloud is not the XSF.

Simon: again, I see that difference.

Not saying people at Mozilla are stupid, but, you know, people are busy and have different contexts.

Did anyone hear back from any Google folk today? Peter - were you able to ping any of your contacts?

I shall do that now

Similarly, as someone mentioned before in the board meeting, people outside of the XMPP community might see the Manifest as an XSF thing, even though it technically isn't. We need to be aware of such perceptions.

Ralph - I hear what you are saying - but we have to also address the fear that XMPP=100s of XEPs that must be followed. We know that they are optional. But someone at Mozilla or any other developer will look at XMPP and fear that it's a huge set of specs.

Agreed

We should be clear about that - since we're discussing it here, at the Summit and at Board meetings then.

As I said, we need to be careful in how we word things.

I also wonder why people don't think of the IETF as 7000 of specifications you must implement to do anything on internet.

as someone said recently on Twitter, XMPP is the C++ of messaging protocols :P

I have to say it sounds a little odd having a security initiative and then following it up by saying this ISN'T endorsed by the XSF.

Nobody has said such a thing.

The XSF might, still.

then we should be talking about that now

I do know that one of the initial responses I got was that (large?) companies generally don't really like manifestos.

test day can be seperate from the manifesto

sure it can

large companies might not generally like security, either ;-)

Manifesto can be the trigger if that makes you feel more confortable. IMHO this is a really important selling point of XMPP and it's not quite right yet when you look at the results coming out of XMPP.net. (although getting better).

Well, I think that if you recently publicly stated that you are going to start encrypting all your inter-DC traffic, you kinda care.

ralphm: you might care about protecting your stuff but not your customer's stuff

ralphm - I hope so.

If we arrive at 19 May, and this list *isn't* looking good then, yeah, we kinda failed.

but I can't speculate about motivations, because I simply don't know

I'll ping Ade now and see if he heard anything.

ralphm: if much more of our traffic is encrypted, then we've succeeded

stpeter: good point

To me the most frustrating part is not even getting an ACK back from anyone at Google's XMPP team.

Simon: welcome to our world

Jonas has generally been really helpful when I've pinged him about other issues.

Simon, Arguably, Google no longer has an XMPP team. I suspect the federation is running largely because it's not yet caused any further problems.

dwd: the thought has crossed my mind

Do they need to call in the A-Team?

stpeter, I think there's also the impact of the IETF folk using it for meetings. It'd cause embarrassment if that failed. It has occured to me that if we could persuade the IETF to go encrypted, we might force the issue.

dwd: well, you've seen the discussions about https for ietf.org, I take it :-)

dwd: I gave a warning about this in my remarks at the plenary

Oh, I didn't see that.

do you think it is a big issue?

dwd: I was the last person to go to the mic at the technical plenary in Vancouver

"as someone said recently on Twitter, XMPP is the C++ of messaging protocols :P" Wow, that's really high praise

;-)

dwd: You mean there was someone who /wasn't/ watching that plenary?

frankly, as long as jabber.org deploys tls-only that's enough for me

this will cause waves and break things

things that ought to be fixed.

dwd: i'm showing googles webrtc team that ignoring jingle and xmpp is a very bad thing currently (-: