XSF Discussion - 2013-12-04


  1. Lance has joined

  2. tato has left

  3. tato has joined

  4. Lance has joined

  5. bear has left

  6. Lance has left

  7. SouL has left

  8. Alex has joined

  9. Alex has left

  10. Alex has joined

  11. Alex has left

  12. jabberjocke has joined

  13. SouL has joined

  14. Simon has joined

  15. jabberjocke has left

  16. Simon has left

  17. Simon has joined

  18. Simon has left

  19. Simon has joined

  20. dwd has joined

  21. jabberjocke has joined

  22. Simon has joined

  23. stpeter has joined

  24. stpeter has left

  25. Simon has left

  26. Simon has joined

  27. Zash has joined

  28. Ashley Ward has joined

  29. Zash has left

  30. Simon has joined

  31. Zash has joined

  32. Simon has left

  33. Simon has joined

  34. Simon has joined

  35. SouL has left

  36. SouL has joined

  37. SouL has left

  38. SouL has joined

  39. SouL has left

  40. tato has left

  41. jabberjocke has left

  42. Alex has joined

  43. Simon has left

  44. Simon has joined

  45. Simon has joined

  46. stpeter has joined

  47. stpeter has left

  48. SouL has joined

  49. intosi has left

  50. intosi has joined

  51. Zash has left

  52. stpeter has joined

  53. stpeter has left

  54. stpeter has joined

  55. Laura has joined

  56. Zash has joined

  57. bear has joined

  58. fippo

    http://webrtchacks.com/trickle-ice/

  59. fippo

    "Things get complicated for SIP because it has neither of the above: it has neither the reliable discovery mechanisms of XMPP, nor the mandatory support for trickling that WebRTC comes with."

  60. fippo

    poor old sip

  61. MattJ

    :'(

  62. stpeter

    heh

  63. stpeter

    speaking of which, would it be helpful to finish off the Server IP Check XEP?

  64. Zash

    Oh, hadn't seen that there was a new version of that

  65. stpeter

    newish, anyway

  66. stpeter

    all it really does is give you a hint that your IP address might not be what you think it is, thus the acronym "sic" ;-)

  67. MattJ

    Clever :)

  68. stpeter

    I love clever acronyms -- maybe I should've gone into marketing or advertising ;-)

  69. intosi has left

  70. intosi has joined

  71. Alex has left

  72. bear

    Board meeting in 5 minutes, I suspect it may be a fast one

  73. stpeter

    why do you suspect so? ;-)

  74. bear

    i'm just being an optimist

  75. dwd

    We can soon correct that one, though.

  76. stpeter

    http://webrtchacks.com/trickle-ice/ mentions Jingle Relay Nodes -- another spec we need to update

  77. dwd grabs thinking-pencil

  78. dwd

    What with SRTP-DTLS and stuff, a relay is unable to snoop on the conversation, I suppose?

  79. bear

    you can buy those!?!

  80. dwd

    bear, Don't know, but you should be able to. Then again, I also want a hex bit pencil and pen set, and I can't find those anywhere.

  81. bear checks for quorum

  82. bear

    ralphm, simon, dwd, laura?

  83. dwd waves appendages.

  84. Simon is here

  85. ralphm

    hi

  86. Laura

    Here

  87. bear

    sweet! everyone ready to start?

  88. ralphm

    go

  89. stpeter

    wow, cool, text from Laura appeared before she joined the chatroom

  90. stpeter

    +o

  91. dwd

    stpeter, Then your client had a MUC sync failure.

  92. bear

    yea, I just noticed she was not in the admin affiliates list

  93. bear

    so made the change just as she was responding

  94. dwd

    stpeter, You saw the role change as an entry.

  95. stpeter

    anyway

  96. stpeter

    topics for today?

  97. Simon

    Bear: I'd like to add a discussion about the XSF involvement with the securing of XMPP to the agenda.

  98. bear

    on the agenda:

  99. dwd

    Simon, Good call.

  100. bear

    GSoC update

  101. bear

    FOSDEM quick update

  102. bear

    Google outreach response/update

  103. dwd needs to largely vanish at 1700UTC (ie, 30 mins) to go cook the children's food.

  104. bear

    and XSF being active with the XMPP ubiquitous security thingy

  105. bear

    ok, first item - GSoC

  106. bear

    let's make this a Kev inspired meeting then - 30 minutes and done

  107. bear

    i'll do minutes later tonight

  108. bear

    the mailing list had quite a response

  109. Simon

    +1 for a fast meeting.

  110. bear

    so I want to make sure tonight the gsoc wiki page has items

  111. bear

    and then poke the responders to start updating it

  112. ralphm

    yeah, looks good

  113. bear

    i'll do that tonight

  114. Simon

    then we should mail out to the list(s) too?

  115. dwd

    It'd be nice to get some concrete support and suggestions.

  116. Simon

    +1

  117. Simon

    ok - happy to start adding concrete when the page is ready.

  118. jabberjocke has joined

  119. bear

    yes, if you all want, email me what lists I should target and I'll do them (or volunteer to help cover them)

  120. bear

    yea, that is better, update the wiki with the lists and then we can coordinate

  121. bear

    anything else on GSoC ?

  122. stpeter

    (as to agenda items, I'd like to chat briefly about the various liaison relationships that might be forming)

  123. bear adds to agenda

  124. Simon

    Bear: happy with that for GSOC / nothing else

  125. ralphm

    isn't that like g outreach?

  126. bear

    ok, next item - google outreach results

  127. bear

    my take is that we are hitting a possible political stonewall ?

  128. dwd

    Well, no.

  129. Simon

    Update: Email doesn't reach google people/ G+ does. Ade pinged a couple of people inside google and "they are aware of what is happening" was the most I could get out.

  130. dwd

    The wheels of Google grind slowly, etc.

  131. Simon

    I'd tried to email quite a few people including their head of open source Chris DiBona. Nothing back.

  132. dwd

    It's not so much a political stonewall, it's just the momentum of the juggernaut is hard to change.

  133. fippo

    i'd note https://twitter.com/juberti/status/401971677321367552 as well

  134. stpeter

    I did reach out to Justin Uberti and he said he would find out if it's possible / feasible for them to support s2s encryption

  135. Simon

    What about we take a different approach - of asking that they enable TLS without cert checking. But at this point I'm somewhat inclined to say fuckit.

  136. bear

    ok, so my question would be this then: do we continue with another round of polite-behind-the-scenes contacts or do we start getting noisier on the G+ scene?

  137. dwd

    Simon, I don't think we've got anywhere close to that yet.

  138. stpeter

    Simon: that is what I suggested to Justin as a good place to start

  139. dwd

    bear, I'm nervous about becoming confrontational in public.

  140. fippo

    stpeter: they have it implemented. It worked a couple of years ago

  141. stpeter

    but, to Dave's point, we don't even know if they have anyone working on Talk any longer

  142. stpeter

    fippo: ah, I had forgotten about that

  143. dwd

    bear, I think the counter-reaction would be bad, basically.

  144. SouL has left

  145. stpeter

    I see no reason for a confrontation

  146. dwd

    What might be interesting is to try to get Google participation from the Chris DiBona/Ade types at the Summit.

  147. bear

    I wasn't suggesting bashing

  148. stpeter

    ideally we can bring along Google, although IMHO it might not happen as quickly as we'd like

  149. SouL has joined

  150. bear

    I was suggesting just taking some of the questions to G+ and starting a dialog

  151. dwd

    I know it'll be too late for the 4th Jan test day, but getting to chat face to face might prove much more effective.

  152. stpeter

    and BTW it's not just Google -- other providers like GMX and Dreamhost are relevant here, too

  153. fippo

    stpeter: i'll poke some people about GMX again.

  154. dwd

    bear, I think it'd end up a disaster, TBH. We just cannot control how other people pitch into a public conversation.

  155. Simon

    I can go and knock on GMX's door here in Munich.

  156. stpeter

    Simon: :-)

  157. Simon is serious.

  158. ralphm

    dwd: agreed

  159. bear

    ok, so the push back i'm hearing is that we keep it direct until the first test day is over?

  160. bear

    and then regroup?

  161. stpeter

    that seems reasonable

  162. dwd

    Right, but I'd reiterate that if we can ply some Googlers with beer in Brussels I think it'd lubricate more than throats.

  163. jabberjocke has left

  164. stpeter

    :)

  165. fippo

    dwd: and london :-)

  166. ralphm

    the point is that we are effectively not having a conversation, not even no-comment

  167. Simon

    Sounds good. A nice report from the first test day explaining how we've tried to reach out to some of the larger providers wouldn't go amiss too.

  168. dwd

    ralphm, Well, we've had a to, and a fro. It's not great, but it's a start.

  169. ralphm

    those googlers we are talking to are not involved

  170. stpeter

    ralphm: methinks I'll post on +

  171. stpeter

    dwd: agreed

  172. Simon

    My post on G+ got an instant reaction.

  173. stpeter

    Simon: yes

  174. ralphm

    dwd: I chat with Ade all the time, that's easy

  175. bear

    ok, so the status is "still poking" with more pokes to happen and to keep it on a one-to-one level for now and let the sleeping giant that is our awesome membership quiet for the moment?

  176. Simon

    posting and linking to http://xmpp.net/result.php?domain=gmail.com&type=server (when it's finished testing).

  177. stpeter

    heh

  178. fippo

    simon: use google.com instead

  179. dwd

    Hmmm. xmpp.net isn't over https. No irony there.

  180. stpeter

    it doesn't force https

  181. ralphm

    heh

  182. stpeter

    we can fix that

  183. ralphm

    let's

  184. dwd

    But I digress...

  185. bear

    ok, moving on

  186. stpeter

    ok, done with that topic?

  187. stpeter

    (I will try to resurrect some DreamHost contacts)

  188. bear

    ralphm - can you give a quick FOSDEM update?

  189. ralphm

    no change

  190. Simon

    I'd like us to talk about the security effort though as part of the XSF. This security stuff is important to get right. At the moment we spoke about it at the summit, in the board meetings and in the mailing lists. If it's purely Peter's manifesto and the XSF isn't endorsing that, then we look indecisive. And this stuff is important and we should be endorsing it.

  191. bear

    nicely quick - thanks ralph

  192. bear passes the mic to simon

  193. Kev

    Simon: FWIW, I don't think the manifesto as it stands is 'right'.

  194. Simon

    I can't think of a more important cause that we should be focusing on and championing.

  195. bear

    kev - what part of the manifesto do you not agree with?

  196. dwd

    Simon, I'd be concerned that too many of the operators are not committed to it - in part because of the Google (and GMX, and ... ) issues.

  197. bear

    the non-technical bits?

  198. Simon

    Or put another way, is there anything more important than focusing on security right now?

  199. Kev

    I've sent an Isode position to Peter a few weeks back to give him a chance to comment before making such a thing publicly.

  200. dwd

    Simon, Think of the children.

  201. stpeter

    personally I'm not really a fan of manifesto as communication method, but it's been good as a way to start the conversation and set some goals

  202. Kev

    But my personal position, which may or may not be similar to Isode's, is that it states the requirements too firmly without nuance.

  203. bear

    i.e., can we endorse the testing and interoperability of the Security Test Day without waving the manifesto as our flag?

  204. dwd

    bear, Not really. Or at least, we can, but nobody will understand that.

  205. Kev

    There are significant (non-Internet) deployments that do not need, or should not have, TLS, and the manifesto simply says they need to use TLS. If the XSF endorses that, it's saying it doesn't recognise any of these deployments as valid, and that would Not Be Good.

  206. stpeter

    Kev: likely something is lost in my inbox and I need to reply, sorry about that

  207. Simon

    a) write a manifesto b) decide that security is an important selling point for XMPP c) XSF announces secure connections on the network test days. d) XMPP is secure.

  208. Laura

    What about seeing the manifesto as a work-in-progress?

  209. ralphm

    Maybe we can change the effort to an informational XEP and then have XSF announce test days

  210. Laura

    Look for engagement through involvement?

  211. stpeter

    Laura: I definitely see it that way, but it perhaps hasn't been presented properly

  212. Kev

    stpeter: I think you replied saying "Will look at this", and then lost it, then :)

  213. dwd

    I personally see the manifesto as a kind of bargaining position. It's a statement of our ideal for internet services.

  214. dwd

    The trouble is, the way it's worded leaves little compromise.

  215. Laura

    Does it say that clearly? "This is a statement of our ideal…" etc?

  216. Kev

    dwd: But because it places requirements on software, not just deployment, that is not clear.

  217. stpeter

    Kev: as to non-Internet deployments, the manifesto doesn't talk about those since it's about the public XMPP network

  218. bear

    I can get behind the XSF creating a best-practices XEP and then starts to support interop testing to implement it

  219. Simon

    Kev: The manifesto calls for securing public servers that interconnect - don't think it mentions "behind the firewall" installs.

  220. Kev

    stpeter: No, it's about software too.

  221. dwd

    And I think that lack of compromise is seen as worrying by a considerable portion of the deployed servers out there.

  222. stpeter

    Kev: yes, we need the software to support the features and configuration options that make it possible for public XMPP services to encrypt traffic

  223. Kev

    stpeter: Yes, but some of the software points are not 'support', they're 'do'.

  224. Simon

    I see it more as "if you want to talk to my users, you jolly well ought to take their privacy seriously and use TLS"

  225. dwd

    Simon, Right, but that's not what it says.

  226. Kev

    I am not opposed to the ideas in the manifesto, but the wording is Not Quite Right to my eye.

  227. Kev

    stpeter: You have some comments on this in your inbox :)

  228. Laura

    Please tell me it actually uses the phrase "you jolly well ought to"

  229. Simon

    :)

  230. stpeter

    Kev: I'm sure

  231. stpeter

    anyway

  232. dwd

    Laura, No, it says "you must and I will not compromise".

  233. dwd

    Though I paraphrase.

  234. Laura

    Scary

  235. Laura

    What about "we will help you to…"?

  236. stpeter

    Kev: the only "do" I see is "no more SSLv2 and SSLv3", but I think the "and SSLv3" can be removed -- it's SSLv2 that is bad

  237. Laura

    More encouraging?

  238. stpeter

    in any case, this is not the place to wordsmith

  239. stpeter

    and 27 minutes have gone by in this meeting :-)

  240. Kev

    stpeter: Are you happy for me to share the mail more widely, or would you like to read it first?

  241. stpeter

    action item for me is to review all feedback and propose changes to the manifesto

  242. Kev

    OK.

  243. Simon

    My original point is that the XSF needs to be seizing this moment to fix security on s2s links (I don't care what you do on your c2s links)

  244. stpeter

    Kev: I'm fine with public discussion -- transparency is always better IMHO

  245. dwd

    stpeter, Right. But I think the point is that it's not clear that the XSF can wholeheartedly support it in its current form, which is unfortunate, because the goals of it seem very well aligned.

  246. bear

    can we get some wordsmithing on this in the lists and take this up again next week?

  247. stpeter

    dwd: I'm not sure what it means for the XSF to support such a thing -- does that mean the membership needs to vote, or can the Board voice its support?

  248. stpeter

    bear: sure

  249. dwd

    Simon, "Do this or go home" has the unfortunate problem that many people seem happy enough to take the latter option, judging by the lists.

  250. stpeter

    the idea is very much to give us some aspirational goals, *not* to split the network!!

  251. dwd

    stpeter, I would argue that the Board should probably judge consensus, rather than ask for a formal vote in most cases.

  252. Simon

    dwd: I was thinking about that. And yes, there are some vocal opponents. But I think we risk losing the voice of the vast majority of silent supporters that would like secure connections.

  253. stpeter

    but the text in the manifesto about unauthenticated encryption seems to make this uncontroversial

  254. dwd

    stpeter, " the idea is very much to give us some aspirational goals" - right, totally behind you on this. I think it's the absolutism, as it were, that's causing the discomfort.

  255. bear looks at the time

  256. bear

    ok, if we can get the wordsmithing fixed

  257. stpeter

    dwd: OK, I will revisit the text and see if I can propose some scrubbing to remove any remaining traces of absolutism

  258. Simon

    I think the manifest is right - this is a network and at some point one has to force the issue - it's been many years now and the state of XMPP security has rumbled on in an insecure hodgepodge.

  259. bear

    then we will have a chance next week to talk about what/how we as the board can get the membership to support the effort?

  260. stpeter

    Simon: yes, *but* IMHO we should be able to at least get to unauthenticated encryption using even anonymous DH

  261. stpeter

    bear: yes

  262. dwd

    stpeter, +1.

  263. stpeter shuts up about security

  264. ralphm

    heh

  265. bear

    that sounds like a best-practices XEP for sure

  266. bear

    so people can be pointed to it as a HOW-TO once they get their F from xmpp.net

  267. fippo

    bear: i pestered dwd about starttls+dialback already

  268. dwd

    If we're done with this, does that mean we're done-done?

  269. Simon

    (peter: what's happening on Jabber.org's upgrade?)

  270. bear

    ok, that was the last agenda item

  271. Simon moves soapbox to the side.

  272. stpeter

    quick update about the liaison agreements

  273. bear

    any agenda bashing?

  274. bear moves box to peter's side

  275. stpeter

    I have received communication from the UPnP Forum about a liaison agreement with them

  276. stpeter

    I'm working on this with someone from Cisco who is involved in UPnP Forum

  277. stpeter

    we'll do a bit of back and forth in the next day or two

  278. stpeter

    then I think I can send a proposed document to the Board

  279. stpeter

    they have a template for such things, we just need to fill in some of the details

  280. stpeter

    I haven't really reviewed it yet, just received it yesterday

  281. stpeter

    but it's in the works

  282. stpeter

    and you saw my note about their UPnP Cloud initiative

  283. stpeter

    so that's all good, I think

  284. stpeter

    I need to follow up with both ISO TC 122 and IEC TC 57

  285. stpeter

    I apologize for taking last week off ;-)

  286. ralphm

    any more text on that?

  287. stpeter

    that = ISO and IEC?

  288. ralphm

    upnp+xmpp

  289. bear smacks peter with the "you should take more time off" bat

  290. ralphm

    apart from the news page

  291. stpeter

    oh, BTW, UPnP Forum is very interested in conformance / compliance testing and might be able to contribute code in this area for XMPP stuff

  292. dwd

    stpeter, Do we have to approve your vacation time as your management?

  293. stpeter

    ralphm: I have two presentations (PPT format) that I can probably share -- the rest has all been verbal chats I've had with some folks at UPnP Forum

  294. ralphm

    right

  295. stpeter

    they've had quite a few technical questions about MUC, pubsub, security, naming, etc.

  296. stpeter

    even Jingle stuff

  297. stpeter

    I think they basically want to accomplish the vision that Dirk Meyer was working on a few years ago

  298. ralphm

    cool

  299. stpeter

    yep

  300. dwd

    My children are hungry; but I think we just ask the Council to select some folk in readiness on the assumption Peter will sort out the legal mumbo jumbo.

  301. stpeter

    yes

  302. bear

    cool, sounds like a +1 to peter's plan

  303. stpeter

    we can discuss more next week

  304. stpeter

    I just wanted to provide a quick update

  305. bear

    next week, same time and place?

  306. dwd

    Someone (Council or us) should put out a call for volunteers to serve on these things.

  307. dwd

    (to members@)

  308. stpeter

    seems like a Council thing

  309. dwd

    bear, Yes.

  310. stpeter

    let's put that on their agenda for next week's Council meeting :-)

  311. dwd

    stpeter, Happy for it to be Council, they're doing the selection.

  312. stpeter

    WFM

  313. bear

    k, i'll send an email to membership@ asking council to add it to agenda

  314. bear

    ok, we are done then - thanks all!

  315. dwd

    Doesn't that effectively act as a call for volunteers?

  316. bear

    nope, just a public way of getting it on the council agenda

  317. stpeter

    :)

  318. Kev

    Yes, just make sure that anything going on Council agenda reaches me via email please (either directly, to council@ or to members@ with a clear subject line) so I notice it.

  319. bear

    +1

  320. stpeter

    yay

  321. bear

    k, i'll write up the minutes after work using the new Kev method

  322. stpeter

    super

  323. stpeter

    thanks, all!

  324. stpeter

    good discussion

  325. bear

    and then i'll do the calendar additions for next week

  326. Simon

    thanks all

  327. bear

    yep, thanks everyone

  328. Laura

    Bye all

  329. stpeter

    it's great to see such passion about XMPP after all these years :-)

  330. bear

    +1

  331. Kev

    So, post meeting...Board could use more bios :)

  332. Kev

    I'm happy to put them in place if people send them to me, or everyone probably has access to do it themselves.

  333. Laura

    Tried to log in to do mine but couldn't get in. I have my password - is the user name email address?

  334. Laura

    It didn't like me

  335. Kev

    I don't believe so - who created your account?

  336. Kev

    Bug them about it :)

  337. bear looks at laura's account

  338. bear

    laura: your username is "laura" and the email is listed as "laura.gill@surevine.com"

  339. Laura

    Thank you bear

  340. stpeter updates the Board calendar

  341. Laura

    *makes note to do my homework*

  342. stpeter

    Laura: hopefully these meetings aren't too crazy for you -- we have a certain style of communicating and it can be difficult to follow, I think :-)

  343. bear

    it does take some getting used to

  344. Kev

    At least we don't communicate by yelling (much) :)

  345. stpeter

    hmph, I have a dentist appointment next Wednesday morning, I am not sure how I schedule such a thing at that time :(

  346. bear

    do you want a schedule change before/after?

  347. stpeter

    I can provide information by email beforehand and the Board can proceed, I think

  348. bear

    k

  349. stpeter

    maybe I can join via mobile or show up early and use their wifi

  350. bear

    I'm up for sliding the meeting up an hour if the others are ok with it

  351. stpeter

    I'm going to see if (a) the dentist has wifi or (b) I can move the appointment

  352. Kev

    Hahahaha

  353. stpeter

    if we have a 30-minute meeting, we should be fine :-)

  354. Kev

    Sentences you never expect to see "I'm going to see if the dentist has wifi".

  355. stpeter

    heh yeah

  356. stpeter

    I'll work it out on my end

  357. stpeter

    Board calendar updated

  358. bear has sent email to members@ asking for council time

  359. Kev

    Thanks bear.

  360. bear

    yw

  361. bear

    the gsoc wiki page has been created by jabberjocke - \o/

  362. ralphm has left

  363. bear proofreads the new page for typos and spelling

  364. bear sends blurb to members@ about GSOC project ideas

  365. Simon has left

  366. Laura has left

  367. Laura has joined

  368. Simon has joined

  369. Laura has left

  370. Simon has joined

  371. Alex has joined

  372. Simon has left

  373. Zash has left

  374. Zash has joined

  375. Ashley Ward has left

  376. tato has joined

  377. tato has left

  378. tato has joined

  379. tato has left

  380. tato has joined

  381. SouL has left

  382. fippo

    kev: the agenda for the next meeting is going to be pretty heavy

  383. fippo

    three submissions from me ;-)

  384. tato has left

  385. Kev

    Yay.

  386. tato has joined

  387. MattJ

    dwd, can you expand "with strong identity being considerably more prevalent that it was"? (assuming s/that/than/)

  388. SM has joined

  389. dwd

    We have a big push for proper certificates that seems to be working.

  390. dwd

    But you know, I thought I'd make it sound exciting and technical.

  391. jabberjocke has joined

  392. Ashley Ward has joined

  393. tato has left

  394. ralphm has left

  395. bear has left

  396. Simon has joined

  397. Simon has left

  398. Ashley Ward has left

  399. MattJ

    So now we need to get the discussion over to the security list somehow

  400. MattJ

    and then jingle, and the WG list

  401. stpeter

    :P

  402. Zash has joined

  403. tato has joined