XSF Discussion - 2013-12-04

  1. Lance has joined

  2. tato has left

  3. tato has joined

  4. Lance has joined

  5. bear has left

  6. Lance has left

  7. SouL has left

  8. Alex has joined

  9. Alex has left

  10. Alex has joined

  11. Alex has left

  12. jabberjocke has joined

  13. SouL has joined

  14. Simon has joined

  15. jabberjocke has left

  16. Simon has left

  17. Simon has joined

  18. Simon has left

  19. Simon has joined

  20. dwd has joined

  21. jabberjocke has joined

  22. Simon has joined

  23. stpeter has joined

  24. stpeter has left

  25. Simon has left

  26. Simon has joined

  27. Zash has joined

  28. Ashley Ward has joined

  29. Zash has left

  30. Simon has joined

  31. Zash has joined

  32. Simon has left

  33. Simon has joined

  34. Simon has joined

  35. SouL has left

  36. SouL has joined

  37. SouL has left

  38. SouL has joined

  39. SouL has left

  40. tato has left

  41. jabberjocke has left

  42. Alex has joined

  43. Simon has left

  44. Simon has joined

  45. Simon has joined

  46. stpeter has joined

  47. stpeter has left

  48. SouL has joined

  49. intosi has left

  50. intosi has joined

  51. Zash has left

  52. stpeter has joined

  53. stpeter has left

  54. stpeter has joined

  55. Laura has joined

  56. Zash has joined

  57. bear has joined

  58. fippo


  59. fippo

    "Things get complicated for SIP because it has neither of the above: it has neither the reliable discovery mechanisms of XMPP, nor the mandatory support for trickling that WebRTC comes with."

  60. fippo

    poor old sip

  61. MattJ


  62. stpeter


  63. stpeter

    speaking of which, would it be helpful to finish off the Server IP Check XEP?

  64. Zash

    Oh, hadn't seen that there was a new version of that

  65. stpeter

    newish, anyway

  66. stpeter

    all it really does is give you a hint that your IP address might not be what you think it is, thus the acronym "sic" ;-)

  67. MattJ

    Clever :)

  68. stpeter

    I love clever acronyms -- maybe I should've gone into marketing or advertising ;-)

  69. intosi has left

  70. intosi has joined

  71. Alex has left

  72. bear

    Board meeting in 5 minutes, I suspect it may be a fast one

  73. stpeter

    why do you suspect so? ;-)

  74. bear

    i'm just being an optimist

  75. dwd

    We can soon correct that one, though.

  76. stpeter

    http://webrtchacks.com/trickle-ice/ mentions Jingle Relay Nodes -- another spec we need to update

  77. dwd grabs thinking-pencil

  78. dwd

    What with SRTP-DTLS and stuff, a relay is unable to snoop on the conversation, I suppose?

  79. bear

    you can buy those!?!

  80. dwd

    bear, Don't know, but you should be able to. Then again, I also want a hex bit pencil and pen set, and I can't find those anywhere.

  81. bear checks for quorum

  82. bear

    ralphm, simon, dwd, laura?

  83. dwd waves appendages.

  84. Simon is here

  85. ralphm


  86. Laura


  87. bear

    sweet! everyone ready to start?

  88. ralphm


  89. stpeter

    wow, cool, text from Laura appeared before she joined the chatrom

  90. stpeter


  91. dwd

    stpeter, Then your client had a MUC sync failure.

  92. bear

    yea, I just noticed she was not in the admin affiliates list

  93. bear

    so made the change just as she was responding

  94. dwd

    stpeter, You saw the role change as a entry.

  95. stpeter


  96. stpeter

    topics for today?

  97. Simon

    Bear: I'd like to add a discussion about the XSF involvement with the securing of XMPP to the agenda.

  98. bear

    on the agenda:

  99. dwd

    Simon, Good call.

  100. bear

    GSoC update

  101. bear

    FOSDEM quick update

  102. bear

    Google outreach response/update

  103. dwd needs to largely vanish at 1700UTC (ie, 30 mins) to go cook the children's food.

  104. bear

    and XSF being active with the XMPP ubiquitous security thingy

  105. bear

    ok, first item - GSoC

  106. bear

    let's make this a Kev inspired meeting then - 30 minutes and done

  107. bear

    i'll do minutes later tonight

  108. bear

    the mailing list had quite a response

  109. Simon

    +1 for a fast meeting.

  110. bear

    so I want to make sure tonight the gsoc wiki page has items

  111. bear

    and then poke the responders to start updating it

  112. ralphm

    yeah, looks good

  113. bear

    i'll do that tonight

  114. Simon

    then we should mail out to the list(s) too?

  115. dwd

    It'd be nice to get some concrete support and suggestions.

  116. Simon


  117. Simon

    ok -happy to start adding concrete when the page is ready.

  118. jabberjocke has joined

  119. bear

    yes, if you all want, email me what lists I should target and I'll do them (or volunteer to help cover them)

  120. bear

    yea, that is better, update the wiki wth the lists and then we can coordinate

  121. bear

    anything else on GSoC ?

  122. stpeter

    (as to agenda items, I'd like to chat briefly about the various liaison relationships that might be forming)

  123. bear adds to agenda

  124. Simon

    Bear: happy with that for GSOC / nothing else

  125. ralphm

    isn't that like g outreach?

  126. bear

    ok, next item - google outreach results

  127. bear

    my take is that we are hitting a possible political stonewall ?

  128. dwd

    Well, no.

  129. Simon

    Update: Email doesn't reach google people/ G+ does. Ade pinged a couple of people inside google and "they are aware of what is happening" was the most I could get out.

  130. dwd

    The wheels of Google grind slowly, etc.

  131. Simon

    I'd tried to email quite a few people including their head of open souce Chris DiBona. Nothing back.

  132. dwd

    It's not so much a political stonewall, it's just the momentum of the juggernaut is hard to change.

  133. fippo

    i'd note https://twitter.com/juberti/status/401971677321367552 as well

  134. stpeter

    I did reach out to Justin Uberti and he said he would find out if it's possible / feasible for them to support s2s encryption

  135. Simon

    What about we take a different approach - of asking that they enable TLS without cert checking. But at this point I'm somewhat inclinded to say fuckit.

  136. bear

    ok, so my question would be this then: do we continue with another round of polite-behind-the-scenes contacts or do we start getting noisier on the G+ scene?

  137. dwd

    Simon, I don't think we've got anywhere close to that yet.

  138. stpeter

    Simon: that is what I suggested to Justin as a good place to start

  139. dwd

    bear, I'm nervous about becoming confrontational in public.

  140. fippo

    stpeter: they have it implemented. It worked a couple of years ago

  141. stpeter

    but, to Dave's point, we don't even know if they have anyone working on Talk any longer

  142. stpeter

    fippo: ah, I had forgotten about that

  143. dwd

    bear, I think the counter-reaction would be bad, basically.

  144. SouL has left

  145. stpeter

    I see no reason for a confrontation

  146. dwd

    What might be interesting is to try to get Google participation from the Chris DiBona/Ade types at the SUmmit.

  147. bear

    I wasn't suggesting bashing

  148. stpeter

    ideally we can bring along Google, although IMHO it might not happen as quickly as we'd like

  149. SouL has joined

  150. bear

    I was suggesting just taking some of the questions to G+ and starting a dialog

  151. dwd

    I know it'll be too late for the 4th Jan test day, but getting to chat face to face might prove much more effective.

  152. stpeter

    and BTW it's not just Google -- other providers like GMX and Dreamhost are relevant here, too

  153. fippo

    stpeter: i'll poke some people about GMX again.

  154. dwd

    bear, I think it'd end up a disaster, TBH. We just cannot control how other people pitch into a public conversation.

  155. Simon

    I can go an know on GMX's door here in Munich.

  156. stpeter

    Simon: :-)

  157. Simon is serious.

  158. ralphm

    dwd: agreed

  159. bear

    ok, so the push back i'm hearing is that we keep it direct until the first test day is over?

  160. bear

    and then regroup?

  161. stpeter

    that seems reasonable

  162. dwd

    Right, but I'd reiterate that if we can ply some Googlers with beer in Brussels I think it'd lubricate more than throats.

  163. jabberjocke has left

  164. stpeter


  165. fippo

    dwd: and london :-)

  166. ralphm

    the point is that we are effectively not having a conversation, not even no-comment

  167. Simon

    Sounds good. A nice report from the first test day explaining how we've tried to reach out to some of the larger providers wouldn't go amiss too.

  168. dwd

    ralphm, Well, we've had a to, and a fro. It's not great, but it's a start.

  169. ralphm

    those googlers we are talking to are not involved

  170. stpeter

    ralphm: methinks I'll post on +

  171. stpeter

    dwd: agreed

  172. Simon

    My post on G+ got an instant reaction.

  173. stpeter

    Simon: yes

  174. ralphm

    dwd: I chat with Ade all the time, that's easy

  175. bear

    ok, so the status is "still poking" with more pokes to happen and to keep it on a one-to-one level for now and let the sleeping giant that is our awesome membership quiet for the moment?

  176. Simon

    posting and linking to http://xmpp.net/result.php?domain=gmail.com&type=server (when it's finished testing).

  177. stpeter


  178. fippo

    simon: use google.com instead

  179. dwd

    Hmmm. xmpp.net isn't over https. No irony there.

  180. stpeter

    it doesn't force https

  181. ralphm


  182. stpeter

    we can fix that

  183. ralphm


  184. dwd

    But I digress...

  185. bear

    ok, moving on

  186. stpeter

    ok, done with that topic?

  187. stpeter

    (I will try to resurrect some DreamHost contacts)

  188. bear

    ralphm - can you give a quick FOSDEM update?

  189. ralphm

    no change

  190. Simon

    I'd like us to talk about the security effort though as part of the XSF. This security stuff is important to get right. At the moment we spoke about it at the summit, in the board meetings and in the mailing lists. If it's purely Peter's manifesto and the XSF isn't endorsing that, then we look indecicive. And this stuff is important and we should be endorsing it.

  191. bear

    nicely quick - thanks ralph

  192. bear passes the mic to simon

  193. Kev

    Simon: FWIW, I don't think the manifesto as it stands is 'right'.

  194. Simon

    I can't think of a more important cause that we should be focusing on and championing.

  195. bear

    kev - what part of the manifesto do you not agree with?

  196. dwd

    Simon, I'd be concerned that too many of the operators are not committed to it - in part because of the Google (and GMX, and ... ) issues.

  197. bear

    the non-technical bits?

  198. Simon

    Or put another way, is there anything more important than focusing on security right now?

  199. Kev

    I've sent an Isode position to Peter a few weeks back to give him a chance to comment before making such a thing publicly.

  200. dwd

    Simon, Think of the children.

  201. stpeter

    personally I'm not really a fan of manifesto as communication method, but it's been good as a way to start the conversation and set some goals

  202. Kev

    But my personal position, which may or may not be similar to Isode's, is that it states the requirements too firmly without nuance.

  203. bear

    i.e., can we endorse the testing and interoperability of the Security Test Day without waving the manifesto as our flag?

  204. dwd

    bear, Not really. Or at least, we can, but nobody will understand that.

  205. Kev

    There are significant (non-Internet) deployments that do not need, or should not have, TLS, and the manifesto simply says they need to use TLS. If the XSF endorses that, it's saying it doesn't recognise any of these deployments as valid, and that was Not Be Good.

  206. stpeter

    Kev: likely something is lost in my inbox and I need to reply, sorry about that

  207. Simon

    a) write a manifesto b) decide that security is an important selling point for XMPP c) XSF announces secure connections on the network test days. d) XMPP is secure.

  208. Laura

    What about seeing the manifesto as a work-in-progress?

  209. ralphm

    Maybe we can change the effort to an informational XEP and then have XSF announce test days

  210. Laura

    Look for engagement through involevemt?

  211. stpeter

    Laura: I definitely see it that way, but it perhaps hasn't been presented properly

  212. Kev

    stpeter: I think you replied saying "Will look at this", and then lost it, then :)

  213. dwd

    I personally see the manifesto as a kind of bargaining position. It's a statement of our ideal for internet services.

  214. dwd

    The trouble is, the way it's worded leaves little compromise.

  215. Laura

    Does it say that clearly? "This is a statement of our ideal…" etc?

  216. Kev

    dwd: But because it places requirements on software, not just deployment, that is not clear.

  217. stpeter

    Kev: as to non-Internet deployments, the manifesto doesn't talk about those since it's about the public XMPP network

  218. bear

    I can get behind the XSF creating a best-practices XEP and then starts to support interop testing to implement it

  219. Simon

    Kev: The manifesto calls for securing public servers that interconnect - don't think it mentions "behind the firewall" installs.

  220. Kev

    stpeter: No, it's about software too.

  221. dwd

    And I think that lack of compromise is seen as worrying by a considerable portion of the deployed servers out there.

  222. stpeter

    Kev: yes, we need the software to support the features and configuration options that make it possible for public XMPP services to encrypt traffic

  223. Kev

    stpeter: Yes, but some of the software points are not 'support', they're 'do'.

  224. Simon

    I see it more as "if you want to talk to my users, you jolly well ought to take their privacy seriously and use TLS"

  225. dwd

    Simon, Right, but that's not what it says.

  226. Kev

    I am not opposed to the ideas in the manifesto, but the wording is Not Quite Right to my eye.

  227. Kev

    stpeter: You have some comments on this in your inbox :)

  228. Laura

    Please tell me it actually uses the phrase "you jolly well ought to"

  229. Simon


  230. stpeter

    Kev: I'm sure

  231. stpeter


  232. dwd

    Laura, No, it says "you must and I will not compromise".

  233. dwd

    THough I paraphrase.

  234. Laura


  235. Laura

    What about "we will help you to…"?

  236. stpeter

    Kev: the only "do" I see is "no more SSLv2 and SSLv3", but I think the "and SSLv3" can be removed -- it's SSLv2 that is bad

  237. Laura

    More encouraging?

  238. stpeter

    in any case, this is not the place to wordsmith

  239. stpeter

    and 27 minutes have gone by in this meeting :-)

  240. Kev

    stpeter: Are you happy for me to share the mail more widely, or would you like to read it first?

  241. stpeter

    action item for me is to review all feedback and propose changes to the manifesto

  242. Kev


  243. Simon

    My original point is that the XSF needs to be seizing this moment to fix security on s2s links (I don't care what you do on your c2s links)

  244. stpeter

    Kev: I'm fine with public discussion -- transparency is always better IMHO

  245. dwd

    stpeter, Right. But I think the point is that it's not clear that the XSF can wholeheartedly support it in its current form, which is unfortunate, because the goals of it seem very well aligned.

  246. bear

    can we get some wordsmithing on this in the lists and take this up again next week?

  247. stpeter

    dwd: I'm not sure what it means for the XSF to support such a thing -- does that mean the membership needs to vote, or can the Board voice its support?

  248. stpeter

    bear: sure

  249. dwd

    Simon, "Do this or go home" has the unfortunate problem that many people seem happy enough to take the latter option, judging by the lists.

  250. stpeter

    the idea is very much to give us some aspirational goals, *not* to split the network!!

  251. dwd

    stpeter, I would argue that the Board shoudl probably judge consensus, rather than ask for a formal vote in most cases.

  252. Simon

    dwd: I was thinking about that. And yes, there are some vocal opponents. But I think we risk loosing the voice of the vast majority of silent suporters that would like secure connections.

  253. stpeter

    but the text in the manifesto about unauthenticated encryption seems to make this uncontroversial

  254. dwd

    stpeter, " the idea is very much to give us some aspirational goals" - right, totally behind you on this. I think it's the absolutism, as it were, that's causing the discomfort.

  255. bear looks at the time

  256. bear

    ok, if we can get the wordsmithing fixed

  257. stpeter

    dwd: OK, I will revisit the text and see if I can propose some scrubbing to remove any remaining traces of absolutism

  258. Simon

    I think the manifest is right - this is a network and at some point one has to force the issue - it's been many years now and the state of XMPP security has rumbled on in an insecure hodgepodge.

  259. bear

    then we will have a chance next week to talk about what/how we as the board can get the membership to support the effort?

  260. stpeter

    Simon: yes, *but* IMHO we should be able to at least get to unauthenticated encryption using even anonymous DH

  261. stpeter

    bear: yes

  262. dwd

    stpeter, +1.

  263. stpeter shuts up about security

  264. ralphm


  265. bear

    that sounds like a best-practices XEP for sure

  266. bear

    so people can be pointed to it as a HOW-TO once they get their F from xmpp.net

  267. fippo

    bear: i pestered dwd about starttls+dialback already

  268. dwd

    If we're done with this, does that mean we're done-done?

  269. Simon

    (peter: what's happening on Jabber.org's upgrade?)

  270. bear

    ok, that was the last agenda item

  271. Simon moves soapbox to the side.

  272. stpeter

    quick update about the liaison agreements

  273. bear

    any agenda bashing?

  274. bear moves box to peter's side

  275. stpeter

    I have received communication from the UPnP Forum about a liaison agreement with them

  276. stpeter

    I'm working on this with someone from Cisco who is involved in UPnP Forum

  277. stpeter

    we'll do a bit of back and forth in the next day or two

  278. stpeter

    then I think I can send a proposed document to the Board

  279. stpeter

    they have a template for such things, we just need to fill in some of the details

  280. stpeter

    I haven't really reviewed it yet, just received it yesterday

  281. stpeter

    but it's in the works

  282. stpeter

    and you saw my note about their UPnP Cloud initiative

  283. stpeter

    so that's all good, I think

  284. stpeter

    I need to follow up with both ISO TC 122 and IEC TC 57

  285. stpeter

    I apologize for taking last week off ;-)

  286. ralphm

    any more text on that?

  287. stpeter

    that = ISO and IEC?

  288. ralphm


  289. bear smacks peter with the "you should take more time off" bat

  290. ralphm

    apart from the news page

  291. stpeter

    oh, BTW, UPnP Forum is very interested in conformance / compliance testing and might be able to contribute code in this area for XMPP stuff

  292. dwd

    stpeter, Do we have to approve your vacation time as your management?

  293. stpeter

    ralphm: I have two presentations (PPT format) that I can probably share -- the rest has all been verbal chats I've had with some folks at UPnP Forum

  294. ralphm


  295. stpeter

    they've had quite a few technical questions about MUC, pubsub, security, naming, etc.

  296. stpeter

    even Jingle stuff

  297. stpeter

    I think they basically want to accomplish the vision that Dirk Meyer was working on a few years ago

  298. ralphm


  299. stpeter


  300. dwd

    My children are hungry; but I think we just ask the Council to select some folk in readiness on the assumption Peter will sort out the legal mumbo jumbo.

  301. stpeter


  302. bear

    cool, sounds like a +1 to peter's plan

  303. stpeter

    we can discuss more next week

  304. stpeter

    I just wanted to provide a quick update

  305. bear

    next week, same time and place?

  306. dwd

    Someone (COuncil or us) should put out a call for volunteers to serve on these things.

  307. dwd

    (to members@)

  308. stpeter

    seems like a Council thing

  309. dwd

    bear, Yes.

  310. stpeter

    let's put that on their agenda for next week's Council meeting :-)

  311. dwd

    stpeter, Happy for it to be Council, they're doing the selection.

  312. stpeter


  313. bear

    k, i'll send an email to membership@ asking council to add it to agenda

  314. bear

    ok, we are done then - thanks all!

  315. dwd

    Doesn't that effectively act as a call for volunteers?

  316. bear

    nope, just a public way of getting it on the council agenda

  317. stpeter


  318. Kev

    Yes, just make sure that anything going on Council agends reaches me via email please (either directly, to council@ or to members@ with a clear subject line) so I notice it.

  319. bear


  320. stpeter


  321. bear

    k, i'll write up the minutes after work using the new Kev method

  322. stpeter


  323. stpeter

    thanks, all!

  324. stpeter

    good discussion

  325. bear

    and the i'll do the calendar additions for next week

  326. Simon

    thanks all

  327. bear

    yep, thanks everyone

  328. Laura

    Bye all

  329. stpeter

    it's great to see such passion about XMPP after all these years :-)

  330. bear


  331. Kev

    So, post meeting...Board could use more bios :)

  332. Kev

    I'm happy to put them in place if people send them to me, or everyone probably has access to do it themselves.

  333. Laura

    Tried to log in to do mine but couldn\t get in. I have my password - is the user name email address?

  334. Laura

    It didn't like me

  335. Kev

    I don't believe so - who created your account?

  336. Kev

    Bug them about it :)

  337. bear looks at laura's account

  338. bear

    laura: your username is "laura" and the email is listed as "laura.gill@surevine.com"

  339. Laura

    Thank you bear

  340. stpeter updates the Board calendar

  341. Laura

    *makes note to do my homework*

  342. stpeter

    Laura: hopefully these meetings aren't too crazy for you -- we have a certain style of communicating and it can be difficult to follow, I think :-)

  343. bear

    it does take some getting used to

  344. Kev

    At least we don't communicate by yelling (much) :)

  345. stpeter

    hmph, I have a dentist appointment next Wednesday morning, I am not sure how I schedule such a thing at that time :(

  346. bear

    do you want a schedule change before/after?

  347. stpeter

    I can provide information by email beforehand and the Board can proceed, I think

  348. bear


  349. stpeter

    maybe I can join via mobile or show up early and use their wifi

  350. bear

    I'm up for sliding the meeting up an hour if the others are ok with it

  351. stpeter

    I'm going to see if (a) the dentist has wifi or (b) I can move the appointment

  352. Kev


  353. stpeter

    if we have a 30-minute meeting, we should be fine :-)

  354. Kev

    Sentences you never expect to see "I'm going to see if the dentist has wifi".

  355. stpeter

    heh yeah

  356. stpeter

    I'll work it out on my end

  357. stpeter

    Board calendar updated

  358. bear has sent email to members@ asking for council time

  359. Kev

    Thanks bear.

  360. bear


  361. bear

    the gsoc wiki page has been created by jabberjocke - \o/

  362. ralphm has left

  363. bear proofreads the new page for typos and spelling

  364. bear sends blurb to members@ about GSOC project ideas

  365. Simon has left

  366. Laura has left

  367. Laura has joined

  368. Simon has joined

  369. Laura has left

  370. Simon has joined

  371. Alex has joined

  372. Simon has left

  373. Zash has left

  374. Zash has joined

  375. Ashley Ward has left

  376. tato has joined

  377. tato has left

  378. tato has joined

  379. tato has left

  380. tato has joined

  381. SouL has left

  382. fippo

    kev: the agenda for the next meeting is going to be pretty heavy

  383. fippo

    three submissions from me ;-)

  384. tato has left

  385. Kev


  386. tato has joined

  387. MattJ

    dwd, can you expand "with strong identity being considerably more prevalent that it was"? (assuming s/that/than/)

  388. SM has joined

  389. dwd

    We have a big push for proper certificates that seems to be working.

  390. dwd

    But you know, I thought I'd make it sound exciting and technical.

  391. jabberjocke has joined

  392. Ashley Ward has joined

  393. tato has left

  394. ralphm has left

  395. bear has left

  396. Simon has joined

  397. Simon has left

  398. Ashley Ward has left

  399. MattJ

    So now we need to get the discussion over to the security list somehow

  400. MattJ

    and then jingle, and the WG list

  401. stpeter


  402. Zash has joined

  403. tato has joined