Flow: That was one of the only lectures/sessions relating to XMPP I found at the 33C3
Tobias: Flow, yeah..there was a ton of matrix related stuff though
daniel: Tobias: a ton?
daniel: I've heard of one
Tobias: daniel, 2-3 i think :)
Flow: anything interesting amongst that ton?
Tobias: ah..misread one..so yeah..just one
Tobias: the other was a different matrix
Flow: just like the matrix movies: good there is only one
Flow: erm, *movie
moparisthebest: Good analogy Flow, matrix is like the matrix sequel to xmpp? :-)
Flow: which matrix sequel?
daniel: Imagine they made a sequel. That would probably have been pretty terrible
Flow: i've heard that sensa8 is not so bad
Flow: *sense8
edhelas: Sense8 is great yeah :) Can't wait for S02
Flow: edhelas: So you say I shall start watching it?
MattJ: I don't get it, there are (at least?) two Matrix sequels... it was a trilogy
Zash: MattJ: No, I'm afraid that was all a fever induced nightmare you had.
mathieui: just submitted a cloudflare abuse report for xmppspam.space
mathieui: wondering if anything will come out of it
edhelas: Moar spam ?
mathieui: not more
Tobias: mathieui: I doubt they will
Tobias: wow...MIX is already 40% of the size of pubsub
SamWhited: ouch
Tobias: i wonder if one could make that more compact
Zash: cut up pubsub into pieces, each smaller than MIX?
Tobias: probably
SamWhited: I suspect MIX and Pubsub could both be trimmed down. Surely they don't need all those features… (that last statement was only half joking)
ralphm: I've had a physically chopped up XEP-0060 printout for quite a while now. I just haven't gotten to do all the editorial work to actually make it into separate XEPs.
Tobias: yeah..but with MIX you start fresh...you could already try to not bloat it up from the get go
goffi: MattJ: https://www.xkcd.com/566/
mathieui: I may have to hold edhelas back if the speaker reads some more moxie
mathieui: Hanno has good points (that we already know), but some stuff is factually wrong though
Zash: Hanno whose name I recognize from lists like oss-sec?
mathieui: yeah
SamWhited: That should be good; wish I were there for that.
mathieui: like, he’s the one who found a nice series of PHP CVEs "reading random code on the train on the way to 33C3"
daniel: Who cares about facts though
mathieui: (or raised the "gajim OTR leaks plaintext" CVE)
Zash: Tell them "Tradeoffs" and "Meh" from me.
SamWhited: The description sounds pretty bang on; I'd be curious to know what he gets right/wrong in the actual talk.
daniel: mathieui: did he?
mathieui: daniel, "raised", after it was fixed
daniel: I was under the impression that this was lovetox
daniel: Who found the bug
Zash: raised as in, so it got a CVE number?
mathieui: yeah
mathieui: so he still is kind of up-to-date and knowledgeable, I mean
daniel: Should have brought some straw for all the men he is building
mathieui: :D
SamWhited: Oh joy, another one of those; *sigh* I keep hoping someone will have an actual talk about this.
xnyhps: Haha
Link Mauve: Zash, https://www.zash.se/xmpp-features.html is now zero bytes.
Zash: Link Mauve: now then
Link Mauve: Zash, thanks.
Link Mauve: Oh, I didn’t contribute the server part of 0375?
daniel: I like how his rhetorical question bombed completely. 'who here ever received xmpp spam?' almost nobody raises hand. 'who here ever used xmpp video chat?' lots of people raise hand
mathieui: well, if he asked if people were using video chat often, it might have been a different answer
Link Mauve: :)
daniel: mathieui: :-)
Link Mauve: I actually use Jitsi Meet as my sole personal video chat client.
edhelas: mathieui, I'll call you after the conference to talk about it ;)
mathieui: sure
mathieui: I used XMPP video chat, 5 years ago, twice
Link Mauve: I helped ThibG test his implementation in Gajim 0.14, twice.
Zash: Didn't we use Jitsi meet at some recent summit?
SamWhited: We used it at the Austin one (it worked very well, if I do say so myself)
Zash: Link Mauve: That sounds like thing I might have done as well.
mathieui: so if I hear correctly one guy just suggested we should contribute to signal instead of writing XEPs
Zash: What's the point when I can't run my own server?
edhelas: incoming XEP-xxxx : Signal over XMPP
xnyhps: Zash: You can, but you're on there alone.
SamWhited: I wonder why we should contribute to signal instead of signal contributing to us… or why signal over <insert other favorite messaging app here>
SamWhited: Or why these two things are even related at all
mathieui: SamWhited, it has to mostly open-source
Zash: Isn't that basically OMEMO?
mathieui: SamWhited, although, I kind of agree that people complaining that signal uses GCM should just finish the pull request adding websocket support
mathieui: but I personally don’t care obviously
SamWhited: I don't care about any of that; I was just pointing out that the argument could go either way
Zash: No, everyone should go invent yet another messaging thing from scratch for no reason!
mathieui: Zash, innovate!
Link Mauve: Zash, disrupt!
waqas: Zash: The big issue here is a lack of JSON. XEP-0295 has been out for years, yet implementations are scarce.
Zash: Try adding more JSON?
Tobias: Nobody was ever fired for using JSON
SamWhited: Were there any good points in the talk? We can mock, but this is an actual problem and it would be nice to solve some of XMPP's random incompatibilities.
SamWhited: This is why I still think we need to deprecate privacy lists, and XHTML-IM, and Message Archiving, etc. even if no full replacement exists yet. It just leads to confusion, a fragmented ecosystem, and talks like this.
Zash: Yes, a summary would be neat to hear before I run out of Futurama episodes to watch instead of going to sleep.
waqas agrees with SamWhited about it being an actual problem to be discussed and solved
Zash: XHTML-IM is bad now?
SamWhited: I certainly think so; nothing that supports it renders anything the same as anything else that supports it, and I have yet to find a web client that supports it which I couldn't script inject.
SamWhited: Even if you only look at a single client and don't care if things render exactly the same between clients, you can pretty much always break that particular client's UI with it (by introducing images or huge text or whatever)
SamWhited: I don't know if that was one of the specific complaints people had; I was just trying to think of examples of things that I think break XMPP clients UX
Zash: Not that I personally would miss it, but I would care more for semantics than exact rendering.
Zash: Also, you should try to find the giant stick labeled 'Is the new MAM revision done yet?' and poke MattJ with it.
Zash: And whatever happened with Carbons?
Zash: Wasn't it supposed to be Draft-ified or updated or something?
SamWhited: The Carbons last-call kind of died out; I should bring that back up again.
SamWhited: I don't remember why; I'm sure there was some update that needed doing.
mathieui: SamWhited, all in all it was a pretty balanced talk
mathieui: slides will be online
SamWhited refreshes the page a bunch :)
Zash: SamWhited: Tell me when to refresh the page so I can refresh the page.
SamWhited: Zash: wilco
Tobias: SamWhited, will write some mail to standards/members ML...the manifesto was nice, but is outdated for nowaday security standards
SamWhited: Zash: refresh the page
Tobias: compliance suites are nice, but the latest one doesn't include E2E security (OMEMO wasn't a XEP yet then)
SamWhited: (the website is the slides, I just discovered)
SamWhited: Ooh yah, we should definitely add it now that it is.
Zash: Hold on, I closed the page, let me just scroll up and find the link again so I can open it and refresh it.
Zash: Oh neat, only 22 hits for "Signal" in the slides
SamWhited: It seems to me that his core premise is that all messages should be e2e encrypted all the time and that there should be no plaintext fallback, but I disagree with that as a valid assumption. His foundation feels a bit shaky.
Tobias: SamWhited, we should have the client list on xmpp.org sorted by support of compliance suite features...similar to that page from daniel where he shows what service supports which XEPs
mathieui: SamWhited, I agree with you, but I see his point
mathieui: I mean, ideally you should choose your admin, but ideally you should still not be 100% hoping on his goodwill
Tobias: SamWhited, and modernize that manifesto for requiring TLS 1.2 support, cleaning up inconsistencies, etc.
Zash: Ideally you should choose an admin within range of a tactical ballistic stones throw.
moparisthebest: But you can have that now with omemo, hell you could have it 10? Years ago with pgp xep27
SamWhited: I do agree with his assertion that having OMEMO and new-PGP is poor and not well justified; we should fix that too.
moparisthebest: Different use cases SamWhited
moparisthebest: Omemo forces forward secrecy, sometimes you don't want that
SamWhited: I don't disagree with that, but I don't think it's a good enough reason to have two separate crypto protocols.
Tobias: moparisthebest, it only forces it as implementation detail, doesn't it?...if you never delete your keys, you won't have FS, not?
SamWhited: His very next slide says "Is it good to idealize choice and sacrifice interoperability and security?" and I think the answer is no; we should only support OMEMO even if it means the no-FS use case isn't covered.
SamWhited: (in my mind)
moparisthebest: So I use xep27 for notifications from my servers, cronjobs and such I used to use email for
Tobias: right..but in the end it's protocol choice
moparisthebest: I'm not clear I could use omemo for that
Tobias: if the new PGP XEP won't be part of the compliance suite, but omemo will, client devs have less incentive to implement it
moparisthebest: At least without keeping my keys too long etc
Tobias: moparisthebest, i'm sure omemo could also be used by notification bots
SamWhited: If it's a notification from your server isn't it already end-to-end encrypted (from the server to you) by virtue of using TLS?
moparisthebest: Tobias: well it connects, send the message and then disconnects
SamWhited: oh, not from your XMPP server, just "from my servers"; nevermind.
moparisthebest: SamWhited: yes, but why not pgp also? :-)
Tobias: right..but as long as it fetches the correct prekeys from the recipient via PEP
SamWhited: moparisthebest: because you've just increased your attack surface drastically and your reasoning is "why not"
mathieui: SamWhited, we usually refer to TLS as point-to-point, obviously
Tobias: daniel, there's nothing preventing a script from connecting, sending an omemo message, and disconnecting, right?
Zash: That Prosody bug possibly.
moparisthebest: SamWhited: I think it reduces attack surface, like if a tls bug happens, I'm fine
SamWhited: Adding more things with the argument "why not" is *never* an okay way to engineer anything. Redundancy can be good, but it generally needs justification. In this case you're just introducing more dependencies to a system that's complex already (more dependencies that can have their own vulnerabilities and issues which I could potentially attack).
moparisthebest: Then take out tls altogether
Tobias: SamWhited, true
moparisthebest: After all these messages don't matter
SamWhited: In this case I'd argue that adding more stuff is at best pointless, and at worst dangerous.
Tobias: i hope the MIX step has nothing redundant in it...i'll have to read it :)
moparisthebest: They are like, just renewed a cert
SamWhited: Those slides were pretty excellent; now I'm even more sad I wasn't there. Thanks for the link!
Tobias: what was daniel's webpage that shows what service supports which XEP?
SamWhited: Tobias: Added it; although pretty soon these will need to be updated to "2017 compliance suites": https://github.com/xsf/xeps/pull/335
Tobias: SamWhited, thx...currently proof reading my mail about the talk and will send it in a bit..looking forward to a healthy discussion and ideally rather soon actions
SamWhited: Tobias ++; I'm looking forward to that. I'll try to be productive and not just gripe :)
Tobias: sent..didn't know if jdev or standards would be better...so i sent it to both..but probably makes sense to continue the discussion on one of the lists
Holger: There's a version of Daniel's table ranked by greenness BTW: https://gultsch.de/compliance_ranked.html
Tobias: Holger, damn..wanted to link to that...thanks
SamWhited: Tobias: I added compliance suites/encryption to the council's agenda too. I think we should discuss it as a group, even though technically the PR doesn't need discussion.
SamWhited: Obviously I have views about what we should do, but I think it's important that we get this one right, so I'd like everyone's feedback before merging that PR.
Zash: SamWhited: I think Conversations does 377 actually
SamWhited: Zash: Does it? I've been meaning to add it thinking it wasn't in there yet
SamWhited: I haven't been paying as much attention lately though, so I could have missed it quite easily
SamWhited: Oh hey, yup, there's a bunch of references that look about right in the source. Nifty.
Zash: Should be a checkbox or something when you block someone.
SamWhited: Maybe it doesn't show up because I have nothing to handle it on my server. I should add that plugin you made a while back.
Zash: The prosody module I wrote doesn't do anything besides loudly logging it yet tho.
Zash: And fires an event so you can write another module to do .. something .. sensible perhaps
SamWhited: Yah, not sure what I'd actually do with it yet. Maybe just collect stats for pretty graphs later.
Zash: Kinda tricky when we're doing Real Time(tm) things in that we might not know what the spammer/abuser sent because we already delivered and forgot all about it.
Zash: Otherwise we could do spam filter training
Ge0rG: Wow, all it takes to get people started about Easy XMPP is a 33c3 talk?
Zash: Started with what?
SamWhited: What's Easy XMPP?
mathieui: Ge0rG, yeah, I thought about that :D
mathieui: you need a better marketing
mathieui: I mean, I had https://wiki.xmpp.org/web/Easy_Onboarding open even before hearing about that talk
Ge0rG: https://wiki.xmpp.org/web/Easy_XMPP has some more, but it's lacking group chats
Tobias: Ge0rG, there have been some XMPP devs interest in Easy XMPP before, Swift was started to provide an easier to use/better UX client in comparison to Psi.
Ge0rG: mathieui, I'm sure the term is right, we just need more attention from developers...
daniel: We need more developers
daniel: Developers. Developers. Developers.
Ge0rG: Or maybe we need a different front person. My style just isn't popular
Tobias: daniel, yeah..especially that
Tobias: daniel, if only half of the room were involved in XMPP client dev :P
Zash: Marketing marketing marketing
daniel: Framing
Ge0rG: Flaming?! I'm in!
Ge0rG: Could somebody please send a link to https://wiki.xmpp.org/web/Easy_Onboarding to the ML thread? I'm on my mobile device and only have half the thread available...