I suspect MIX and Pubsub could both be trimmed down. Surely they don't need all those features… (that last statement was only half joking)
ralphm
I have had a physically chopped up XEP-0060 printout for quite a while now. I just haven't gotten to do all the editorial work to actually make it into separate XEPs.
Tobias
yeah..but with MIX you start fresh...you could already try to not bloat it up from the get go
goffi
MattJ: https://www.xkcd.com/566/
mathieui
I may have to hold edhelas back if the speaker reads some more moxie
Hanno has good points (that we already know), but some stuff is factually wrong though
Zash
Hanno, whose name I recognize from lists like oss-sec?
mathieui
yeah
SamWhited
That should be good; wish I were there for that.
mathieui
like, he’s the one who found a nice series of PHP CVEs "reading random code on the train on the way to 33C3"
daniel
Who cares about facts though
mathieui
(or raised the "gajim OTR leaks plaintext" CVE)
Zash
Tell them "Tradeoffs" and "Meh" from me.
SamWhited
The description sounds pretty bang on; I'd be curious to know what he gets right/wrong in the actual talk.
daniel
mathieui: did he?
mathieui
daniel, "raised", after it was fixed
daniel
I was under the impression that this was lovetox
daniel
Who found the bug
Zash
raised as in, so it got a CVE number?
mathieui
yeah
mathieui
so he still is kind of up-to-date and knowledgeable, I mean
daniel
Should have brought some straw for all the men he is building
mathieui
:D
SamWhited
Oh joy, another one of those; *sigh* I keep hoping someone will have an actual talk about this.
xnyhps
Haha
Link Mauve
Zash, https://www.zash.se/xmpp-features.html is now zero bytes.
Zash
Link Mauve: now then
Link Mauve
Zash, thanks.
Link Mauve
Oh, I didn’t contribute the server part of 0375?
daniel
I like how his rhetorical questions bomb completely. 'who here ever received xmpp spam?' almost nobody raises hand. 'who here ever used xmpp video chat?' lots of people raise hand
mathieui
well, if he asked if people were using video chat often, it might have been a different answer
Link Mauve
:)
daniel
mathieui: :-)
Link Mauve
I actually use Jitsi Meet as my sole personal video chat client.
edhelas
mathieui, I'll call you after the conference to talk about it ;)
mathieui
sure
mathieui
I used XMPP video chat, 5 years ago, twice
Link Mauve
I helped ThibG test his implementation in Gajim 0.14, twice.
Zash
Didn't we use Jitsi meet at some recent summit?
SamWhited
We used it at the Austin one (it worked very well, if I do say so myself)
Zash
Link Mauve: That sounds like a thing I might have done as well.
mathieui
so if I hear correctly one guy just suggested we should contribute to signal instead of writing XEPs
Zash
What's the point when I can't run my own server?
edhelas
incoming XEP-xxxx : Signal over XMPP
xnyhps
Zash: You can, but you're on there alone.
SamWhited
I wonder why we should contribute to signal instead of signal contributing to us… or why signal over <insert other favorite messaging app here>
SamWhited
Or why these two things are even related at all
mathieui
SamWhited, it has to mostly open-source
Zash
Isn't that basically OMEMO?
mathieui
SamWhited, although, I kind of agree that people complaining that signal uses GCM should just finish the pull request adding websocket support
mathieui
but I personally don’t care obviously
SamWhited
I don't care about any of that; I was just pointing out that the argument could go either way
Zash
No, everyone should go invent yet another messaging thing from scratch for no reason!
mathieui
Zash, innovate!
Link Mauve
Zash, disrupt!
waqas
Zash: The big issue here is a lack of JSON. XEP-0295 has been out for years, yet implementations are scarce.
Zash
Try adding more JSON?
Tobias
Nobody was ever fired for using JSON
SamWhited
Were there any good points in the talk? We can mock, but this is an actual problem and it would be nice to solve some of XMPP's random incompatibilities.
SamWhited
This is why I still think we need to deprecate privacy lists, and XHTML-IM, and Message Archiving, etc. even if no full replacement exists yet. It just leads to confusion, a fragmented ecosystem, and talks like this.
Zash
Yes, a summary would be neat to hear before I run out of Futurama episodes to watch instead of going to sleep.
waqas agrees with SamWhited about it being an actual problem to be discussed and solved
Zash
XHTML-IM is bad now?
SamWhited
I certainly think so; nothing that supports it renders anything the same as anything else that supports it, and I have yet to find a web client that supports it which I couldn't script inject.
SamWhited
Even if you only look at a single client and don't care if things render exactly the same between clients, you can pretty much always break that particular client's UI with it (by introducing images or huge text or whatever)
SamWhited
I don't know if that was one of the specific complaints people had; I was just trying to think of examples of things that I think break XMPP clients' UX
Zash
Not that I personally would miss it, but I would care more for semantics than exact rendering.
Zash
Also, you should try to find the giant stick labeled 'Is the new MAM revision done yet?' and poke MattJ with it.
Zash
And whatever happened with Carbons?
Zash
Wasn't it supposed to be Draft-ified or updated or something?
SamWhited
The Carbons last-call kind of died out; I should bring that back up again.
SamWhited
I don't remember why; I'm sure there was some update that needed doing.
mathieui
SamWhited, all in all it was a pretty balanced talk
mathieui
slides will be online
SamWhited refreshes the page a bunch :)
Zash
SamWhited: Tell me when to refresh the page so I can refresh the page.
SamWhited
Zash: wilco
Tobias
SamWhited, will write some mail to standards/members ML...the manifesto was nice, but is outdated for nowadays' security standards
SamWhited
Zash: refresh the page
Tobias
compliance suites are nice, but the latest one doesn't include E2E security (OMEMO wasn't a XEP yet then)
SamWhited
(the website is the slides, I just discovered)
SamWhited
Ooh yah, we should definitely add it now that it is.
Zash
Hold on, I closed the page, let me just scroll up and find the link again so I can open it and refresh it.
Zash
Oh neat, only 22 hits for "Signal" in the slides
SamWhited
It seems to me that his core premise is that all messages should be e2e encrypted all the time and that there should be no plaintext fallback, but I disagree with that as a valid assumption. His foundation feels a bit shaky.
Tobias
SamWhited, we should have the client list on xmpp.org sorted by support of compliance suite features...similar to that page from daniel where he shows what service supports which XEPs
mathieui
SamWhited, I agree with you, but I see his point
mathieui
I mean, ideally you should choose your admin, but ideally you should still not be 100% hoping on his goodwill
Tobias
SamWhited, and modernize that manifesto for requiring TLS 1.2 support, cleaning up inconsistencies, etc.
Zash
Ideally you should choose an admin within range of a tactical ballistic stone's throw.
moparisthebest
But you can have that now with omemo, hell you could have it 10? Years ago with pgp xep27
SamWhited
I do agree with his assertion that having OMEMO and new-PGP is poor and not well justified; we should fix that too.
moparisthebest
Different use cases SamWhited
moparisthebest
Omemo forces forward secrecy, sometimes you don't want that
SamWhited
I don't disagree with that, but I don't think it's a good enough reason to have two separate crypto protocols.
Tobias
moparisthebest, it only forces it as implementation detail, doesn't it?...if you never delete your keys, you won't have FS, not?
SamWhited
His very next slide says "Is it good to idealize choice and sacrifice interoperability and security?" and I think the answer is no; we should only support OMEMO even if it means the no-FS use case isn't covered.
SamWhited
(in my mind)
moparisthebest
So I use xep27 for notifications from my servers, cronjobs and such I used to use email for
Tobias
right..but in the end it's protocol choice
moparisthebest
I'm not clear I could use omemo for that
Tobias
if the new PGP XEP won't be part of the compliance suite, but omemo will, client devs have less incentive to implement it
moparisthebest
At least without keeping my keys too long etc
Tobias
moparisthebest, i'm sure omemo could also be used by notification bots
SamWhited
If it's a notification from your server isn't it already end-to-end encrypted (from the server to you) by virtue of using TLS?
moparisthebest
Tobias: well it connects, send the message and then disconnects
SamWhited
oh, not from your XMPP server, just "from my servers"; never mind.
moparisthebest
SamWhited: yes, but why not pgp also? :-)
Tobias
right..but as long as it fetches the correct prekeys from the recipient via PEP
SamWhited
moparisthebest: because you've just increased your attack surface drastically and your reasoning is "why not"
mathieui
SamWhited, we usually refer to TLS as point-to-point, obviously
Tobias
daniel, there's nothing preventing a script from connecting, sending an omemo message, and disconnecting, right?
Zash
That Prosody bug possibly.
moparisthebest
SamWhited: I think it reduces attack surface, like if a tls bug happens, I'm fine
SamWhited
Adding more things with the argument "why not" is *never* an okay way to engineer anything. Redundancy can be good, but it generally needs justification. In this case you're just introducing more dependencies to a system that's complex already (more dependencies that can have their own vulnerabilities and issues which I could potentially attack).
moparisthebest
Then take out tls altogether
Tobias
SamWhited, true
moparisthebest
After all these messages don't matter
SamWhited
In this case I'd argue that adding more stuff is at best pointless, and at worst dangerous.
Tobias
i hope the MIX step has nothing redundant in it...i'll have to read it :)
moparisthebest
They are like, just renewed a cert
SamWhited
Those slides were pretty excellent; now I'm even more sad I wasn't there. Thanks for the link!
Tobias
what was daniel's webpage that shows what service supports which XEP?
SamWhited
Tobias: https://gultsch.de/compliance.html
Tobias
thx
SamWhited
Tobias: Added it; although pretty soon these will need to be updated to "2017 compliance suites": https://github.com/xsf/xeps/pull/335
Tobias
SamWhited, thx...currently proof reading my mail about the talk and will send it in a bit..looking forward to a healthy discussion and ideally rather soon actions
SamWhited
Tobias ++; I'm looking forward to that. I'll try to be productive and not just gripe :)
Tobias
sent..didn't know if jdev or standards would be better...so i sent it to both..but probably makes sense to continue the discussion on one of the lists
Holger
There's a version of Daniel's table ranked by greenness BTW: https://gultsch.de/compliance_ranked.html
Tobias
Holger, damn..wanted to link to that...thanks
SamWhited
Tobias: I added compliance suites/encryption to the council's agenda too. I think we should discuss it as a group, even though technically the PR doesn't need discussion.
SamWhited
Obviously I have views about what we should do, but I think it's important that we get this one right, so I'd like everyone's feedback before merging that PR.
Zash
SamWhited: I think Conversations does 377 actually
SamWhited
Zash: Does it? I've been meaning to add it thinking it wasn't in there yet
SamWhited
I haven't been paying as much attention lately though, so I could have missed it quite easily
SamWhited
Oh hey, yup, there's a bunch of references that look about right in the source. Nifty.
Zash
Should be a checkbox or something when you block someone.
SamWhited
Maybe it doesn't show up because I have nothing to handle it on my server. I should add that plugin you made a while back.
Zash
The prosody module I wrote doesn't do anything besides loudly logging it yet tho.
Zash
And fires an event so you can write another module to do .. something .. sensible perhaps
SamWhited
Yah, not sure what I'd actually do with it yet. Maybe just collect stats for pretty graphs later.
Zash
Kinda tricky when we're doing Real Time(tm) things in that we might not know what the spammer/abuser sent because we already delivered and forgot all about it.
Zash
Otherwise we could do spam filter training
Ge0rG
Wow, all it takes to get people started about Easy XMPP is a 33c3 talk?
Zash
Started with what?
SamWhited
What's Easy XMPP?
mathieui
Ge0rG, yeah, I thought about that :D
mathieui
you need better marketing
mathieui
I mean, I had https://wiki.xmpp.org/web/Easy_Onboarding open even before hearing about that talk
https://wiki.xmpp.org/web/Easy_XMPP has some more, but it's lacking group chats
Tobias
Ge0rG, there has been some XMPP dev interest in Easy XMPP before, Swift was started to provide an easier to use/better UX client in comparison to Psi.
Ge0rG
mathieui, I'm sure the term is right, we just need more attention from developers...
daniel
We need more developers
daniel
Developers. Developers. Developers.
Ge0rG
Or maybe we need a different front person. My style just isn't popular
Tobias
daniel, yeah..especially that
Tobias
daniel, if only half of the room were involved in XMPP client dev :P
Zash
Marketing marketing marketing
daniel
Framing
Ge0rG
Flaming?! I'm in!
Ge0rG
Could somebody please send a link to https://wiki.xmpp.org/web/Easy_Onboarding to the ML thread? I'm on my mobile device and only have half the thread available...