-
mathieui
Tobias, what’s the talk that is going to say "federation doesn’t work" again?
-
Tobias
mathieui, https://events.ccc.de/congress/2016/wiki/Session:Are_decentralized_services_unable_to_innovate%3F#_0043166f5c425145741cb5a178a7ac3c
-
mathieui
oh ok, it’s not in a big room
-
mathieui
that will probably be fun
-
Zash
But https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines
-
Tobias
:D
-
Flow
Looking forward to what hanno has to say
-
Tobias
Flow, in what talk?
-
Flow
Tobias: the one you mentioned
-
Tobias
Flow, ah..i thought you meant another talk
-
Flow
That was one of the only lectures/sessions relating to XMPP I found at the 33C3
-
Tobias
Flow, yeah..there was a ton of matrix related stuff though
-
daniel
Tobias: a ton?
-
daniel
I've heard of one
-
Tobias
daniel, 2-3 i think :)
-
Flow
anything interesting amongst that ton?
-
Tobias
ah..misread one..so yeah..just one
-
Tobias
the other was a different matrix
-
Flow
just like the matrix movies: good there is only one
-
Flow
erm, *movie
-
moparisthebest
Good analogy Flow , matrix is like the matrix sequel to xmpp? :-)
-
Flow
which matrix sequel?
-
daniel
Imagine they made a sequel. That would probably have been pretty terrible
-
Flow
i've heard that sensa8 is not so bad
-
Flow
*sense8
-
edhelas
Sense8 is great yeah :) Can't wait for S02
-
Flow
edhelas: So you say I shall start watching it?
-
MattJ
I don't get it, there are (at least?) two Matrix sequels... it was a trilogy
-
Zash
MattJ: No, I'm afraid that was all a fever induced nightmare you had.
-
mathieui
just submitted a cloudflare abuse report for xmppspam.space
-
mathieui
wondering if anything will come out of it
-
edhelas
Moar spam ?
-
mathieui
not more
-
Tobias
mathieui: I doubt they will
-
Tobias
wow...MIX is already 40% of the size of pubsub
-
SamWhited
ouch
-
Tobias
i wonder if one could make that more compact
-
Zash
cut up pubsub into pieces, each smaller than MIX?
-
Tobias
probably
-
SamWhited
I suspect MIX and Pubsub could both be trimmed down. Surely they don't need all those features… (that last statement was only half joking)
-
ralphm
I have a physically chopped up XEP-0060 printout for quite a while now. I just haven't gotten to do all the editorial work to actually make it into separate XEPs.
-
Tobias
yeah..but with MIX you start fresh...you could already try to not bloat it up from the get go
-
goffi
MattJ: https://www.xkcd.com/566/
-
mathieui
I may have to hold edhelas back if the speaker reads some more moxie
-
Zash
What's the thing?
-
Zash
Will it be video'd?
-
mathieui
nah
-
mathieui
it’s https://events.ccc.de/congress/2016/wiki/Session:Are_decentralized_services_unable_to_innovate%3F
-
mathieui
Hanno has good points (that we already know), but some stuff is factually wrong though
-
Zash
Hanno whose name I recognize from lists like oss-sec?
-
mathieui
yeah
-
SamWhited
That should be good; wish I were there for that.
-
mathieui
like, he’s the one who found a nice series of PHP CVEs "reading random code on the train on the way to 33C3"
-
daniel
Who cares about facts though
-
mathieui
(or raised the "gajim OTR leaks plaintext" CVE)
-
Zash
Tell them "Tradeoffs" and "Meh" from me.
-
SamWhited
The description sounds pretty bang on; I'd be curious to know what he gets right/wrong in the actual talk.
-
daniel
mathieui: did he?
-
mathieui
daniel, "raised", after it was fixed
-
daniel
I was under the impression that this was lovetox
-
daniel
Who found the bug
-
Zash
raised as in, so it got a CVE number?
-
mathieui
yeah
-
mathieui
so he still is kind of up-to-date and knowledgeable, I mean
-
daniel
Should have brought some straw for all the men he is building
-
mathieui
:D
-
SamWhited
Oh joy, another one of those; *sigh* I keep hoping someone will have an actual talk about this.
-
xnyhps
Haha
-
Link Mauve
Zash, https://www.zash.se/xmpp-features.html is now zero bytes.
-
Zash
Link Mauve: now then
-
Link Mauve
Zash, thanks.
-
Link Mauve
Oh, I didn’t contribute the server part of 0375?
-
daniel
I like how his rhetorical question bombed completely. 'who here ever received xmpp spam?' almost nobody raises hand. 'who here ever used xmpp video chat?' lots of people raise hand
-
mathieui
well, if he asked if people were using video chat often, it might have been a different answer
-
Link Mauve
:)
-
daniel
mathieui: :-)
-
Link Mauve
I actually use Jitsi Meet as my sole personal video chat client.
-
edhelas
mathieui, I'll call you after the conference to talk about it ;)
-
mathieui
sure
-
mathieui
I used XMPP video chat, 5 years ago, twice
-
Link Mauve
I helped ThibG test his implementation in Gajim 0.14, twice.
-
Zash
Didn't we use Jitsi meet at some recent summit?
-
SamWhited
We used it at the Austin one (it worked very well, if I do say so myself)
-
Zash
Link Mauve: That sounds like a thing I might have done as well.
-
mathieui
so if I hear correctly one guy just suggested we should contribute to signal instead of writing XEPs
-
Zash
What's the point when I can't run my own server?
-
edhelas
incoming XEP-xxxx : Signal over XMPP
-
xnyhps
Zash: You can, but you're on there alone.
-
SamWhited
I wonder why we should contribute to signal instead of signal contributing to us… or why signal over <insert other favorite messaging app here>
-
SamWhited
Or why these two things are even related at all
-
mathieui
SamWhited, it has to mostly open-source
-
Zash
Isn't that basically OMEMO?
-
mathieui
SamWhited, although, I kind of agree that people complaining that signal uses GCM should just finish the pull request adding websocket support
-
mathieui
but I personally don’t care obviously
-
SamWhited
I don't care about any of that; I was just pointing out that the argument could go either way
-
Zash
No, everyone should go invent yet another messaging thing from scratch for no reason!
-
mathieui
Zash, innovate!
-
Link Mauve
Zash, disrupt!
-
waqas
Zash: The big issue here is a lack of JSON. XEP-0295 has been out for years, yet implementations are scarce.
-
Zash
Try adding more JSON?
-
Tobias
Nobody was ever fired for using JSON
-
SamWhited
Were there any good points in the talk? We can mock, but this is an actual problem and it would be nice to solve some of XMPP's random incompatibilities.
-
SamWhited
This is why I still think we need to deprecate privacy lists, and XHTML-IM, and Message Archiving, etc. even if no full replacement exists yet. It just leads to confusion, a fragmented ecosystem, and talks like this.
-
Zash
Yes, a summary would be neat to hear before I run out of Futurama episodes to watch instead of going to sleep.
- waqas agrees with SamWhited about it being an actual problem to be discussed and solved
-
Zash
XHTML-IM is bad now?
-
SamWhited
I certainly think so; nothing that supports it renders anything the same as anything else that supports it, and I have yet to find a web client that supports it which I couldn't script inject.
-
SamWhited
Even if you only look at a single client and don't care if things render exactly the same between clients, you can pretty much always break that particular client's UI with it (by introducing images or huge text or whatever)
-
SamWhited
I don't know if that was one of the specific complaints people had; I was just trying to think of examples of things that I think break XMPP clients' UX
-
Zash
Not that I personally would miss it, but I would care more for semantics than exact rendering.
-
Zash
Also, you should try to find the giant stick labeled 'Is the new MAM revision done yet?' and poke MattJ with it.
-
Zash
And whatever happened with Carbons?
-
Zash
Wasn't it supposed to be Draft-ified or updated or something?
-
SamWhited
The Carbons last-call kind of died out; I should bring that back up again.
-
SamWhited
I don't remember why; I'm sure there was some update that needed doing.
-
mathieui
SamWhited, all in all it was a pretty balanced talk
-
mathieui
slides will be online
- SamWhited refreshes the page a bunch :)
-
Zash
SamWhited: Tell me when to refresh the page so I can refresh the page.
-
SamWhited
Zash: wilco
-
Tobias
SamWhited, will write some mail to standards/members ML...the manifesto is nice, but is outdated for nowadays security standards
-
SamWhited
Zash: refresh the page
-
Tobias
compliance suites are nice, but the latest one doesn't include E2E security (OMEMO wasn't a XEP yet then)
-
SamWhited
(the website is the slides, I just discovered)
-
SamWhited
Ooh yah, we should definitely add it now that it is.
-
Zash
Hold on, I closed the page, let me just scroll up and find the link again so I can open it and refresh it.
-
Zash
Oh neat, only 22 hits for "Signal" in the slides
-
SamWhited
It seems to me that his core premise is that all messages should be e2e encrypted all the time and that there should be no plaintext fallback, but I disagree with that as a valid assumption. His foundation feels a bit shaky.
-
Tobias
SamWhited, we should have the client list on xmpp.org sorted by support of compliance suite features...similar to that page from daniel where he shows what service supports which XEPs
-
mathieui
SamWhited, I agree with you, but I see his point
-
mathieui
I mean, ideally you should choose your admin, but ideally you should still not be 100% hoping on his goodwill
-
Tobias
SamWhited, and modernize that manifesto for requiring TLS 1.2 support, cleaning up inconsistencies, etc.
-
Zash
Ideally you should choose an admin within range of a tactical ballistic stones throw.
-
moparisthebest
But you can have that now with omemo, hell you could have it 10? Years ago with pgp xep27
-
SamWhited
I do agree with his assertion that having OMEMO and new-PGP is poor and not well justified; we should fix that too.
-
moparisthebest
Different use cases SamWhited
-
moparisthebest
Omemo forces forward secrecy, sometimes you don't want that
-
SamWhited
I don't disagree with that, but I don't think it's a good enough reason to have two separate crypto protocols.
-
Tobias
moparisthebest, it only forces it as implementation detail, doesn't it?...if you never delete your keys, you won't have FS, not?
-
SamWhited
His very next slide says "Is it good to idealize choice and sacrifice interoperability and security?" and I think the answer is no; we should only support OMEMO even if it means the no-FS use case isn't covered.
-
SamWhited
(in my mind)
-
moparisthebest
So I use xep27 for notifications from my servers, cronjobs and such I used to use email for
-
Tobias
right..but in the end it's protocol choice
-
moparisthebest
I'm not clear I could use omemo for that
-
Tobias
if the new PGP XEP won't be part of the compliance suite, but omemo will, client devs have less incentive to implement it
-
moparisthebest
At least without keeping my keys too long etc
-
Tobias
moparisthebest, i'm sure omemo could also be used by notification bots
-
SamWhited
If it's a notification from your server isn't it already end-to-end encrypted (from the server to you) by virtue of using TLS?
-
moparisthebest
Tobias: well it connects, send the message and then disconnects
-
SamWhited
oh, not from your XMPP server, just "from my servers"; nevermind.
-
moparisthebest
SamWhited: yes, but why not pgp also? :-)
-
Tobias
right..but as long as it fetches the correct prekeys from the recipient via PEP
-
SamWhited
moparisthebest: because you've just increased your attack surface drastically and your reasoning is "why not"
-
mathieui
SamWhited, we usually refer to TLS as point-to-point, obviously
-
Tobias
daniel, there's nothing preventing a script from connecting, sending an omemo message, and disconnecting, right?
-
Zash
That Prosody bug possibly.
-
moparisthebest
SamWhited: I think it reduces attack surface, like if a tls bug happens, I'm fine
-
SamWhited
Adding more things with the argument "why not" is *never* an okay way to engineer anything. Redundancy can be good, but it generally needs justification. In this case you're just introducing more dependencies to a system that's complex already (more dependencies that can have their own vulnerabilities and issues which I could potentially attack).
-
moparisthebest
Then take out tls altogether
-
Tobias
SamWhited, true
-
moparisthebest
After all these messages don't matter
-
SamWhited
In this case I'd argue that adding more stuff is at best pointless, and at worst dangerous.
-
Tobias
i hope the MIX step has nothing redundant in it...i'll have to read it :)
-
moparisthebest
They are like, just renewed a cert
-
SamWhited
Those slides were pretty excellent; now I'm even more sad I wasn't there. Thanks for the link!
-
Tobias
what was daniel's webpage that shows what service supports which XEP?
-
SamWhited
Tobias: https://gultsch.de/compliance.html
-
Tobias
thx
-
SamWhited
Tobias: Added it; although pretty soon these will need to be updated to "2017 compliance suites": https://github.com/xsf/xeps/pull/335
-
Tobias
SamWhited, thx...currently proof reading my mail about the talk and will send it in a bit..looking forward to a healthy discussion and ideally rather soon actions
-
SamWhited
Tobias ++; I'm looking forward to that. I'll try to be productive and not just gripe :)
-
Tobias
sent..didn't know if jdev or standards would be better...so i sent it to both..but probably makes sense to continue the discussion on one of the lists
-
Holger
There's a version of Daniel's table ranked by greenness BTW: https://gultsch.de/compliance_ranked.html
-
Tobias
Holger, damn..wanted to link to that...thanks
-
SamWhited
Tobias: I added compliance suites/encryption to the council's agenda too. I think we should discuss it as a group, even though technically the PR doesn't need discussion.
-
SamWhited
Obviously I have views about what we should do, but I think it's important that we get this one right, so I'd like everyone's feedback before merging that PR.
-
Zash
SamWhited: I think Conversations does 377 actually
-
SamWhited
Zash: Does it? I've been meaning to add it thinking it wasn't in there yet
-
SamWhited
I haven't been paying as much attention lately though, so I could have missed it quite easily
-
SamWhited
Oh hey, yup, there's a bunch of references that look about right in the source. Nifty.
-
Zash
Should be a checkbox or something when you block someone.
-
SamWhited
Maybe it doesn't show up because I have nothing to handle it on my server. I should add that plugin you made a while back.
-
Zash
The prosody module I wrote doesn't do anything besides loudly logging it yet tho.
-
Zash
And fires an event so you can write another module to do .. something .. sensible perhaps
-
SamWhited
Yah, not sure what I'd actually do with it yet. Maybe just collect stats for pretty graphs later.
-
Zash
Kinda tricky when we're doing Real Time(tm) things in that we might not know what the spammer/abuser sent because we already delivered and forgot all about it.
-
Zash
Otherwise we could do spam filter training
-
Ge0rG
Wow, all it takes to get people started about Easy XMPP is a 33c3 talk?
-
Zash
Started with what?
-
SamWhited
What's Easy XMPP?
-
mathieui
Ge0rG, yeah, I thought about that :D
-
mathieui
you need better marketing
-
mathieui
I mean, I had https://wiki.xmpp.org/web/Easy_Onboarding open even before hearing about that talk
-
Ge0rG
SamWhited, https://wiki.xmpp.org/web/Easy_Onboarding
-
Ge0rG
https://wiki.xmpp.org/web/Easy_XMPP has some more, but it's lacking group chats
-
Tobias
Ge0rG, there have been some XMPP devs interest in Easy XMPP before, Swift was started to provide an easier to use/better UX client in comparison to Psi.
-
Ge0rG
mathieui, I'm sure the term is right, we just need more attention from developers...
-
daniel
We need more developers
-
daniel
Developers. Developers. Developers.
-
Ge0rG
Or maybe we need a different front person. My style just isn't popular
-
Tobias
daniel, yeah..especially that
-
Tobias
daniel, if only half of the room were involved in XMPP client dev :P
-
Zash
Marketing marketing marketing
-
daniel
Framing
-
Ge0rG
Flaming?! I'm in!
-
Ge0rG
Could somebody please send a link to https://wiki.xmpp.org/web/Easy_Onboarding to the ML thread? I'm on my mobile device and only have half the thread available...
-
Zash
Hey MattJ