XSF Discussion - 2016-12-29

Tobias, what’s the talk that is going to say "federation doesn’t work" again?

mathieui, https://events.ccc.de/congress/2016/wiki/Session:Are_decentralized_services_unable_to_innovate%3F#_0043166f5c425145741cb5a178a7ac3c

oh ok, it’s not a in a big room

that will probably be fun

But https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines

:D

Looking forward to what hanno has to say

Flow, in what talk?

Tobias: the one you mentioned

Flow, ah..i thought you meant another talk

That was one of the only lectures/sessions relating to XMPP I found at the 33C3

Flow, yeah..there was a ton of matrix related stuff though

Tobias: a ton?

I've heard of one

daniel, 2-3 i think :)

anything interesting amongst that ton?

ah..misread one..so yeah..just one

the other was a different matrix

just like the matrix movies: good there is only one

erm, *movie

Good analogy Flow , matrix is like the matrix sequel to xmpp? :-)

which matrix sequel?

Imagine they made a sequel. That would probably have been pretty terrible

i've heard that sensa8 is not so bad

*sense8

Sense8 is great yeah :) Can't wait for S02

edhelas: So you say I shall start watching it?

I don't get it, there are (at least?) two Matrix sequels... it was a trilogy

MattJ: No, I'm afraid that was all a fever induced nightmare you had.

just submitted a cloudflare abuse report for xmppspam.space

wondering if anything will come out of it

Moar spam ?

not more

mathieui: I doubt they will

wow...MIX is already 40% of the size of pubsub ✏

ouch

i wonder if one could make that more compact

cut up pubsub into pieces, each smaller than MIX?

probably

I suspect MIX and Pubsub could both be trimmed down. Surely they don't need all those features… (that last statement was only half joking)

I have a physically chopped up XEP-0060 printout for quite a while now. I just haven't gotten to do all the editorial work to actually make it into separate XEPs.

yeah..but with MIX you start fresh...you could already try to not bloat it up from the get go

MattJ: https://www.xkcd.com/566/

I may have to hold edhelas back if the speaker reads some more moxie

What's the thing?

Will it be video'd?

nah

it’s https://events.ccc.de/congress/2016/wiki/Session:Are_decentralized_services_unable_to_innovate%3F

Hanno has good points (that we already know), but some stuff is factually wrong though

Hanno who's name I recognize from litsts like oss-sec?

yeah

That should be good; wish I were there for that.

like, he’s the one who found a nice series of PHP CVEs "reading random code on the train on the way to 33C3"

Who cares about facts though

(or raised the "gajim OTR leaks plaintext" CVE)

Tell them "Tradeoffs" and "Meh" from me.

The description sounds pretty bang on; I'd be curious to know what he gets right/wrong in the actual talk.

mathieui: did he?

daniel, "raised", after it was fixed

I was under the impression that this was lovetox

Who found the bug

raised as in, so it got a CVE number?

yeah

so he still is kind of up-to-date and knowledgeable, I mean

Should have brought some straw for all the men he is building

:D

Oh joy, another one of those; *sigh* I keep hoping someone will have an actual talk about this.

Haha

Zash, https://www.zash.se/xmpp-features.html is now zero bytes.

Link Mauve: now then

Zash, thanks.

Oh, I didn’t contribute the server part of 0375?

I like how his rhetorical question bomb completely. 'who here ever received xmpp spam?' almost nobody raises hand. 'who here ever used xmpp video chat?' lots of people raise hand

well, if he asked if people were using video chat often, it might have been a different answer

:)

mathieui: :-)

I actually use Jitsi Meet as my sole personal video chat client.

mathieui, I'll call you after the conference to talk about it ;)

sure

I used XMPP video chat, 5 years ago, twice

I helped ThibG test his implementation in Gajim 0.14, twice.

Didn't we use Jitsi meet at some recent summit?

We used it at the Austin one (it worked very well, if I do say so myself)

Link Mauve: That sounds like thing I might have done as well.

so if I hear correctly one guy just suggested we should contribute to signal instead of writing XEPs

What's the point when I can't run my own server?

incoming XEP-xxxx : Signal over XMPP

Zash: You can, but you're on there alone.

I wonder why we should contribute to signal instead of signal contributing to us… or why signal over <insert other favorite messaging app here>

Or why these two things are even related at all

SamWhited, it has to mostly open-source

Isn't that basically OMEMO?

SamWhited, although, I kind of agree that people complaining that signal uses GCM should just finish the pull request adding websocket support

but I personnally don’t care obviously

I don't care about any of that; I was just pointing out that the argument could go either way

No, everyone should go invent yet another messaging thing from scratch for no reason!

Zash, innovate!

Zash, disrupt!

Zash: The big issue here is a lack of JSON. XEP-0295 has been out for years, yet implementations are scarce.

Try adding more JSON?

Nobody was ever fired for using JSON

Were there any good points in the talk? We can mock, but this is an actual problem and it would be nice to solve some of XMPP's random incompatibilities.

This is why I still think we need to deprecate privacy lists, and XHTML-IM, and Message Archiving, etc. even if no full replacement exists yet. It just leads to confusion, a fragmented ecosystem, and talks like this.

Yes, a summary would be neat to hear before I run out of Futurama episodes to watch instead of going to sleep.

XHTML-IM is bad now?

I certainly think so; nothing that supports it renders anything the same as anything else that supports it, and I have yet to find a web client that supports it which I couldn't script inject.

Even if you only look at a single client and don't care if things render exactly the same between clients, you can pretty much always break that particular clients UI with it (by introducing images or huge text or whatever)

I don't know if that was one of the specific complaints people had; I was just trying to think of examples of things that I think break XMPP clients UX

Not that I personally would miss it, but I would care more for semantics than exact rendering.

Also, you should try to find the giant stick labeled 'Is the new MAM revision done yet?' and poke MattJ with it.

And whatever happened with Carbons?

Wasn't it supposed to be Draft-ified or updated or something?

The Carbons last-call kind of died out; I should bring that back up again.

I don't remember why; I'm sure there was some update that needed doing.

SamWhited, all in all it was a pretty balanced talk

slides will be online

SamWhited: Tell me when to refresh the page so I can refresh the page.

Zash: wilco

SamWhited, will write some mail to standards/members ML...the manifesto as nice, but is outdated for nowaday security standards

Zash: refresh the page

compliance suites are nice, but the latest one doesn't include E2E security (OMEMO wasn't a XEP yet then)

(the website is the slides, I just discovered)

Ooh yah, we should definitely add it now that it is.

Hold on, I closed the page, let me just scroll up and find the link again so I can open it and refresh it.

Oh neat, only 22 hits for "Signal" in the slides

It seems to me that his core premise is that all messages should be e2e encrypted all the time and that there should be no plaintext fallback, but I disagree with that as a valid assumption. His foundation feels a bit shakey.

SamWhited, we should have the client list on xmpp.org sorted by support of compliance suite features...simular to that page from daniel where he shows what service support which XEPs

SamWhited, I agree with you, but I see his point

I mean, ideally you should choose your admin, but ideally you should still not be 100% hoping on his goodwill

SamWhited, and modernize that manifesto for requiring TLS 1.2 support, cleaning up inconsistencies, etc.

Ideally you should choose an admin within range of a tactical ballistic stones throw.

But you can have that now with omemo, hell you could have it 10? Years ago with pgp xep27

I do agree with his assertion that having OMEMO and new-PGP is poor and not well justified; we should fix that too.

Different use cases SamWhited

Omemo forces forward secrecy, sometimes you don't want that

I don't disagree with that, but I don't think it's a good enough reason to have two separate crypto protocols.

moparisthebest, it only forces it as implementation detail, doesn't it?...if you never delete your keys, you won't have FS, not?

His very next slide says "Is it good to idealize choice and sacrifice interoperability and security?" and I think the answer is no; we should only support OMEMO even if it means the no-FS use case isn't covered.

(in my mind)

So I use xep27 for notifications from my servers, cronjobs and such I used to use email for

right..but in the end it's protocol choice

I'm not clear I could use omemo for that

if hte new PGP XEP won't be part of the compliance suite, but omemo will, client devs have less incentive to implement it

At least without keeping my keys too long etc

moparisthebest, i'm sure omemo could also be used by notification bots

If it's a notification from your server isn't it already end-to-end encrypted (from the server to you) by virtue of using TLS?

Tobias: well it connects, send the message and then disconnects

oh, not from your XMPP server, just "from my servers"; nevermind.

SamWhited: yes, but why not pgp also? :-)

right..but as long as it fetches the correct prekeys from the receipient via PEP

moparisthebest: because you've just increased your attack surface drastically and your reasoning is "why not"

SamWhited, we usually refer to TLS as point-to-point, obviously

daniel, there's nothing preventing a script from connecting, sending a omemo message, and disconnecting, right?

That Prosody bug possibly.

SamWhited: I think it reduces attack surface, like if a tls bug happens, I'm fine

Adding more things with the argument "why not" is *never* an okay way to engineer anything. Redundancy can be good, but it generally needs justification. In this case you're just introducing more dependencies to a system that's complex already (more dependencies that can have their own vulnerabilities and issues which I could potentially attack).

Then take out tls all together

SamWhited, true

After all these messages don't matter

In this case I'd argue that adding more stuff is at best pointless, and at worst dangerous.

i hope the MIX step has nothing redudant in it...i'll have to read it :)

They are like, just renewed a cert

Those slides were pretty excellent; now I'm even more sad I wasn't there. Thanks for the link!

what was daniel's webpage that shows what service supports which XEP?

Tobias: https://gultsch.de/compliance.html

thx

Tobias: Added it; although pretty soon these will need to be updated to "2017 compliance suites": https://github.com/xsf/xeps/pull/335

SamWhited, thx...currently proof reading my mail about the talk and will send it in a bit..looking forward to a healthy discussion and ideally rather soon actions

Tobias ++; I'm looking forward to that. I'll try to be productive and not just gripe :)

sent..didn't know if jdev or standards would be better...so i send it to both..but probably makes sense to continue the discussion on one of the lists

There's a version of Daniel's table ranked by greenness BTW: https://gultsch.de/compliance_ranked.html

Holger, damn..wanted to link to that...thanks

Tobias: I added compliance suites/encryption to the council's agenda too. I think we should discuss it as a group, even thoug technically the PR doesn't need discussion.

Obviously I have views about what we should do, but I think it's important that we get this one right, so I'd like everyones feedback before merging that PR.

SamWhited: I think Conversations does 377 actually

Zash: Does it? I've been meaning to add it thinking it wasn't in there yet

I haven't been paying as much attention lately though, so I could have missed it quite easily

Oh hey, yup, there's a bunch of references that look about right in the source. Nifty.

Should be a checkbox or something when you block someone.

Maybe it doesn't show up because I have nothing to handle it on my server. I should add that plugin you made a while back.

The prosody module I wrote doesn't do anything besides loudly logging it yet tho.

And fires an event so you can write another module to do .. something .. sensible perhaps

Yah, not sure what I'd actually do with it yet. Maybe just collect stats for pretty graphs later.

Kinda tricky when we're doing Real Time(tm) things in that we might not know what the spammer/abuser sent because we already delivered and forgot all about it.

Otherwise we could do spam filter training

Wow, all it takes to get people started about Easy XMPP is a 33c3 talk?

Started with what?

What's Easy XMPP?

Ge0rG, yeah, I thought about that :D

you need a better marketing

I mean, I had https://wiki.xmpp.org/web/Easy_Onboarding open even before hearing about that talk

SamWhited, https://wiki.xmpp.org/web/Easy_Onboarding

https://wiki.xmpp.org/web/Easy_XMPP has some more, but it's lacking group chats

Ge0rG, there have been some XMPP devs interest in Easy XMPP before, Swift was started to provide an easier to use/better UX client in comparison to Psi.

mathieui, I'm sure the term is right, we just need more attention from developers...

We need more developers

Developers. Developers. Developers.

Or maybe we need a different front person. My style just isn't popular

daniel, yeah..especially that

daniel, if only half of the room where involved in XMPP client dev :P

Marketing marketing marketing

Framing

Flaming?! I'm in!

Could somebody please send a link to https://wiki.xmpp.org/web/Easy_Onboarding to the ML thread? I'm on my mobile device and only have half the thread available...

Hey MattJ