XSF Discussion - 2017-01-18

Putting notes within notes does not seem vital

In the notes list, it would be ideal to sort XEPs in order, so you can quickly check if a given XEP is referenced

Holger: Is that you: https://wiki.diasporafoundation.org/User:Holger ?

Flow: Nope, that's someone else.

Hey, I'm checking python-omemo which use - if I'm not mistaken -, the old oloxotl based method for OMEMO: https://python-omemo.readthedocs.io/en/latest/xep-omemo.html

And I'm really surprised to see that the same namespace is used in current XEP: https://xmpp.org/extensions/xep-0384.html

Axoilotl-based OMEMO was never submitted; but the namespace should probably have been bumped anyway.

Sorry - was submitted, but rejected.

goffi: I think this is actually just the docs that refer to that namespace

The actual implementation uses siacs namespace

As it should if it's using the signal protocol

Someone just blindly copied the xep into the docs

daniel: ah ok, that's good then, because if we do an implementation in SàT it will be with the current method (olm), and that will be a big issue with gajim or other using python-omemo

I'll open a ticket

Blindly copying the examples? :)

Examples Considered Harmful

Zash, nobody does that!

"Considered Harmful" Considered Harmful

Moderated +1, It's True

daniel, you really should move forward with conversations to use the XEP namespace to get rid of the confusion. You'll need to support both anyway for the time being

Ge0rG: we can't just sed the namespace

There is no confusion. Siacs namespace means axolotl. Official namespace means olm

daniel, siacs namespace isn't documented in the XEP, but widely deployed. Now you have created a de-facto standard, which other developers are following.

Ge0rG, it's documented in the protoxep on the omemo website, not?

still, the current situation is suboptimal

daniel, it's not easy, but it is only going to get harder from here

we have a xep, which either no one is going to implement because it is not what conversations does, or if somebody implements it, he/she would find out that it doesn't work with conversations

what georg said

These things are messy.

Ge0rG, the thing is, there isn't a java lib for Olm yeta

Tobias, I can't imagine how that is not a de-facto standard.

Ge0rG: get me a Java implementation of olm and I can switch pretty quickly. I can also get the majority of the other clients to switch at roughly the same time. I'm in contact with all of them all their libraries are designed with modularity with a switch to olm already in mind

The olm/signal switch is extremly easy from an implementation standpoint

daniel, being a developer myself, I tend not to believe this claim

Is there still a reason to use OLM, now that Moxie put double ratchet into the public domain?

Flow: this is one of the things I'd like to figure out before I do the switch

Why not have OMEMO use https://whispersystems.org/docs/specifications/doubleratchet/ ?

Flow: that's what we are currently checking

If that's feasible

daniel: I hope we can sort this things out at the summit

daniel, you'll need to support both namespaces in order not to break older versions of the code. You can't just "flip the switch"

Ge0rG: hard switch and tell your user to update or gtfo

Someone say Flag Day? :)

I have absolutely no problem doing that

daniel, but your users will. You are going to alternate your core audience.

it would be nice to sort is out yes, if we do an implemention it will be XEP version regardless of existing implementations

Ge0rG: when did I ever care about my users

*alienate

daniel, I don't know. But I do care about the users of XMPP.

As long as the other clients are available they can simply upgrade

It's not like upgrading is hard

daniel: I hear you live in a world without long term support releases.

there's no problem for Conversations to support axolotl OMEMO and olm OMEMO for a year or so and then dropping the axolotl one...it already supports OMEMO and OTR in parallel

and GPG IIRC

Zash: if someone pays me to do lts I'll happily do that. For now very few people even pay to provide any support at all

ISTM if daniel is happy for a hard-upgrade, then given this is switching from a 'non-standard' to 'standard' version, that's actually a good thing.

Kev, so your position is standardization over UX? 😛

Dear summiteers. I just sent an e-mail to the summit@xmpp.org mailinglist about the Summit/FOSDEM hotel. Please read and act on it ASAP.

Do I have to sign up for the list again if I have been subscribed last year?

it's the same as last year

I assume nobody went and removed all subscriptions

Interesting. I should be subscribed to that list, but there's no mail come through.

Kev: that's what triggered me asking that question

Ge0rG: No. My position is that if daniel says that his users can and will trivially upgrade, along with other users of that namespace, I'm going to trust he knows what he's talking about.

daniel, Kev: maybe. But when I look at it from the user perspective, I see three issues: - how is user A supposed to figure out that he can't chat with B any more because of the upgrade? - how can A tell B to upgrade as well if they can't talk to each other? - who's going to delete the old pre-keys from PEP?

Ge0rG, disco?

mathieui, how is that going to solve any of the three? Maybe just a bit of #1.

Ge0rG: we can un-annouce the old devices. So messages won't just get discarded

It'll look like that contact doesn't have support for omemo

daniel, un-announce on upgrade? That might work. You could also add discovery for the new namespace already, and show a message to upgrade the client if it is encountered on a contract.

Ge0rG: see. No problem

daniel, see, you need to do advance planning!

daniel, and you need to convince all the others to do the same planning.

daniel, you can't just sed out the namespace on day X.

Ge0rG: convincing the others is not a problem. We are all besties

daniel, it's getting harder and harder with each non standard implementation.

Ge0rG: I'm not doubting that it gets relatively harder

I'm just saying...

Ge0rG: in any case there are a couple of things that have to happen first. Assess if a switch is still necessary with ows releasing specs

Write a olm java library

Fix bugs in olm

Maybe the OWS spec is something that should be discussed in Brussels.

I'm happy to discuss it if people have enough background information to make that assessment.

Note that this far I dont have that level of background information either

daniel, I think it would be awesome if you could prepare it then and add a discussion point to the agenda. Unfortunately I'm not going to attend.

Kev: so did the e-mail just come in delayed?

I had it on my other account. I thought both accounts were subbed, but presumably either I'm wrong, or it got spamtrapped at work.

“17:30:58 SamWhited> I wouldn't mind writing an XMPP implementation ontop of [tokio].”, oh nice, I’ll have a look, I remember wanting to try it before but it was very immature a few months ago (especially due to futures) so I went for mio instead.

“17:36:10 Zash> lua::lua_setfield(L, -2, CString::new("foo").unwrap());”, you are just using raw bindings that don’t have a higher-level wraper, it won’t provide you any better safety than writing plain C either, it’s not the level at which you want to be using Rust.

Link Mauve: I imagined that it'd be possible to do Safe™ things in Rust and have a relatively small area of unsafe code that moves stuff between that and the C / Lua world.

Which should be true, but then I reached my tolerance of telling a computer how to turn a string into a string.

> Welcome to our room, I'm going to add you to my roster, if you accept, please reply with Yes or 1 to accept, or you can reply with No or 0 if you don't want to. مـرحـبآ بك في رومنا , سأقوم بإضافتك, لو سمحت أجب بنعم او 1 ان كنت موافقآ, او لا او 0 ان كنت لا تريد اضافتي.

Whisper in jdev or somewhere

Zash, :)

That's a new one

SamWhited, from who?

discuss@, rather; if anyone here has a ban hammer…

A kind of thing highlighting the continued need for JID privacy in public rooms?

That wouldn't stop a pm would it?

SamWhited, a fix for the duplicated note numbers https://github.com/xsf/xeps/pull/374

"Avril Lavinge" if anyone has op rights there

Tobias: nice, thanks!

SamWhited: Makes it harder for whatever that was to actually add you to their roster and/or send direct spam.

Fair

It would be nice if clients would render PM's outside of the chat room context, IMO ;) Avoids a bit of confusion.

Agreed

I'm generally always confused by how Conversations handles this.

Still need to write that server module to limit PMs in the MUC itself.

It would also prevent a lot of "me sending private messages to the whole room by mistake"

SamWhited, and that :)

I only know of two clients doing that, imo you should report to their bugtracker.

It’s indeed a terrible UX.

that’s conversations and mcabber?

Yeah.

I talked to daniel about that before and it was a deliberate design decision

Yay trade offs

if I recall correctly, because it'd be confusing that people they were chatting with just disappeared and quit working etc

which is fair I guess

I also hate it, coding it up as an advanced option has been on my todo list for too long

The target audience (tm) is also discouraged to use PMs at all

They usually dont hang around anonymous conferences

Oh huh, the person sending that spam *is* an admin. Compromised account, maybe.

maybe they just want to make friends :-(

The nickname does seem familiar somehow

yea I have a feeling hardcore xmpp or irc users are the only ones bothered by that behavior daniel :) ✏

daniel: perhaps in your client, but that doesn't stop other clients from doing do.

intosi: yeah sure. I was just talking about the reasoning Conversations doesn't do it this way

Discouraging its use is fine (I know I rather receive normal chats instead), but rendering it such that it's easy to broadcast things meant to be said in private might not be the best choice for random users ;) They might also assume the thing was said in publiuc in the first place.

The incoming message, that is.

If a techie is confused about the whispers, imagine how non-techies would perceive it ;)

Mix to the rescue

daniel: how would you handle it differently for MIX?

ralphm: the private conversation doesn't randomly drop out and can be persistent over longer periods

sure

so would press-hold on a participant then bring you to another conversation?

ralphm: it can be a different conversation. How exactly you'd open one I haven't thought about yet

But in essence yes

Zash, Flow, and other participants of the XMPP Summit and/or FOSDEM, please join summit@muc.xmpp.org

A coworker just clicked my nickname in gajim's MUC window to chat to me. He was utterly confused when I tried to explain to him that this is not the same as a direct message. Oh the woes of XMPP

Normal people would be best served by MUC light.

Why did you try to explain that? He probably did so because he had a question, and an answer would've made him close the window again ;)

Also, I've recently fixed yaxim to put MUC PMs into separate windows, even though they lack presence info yet. It vastly improved the UX

im a bit confused by something; why is MIX split into two services with the special proxy service?

Because some things can only happen on your own server.

Arc: Will talk about this at the summit. Need to make this clearer. MIX has requirements on the User's server, and these requirements are currently reference as MIX Proxy

The 'special proxy service' is bad terminology for 'things your server does'.

Arc, it requires support from your server, and the MIX proxy is the part of your server that implements this support

I'm still in favor of "MIX agent"

MIX Master?

dwd, nice sound but technically misleading

Well, it has to be MIX something or else Steve Kille won't write the spec. See RFC 2156.

MIX Connector, or MC for short.

MIX Blender

or MIX Bender (futurama style)

dwd, that problem can be solved. I remember you offered to kill people who come to Brussels... :P

Tobias, +1

Bite my shiny mixing affiliation.

Why not just as short as possible? "mixer" or "MIXer"

MIXing Server

MIX Inclusion eXtension

hmm

ok

it doesnt sit quite right, does it? requiring special server support for a remote service?

I believe it started as "what if the server kept track of your pubsub subscriptions?" combined with "what if muc was pubsub based?"

Currently, pubsub state is between a client (resource) and the pubsub service. Moving the tracking into the account (on the server) enables magic.

maybe the MIX XEP should make that explicit, so that we don't have someone stubling about that fact every month

Having not kept up with MIX, I'm not sure how much magic is expected of the server now.

*explicit in the introduction

meeting time

and starting today, I'm FREE!

Google Code-in is officially over. all student work submitted, all reviews complete, only thing left is choosing grand prize winners and the awards ceremony sometime this spring

ralphm: nyco:

Arc, congratulations

hey

I'm here

https://wiki.xmpp.org/web/Joshua_Pan_Application_2017 is a great result from google code-in

start in 40 s

hey Arc, can/should we write a blog post about XMPP-related work on Google Code-In?

Zash: if you want to follow up with one of the students, that's the big one

intosi: but will it MIX?

nyco: we could? im not huge into press release style posts tho

1. Welcome + Agenda

Arc, rather tech content?

Martin: you here?

Who do we have today?

Welcome ;-)

Here

MattJ?

Here

(despite your presence)

Good. Any agenda items, besides Summit/FOSDEM?

Agenda: all for the summit?

I added 2 to the board

IMHO we should focus on Brussels

ah ok

2. Minute taker

dwd around?

I'm not going to be around the entire time, but I'll get to minutes.

ok

3. Summit / FOSDEM

Thank you ralph for getting the hotel stuff together

As you might have seen, I've got the quote from Thon Hotel, and sent out some details on the Summit ML

thx

(apologies, I'm here, but on a train, so my connection is ropey)

I still need to sign the document, and dwd suggested we could simply put in the bank details to cover their requirement for non-paying individuals

If that's ok with y'all

thats ok so long as everyone in the block is known and reliable

aye, that's also why I put up the Google Docs form

and there's a clear understanding that the XSF will hold people responsible for paying anything charged to the XSF on their behalf

which I think you've covered.

Hence the phrasing on the Google Docs form, indeed.

It has a checkbox stating 'I understand that I will be personally responsible for the payment to Thon Hotel EU and will be required to make good any expense incurred by the XMPP Standards Foundation in relation to my stay.̈́

quick question - why is wednesday twice the price for weekend nights?

arc, Because Hotels.

I'm assuming that's also because of EU

It's always been like this at Aloft, too

They had few rooms available on that date.

thats bizarre, but moving on.

yeah

payments to the hotel okay, but why to the XSF?

unfortunetly there's not a lot of other options; the eariest eurostar from london (for example) arrives after 10am, over 30 minutes from summit

So, other than that, I got word that Chris Deering won't be at the Summit, and neither will M&M, but Chris is in talks with Jerome Poisson on the summit venue

tobias: you don't pay the XSF for the hotel, this is just to make sure that if you don't pay the hotel, we will need to cover it and come haunt you

ralphm, ahh

To be clear, the venue being Cisco Diegem

I trust we can work that out again

In case Cisco doesn't work out, maybe it's worth inquiring if the hotel has a conference room we can use?

We'll squat all of the Poechenellekelder if not .

is that not locked down yet?

it does, dwd said it was expensive

Arc: please don't worry so much

Ah weird, I'd assume it would be free to people bringing in a big group paying them tons of money

The XSF can, if needs be, afford the hotel's conference room.

SamWhited: that's not how bistromath works.

SamWhited, That's a US thing. EU hotels don't operate in that way.

Huh, interesting.

dwd: yeah

I thought that was the point of conference rooms in hotels, to attract big groups :)

SamWhited: well, in the case of hotels in the EU district in Brussels, there appear to be plenty of venues offered by the EU

Moving on

SamWhited: and in the US, wednesdays are usually the cheapest day.

Other thing on the list is the XSF dinner. We just need to contact the same old restaurant and setup a new Google Form afterwards

what restaurant is it?

dwd: let's get that check list done today

http://www.aubergebretonne.be/

We've been going there for years. Good venue.

ralphm, Yes. Mea culpa and all that.

That brings me to the next point, sponsors

we need to chase those. Who wants to take that on

?

if needed dwd can help with tips

i have a bad feeling that im going to lose so much weight on this trip lol

arc, You'll lose many negative pounds.

dwd :-)

dwd: you might. lol

not seeing any volunteers

:-(

come on guys, I can't do it all

I'll volunteer, if someone gives me pointers

ralphm, This is for Dinner etc?

yeah

Not convinced I'm the best person for the job, but hey :)

last year we had Dinner and Lunch sponsors, as well as Cisco for the Summit venue

I'll give MattJ some tips.

MattJ: You can arrange for all vegan and cheese free dinner for everyone

MattJ: you'll be fine, just don't get lost in the woods

I won't be there :)

ralphm, That's how lost he'll be.

Zash: I don't think its possible, looking at this one restaurant's menu. even the fish has dairy on it

Arc, Vegan isn't really a thing in Belgium. Vegetarian isn't much of a thing either.

Arc: I'm sure they can do specials, we've always had a veggie option, too

dwd: yes I'm getting that impression.

ralphm: vegan is probably more complex for them.

I'm vegan plus fish and eggs. strong dairy allergy.

intosi: hm. I'll ask them anyway

(or whoever calls them)

Arc, Ah... Yes, you may have some problems.

Arc, You can always live off beer. It's practically a meal in itself there.

things like butter can lead to a hospital visit, you can understand hesitation eating in non-english countries

I'm sure native speakers can help out at the Auberge here.

I ate exactly two meals in paris over 4 days.

Arc, it's fine, once the infamous "ribs place" made up a vegetarian dish for me

Consisting 100% of tomatoes

MattJ: the plate full of tomatoes?

Yeah, I'm sure people in Paris think you're from another planet

That's the one

MattJ: tomatos are great for electrolites lol

I think there was some parsley on the top

anyway we can discuss that on summit@

What has the typical cost of the dinner been? i.e., what's the baseline funding goal?

I'd have to check previous years' figures.

meanwhile, let's spend the last 5 minutes on Marketing

I relatedly asked if my company could provide a projector, and I think that's shouldn't be a problem

I asked if Surevine could, and nobody seemed to know where the projector was, so that's good to hear

We do need to get things printed soonish

Martin: the more the better

Martin, :)

ralphm: yes, do you have quotes on that?

ralphm: OK, I'll chase

ralphm: full color front and back A4

Arc: I'll get you a quote on that.

anything else specifically?

well you mentioned a banner

I'm focusing my attention on flyers, which i should have a pdf by friday

Arc: right. Roll op banners are around €35

(going from, of course you can get more expensive)

I've also eyed this: https://www.dvc.nl/beurs-presentatie/beurs-en-wanden

ralphm: want me to do layout for the banner too?

The soft image wand (wall), for example

and https://www.dvc.nl/beurs-presentatie/balies

Arc: yes please

ok get me DPI and size. my schedule is pretty open this week

time's up

I added tshirts for decision

anything else?

Arc: I'm +1 on them, we just need to get a nice design

no problem. full color on one side, one color on the other?

are we doing free shirts for summit participants (they'll cost under $20/ea I expect) or taking online orders to pay for them?

Martin, nyco?

not sure

Arc: I don't know

I would pay for it

it'd cost under $400 to print them. the issue here is the price goes up in smaller quantity

assuming similar pricing US to EU, good tshirt material around $8, and around $15 setup per screen, plus a nominal amount per shirt to print. but the screens are the key there

does different sizes affect that?

not typically, until you get to XXL or higher

with full color on one side (for xmpp logo) it'll cost $75-$100 USD for setup and printing regardless of quantity

I have no idea on this

I'm going to close this meeting, but we can chat some more afterwards

Would it be possible to get summit-neutral t shirts for non-participants?

Arc: thanks for the PyCon thing

ok, I need to go, sorry... I've not been useful :'(

Ge0rG: the idea this time around is participant-only shirts, if I remember correctly.

so being conservative it'll cost under $400 for qty 36.

4. Date of Next

+1W

5. Close

Thanks all

thx

Thanks ralphm

By the way, I think we'll skip Feb 1.

what, no in-person board meeting?

Not on Feb 1

I'll still be in Veldhoven

But I'm all up for the in-person board drink

(on one of the other nights)

ralphm: i'm suggesting we use up to $400 of the $1500 for promo material budget for tshirts

right

so, you ended the meeting a bit abruptly there. are we making those decisions on the list?

Arc: well, yeah, because it's been mostly a conversation between us two. I think that's a reasonable course of action

I am curious about how to find proper shirt material

the printer will have options.

Most of my shirts are American Apparel, but I'm not sure if you can get those here

'MIX Proxy' should be renamed 'MIX User Connector', or MUC for short, that'll fix all the confusion surely

a third of my closet are tshirts ive designed or run the orders on, mostly rugby shirts

I know good vendors for flags and for paper printing, but not so much for clothes

Guus, intosi, any idea?

would amsterdam be easy for you to pick up from ralphm?

I can ask the rugby team in amsterdam, all rugby teams make shirts like crazy

btw ralphm you've got an invite to Bingham Cup 2018 in Amsterdam ;-)

I'm in A'dam three days a week

But I'd guess that all printers would do cheap shipping

.nl is small

Hah.

i asked the amsterdam lowlanders

"I'm in A'dam three days a week" this is a surprising coming out.

Ge0rG: especially when replying to an invite to a gay rugby tournament lol

Yeah, I found it hard to admit, too.

largest rugby tournament in the world, pretty big deal.

https://www.youtube.com/watch?v=ulSPA_Enh2A was Sydney 3 years ago.

Some one mentioned me?

Clothing vendors, no idea

Has anybody ever considered that JIDs reflected by a MUC or MIX are not trustworthy, as the component could fake everything?

thats an interesting point

currently tho you can confirm their server at least if they use http upload to send a photo

http://xmpp.org/extensions/xep-0045.html#invite-mediated writes "The <room@service> itself MUST then add a 'from' address to the <invite/> element whose value is the bare JID, full JID, or occupant JID of the inviter" which all have interesting security implications

ive retreated to my safe EXI level work, theres just too many privacy exploits to close them all

besides, many of those problems *we* can't solve.

i think i found the bottom of the rabbit hole, and it puts everything else in perspective

all I need to do to uncover your IP address is send you a custom link to a server I manage.

Arc: and make me click it

thats easy. i just have to provoke you with an emotional discussion and make it look like a url shortener service

I started running this as a proof of concept on alt-right forums, im getting over 50% click-through rate

it works most reliably with DMs

usually after forum visibility posts

Arc: I hope you aren't doing unethical things with the IP data

not unless profiting from humans being terrible to each other is unethical

Arc: in not sure. "profiting" can be anything or nothing

I'm

i got the idea when I first noticed this problem a few weeks ago at the same time a transwoman friend was being harassed online to the point of closing her facebook account. using this method we were able to uncover that they were using RCN from the DC area, meaning its likely someone she knows

but we lacked data.

so I identified other places online where this person might be posting, and started running automated agents there to see if we could find a match. we haven't yet.

if we could ever link the person to a real identity, they would face criminal charges for repeatedly threatening to kill her

the latest is after she left facebook, her harrasser created a spoof profile with her name and started sending friend requests to people she knows. its been pretty scary

Arc: interesting op-sec finding

(RCN?)

RCN is a cable company. unfortunetly RCN doesnt have ipv6

Does somebody have a deep link to the summits mailing list sign-up page / archive. (basically to the mailman page). I'm on mobile with horrible Internet and googleing that is a pain

https://mail.jabber.org/mailman/listinfo/summit

anyway im considering turning it into a business. the data archived exclusively from "biggot sites" that trolls tend to use frequently. advertisers are already using your IP address to track you

Arc: such a business would be illegal wir where I live

when is the next board meeting?

Ge0rG: thats entirely possible.

Ge0rG: Jan 25.

we are skipping Feb 1

ah, today was one?

yes, and we really only got through one item. its unlikely we'll be able to touch non-summit next week either

the big one we need to attack now is GSoC. if XSF is going to put in a decent application this year we need someone to step up, I'm happy to serve as backup admin (I've been a GSoC mentor every year since 2005), and need to start getting the ideas page going like yesterday

Board should probably have a say in the desirability of something like, which is why I was asking: https://github.com/xsf/xmpp.org/pull/246

ah, GSoC, good thought. Not sure if I can commit to put in effort there though. I can try to coordinate with IgniteRealtime projects, if that'd be helpful

Ge0rG: just curious, what part specifically would be illegal where you are? the recording of IP addresses? sending bots to engage in social sites? allowing paid subscribers to use our data to narrow down who their harassers are?

Guus: well GCI just ended, which means GSoC is starting.

please note, and this is very important, if XSF isnt accepted there are other projects that will umbrella

we can, Python may, even Apache

GSOC, yes please :)

the difference is who gets the money. umbrellas usually keep most or all of the per-student funds

so does the XSF ;)

Guus: thank you

Arc, I don't think we do it for the monety.

dwd: no, but it helps

helps how?

I'm not sure if I want mentors who wouldn't mentor if there was no money

we had Wesnoth under us as an umbrella a few years ago, they threw a nuclear hissy fit over the org payment from google even when they were a very small part of the overall org

Arc: recording of addresses is borderline, selling them without user consent illegal

Ge0rG: would love to see that law, because advertisers do this all the time.

Ge0rG, Germany's a little over-inclusive about what they treat as PII, mind.

Arc: Germa...what Dave said.

ah, gotcha.

well if i do this i plan to incorporate as an LLC in nevada anyway

dwd: it's good to err on the safe side

Arc, You could probably have a query service over whether a particular user visiting a site may frequent alt-right groups. Having a flat out IP blacklist might be problematic.

dwd: not a blacklist. we're not blocking anyone, just attempting to link up what they've said on different sites to identify who they are

once we get into facebook it might become very easy.

Arc, If you do it via advertising - or via a mechanism that's substantially similar - you're perfectly fine.

Arc, Depending on what "identify" might mean here.

the IP address is easy. the question is who's posting hate from that IP address.

On another note - pubsub events and retracts - type='headline' a sensible default?

so the MIX "proxy" isnt MIX-specific, its your own server tracking pubsub subscriptions

It *is* MIX specific, because MIX does a special type of pubsub.

And because the proxy also filters / redirects messages and possibly presence

could it be mare more generic, tracking pubsub subscriptions would be a nice feature

Yes, that's PAM.

Arc, See PAM.

But PAM wasn't specced out sufficiently when MIX was being done to use PAM.

Arc, And that does need work, but I think I've got a reasonable spec for the actual tracking bit.

So what's needed is specced out in MIX more explicitly, with the understanding it may well be rephrased in terms of PAM when PAM is more fully baked.

ok

Kev: why haven't we progressed PAM then?

clearly i have a lot of reading to do

easier to retreat back to EXI and let the rest wash over for now

Arc: Sure. We're basically building XMPP2 at this point.

Ge0rG, Cycles. I'm always blocked when thinking how PEP ought to work with PAM.

that is long since overdue

We're just doing it in a way that still works on top of 6120/6121 and allows interop with XMPP1.

TLS mandatory, EXI detection mandatory, SASL mandatory, fully framed and no restarts

Which is obviously a good thing, but makes it hard to break the mindset of 'well, why should entity X have to support Y in order for entity Z to ...', when the answer is 'because this is how the new world needs to work'.

XMPP2 you say? Is that why bind2 is called as it is? I found the name rather uncreative

Let's duplicate all xeps and add a 2.0 to the name

daniel: Resource binding 1 not being a XEP, of course ;)

daniel: just bump the steam namespace version

And replace XML with http2

And I'm out again.

and then replace http2 with telnet

hmm, yesterday gave a +1 for removing the ability of the client to suggest a resource, and today I look at stanza traces of integration tests I wrote which use that feature to make it clear which role the involved full JIDs perform in the test.

Yes, custum resource names can be really convenient during debugging.

exactly, so I'm not sure if we should get rid of them on protocol level again

(and that, of course, includes bind2)

it's just one indirection more

tobias: hmm?

instead of looking at the localpart?

in your logs, just find the resource you interested in and then look at all debugs things related to it

you just skip the "find the resource you're interested in"

tobias: in case of integration tests, i'm interested in multiple resources

of course, I could highlight them in different colors

Debugging is a good usecase. Maybe the only one. Not sure if this justifies keeping them

sure..but you can just have them handle them being dynamic, not?

and then try to remember somehow that blue is the address doing to the read out from the red resource

if you have asserts that are resource dependent, just do a lookup for the resource after you log in, and use the resource in the asserts of your integration tests

tobias: ahh i'm not sure if we talk about the same thing

i'm neither

Right now I've a stanza trace in front of me, which involves three different entities

what's the integration test you have that requires static hardcoded resources?

which somehow interact with each other

tobias: it does not *require* it

it makes the trace much easier to read

so, highlight them differently based on resoruce

*resource

i may not always have emacs in front of me

i.e. I could have an editor in front of me which doesn't have this feature

like google docs

which is actually the case right now

google docs can colour text

ahh ok, didn't knew

let's see

but the point still stands

tobias: can color text, or can color search results in different colors?

i don't know...i rarely use google docs

it's useful for debugging, but it's hard to use that as a strong motivation to keep the feature, imho

i do the same thing with my resources in tests

and you can still use static resources, just not when doing login using bind2

If the only motiviation for removing it is that it makes clustering easier, then I tend to say "keep it", because it's already possible to generate the resources on the local cluster node with the current RFC

+1 for keeping client generated resources.

it removes a round trip when you don't have to negotiate resources

tobias: right, but what if bind2 becomes XMPP 2.0?

My motivation is debugging as well, and really, we shouldn't make server operator lives even more complicated

honestly, not sure if i care about that, either, but there you go

bjc: no it does not

it could be streamlined

no? i haven't read bind2 yet

it's the XEP with no external references :p

There is no extra round-trip. The client politely asks, the server either approves or reassigns

it's a round trip if you have to ask, as opposed to just being assigned one

Besides, we need some way to tell the server to kill the stale session anyway on a reconnect

I sometimes wish the bind element would be more explicit about the "politely asks" aspect

Ge0rG, why do we need that?

The only party which has an advantage by removing the old stale session is the server, no?

Flow: because I just killed and restarted my client, and I want to replace the previous session

because? I mean with carbons and such?

what flow said

hmm, probably stale presence, not sure

Ge0rG: the kill stale sessions can be done differently

It doesn't require custom resources

true

may be an issue with directed presence

daniel: eg with 0198,which has its own session identifier

isn't directed presence send to bare JIDs?

full or bare

but for, eg, muc, it's full

ahh ok

Flow: because of OMEMO for example, which talks to a given resource

not sure if it matters, at the end of the day, though

doesn't OMEMO talk to devices?

(in mixed support situations)

What?

Omemo doesn't need resources

Ge0rG, carbons?

But I don't see a problem extending <bind2/> with an optional <kill-previous-session resource='foo'/> element

Flow: yeah that's what I suggested yesterday

Or if bind 2 requires sm when can use sm for that

brrr "requires"

Flow: that and <attempt-stream-resume id=bar>

I'd avoid hard dependencies when possible

hmm stream-resume doesn't make sense for bind2

stream-enable may does

why would you use sm over bosh instead of just using acks?

Flow: if we want to clean up the mess, we need to make bold steps

Flow: I don't have an opinion on that. But I said *if* it requires sm. Either that or do the kill-prevois element

right, but still, stream-resume doesn't make sense when using bind2

Flow: stream-resume does make sense because it spares a round-trip and moves more logic into the server

if you do SASL auth followed by xep198 stream resume, then you don't need bind2

Flow: but in case it fails

It spares you a round trip

then you do bind2 with stream-enable

Flow: yes. And that's the extra round trip

That you have to do the bind

Flow: or you just do bind2 with attempt-resume and the server does all the magic

ahh, got ya, fair point

(I'm not necessarily agreeing just explaining that it does save a round trip)

Ideally, as a client, I'd put (my last MAM id, resource, sm session) into the bind2 request and let the server do everything else

BTW: I did some related art yesterday. Ladies and Gentleman, I present you, the XMPP client session establishment state machine: https://goo.gl/photos/xg2yECoACUscsj6Z6

Ge0rg, the last MAM ID, so the server also sends you the missing messages?

Flow: exactly

hmm, not sure if that's really required

I mean bind2 is there to solve a race condition

and not to make everything super optimized

at least that's how I see it

Flow: nice; I've got a few chunks of that drawn up in some details, and I've been meaning to complete the picture and try to get the full diagram drawn out. Good job

Sending the mam id would be a very bold move

SamWhited: I'm tikz'ing it and plan to put the tex into a public git

Expected result: either stream resume, or: - kill old session - update old sm state according to delivered counter - send all I missed from MAM - bind new session - enable carbons

Not sure if bind 2 wants to take that on

Flow: I'e got a few graphs here, feel free to borrow from them: https://bitbucket.org/SamWhited/xmppdocs/overview

daniel: why not make bind2 explicitly support extension elements for MAM, sm etc

Ge0rG: I didn't say bold aren't good moves. I'm just not sure if this is something that Kev would be willing to do

SamWhited: will certainly have a look. thanks!

daniel: im not sure if Kev is the ultimate authority or if we want to make something that's good and future proof

(not implying that we can't with Kev)

Ge0rG: sure. But you can't hijack kevs xep is what I'm saying.

'hijack' and 'kevs'

daniel: this is a shortcoming of the XEP process.

If I had more time, I'd hijack a bunch of them.

Maybe it is...

We can make bind2 something awesome and remove some cruft from the graph Flow shared.

And not just a hot fix for a race condition.

I wouldn't mind it becoming XMPP2. There are many problems in XMPP 1

I've been thinking about that a lot lately actually; redoing the login flow and calling it XMPP 1.1 or 2 or whatever; maybe fixing some of the erratas, or merging in XEPs that are now seen as necessary, etc.

Almost certainly not worth the effort though.

SamWhited: why not?

Because everything would break, and most of the problems probably aren't bad enough that anyone would bother implementing it. Just a hunch though.

Besides of the MAM carbon SM mess we could also get 2fa and one-time / per device passwords

And the IETF-WG process is a big deal, and would take a massive amount of effort.

We can get that now without rewriting the whole RFC.

What I want to do with the bind2 spec is not to do anything complicated without a clear consensus.

Dave has possibly reasonable things he wants to do, including redoing all of SASL I think.

If that happens, it'd probably bin any work done on complicated things in bind2, which is why I'm not keen on boiling the ocean at this stage.

Kev: I want to redo the things after SASL, and I have controversial ideas about it. Will post to the ML after my holiday (next week)

Kev: how does one thing bin the other?

My approach is "Do the simple things right now in bind2 so we can solve the real problems that need solving, then let someone write an elegant and future-proof reworking of the entire stream setup, and then rephrase bind2 in terms of that".

SASL itself is a pain to implement in a generic way; I haven't seen anything better, but I'm not sure the problems with it are just XMPP problems…

SamWhited: And then you start ratholing.

SamWhited: And then bind2 gets held up. And then we don't solve the immediate problems.

Exactly

Thus my approach of doing the simple thing first, and adapting once the complicated thing is done (if ever)

Maybe my simple thing is *too* simple, even for that plan, but that is my motivation.

Kevs approach ++; there are places where I think it's necessary to do a radical redesign, but in this case I suspect it's simpler and cleaner to do it incrementally. Especially since even the "simple" approach is a pretty big step.

Just make bind2 extensible with additional elements for SM and MAM