XSF Discussion - 2017-01-24

Yay! I am not alone! https://gist.github.com/ValdikSS/30f866602413c036e4e6924c1895b838

Ge0rG: you are not alone willing to improve clients, but you should understand that we (clients developers) have limited time and resources.

I think Ge0rG understands that just as much as other client developers

mathieui: or even more so.

The last yaxim release has been two years ago.

But I have good news to announce. I found a critical vulnerability in yaxim that requires an immediate release!

Nothing like a security issue to speed up the release schedule :D

does anyone know if xabber is still considered as maintained?

Ge0rG: yes, gregory is very active

he's contributing to smack as well as commiting to xabber

Flow: do you happen to have his jid?

No, I'd contact him via mail

btw, the development seems to happen in the 'develop' branch and not in 'master': https://github.com/redsolution/xabber-android/tree/develop

Which is a pitty as it makes the project appear inactive while it isn't

uh, grigory that is

O tempora, o mores! Some mediated MUC invitations contain <x xmlns="jabber:x:conference"/>, despite not being required, others don't.

is that a groupchat 1.0 invitation?

Yes, and also direct MUC invitation.

which have a different schema.

the MUC code I inherited first checks for presence of <x xmlns="jabber:x:conference"/>, then parses <x xmlns="http://jabber.org/protocol/muc#user"><invite /></x>

which is bound to fail on non-groupchat1-servers and for direct invitations

fippo, do you have a socket library with MSG_PEEK support?

Zash, it's supported by BSDs and Linux, end even abstraction libs like libuv

High level socket library*

LuaSocket doesn't afaik

libuv is pretty high level

zash: proper C and good old select() :-)

zash: it doesn't have to be peek. if you can get your first batch of tcp data and then decide whether to put it into openssl or your xml parser that is sufficient. i found peek very convenient for the way i dealt with openssl (not using bios... a decade later i know how to do that too :-))

and that's a nifty feature, but I just let sslh handle all that for me

because I don't want an xmpp server doing xml and TLS on 443, I want https, imaps, smtps, xmpps, ircs etc etc etc all on 443

sslh is nice indeed, except that it currently only supports select() or fork().

It should just use libev or something ...

he's very receptive to patches Holger, wink wink :)

haproxy supposedly supports doing the same stuff and I think it uses libev and zero-copy stuff etc

I haven't tried it though

libev, libuv, libevent hrrrrr

moparisthebest: :-) Yes I was going to add libev support next time I'm bored.

Zash, yeah...all the same stuff that requires to give up runtime control :/

I'll just write my own network lib, with hookers, and blackjack!

moparisthebest: Should be really simple.

bite my shiny little network lib :P

I'm hoping you get bored soon Holger , the sslh code is rather nice for C in my opinion, I'm not really a C developer

Why hasn't that moved into systemd yet?

how can you judge the niceness of C code, when you're not really a C developer?

Zash, too small CVE potential ✏

I mean, I write C code sometimes, but I'm primarily a Java developer

and some C code makes me wince and other looks nice :)

Tobias: TLS support in the socket activation bits of the init system? Surely you can get a few CVEs out of that?

Zash, but it seems they go for low hanging CVEs instead of complicated TLS/socket CVEs ...as soon as OpenSSL and systemd reach the same code quality level they could merge that in...running OpenSSL code in PID 1, a dream come true

moparisthebest: isn't that true in any language?

intosi, yes of course, I was only commenting that in my opinion the sslh code looked like nice C code

Bad coders will create awful code, no matter how nice the language. C doesn't only hand you the gun, it detaults to pointing it at your feet, making bad coding that much more obvious, but bad devs will go at lenghts to point guns towards feet.

intosi: C is rather easy to use correctly when compared to C++

pointer to pointer to array of pointer to structs full of pointers to pointers hurts my head tho

Actually it's one of the few languages that feels like it more or less completely fits into my brain.

Unlike these C++/Scala/whatever monsters.

Sure, yeah. C and Lua <3

C with moderate use of pointer indirection :)

Yes C and Lua, and Erlang falls into that category as well :-) Most others don't.

Zash: arrays in C are a lie!

You guys should try forth. Its so easy to implement it itself in asm.

Ge0rG: No, all memory is a giant array.

It's minimal and your software ends up written in a DSL like language which makes fits your software

S/makes//

So many languages. So few ideas about what to do with them.

kalkin: I've written a robot control application in Z80 Forth some 20 years ago. Most find some time to blog it

*must

http://angg.twu.net/miniforth-article.html

https://github.com/nornagon/jonesforth/blob/master/jonesforth.S

Ge0rG: 😎

Zash: each memory, but not all memory! 😀

God, I'm old.

Wait, I need to fix things on my SPARC, glad Openboot has forth built in ;)

Zash: damn it, you just made me realize that /me notifications in yaxim are broken.

Ge0rG: You are welcome

Zash: thanks! ☺️

Ge0rG: Speaking of which, is Yaxim still built with Smack versions from before SCRAM was implemented?

Both major C++ projects I've done recently went sailing through COverity et al without anything major being found. OTOH, their C dependencies were pretty scary.

Zash: smack 3.something

i don't get the value of default ports if you have a requirement for SRV lookup anyway

I don't get the value of ports if you tunnel everything over 443

I don't get the value of firewalls, if you move all applications to a single port

MattJ, was more refering to standards ML discussion about new direct TLS only ports for C2S and S2S xmpp

the bike shedding debate about whether real tls is more securer than start tls?

we all know that startssl is insecure since it was bought by China

Tobias: yea I don't think default ports are useful there either

just default to 443!

There you go Ge0rG ! :-) you are getting it now