XSF Discussion - 2017-01-24

  1. Ge0rG

    Yay! I am not alone! https://gist.github.com/ValdikSS/30f866602413c036e4e6924c1895b838

  2. goffi

    Ge0rG: you are not alone in being willing to improve clients, but you should understand that we (client developers) have limited time and resources.

  3. mathieui

    I think Ge0rG understands that just as much as other client developers

  4. Ge0rG

    mathieui: or even more so.

  5. Ge0rG

    The last yaxim release was two years ago.

  6. Ge0rG

    But I have good news to announce. I found a critical vulnerability in yaxim that requires an immediate release!

  7. Zash

    Nothing like a security issue to speed up the release schedule :D

  8. mathieui slowly fades out in the background

  9. Ge0rG

    does anyone know if xabber is still considered as maintained?

  10. Flow

    Ge0rG: yes, gregory is very active

  11. Flow

    he's contributing to smack as well as committing to xabber

  12. Ge0rG

    Flow: do you happen to have his jid?

  13. Flow

    No, I'd contact him via mail

  14. Flow

    btw, the development seems to happen in the 'develop' branch and not in 'master': https://github.com/redsolution/xabber-android/tree/develop

  15. Flow

    Which is a pity as it makes the project appear inactive while it isn't

  16. Flow

    uh, grigory that is

  17. Ge0rG

    O tempora, o mores! Some mediated MUC invitations contain <x xmlns="jabber:x:conference"/>, despite not being required, others don't.

  18. Ge0rG

    is that a groupchat 1.0 invitation?

  19. Zash

    Yes, and also direct MUC invitation.

  20. Ge0rG

    which have a different schema.

  21. Ge0rG

    the MUC code I inherited first checks for presence of <x xmlns="jabber:x:conference"/>, then parses <x xmlns="http://jabber.org/protocol/muc#user"><invite /></x>

  22. Ge0rG

    which is bound to fail on non-groupchat1-servers and for direct invitations

  23. Zash

    fippo, do you have a socket library with MSG_PEEK support?

  24. Tobias

    Zash, it's supported by BSDs and Linux, and even abstraction libs like libuv

  25. Zash

    High level socket library*

  26. Zash

    LuaSocket doesn't afaik

  27. Tobias

    libuv is pretty high level

  28. fippo

    zash: proper C and good old select() :-)

  29. fippo

    zash: it doesn't have to be peek. if you can get your first batch of tcp data and then decide whether to put it into openssl or your xml parser that is sufficient. i found peek very convenient for the way i dealt with openssl (not using bios... a decade later i know how to do that too :-))

  30. moparisthebest

    and that's a nifty feature, but I just let sslh handle all that for me

  31. moparisthebest

    because I don't want an xmpp server doing xml and TLS on 443, I want https, imaps, smtps, xmpps, ircs etc etc etc all on 443

  32. Holger

    sslh is nice indeed, except that it currently only supports select() or fork().

  33. Holger

    It should just use libev or something ...

  34. moparisthebest

    he's very receptive to patches Holger, wink wink :)

  35. moparisthebest

    haproxy supposedly supports doing the same stuff and I think it uses libev and zero-copy stuff etc

  36. moparisthebest

    I haven't tried it though

  37. Zash

    libev, libuv, libevent hrrrrr

  38. Holger

    moparisthebest: :-) Yes I was going to add libev support next time I'm bored.

  39. Tobias

    Zash, yeah...all the same stuff that requires giving up runtime control :/

  40. Zash

    I'll just write my own network lib, with hookers, and blackjack!

  41. Holger

    moparisthebest: Should be really simple.

  42. Tobias

    bite my shiny little network lib :P

  43. moparisthebest

    I'm hoping you get bored soon Holger , the sslh code is rather nice for C in my opinion, I'm not really a C developer

  44. Zash

    Why hasn't that moved into systemd yet?

  45. Tobias

    how can you judge the niceness of C code, when you're not really a C developer?

  46. Tobias

    Zash, too few CVE potential

  47. Tobias

    Zash, too small CVE potential

  48. moparisthebest

    I mean, I write C code sometimes, but I'm primarily a Java developer

  49. moparisthebest

    and some C code makes me wince and other looks nice :)

  50. Zash

    Tobias: TLS support in the socket activation bits of the init system? Surely you can get a few CVEs out of that?

  51. Tobias

    Zash, but it seems they go for low hanging CVEs instead of complicated TLS/socket CVEs ...as soon as OpenSSL and systemd reach the same code quality level they could merge that in...running OpenSSL code in PID 1, a dream come true

  52. intosi

    moparisthebest: isn't that true in any language?

  53. moparisthebest

    intosi, yes of course, I was only commenting that in my opinion the sslh code looked like nice C code

  54. intosi

    Bad coders will create awful code, no matter how nice the language. C doesn't only hand you the gun, it defaults to pointing it at your feet, making bad coding that much more obvious, but bad devs will go to lengths to point guns towards feet.

  55. Ge0rG

    intosi: C is rather easy to use correctly when compared to C++

  56. Zash

    pointer to pointer to array of pointer to structs full of pointers to pointers hurts my head tho

  57. Holger

    Actually it's one of the few languages that feels like it more or less completely fits into my brain.

  58. Holger

    Unlike these C++/Scala/whatever monsters.

  59. Zash

    Sure, yeah. C and Lua <3

  60. Zash

    C with moderate use of pointer indirection :)

  61. Holger

    Yes C and Lua, and Erlang falls into that category as well :-) Most others don't.

  62. Ge0rG

    Zash: arrays in C are a lie!

  63. kalkin

    You guys should try forth. It's so easy to implement it itself in asm.

  64. Zash

    Ge0rG: No, all memory is a giant array.

  65. kalkin

    It's minimal and your software ends up written in a DSL-like language which fits your software

  66. kalkin


  67. Zash

    So many languages. So few ideas about what to do with them.

  68. Ge0rG

    kalkin: I've written a robot control application in Z80 Forth some 20 years ago. Must find some time to blog it

  69. Ge0rG


  70. MattJ


  71. kalkin


  72. kalkin

    Ge0rG: 😎

  73. Ge0rG

    Zash: each memory, but not all memory! 😀

  74. Ge0rG

    God, I'm old.

  75. Zash throws a handful of tiny magnetic rings at Ge0rG

  76. intosi

    Wait, I need to fix things on my SPARC, glad Openboot has forth built in ;)

  77. Ge0rG

    Zash: damn it, you just made me realize that /me notifications in yaxim are broken.

  78. Zash

    Ge0rG: You are welcome

  79. Ge0rG

    Zash: thanks! ☺️

  80. Zash

    Ge0rG: Speaking of which, is Yaxim still built with Smack versions from before SCRAM was implemented?

  81. dwd

    Both major C++ projects I've done recently went sailing through Coverity et al without anything major being found. OTOH, their C dependencies were pretty scary.

  82. Ge0rG

    Zash: smack 3.something

  83. Tobias

    i don't get the value of default ports if you have a requirement for SRV lookup anyway

  84. MattJ

    I don't get the value of ports if you tunnel everything over 443

  85. Tobias

    I don't get the value of firewalls, if you move all applications to a single port

  86. Tobias

    MattJ, was more referring to standards ML discussion about new direct TLS only ports for C2S and S2S xmpp

  87. Ge0rG

    the bike shedding debate about whether real tls is more securer than start tls?

  88. Ge0rG

    we all know that startssl is insecure since it was bought by China

  89. moparisthebest

    Tobias: yea I don't think default ports are useful there either

  90. Ge0rG

    just default to 443!

  91. moparisthebest

    There you go Ge0rG ! :-) you are getting it now