XSF Discussion - 2017-02-28

I wonder if it's too much to ask from gsoc students to join the muc

I don't think it's too much to ask

Newspeak?

or Zeitungsenten ("newspaper ducks") in german

which is probably translated as "hoax"

nah... 📰🦆 sounds way better

that’s even outside unicode 8.x. you’re unfair. ;P

jonasw, it just shows the effort :)

Over U+9000?

daniel, There's a gsoc@ MUC specifically for them to join, and we ask them to.

so we don't interrupt the ongoing board meeting here

This board meeting is the best one. The longest board meeting. It's awesome.

Tobias, Alright for you. I've been taking minuites for the past six months.

My Android won't show that secod glyph either, what is it?

those minutes will probably blow up mailman when the meeing concludes

to be fair, I think that the subject has only been set like two weeks ago...

Ge0rG: time to get a new phone

daniel: time to get a new OS update.

Ge0rG, it's one of the ducks, obviously

but maybe I'll get me a Nokia.

The subject was indeed set only in response to my assertion that nobody uses the subject.

And then left as-is, because nobody uses the subject...

which kind of shows this UX inconsistency definilty needs to be fixed with MIX :)

Tobias, I'd honestly prefer we built a feature people actually wanted to use. But not a hill to die on, etc.

ghee, who knew that there was content under that 'recent events' list on the wiki? :)

what the

?

Looking at https://xmpp.org/software/libraries.html and noticed that the link for Verse points to the older unsupported version I never used, instead of the new one that's basically a subset of Prosody libraries.

I am looking forward to your PR :)

MattJ: Do you have a web page for the new verse, other than the source repo?

http://code.matthewwild.co.uk/verse ?

ah, that's the repo

http://www.matthewwild.co.uk/projects/verse/home

Guus: PR'd

merged

Zash: hi, looking at babbler, it too points to old version.

uc: Your turn to write a PR :)

Thanks Zash

Ok sorry, I think I forgot I clicked on something, it looks ok.

MattJ: You can thank me by writing docs for Verse :)

Guus: The in-Github editors syntax highlighting seemed upset about the unescaped * in "IP*Works Internet Toolkit". Is whatever does the rendering fine with \* ?

Can we please-pretty-please announce a sunset period for old clients, servers and libraries to jdev@ and kick out everything that didn't react within a month?

Zash - i don't know. Try and find out? I've added Vagrant-based instructions that should make it pretty easy to run a virtual machine with the website

Ge0rG: sure.

Ge0rG, blablabla

unfortunately, the according discussion in [board|council] dissipated into bikeshedding.

Ge0rG, we need have an implementation ready first for our website publishing

Tobias: have you worked on the jinja thing?

jonasw, haven't gotten around doing that yet

Tobias: need help? :)

Guus: Vawhatnow?

I can into pelican and jinja2

jonasw, if you have the time, feel free to do a PR on the xmpp.org repo that does this kind of thing. I'll be happy to review it

ash: https://www.vagrantup.com/

Zash: https://www.vagrantup.com/

Tobias: okay :)

Website too flashy, I'm skeptical.

if we have this ready in PR form and tested that it works, we can announce the new process on jdev, and merge the PR a week later and done

Zash: it predates stuff like docker, I think

Tobias: how is website publishing happening now? I read Guus' #246 PR merge mail and wondered why I can't find the "getting started" page

Ge0rG: Mix #246 https://github.com/xsf/xeps/pull/246

Bunneh: no. wrong repository!

Ge0rG: How is Bunneh supposed to know?

Ge0rG: Yeah, I've been wondering about that too

Zash: dunno. How am I supposed to tell it?

not sure what happened there - Locally, it worked fine.

I am *assuming* that the website gets periodically updated from github, automatically. If there's an actual person involved, then someone is now blocking that change and I'm not aware :)

Ge0rG, it's three parts, pelican building HTML files, and sed replacing a longish string in one HTML file with the list of XEPs

Tobias: that was only two parts.

the list of XEPs is generated on demand by the XEP editor, while the website is automatically rebuilt from master 3-4 times a day i think

Ge0rG, don't tell me how to count my thoughts :P

Tobias: Ge0rG is referring to a page that I added in https://github.com/xsf/xmpp.org/pull/246 - which was merged two days ago, but is not available on the website.

Tobias: the two biggest problems in Computer Science: 2. Event Ordering; 1. Naming Things; and 3. Off-by-one errors

I assume I messed up somewhere, but I haven't spent the time to figure out what went wrong.

FYI, starting to work on the overhaul of library pages with magic expiry

\o/

jonasw, thx...if that works nicely, we can extend that to client and server pages too

well, yes, I’m doing that all in one rush.

or at least in a way which is easily extensible

jonasw: sounds interesting

Ge0rG: I'd be grateful if you can figure out what went wrong with my merge though.

Is there like a manifest of pages cached somewhere?

Guus: I'm sorry, I have no idea about how the website works internally

Ge0rG: neither do I, but that's not stopping me :)

I’m going to spread the word on the XSF-GSOC, do any other projects have a nice overview page like this? https://conversations.im/gsoc.html

jonasw, there is https://wiki.xmpp.org/web/Summer_of_Code_2017 but with less nice CSS on top of it

thanks!

Tobias: https://github.com/xsf/xmpp.org/pull/269

worksforme locally, let’s see what travis thinks of it :)

That looks interesting, thanks.

jonasw, thx...will give that a review soon ✏

jonasw: you could replace `last_renewed` with a bit of git-blame magic :P

Ge0rG: what if someone fixes a typo or converts URLs to https without interacting with the project?

right

jonasw: and there is the opposite problem of a project that is maintained but where the record doesn't change ;)

the idea is that the authors can issue PRs, that update the last_renew timestamp to a time in the past.

It's not much fun to issue PRs just for updating a timestamp, but it's also low-maintenance for the XSF and that seems like a good thing. And it's not too onerous.

It's certainly a not-very-contentious thing to get done Right Now.

as mentioned in the PR, updating a timestamp is done by .

Kev: +1

as mentioned in the PR, updating a timestamp is done by ./data/update-entry.py data/libraries.json $libraryname && git commit -avm "Update timestamp of $library" && git push

that’s low maintenance even without PRs.

gah, there are obvious bugs in that line, but you get the idea

I haven’t yet sent a formal proposal about a format for developers to describe their software, but I have worked on it and am planning on sending that soon-ish.

It would remove the need to do a PR against every website listing their software.

https://linkmauve.fr/files/client-sample.xml for a WIP of which I’m very not satisfied yet, but trying to include the information I want to have available.

Link Mauve: please make your server send a content-type for xml. firefox probably tries to render this as html because there’s no Content-Type header.

y u no disco#info

As discussed at the summit, I also want it to be usable like on the w3c specification pages, where they list implementations directly on the page.

Zash, because it’s highly incomplete, requires an instance of it to be online and reachable through s2s, requires this software to be a client or a server, etc.

Link Mauve: looking at the XML: logo maybe as favicon?

jonasw, “Content-Type: text/xml; charset=utf-8”

Link Mauve: I mean the format, not the method

Firefox is probably trying to be smart with the xmlns:xhtml.

Link Mauve: why did firebug lie to me.

agh, looked at the wrong header because it came out of the cache :(

Zash, and extend it with all of the information we need? ✏

firefox bug then, I have never said a thing, Link Mauve

Zash: Link Mauves XML even contains disco:identity

Link Mauve: Maybe, what info is required?

jonasw, the final thing would probably be a RDF-like format, but I don’t know enough about RDF or the semantic web yet to design it like that immediately.

Link Mauve: Sounds overkill

Zash, have a look at the sample I posted.

Zash, maybe, as I said I don’t know enough about it to make an informed decision.

Zash: not neccessarily: using established formats makes it easy to parse with existing tooling

og:image etc. are well-established tags, I’d be interested how tools like facebook react if you simply link that thing (and make the webserver pretend it’s XHTML… just to fool them)

although, facebook etc. are notoriously bad with XHTML, especially when namespace prefixes are used :(

jonasw, I would guess you don’t even need to pretend it’s XHTML, text/xml is already a valid XHTML content-type.

it’ll probably still break on namespace prefixes :/

Everything is bad when namespace prefixes are used :) I'm always half tempted to suggest we write XMPP 2.0 with the only change being that namespace prefixes aren't allowed.

I originally wanted to use these og: properties, but there was e.g. no way to specify the licence, or to specify what is a logo and what is a screenshot, so I gave up on that idea.

SamWhited: with a proper XML parser, namespace prefixes are irrelevant to the application.

SamWhited: <stream xmlns="urn:xmpp:stanzas"> yeeeeaaaah

Zash: yes please!

or just urn:xmpp?

SamWhited: <iq xmlns="jabber:client"> for each stanza? :)

jonasw: No, default namespaces are still a thing, just not prefixes.

jonasw: jabber:client and jabber:server ought to go away completely

right

Half the XML parsers out there aren't proper, or are buggy… it's just needless complexity that makes implementing XML difficult (which in theory I don't have to care about, but if <language-of-choice>'s built in XML parser is broken, I do)

SamWhited: This means no namespaced attributes.

Zash: Sounds good to me

SamWhited: You can start by getting Pidgin to get rid of {http://www.google.com/talk/protocol/auth}client-uses-full-bind-result='true' :)

SamWhited: the instant stream resumption xep would break then :)

Redesign it

jonasw: Yah, it would be a backwards incompatible change; I'm pretty okay with that for a 2.0 version (not that I actually expect this to happen, it's just fun to think about; I have RFC modifications floating about for this somewhere :) )

Also, RE Pidgin: … wat?

SamWhited: if you get rid of namespace prefixes altogether, why not go with JSON right away :)

jonasw: Because JSON doesn't have namespaces, and isn't really streamable.

Link Mauve: https://tools.ietf.org/html/rfc4287 might be interesting for your usecase

SamWhited: GTalk compat stuff that annoys me because to no end as it shows up in logs all the time.

Zash: That hurts me :)

jonasw, Atom would be fine as a container format, to notify subscribers of new releases, but it doesn’t define any of the elements we will need in there.

Link Mauve: atom:rights, atom:logo, atom:published, atom:updated, atom:title seem all like very relevant things; and it explicitly allows extensions in foreign namespaces

jonasw, indeed, maybe I’ll use that as a container format, especially since I plan on requiring it to be hosted as a PubSub feed, so multiple websites can get notified of new versions.

Link Mauve: https://www.iana.org/assignments/link-relations/link-relations.xhtml#link-relations-1 those may also be interesting (cf. https://tools.ietf.org/html/rfc5988 )

jonasw, thanks.

(I once wrote a blog/static webpage framework before I came across pelican, I spent quite some time figuring out how to put metadata correctly into websites so that they produce nice snippets in social media)

ralphm: Could you please add me to and make me an admin of https://trello.com/xmppstandardsfoundation/members ?

'kevinsmith', I believe. The avatar is pretty obviously me.

Do we already have a gsoc MUC somewhere? (eg. where should we point people who ask about XSF gsoc?)

gsoc@muc.xmpp.org ?

oh hey, yup, that worked. Thanks.

I should get a client that allows me to actually list rooms one day.

(although I suppose I should have just guessed that one)

SamWhited, Instead you have a conversational UI to search rooms with full natural language support, called "asking Zash".

dwd: It works pretty well in Conversations and Mcabber!

SamWhited, Cross-platform server-side, FTW.

@council: could you put https://mail.jabber.org/pipermail/standards/2017-February/032328.html on your agenda for the next meeting?

jonasw: What would the actual discussion be about?

whether a modification of XEP-115 is worth the trouble

Clarifying is always good

it’s more than clarifying

I'll add it as soon as us-east-1 comes back and the entire internet stops being broken.

I can write up what I’m thinking about; it would re-do the concatenation of the disco information because as it currently stands it’s weird and it’s been discussed a few years back.

(or maybe Trello having trouble is unrelated, but I just got an alarm from Amazon and now nothing works, so I'm making the assumption that they're related…)

SamWhited: to be clear, I specifically include the suggestion by Florian: > And after we decided a successor of SHA-1 for XEP-0115 we could also fix the existing flaws of XEP-0115 like [1], because this would require a namespace bump anyway.

What requires a namespace bump?

Zash: https://mail.jabber.org/pipermail/standards/2017-February/032324.html > But it may be sensible to change the mandatory hash algorithm of XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we could also fix the existing flaws of XEP-0115 like [1], because this would require a namespace bump anyway.

Are there any clients using features such that their caps hash would change if the special characters were escaped?

Changing a new thing to be mandatory would require a bump, I think

What if we pretend that the algorithm was always like that?

Just, poorly documented

And put some text into an implementation note

what escaping are you talking about?

Hrm, I lost my caps compression experiment :(

> Joe Hildebrand (one of the authors of the XEP) mentioned that his intention was that you would escape any "<" to "&lt;" in feature names. But this isn't specified in the XEP and isn't obvious.

jonasw: The [1]

right, that wouldn’t help with Attack 3 and 4 outlined in [1]

poke waqas

Let's bump all the namespaces at once. It even better. Let's bump the namespace of XMPP to XMPP2!

Ge0rG: you’re late to the party, SamWhited outlined XMPP 2.0 above

Ge0rG: That's part of my evil plan, *shhh*

is it going to be json over http?

cause then I'm out >:)

With a DAG based storage backend?

moparisthebest: https://i.imgur.com/cT3NEdI.gif ;-)

I mean we might as well re-invent it right, why not, NIH syndrome is cool

Globally distributed DAG in MongoDB with extra blockchain on top?

I am torn between existential despair and laughter.

Zash: You forgot the Docker; gotta use some Docker.

Otherwise it's not webscale.

oh and Cloud

right, and obviously the only choice for language is javascript running in node.js

http://howfuckedismydatabase.com/nosql/fault-tolerance.png

yea that is my favorite one from that site

maybe my favorite cartoon of all time

now I need to watch Erlang The Movie again.

especially the sick erlang burn (sorry ejabberd guys)

Erlang is one of the coolest languages ever made, and concepts from it (and other similar CSP style languages) should have become part of mainstream programming 20 years ago… and I still can't stand to write anything in it just because I hate reading it.

disclaimer: I never knowingly saw a bit of erlang code.

same jonasw I'm kind of ashamed to admit I've never looked at it at all :)

Just for fun, if you're interested, watch this and spot the Erlang reference :) https://www.youtube.com/watch?v=8pTEmbeENF4

(and then still don't go write Erlang, because it will make your eyes bleed)

I wonder whether it’s worse than Cortex-M0 ASM

I guess arc would be the only one that would know :)

Some years ago, when I still was running ejabberd, a student approached me for inspiration. I told him that erlang is awesome and totally different, and now he's working at a telco development company.

using erlang?

:D

Yes

my favorite dig at erlang is this: https://www.erlang-solutions.com/blog/mongooseim-2-0-0beta2-the-power-of-an-xmpp-platform-with-the-simplicity-of-a-rest-api.html

Developing tr069 equipment and Hotspot login things

knocks XML for being 'not trendy', uses erlang...

Zash?

waqas: there was mention of the caps issue earlier

I haven't read the backlog, but did it start with sha1?

I guess

waqas: context is this: https://mail.jabber.org/pipermail/standards/2017-February/032324.html it appears that now is a good chance to fix xep 115

Caps is completely broken. Updating the XEP to suggest XML escaping isn't going to fix it. Please read old threads for why. The caps algorithm is bad. sha-1 to sha-2/3 is meaningless given how broken the algorithm is.

waqas: yes, i mean actually fixing

Wasn't there a workaround for clients to recalculate the checksum?

Not a working one Ge0rG. The simple workaround is to not share caps cache across JIDs.

And no server side implementation does that for PEP

The "old thread" is https://mail.jabber.org/pipermail/standards/2011-August/025011.html

Which links to my older thread: https://mail.jabber.org/pipermail/security/2009-July/000812.html

Wow, it was 8 years ago

Feel old? :)

That ejabberd story made me feel old as well. Sigh.

Also that I'm using this nickname for over 20 years already.

Security awareness doesn't seem to run very strong among in the xsf

That's what the IETF is for

That xep should be retracted

It could use some pretty serious work…

It could use xep-300

SamWhited: just retract it. Copy past the xml over in a new xep with a new namespace and do the nul thing with sha2 Dave suggested 8 years ago

If you don't retract it it get forgotten for another 8 years

oh, yah, it's draft, so maybe that would be the more practical course of action

daniel: +1

although it might be wise to not use NUL but the field separators in the last control characters up to U+0020

that allows to convey the structure

and they’re still disallowed in XML

I’d be happy to write that up.

Are you sure that they are disallowed?

Note that the null thing isn't sufficient. The data model is nested, and you need at least two delimiters, if not more.

\0 and \1 would work. Both are disallowed in XML.

waqas: that’s why I suggest to use FS DS etc. from ASCII

Zash: https://www.w3.org/TR/2008/REC-xml-20081126/#charsets characters does not cover 0x00 through 0x1f, except for 0x09 (tab), 0x0a (newline), 0x0d (carriage return)

There are field and record separator characters in ASCII. I'm even using those in my xmpp client

this includes CDATA sections as well as normal text and attribute data

Ge0rG: +1

But I felt dirty for implementing them.

why? :)

Because I was abusing Android's key value XML storage to contain a table of ASCII separated key value pairs

:D

Ge0rG: Was the hack really that dirty? I don't know what you did, but I'm reminded of the story of Mel. Read that one? :)

waqas: nope

Ge0rG: http://www.pbm.com/~lindahl/mel.html

https://github.com/pfleidi/yaxim/blob/master/src/org/yaxim/androidclient/data/YaximConfiguration.java#L195-L202

waqas: ah, that story!

Zash, jonasw, Ge0rG: This is the important email in the thread, explaining the problem: https://mail.jabber.org/pipermail/standards/2011-August/025035.html

daniel: ^

waqas: thanks

that’s why I’m in favour of using the ASCII control codes for structural information. there are four control codepoints for that.

Sigh, that thread is painful to read. I was being such a pain :P

you are right though :)

Always

Being a pain about security issues is a good thing.

Please keep doing it :)

Unfortunately it wasn't effective. Things went nowhere :)

Talking didn't help? How unusual :)

SamWhited: being in council (other council members may of course chime in) what do you think is more sensible? (a) write up a fresh XEP based on the idea of XEP-115 with new hash function and new algorithm to generate the input for the hash function, based on waqas thoughts (b) write up a patch for XEP-115 with new mandatory hash function and new algorithm to generate the input for the hash function, based on waqas thoughts (c) wait for the next council meeting before doing anything. (d) none of the above, please fill in here: _____________

XEP-115 was hurting my eyes ever since I started implementing it, and I want to see it fixed.

jonasw: I'm with daniel; (a) makes the most sense to me. Actually doing it is a whole different matter though :)

then I’m starting to do it right now.

<{newcaps}c node=''><{hashes}hash algo='sha-wesome'>ASDF</hash>{<hash/>...}</c>

♡

jonasw: do it

Do things and talk about them.

I think we should just have a new XEP with a new namespace and a super simple algorithm.

Trying to patch XEP-115… I'm sure many would like to do that, but I've said my piece on my that's a bad idea.

Does anyone happen to know where the canonical version of rfc2629.dtd lives (as an actual file so that I don't have to go through and remove all the page breaks and headers that get injected if I try to copy / paste from the RFC)?

Or does it live anywhere? All I can find are old draft copies on random non-IETF websites

or 7991 or whatever we're on now

good night everyone

aha! Found a tiny ihdden link on the xml2rfc page

Trello just deployed some stuff to not-aws so it's back now; pretty sure someone wanted something on the agenda, but I don't remember what now… something about SHA-1.

jonasw 18:51 @council: could you put https://mail.jabber.org/pipermail/standards/2017-February/032328.html on your agenda for the next meeting?

Another thing I wish either of my clients had so that Zash wouldn't have to take the features place: Search.

(thanks)

I'd be more concerned as to how Zash got access to your MAM archive SamWhited

prosody backdoor? someone call the guardian!!!!!

By the use of a magical device called a scroll wheel.

It can see into the past

I'm not actually sure there is a way to scroll in mcabber; I assume there is. I should probably figure out the shortcut for that.

Wild guess: Pg Up

I can see the headline now "Popular chat server has backdoor, developer codename "ScrollWheel"" ✏

nah, that changes to the previous/next chat.

ScrollWheel. SamWhited. Coincidence? I think not.

looks like Ctrl+P

TIL

I feel like I knew that at one point

That's for printing...

SamWhited: Hah. So, exact opposite to irssi.

yah, the keyboard shortcuts aren't the most consistent thing; some of them are random, some are irssi style, some are vim style

mostly I just use the vim style ones and don't know any of the others

what the bloody hell

refering to the email that was just sent

heh, yah, I wonder where he got that random list of people to send it too

is he refering to the old defunct and should be removed XEPs or something new?

¯\_(ツ)_/¯ one possible outcome of the IoT SIG's work would be to replace the existing stuff (or improve it before we consider advancing them) like we discussed at summit, so I guess he meant the old ones?

The idea to throw 115 away came primarily from the desire to act now and deal with a replacement later

"The "S" in IoT stands for Security." just has become my quote of the year.

SamWhited: /buffer up.

oh hey, that too; thanks

another question because I'm curious, some members of council and board are up for membership renewal this time

what happens if they don't get renewed?

There's only one way to find out! :)

:)

ok everyone vote no for Link Mauve so we can find out!

moparisthebest: what incentives are you going to offer? Should I PM you my Bitcoin address?

I'm curious, I'm not paying money curious :)

I for one shall follow Link Mauve in the to be created real XSF. The other XSFses are fake. #sad

Guus: you will create the best xsf. An awesome xsf. There is no other xsf than yours?

Believe me. I create the GREATEST XSF. Be careful of the other ones. Full with bad hombres.

But I am sleepy. Anarchy is postponed until tomorrow. Goodnight.

still waiting on a joke about a wall

moparisthebest: Guus' probably going to turn off federation with the other XSFs (and make them pay for it)

thanks

I see that my work here is done.

Something something we're going to build a mod_firewall ... oh wait

Zash: and forbid the Russians to send us messages?

ooh yah, that one's better

You meant "bitter"?

Too true

We need a joke about proof of work things too

Pow!

Zash: the xsf has proven to work by holding its longest board meeting yet. We don't know how long it is, but it's going on for two weeks already, and it's the best board meeting. It's an awesome board meeting

How much Bitcoin can you make with cheap jokes?

How many xsf members does it take to replace a lightb^W cryptographic hash function?

waqas, you mean kung pow?

Tobias: really awesome movie!

indeed