XSF Discussion - 2017-03-03

100 bytes is a very optimistic MTU for 802.15.4

LTIC it was more like 80 bytes.

jonasw, 100 or 120 bytes is realistic for 6LoWPAN

hmm

must’ve confused something then

jonasw, around 100 and with link security it was 80 https://en.wikipedia.org/wiki/6LoWPAN

but yeah..it's not much

at least my elliptic curve based signatures didn't fit in a single packet :D

ah, I think I was thinking about zigbee

there the baseline is 84 bytes

jonasw: 2.5 mesh networking eats a bit, as does TLS if you're using it

but yes.

my point is, going from SHA256 to something higher has performance costs associated with it

doesn't SHA have bad runtime performance on constrained devices anyway

Tobias: you missed the "magic"

i think the SHA code even didn't fit on my target device, so i had to go with something differnet like BLAKE2 :)

wouldn't it be possible to precompute the caps hash when compiling the firmware? :D

arc, what kind of devices are you usally dealing with? I mostly played around with SAM-R21 like smallish things

the schemaId the client uses is pre-baked, and if the server receives it and returns a different schemaId to use, it will use that. as long as its not required for SASL then there's no issue

Tobias: im not working with a specific device right now. im just writing libexi

ah, ok

but talking about how I think EXI should be properly implemented with xmpp

"just writing libexi" :)

that method is this: the device (having no previous contact from a given server) sends a sha256: URI as the schemaId, which the server either responds to in-kind (if it is supported) with its own EXI header and the same schema, OR the server responds using a default schema all devices must support with an error, in which case the client must send the pre-encoded schema it wants to use to the server. this schema should be small enough to fit on a given embedded device.

the key here is that the use of sha256 is a convention, and this leaves forward compatability if in the future this needs to change

a future version of the same XEP may recommend a different hash to default to "guessing" on first connect.

after the server receives the schema from the client though, the server returns the schemaId for the client to use in the future with that server. that schemaId SHOULD be a hash, but it can be literally any string.

so..

say in 2 years there's a quantum computer breakthrough and SHA256 can be easily broken, leading to the risk for cache poisoning, BUT there's a new quantum-proof hash

there's thousands of embedded IoT devices out there..

but XMPP server software is updated for the new hash.

the servers can then reject all sha256 URIs and ask for the client to send the schema they want to use, on first connection to the server (or reconnection after the server is updated with this security update)

seems reasonable

the clients send the schema, the server responds with a QPROOFHASH:... URI to use as the schemaId, and older clients simply use that string as-is to refer to the schema they were designed to use.

the XEP is updated accordingly, and everyone is happy.

right...will be interesting to see on how small of a device you can get XMPP to run

the smallest devices ive used on a network generally was atmega running Contiki

i havent done 8-bit optimizations to libexi. mostly that would be in the bitpacker I think, because an 8-bit libexi would certainly NOT be compiled with text XML capabilities which is where all the funky stuff is

but I think its very doable.

arc, do you know RIOT OS?

no, never heard of it

on the embedded side i'm a hobbiest at best

it's an IoT OS, similar to continki, but it's all standard C and you could even use C++ https://riot-os.org/

I loath C++

but that's cool, ill look into it down the road

i see it runs on 8bit

haven't used it on 8bit yet, mostly 16 and 32 bit I think

interesting

but I’m too much a weird person to use a pre-made OS on an embedded system

maybe for the next project :)

and they have good support for standard IETF protocols

I thought Cortex M0 was going to obsolete the AVR-based devices, but in a recent meeting I was shown a AVR-based internet connected sensor only slightly larger/thicker than a quarter that essentially stacks on top of a coin-cell battery and runs for a full year, the device costing under $5 including the cost of the battery.

jonasw: i've written 3 TCP/IP stacks on 8-bit so far. I do not recommend it, especially IPv6

:D

I don’t do TCP/IP on embedded though :)

if you havent done it before, you should save whatever sanity is left and let someone else do that work.

ah ok. well you're safe

for MTU and "heck, I don’t want to implement a TCP/IP stack on embedded" reasons

jonasw, https://github.com/RIOT-OS/RIOT/wiki (the supported devices are listed on the right)

Tobias: on the website too

you can do it. its just not fun.

arc: I tried to implement UDP/IP/Ethernet in VHDL though.

does that count? ;-)

jonasw, didn't notice that :)

essentially you need to run the whole thing zerocopy due to constrained RAM

Tobias: well, at least enough info on the architectures that I could guess that it’ll run on anything I’ve ever touched ;-)

arc: yes.

that’s what I needed to do for my custom protocol

and with that, im going to bed.

I’m streaming three sensors at 200 Hz and need to spread lower sample rate data inbetween of that; the transport being Xbee it’s usual that the connection interrupts for some time. so every bit of ram needs to go into buffers.

Bed? At 9AM? :)

Kev: im in DC. its 3:38am here.

good night, arc

I knew ;)

NN

i just spent 2 hours searching my old records for my social security card

Everyone needs a hobby.

everyone needs secretaries.

I wouldn't place important things together with old records.

I wouldn’t place important things on a piece of paper.

but unfortunately one doesn’t always have a choice on that.

still looking for a nice document management system, so I can just scan all documents and pack them away in crates

I have ~/Documents/{category}/{date-of-issuance}\ {tags}.pdf. works reasonably well

Whatever process that normally makes sure that the xmpp.org website is updated after a change in the corresponding git repository appears to be failing

it wasn’t me.<x xmlns="jabber:x:tone">not-convincing</x>

the problem predates my merger of your code :)

oh okay

i can take a look

I think it started going wrong on Feb 26, with my merger of the 'getting started' page

unless Kev is already

JC's 'add subscribe url for the standards list' is live

ah, it failed first for my attempt to remove the empty 'who uses xmpp' page

that page is still on the website, although I tried deleting it here https://github.com/xsf/xmpp.org/commit/83f365dc99f8a60f31ea5b524e7daafedb714916

I'm struggling at the moment to even work out what's supposed to trigger a build of the site.

Kev, when I fixed things summer last year, i set up a cron job

Kev: repository settings -> webhooks?

Tobias: Where's the cron?

It used to be that this was all generated in Travis so we could just pull it onto the server without running code there, but I don't think that's true any more?

in staticweb's crontab?

Ah, staticweb, of course :)

didn't want to add it to root's crontab :P

Tonnes of PDF generation errors.

/etc/crontab or /etc/cron.d would've been proper.

intosi, even for user cron jobs?

yes

Arguably this isn't a user cron job.

pick a user there, prevents manipulation of the crontab by the user

^ what jonasw said.

Tobias: in /etc/cron* you have to explicitly state as which user the job runs

so it’s not like everything there runs as root

ahh

ta

There's the added benefit that a random admin would look in /etc/cron* first, and might not even consider user crontabs for essential tasks until much later.

feel free to move it there then

perhaps first fix the issue at hand?

Guus: that's all one go.

Indeed, I was looking in /etc/cron*.

Guus: You were right though, it does seem to be the one where you edited the sidebar :)

CRITICAL: UndefinedError: 'pelican.contents.Page object' has no attribute 'sidebar_menu_elem_url_8'

weird - why do I not get that locally? Might relate to https://github.com/xsf/xmpp.org/issues/247 ?

Yes, sounds like your local environment isn't quite working right, if that's the case.

I might require things that are not in the repository then. My environment is a clean virtual machine, which just the repo content and build tools as listed in the readme.

don't know how up to date the readme is, "Any editorial questions: Laura Gill or Simon Tennant can help", at least Simon doesn't seem to be around to respond to any questions regarding xmpp.org site

Kev: can you make Travis fail with the same error?

Guus, what state is https://github.com/xsf/xmpp.org/pull/185 in?

Tobias: I have not looked at it since. I have now aquired a bit more knowledge about Pelican, so I might not depend on others to finish this

however: the data that it adds is incomplete

incomplete how?

all votes since 2010 are not in there, I think

right, but years that are in there are in there completely right?

it was a one-on-one conversion of the old pages.

whatever was in there, is now here.

I assume that the old data was complete, for those years.

right

Kev / Tobias: I'll be away for the weekend in a short while. If I can help with the website issue, I'll need to do that now-ish.

No rush right now, I think.

just saying that I'm willing to help, but will be without laptop soon

(doing a weekend trip)

Thanks. Just enjoy your trip, the website will still be here Monday.

:)

kk :)

Flow: backward compatibility is hard :( https://github.com/ge0rg/MemorizingTrustManager/commit/168b7b5598095bfe6ae6fab4797af3f913b574f4

Ge0rG: true

in related news: running the gradle lint on yaxim turned up a dozen of issues, including this one

Flow, Ge0rG, any experience using errorprone?

Tobias: Smack uses errorprone

and it's one of the reasons I made the previous statement

ah..ok

but it did that foundt hat many issues in Smack

well..but the thinks it found were sensible issues, right?

it didn't produce tons of useless warnings

or did it?

which is of course only because of my l337 c0d1n6 5k1ll5

Tobias: very sensible

compare to facebook's infer, which produces a ton of non-issues

but to be fair, infer was right about every issue it found, it where just non-issues in that particular context

Can you tell it to ignore those non-issues?

Zash: sure, you could suppress them

I decided against infer in Smack because another static code analyzer would increase the compile time again

people on security@ argued back then that the hash agility of 115 doesn’t work (dwd and waqas for example), but there are no conclusive reasons given.

here for example: https://mail.jabber.org/pipermail/security/2009-September/000828.html

doesn't work how

Zash: I have no idea

I would like to know.

md5 was used before according to the capsdb

jonasw: Hash agility doesn't work. What we mean by this is backwards compatibility wasn't allowed for. Clients using new hashes vs old hashes would fail to interoperate.

waqas: what would be wrong with simply sending two <c/> elements with different hash functions?

jonasw: Reality. That wasn't allowed, and clients assume there's only one. You'd fail to interop with most (all?) existing deployments out there.

okay

makes sense

I hate reality

i.e., you are modifying the XEP in a way that isn't compatible with prior understanding of implementations

I like the suggestions you make in https://mail.jabber.org/pipermail/security/2009-September/000829.html btw.

specifically: > Also worth considering is whether multiple hashes for different sets of data > make sense instead of just one. A hash for capabilities of an entity is the > most basic. A hash for software ID and version (disco#meta?). A hash for > disco#items. Future XEPs being able to define hashes for datasets they > define is also useful. The downside is a slightly larger presence packet > (which is mitigated by the caps optimization), but I see this leading to a > significant reduction in queries.

hu? why wasn't/isn't it allowed to send multiple <c/>s?

fwiw, aioxmpp also only uses the last one it finds, but it would be trivial to change that into a map hash->caps

so it might simply not be clear that clients should expect multiple nodes

Flow: Everything is allowed. You can even call it <b/> or <d/>. That existing clients would fail to interpret it in a defined way is the problem.

Client behavior when they see multiple instances of something that they expected to be single tends to vary between pick-first, pick-last, pick-random, error.

"""The Web shell used by the attackers didn't support SSL, so all their activities were logged to the webserver, enabling Verizon's RISKS team to analyze their actions. Though the idea of attacking cargo ships by hacking their CMS is a sophisticated one by the standards of sea-pirates, the attackers weren't sophisticated enough to run their attacks through a VPN, enabling the RISKS team to trace the attack back to the hackers' home IP address."""

… and server behaviour when caps optimization is in place would also be interesting

there are at least 3 things wrong with that.

ralphm: Ping; when you're next online can I get a bit of help with Trello? I keep missing you :)

e.g. would the injection of caps in stanzas on first subscription to presence work?

arc: what’s a CMS in this context?

content management system

d’oh

I was hoping for cargo management or something domain-specific

arc: Why ... why would .. why the .. whaaaayyyy???

stupid script kiddies hacked a shipping company's website and started rerouting cargo ships to them to steal the content of the ships..

waqas: I don't see receiving clients failing if <c =hash='sha1'/> is also send

then it’s: (1) why the heck to cargo ships run a CMS which is (2) accessible from the internet and (3) can be used to take over the ship?!

together with a <c hash='new-hash-alg'/>

jonasw: the ship didnt run the CMS. the shipping company operating autonomously controlled ships did

arc: well, that’s only marginally better.

the ships are controlled by the company remotely

this future

however, not only was their website - used for shipping easily hundreds of millions of goods a year - unpatched to common known vulnerabilities, but they didn't use SSL

They Should Have Used XMPP for their remote controlled drone ships

but then - Verizon admits that their risk analysis team was actively monitoring unsecured HTTP, acting as a man in the middle

arc, sorry to change the subject but you have me intrigued about EXI, it sounds like it might be feasible to run a generic exi<->xml converting proxy in front of any xmpp server to give it full exi support, yes or no?

moparisthebest: yes, and to be clear I do think that is the first way deployment will happen, however its suboptimal to run two XML parsers in a chain like that

arc, what’s the source of that read? it sounds lovely

mathieui: google points me to https://boingboing.net/2016/03/03/pirates-hacked-shipping-compan.html

mathieui: https://boingboing.net/2016/03/03/pirates-hacked-shipping-compan.html

yea arc not as great for the server but could be excellent for clients, so when can I expect to be able to download and run the first version from you? :D

SamWhited: thanks for that super-qucik MIX turnaround

moparisthebest: as soon as i wrap up libexi im going to update my Apache mod_xmpp with it, which is primarily designed to serve as a proxy (websockets to xmpp) but now will also do EXI ports too

👍 my morning coffee goes well witch catching up on emails and taking care of XSF stuff :)

Thanks for the new revision

arc, so when do I get an nginx module instead? :P

Steve Kille: ah, you’re here. I wanted to make sure you don’t feel bothered by my insisting on the issues I pointed out. I feel that I should probably have given you more time, but then again, too often things get forgotten and then we end up with sub-optimal XEPs which cannot be changed anymore because there are too many implementations :/

just joking that would be fine too, I'd be curious to look at adding it to Conversations

am I the only one who thinks that webservers are not the right place to terminate SSL for everything?

jonasw: not bothered at all. You are making some excellent input to help move this spec foraward.

Define "web servers"? If you mean reverse proxies like nginx and haproxy, I'd say they're definitely the right place to terminate SSL for everything :)

Because that's what they're designed to do

SamWhited: apache?

moparisthebest: I will never write a nginx module. I'm friends with their CEO, Gus, who I used to play on the same rugby team with when he lived in DC, but he was unwilling to hire me while allowing me to work on non-NGINX FOSS on my own time

moparisthebest: you can already start, there is a complete Java library implementing EXI

jonasw: Yah, I agree with you there… apache may be good at it now, I dunno, but it was not designed to be a reverse proxy.

arc: wtf?

ah yea arc I remember you saying that, and it sounded super shitty

I need to repeat: wtf? Is that even legal?

I've heard that about nginx several times now, which is kind of sad, because I do love the software…

jonasw: Did you know that nginx is actually an email proxy? :)

Zash: unfortunately, yes.

jonasw: yea its because of some VC agreement or someshit. but the idea of a FOSS project turned commercial turning down an employee they just interviewed and were excited about because he works on other FOSS projects is insane

arc, well you said your EXI should work differently than the XEP, and I'd prefer to have a proper server implementation to test against, but yea the library is there at least

I think most big companies have that clause for whatever reason, but I always try to negotiate it away.

I also know that their protocol implementation is simply a character state machine, I don’t want to know how people implemented XMPP on it. I bet it cannot deal with namespace prefixes properly :-)

so I don't consider nginx to be FOSS anymore, regardless to whatever license its available under

SamWhited: wait wat? clauses which forbid you to work on FLOSS in your freetime?

I’m really not sure that would be legal here.

moparisthebest: im unsure how the java library works, but it might do general xml processing. so you could start by changing it to use the different library and developing your client's exi schema

I think it is here, I guess you can agree to about anything jonasw

jonasw: this was the major issue with me and Atlassian, too.

jonasw: Yah, I have no idea if they're enforceable or not, but most places I've applied or worked have had some similar thing.

and Google. and Facebook. and Twitter. and Adroll. and dozens of other firms.

Isn't usually that they claim ownership of anything you do while employed, not forbid things outright?

that's why I'm founding hub.coop

15:23:00 jonasw> I’m really not sure that would be legal here. → it’s legal in some states/countries

and even if illegal, nobody is challenging it in court

hasn’t occured to me yet. but then again, I only worked at a startup and a research facility up to now. the latter being very clueless on software development in general.

Or at least, I think they had; I don't ever understand the legal stuff, but mostly places have made me sign a "previous inventions" thing or I've been able to negotiate that clause out.

arc, btw, google doesn’t always have that clause, afaik

Zash: California law forbids exactly that, anything you work on in your own time and on your own equipment is yours. but they can fire you for doing it without permission and without negotiating aspects about it

but good to know. something to watch out for.

that’d be a deal-breaker for me, too

mathieui: Google requires that you get permission from them, and you must argue how it is in Google's best interest. if the project is *GPL they will ask you why you don't want to work on something Apache based instead, etc

ha right

AGPL will always get a hard "NO"

that explains a lot.

Google employees are not allowed to work on any AGPL licensed project.

Heh, that's okay then; AGPL is a hard no for me personally too :)

I have no regrets about not pushing to join google anymore.

having to ask permission puts them in the position of being able to say no, and negotiate with you what you can do on your own time

SamWhited: for me its beyond the simple ability, its the morality of it.

arc, they aren't allowed to contribute to other's AGPL projects?

this explains so mcuh

yea for me AGPL is almost always the correct choice meh

moparisthebest: no. and that comes from a lawyer working in Google's Open Source Programs Office, the same office that runs Summer of Code is also the office that manages employees wanting to contribute to FOSS

moparisthebest: i agree.

makes me glad I work at a non-software company that just has in-house devs to develop in-house stuff lol, so none of this contract nonsense

what the heck

in fact Google is so hostile to the AGPL that they specifically forbade 3rd party projects from hosting them on their old code hosting site, code.google.com

I think GitHub does that now too, no? Wasn't that one of the consequences of their new TOS?

uh

Or maybe that was just anything that required attribution

that would make a few projects I host there illegal

SamWhited: there were several consequences, I believe GPLv3 and AGPLv3 both

I'm staying out of that one since I dislike github anyway

wait what? lots of AGPL projects are on github?

yah, but technically they're not allowed anymore I think (no idea why, that's just what someone said about their new TOS). I suspect it wasn't an intentional consequence, it was just something they did that was incompatible with those licenses somehow

SamWhited: do you have any sources for that?

the concept of a for-profit company like github having so much control over FOSS projects, their new TOS a perfect example to the potential for abuse of that power, makes me extremely uncomfortable

I can't imagine any TOS that would conflict for code hosting

unintentionally anyway

obviously "no agpl projects" would, but that'd be intentional

moparisthebest: I wouldn't be too concerned for that, the folks at the FSF, SFLC, and SFC are all over it

they'll issue a new TOS soon enough

arc: URLs?

the last I heard they were apologetic for the "misunderstanding" this has caused

arc, yea the way I justify using github is it's not like SVN where your repo is held hostage, I have everything locally and can just host my own gitlab whenever I want

jonasw: i know this from IRC, I've been watching the lawyers talk about it

arc: which IRC?

but yea ideally I wouldn't use it at all... meh

freenode

that’s a very broad statement, arc

not very specific :)

mostly #Conservancy

where else would lawyers be?

ah the kallithea people? I love those guys

but its all over, every channels talking about it

jonasw: Not in front of me; go read their new TOS or search for other peoples blog posts about it.

a few projects immediately pulled their repos and started self-hosting since

SamWhited: the TOS is huge and I can’t find a diff

GIThub tos, no diff? :P

I thought they literally did have it in a repo so you could get a diff…

SamWhited: yes, but

that’s a line diff

not a legalese diff

fair enough

IANAL, what up?

jonasw: Here's a source, but probably also a non-lawyer / completely biased one, so grain of salt: https://www.mirbsd.org/wlog-10_all.htm

SamWhited: Every comment thread I've seen about that has started with "This person doesn't know what they are talking about" ...

ah, section D narrows it down so that I can take a look

Zash: Yah, they probably don't

I just assume they're seeing what they want to see, but I have no idea

I’m not dealing with this right now

hoping to fix a bug today

thanks SamWhited I was searching for 'github agpl' and such with no luck

yah, it was suprisingly hard to find again; makes me think it was just one or two sources being loud and blowing it way out of proportion

arc: if you don’t like github (and I agree that github is a dangerous centralisation of power over FLOSS), what is your alternative suggestion, if I want the broad developer public to easily contribute to and raise bugs for my software?

jonasw, you can go gitlab or bitbucket, it’s slightly less terribad

mathieui: that’s only shifting the problem

yes.

you can run your own gitlab or whatever hip forge like gogs with external auth and it’s equally easy for people to contribute

Self-host all the things!

I have a self-hosted gogs instance, but (a) I don’t really like the idea of having to maintain possible abuse if I open registrations or issues and (b) it adds the hurdle to create an account there while ~everyone has a github acconut.

"equally easy" except that now if everyone does that every single person has to make an account with every single project they want to contribute too…

jonasw, gogs doesn’t allow gitlab oauth?

-gitlab + github

I don’t know, but that doesn’t solve (a)

because you can login into self-hosted gitlab from github

and yeah, there is no solution not run by other people where you don’t have to care for abuse

only allowing to open issues is probably already a good reduction of possibilities for an attacker, but that’s barely sufficient if you want people to contribute patches

Now GitHub is the centralized service for auth, so you have more or less the same problem.

I dunno, not that I actually think this is a problem. If you don't want your stuff on GitHub or wherever you can move it later. I'm just going to keep using GitHub and Bitbucket; mostly they're pretty okay and legal stuff is hard.

yes, currently it is not a problem and GitHub is convenient.

that's how I justify it, I have full history and can move wherever later

right

except the issues and everything else which is only on gh

I actually think github is the last 'hosted' thing I use, that I don't run myself

and if they're apologizing for the confusion over the new TOS like arc said, that probably means they're not going to start randomly deleting your software

you can kind of export those, but yea

SamWhited: i think one of the questions that's come up is whether you've granted github rights above and beyond the license by hosting with them

arc: so it's not that the AGPL is banned, it's just that the AGPL people don't want to give GitHub extra rights?

I feel like, I would HOPE, it would be harder than just a TOS change for them to take rights above and beyond an explicit legal license...

that wouldn't remotely be legal anyway right? if I push an AGPL project there that have AGPL contributions from countless different devs over the years, *I* can't legally grant anyone any other license can I ?

moparisthebest: uh, actually, it shouldn’t be that hard. "By uploading to and using the service you agree that github is allowde to do X with your data"

done.

most of the time it's not *my* data though

not to mention I didn't get any emails or even click to agree, they just published a new version and said 'by continuing...' what like I need to check it every time I push? meh

well, they also state that you must ensure that you have the right to grant that license on the adta

That's the point though I think; it's not illegal for GitHub to say "if you want to use our service, you have to give us a legal grant to use whatever you put on our service", and if you can't do that (because you don't want to relicense from something else that says you can't), then you just don't use their service.

And if you can't license it because it's someone elses work, then you shouldn't be uploading it anyways (which is probably one of the things they were trying to prevent)

well that part isn't true

like I have a fork of curl on github, I can't license that to others with any different license than it has, I certainly can't give github extra stuff over what the license says

right, so you can't upload it to GitHub because they say that to upload things to them you have to be able to give them a rights grant.

bad example because curl has a crazy permissive license, but if it had gpl it'd be a good example :)

so what if you do anyway because you aren't a lawyer and/or haven't read the TOS since 2012 when you signed up or whatever?

they can't *take* those rights, they can just stop hosting you?

Yah, I think that's generally how it works

yea and if that's worst case I don't care

Unless you *do* own the software, then you probably have given them a grant to use it however unless you live somewhere that legal contracts have to be explicit and TOS's don't count

at least, that's what this sounds like to me

so I'm not clear legally on the boundaries there, it *seems* they can say stuff like 'by using the service you implicitly grant us rights', why can't they say stuff like 'if you walk outside today you explicitly grant us rights' ?

Because you're not entering into a business relationship with them in that case.

s/explicitly/implicitly/

(but again, I feel compelled to point out that I have no idea what I'm talking about: I'm just reading shit off the internet and interpreting it as best I can)

then can they say 'if you utter the name github you implicitly grant us rights'

no, of course they can't

I'm not really seeing a precise boundry here, but I guess that's law for you

moparisthebest: the boundary is probably somewhere along the line of "you are using resources on their systems"

jonasw, so then "if you ever visit github.com you are implicitly granting us rights to all your programs"

moparisthebest: there are "if you visit our website you grant us rights" clauses

I suspect a court would also find that visiting GitHub.com doesn't count as entering into a legal contract or business relationship…

that clause there is probably not in proportion and would thus be refuted

what's the legal boundry between visiting and pushing code? both are simple https calls

you can even edit/create code in your browser on github.com

moparisthebest: the amount of data you move to their systems and which is stored persistently

What does the protocol (or anything technical) have to do with any of this?

the data you store on their systems is theirs

The data you upload to github will be thoroughly searched by the United States border control.

SamWhited: im not sure, just things im seeing as i jump between channels. as i said im trying to stay out of it

I don't like github, so my opinions would be biased. I'm just sharing snippets of what ive seen.

honestly I loved bitbucket

once i get quicksilver into a more deployable state I think it could take over

quicksilver is a rather hackish realtime mercurial over xmpp I setup. it needs a lot more work, but is kinda cool for remote pair programming

agh, I don’t like hg :-)

jonasw: well you're in luck because there's nothing about it thats mercurial specific, I think

it could run server-side git just as well

but its not in great shape, extremely hackish. i literally have hg running in a subprocess right now

i put it together with a student twoish years ago as an experiment

re pair programming using xmpp: It's so sad that gobby is no longer under active development

arc, familiar with kallithea?

I know, gobby was nice. but it had its faults too.

or jonasw because kallithea does hg and git :P

moparisthebest: yea ive seen it around

moparisthebest: no, but let me check it out

Flow: what i dont like about gobby is its really session oriented, it doesnt integrate well into daily workflow.

and if you want to compile your work, and someone is editing the same session, you have to wait for them to get their part into a ready state. its a bit *too* realtime

moparisthebest: not confident yet, as they don’t use kallithea to host their own code ;-)

uh, there is commit activity at github.com/gobby/libinfinity

jonasw, they do https://kallithea-scm.org/repos/kallithea

but not their issues etc.

been using it at work since 2012, when it was called rhodecode, before the rhodecode dev did illegal license things and threatened to sue me and sent DMCA takedown notices for patches and stuff....

gah, I can’t stand hosting services which show irrelevant information first and not the files. this is also annoying the hell out of me with the recent gitlab updates.

QS is basically receiving realtime code pushes into your local VC as you work, but doesn't update. so you see that the code is there, and can merge it in realtime, but its not automagic

arc: Isn't pair programming about having a live/real-time programming session with one or more other ppl?

and everything else would be basically using a DVCS

but then the software conservancy vetted it and forked it to kallithea :)

ooh, yah, Bitbucket does that by default… there's an option to change it, but it's an option on each individual repo not on your account, which is stupid.

Flow: it is a dvcs, just with pubsub

arc: and it's called quicksilver?

moparisthebest: all over all, kallithea looks interesting though

arc: got a link?

Flow: i reserved quicksilver.vc but there's nothing really in the repo there, as i said its super hackish and only works with our GCI web-based editor

at some point I'll get it into a deployable format and put some time into porting plugins to gedit/etc

the protocol is stupid simple, the server-side is a quick and dirty pubsub service running mercurial in a subprocess with hooks and pipes, and the client side is a python script in front of local hg in their docker container receiving data from the web-based editor and chat client

the client side is on gci.copyleftgames.org

more than half of it was written by a 15 year old

Alight - im headed to grab coffee with Mr Miller to discuss becoming a member of the XSF

good luck, arc

Flow: if im successful you'll have more members for the IoT sig

they're a washington dc firm doing IoT

Good luck

5 hours later...

That was a long talk. I can't even begin to summarize

He's a XMPP evangelist for sure

Wants to join the iot WG

And XSF more generally...

He suggested the Xsf should have a relationship with IEEE

He wants to get XMPP standardized for iot within IEEE and other bodies

Rickard has met him and Peter Saint-Andre

Isn't psa the xsf's relationship with the IEEE?

If so he missed a ieee XMPP standards group forming

Also httpx is a registered URI protocol for http over XMPP??????

I'm trying to get the engineers in his IEEE group into XSF

Not even a single XSF member involved

It's mad and he agrees. He knew of XSF but didn't know how membership works... He asked how much it cost

And how much did you tell him arc ? :-)

Just $599

What a deal!

Where can I send the money?

Heh