jonasw: 100 bytes is a very optimistic MTU for 802.15.4
jonasw: LTIC it was more like 80 bytes.
Tobias: jonasw, 100 or 120 bytes is realistic for 6LoWPAN
jonasw: hmm
jonasw: must’ve confused something then
Tobias: jonasw, around 100 and with link security it was 80 https://en.wikipedia.org/wiki/6LoWPAN
Tobias: but yeah..it's not much
Tobias: at least my elliptic curve based signatures didn't fit in a single packet :D
jonasw: ah, I think I was thinking about zigbee
Ge0rG remembers a sensor network project that was using XML over UDP and then had "unexplainable" errors when manifests grew over 64KB
jonasw: there the baseline is 84 bytes
arc: jonasw: 2.5 mesh networking eats a bit, as does TLS if you're using it
arc: but yes.
arc: my point is, going from SHA256 to something higher has performance costs associated with it
Tobias: doesn't SHA have bad runtime performance on constrained devices anyway
arc: Tobias: you missed the "magic"
Tobias: i think the SHA code even didn't fit on my target device, so i had to go with something different like BLAKE2 :)
Ge0rG: wouldn't it be possible to precompute the caps hash when compiling the firmware? :D
Tobias: arc, what kind of devices are you usually dealing with? I mostly played around with SAM-R21 like smallish things
arc: the schemaId the client uses is pre-baked, and if the server receives it and returns a different schemaId to use, it will use that. as long as its not required for SASL then there's no issue
arc: Tobias: im not working with a specific device right now. im just writing libexi
Tobias: ah, ok
arc: but talking about how I think EXI should be properly implemented with xmpp
jonasw: "just writing libexi" :)
arc: that method is this: the device (having no previous contact from a given server) sends a sha256: URI as the schemaId, which the server either responds to in-kind (if it is supported) with its own EXI header and the same schema, OR the server responds using a default schema all devices must support with an error, in which case the client must send the pre-encoded schema it wants to use to the server. this schema should be small enough to fit on a given embedded device.
arc: the key here is that the use of sha256 is a convention, and this leaves forward compatibility if in the future this needs to change
arc: a future version of the same XEP may recommend a different hash to default to "guessing" on first connect.
arc: after the server receives the schema from the client though, the server returns the schemaId for the client to use in the future with that server. that schemaId SHOULD be a hash, but it can be literally any string.
arc: so..
arc: say in 2 years there's a quantum computer breakthrough and SHA256 can be easily broken, leading to the risk for cache poisoning, BUT there's a new quantum-proof hash
arc: there's thousands of embedded IoT devices out there..
arc: but XMPP server software is updated for the new hash.
arc: the servers can then reject all sha256 URIs and ask for the client to send the schema they want to use, on first connection to the server (or reconnection after the server is updated with this security update)
jonasw: seems reasonable
arc: the clients send the schema, the server responds with a QPROOFHASH:... URI to use as the schemaId, and older clients simply use that string as-is to refer to the schema they were designed to use.
arc: the XEP is updated accordingly, and everyone is happy.
Tobias: right...will be interesting to see on how small of a device you can get XMPP to run
arc: the smallest devices ive used on a network generally was atmega running Contiki
arc: i havent done 8-bit optimizations to libexi. mostly that would be in the bitpacker I think, because an 8-bit libexi would certainly NOT be compiled with text XML capabilities which is where all the funky stuff is
arc: but I think its very doable.
Tobias: arc, do you know RIOT OS?
arc: no, never heard of it
arc: on the embedded side i'm a hobbyist at best
Tobias: it's an IoT OS, similar to Contiki, but it's all standard C and you could even use C++ https://riot-os.org/
arc: I loathe C++
arc: but that's cool, ill look into it down the road
arc: i see it runs on 8bit
Tobias: haven't used it on 8bit yet, mostly 16 and 32 bit I think
jonasw: interesting
jonasw: but I’m too much a weird person to use a pre-made OS on an embedded system
jonasw: maybe for the next project :)
Tobias: and they have good support for standard IETF protocols
arc: I thought Cortex M0 was going to obsolete the AVR-based devices, but in a recent meeting I was shown an AVR-based internet connected sensor only slightly larger/thicker than a quarter that essentially stacks on top of a coin-cell battery and runs for a full year, the device costing under $5 including the cost of the battery.
arc: jonasw: i've written 3 TCP/IP stacks on 8-bit so far. I do not recommend it, especially IPv6
jonasw: :D
jonasw: I don’t do TCP/IP on embedded though :)
arc: if you havent done it before, you should save whatever sanity is left and let someone else do that work.
arc: ah ok. well you're safe
jonasw: for MTU and "heck, I don’t want to implement a TCP/IP stack on embedded" reasons
Tobias: jonasw, https://github.com/RIOT-OS/RIOT/wiki (the supported devices are listed on the right)
jonasw: Tobias: on the website too
arc: you can do it. its just not fun.
jonasw: arc: I tried to implement UDP/IP/Ethernet in VHDL though.
jonasw: does that count? ;-)
Tobias: jonasw, didn't notice that :)
arc: essentially you need to run the whole thing zerocopy due to constrained RAM
jonasw: Tobias: well, at least enough info on the architectures that I could guess that it’ll run on anything I’ve ever touched ;-)
jonasw: arc: yes.
jonasw: that’s what I needed to do for my custom protocol
arc: and with that, im going to bed.
jonasw: I’m streaming three sensors at 200 Hz and need to spread lower sample rate data in between of that; the transport being Xbee it’s usual that the connection interrupts for some time. so every bit of ram needs to go into buffers.
Kev: Bed? At 9AM? :)
arc: Kev: im in DC. its 3:38am here.
jonasw: good night, arc
Kev: I knew ;)
Kev: NN
arc: i just spent 2 hours searching my old records for my social security card
Kev: Everyone needs a hobby.
jonasw: everyone needs secretaries.
Ge0rG: I wouldn't place important things together with old records.
jonasw: I wouldn’t place important things on a piece of paper.
jonasw: but unfortunately one doesn’t always have a choice on that.
Tobias: still looking for a nice document management system, so I can just scan all documents and pack them away in crates
jonasw: I have ~/Documents/{category}/{date-of-issuance}\ {tags}.pdf. works reasonably well
Guus: Whatever process that normally makes sure that the xmpp.org website is updated after a change in the corresponding git repository appears to be failing
Guus: the problem predates my merger of your code :)
jonasw: oh okay
Tobias: i can take a look
Guus: I think it started going wrong on Feb 26, with my merger of the 'getting started' page
Tobias: unless Kev is already
Guus: JC's 'add subscribe url for the standards list' is live
Guus: ah, it failed first for my attempt to remove the empty 'who uses xmpp' page
Guus: that page is still on the website, although I tried deleting it here https://github.com/xsf/xmpp.org/commit/83f365dc99f8a60f31ea5b524e7daafedb714916
Kev: I'm struggling at the moment to even work out what's supposed to trigger a build of the site.
Tobias: Kev, when I fixed things summer last year, i set up a cron job
jonasw: Kev: repository settings -> webhooks?
Kev: Tobias: Where's the cron?
Kev: It used to be that this was all generated in Travis so we could just pull it onto the server without running code there, but I don't think that's true any more?
Tobias: in staticweb's crontab?
Kev: Ah, staticweb, of course :)
Tobias: didn't want to add it to root's crontab :P
Kev: Tonnes of PDF generation errors.
intosi: /etc/crontab or /etc/cron.d would've been proper.
Tobias: intosi, even for user cron jobs?
jonasw: yes
intosi: Arguably this isn't a user cron job.
jonasw: pick a user there, prevents manipulation of the crontab by the user
intosi: ^ what jonasw said.
jonasw: Tobias: in /etc/cron* you have to explicitly state as which user the job runs
jonasw: so it’s not like everything there runs as root
Tobias: ahh
Tobias: ta
intosi: There's the added benefit that a random admin would look in /etc/cron* first, and might not even consider user crontabs for essential tasks until much later.
Tobias: feel free to move it there then
Guus: perhaps first fix the issue at hand?
intosi: Guus: that's all one go.
Kev: Indeed, I was looking in /etc/cron*.
Kev: Guus: You were right though, it does seem to be the one where you edited the sidebar :)
Kev: CRITICAL: UndefinedError: 'pelican.contents.Page object' has no attribute 'sidebar_menu_elem_url_8'
Guus: weird - why do I not get that locally? Might relate to https://github.com/xsf/xmpp.org/issues/247 ?
Kev: Yes, sounds like your local environment isn't quite working right, if that's the case.
Guus: I might require things that are not in the repository then. My environment is a clean virtual machine, with just the repo content and build tools as listed in the readme.
Tobias: don't know how up to date the readme is, "Any editorial questions: Laura Gill or Simon Tennant can help", at least Simon doesn't seem to be around to respond to any questions regarding xmpp.org site
Guus: Kev: can you make Travis fail with the same error?
Tobias: Guus, what state is https://github.com/xsf/xmpp.org/pull/185 in?
Guus: Tobias: I have not looked at it since. I have now acquired a bit more knowledge about Pelican, so I might not depend on others to finish this
Guus: however: the data that it adds is incomplete
Tobias: incomplete how?
Guus: all votes since 2010 are not in there, I think
Tobias: right, but years that are in there are in there completely right?
Guus: it was a one-on-one conversion of the old pages.
Guus: whatever was in there, is now here.
Guus: I assume that the old data was complete, for those years.
Tobias: right
Guus: Kev / Tobias: I'll be away for the weekend in a short while. If I can help with the website issue, I'll need to do that now-ish.
Kev: No rush right now, I think.
Guus: just saying that I'm willing to help, but will be without laptop soon
Guus: (doing a weekend trip)
Kev: Thanks. Just enjoy your trip, the website will still be here Monday.
Kev: :)
Guus: kk :)
Ge0rG: Flow: backward compatibility is hard :(
https://github.com/ge0rg/MemorizingTrustManager/commit/168b7b5598095bfe6ae6fab4797af3f913b574f4
Flow: Ge0rG: true
Ge0rG: in related news: running the gradle lint on yaxim turned up a dozen of issues, including this one
Flow: ♥ loves lint/static code analyzers
Tobias: Flow, Ge0rG, any experience using errorprone?
Flow: Tobias: Smack uses errorprone
Flow: and it's one of the reasons I made the previous statement
Tobias: ah..ok
Flow: but it did that found that many issues in Smack
Tobias: well..but the things it found were sensible issues, right?
Tobias: it didn't produce tons of useless warnings
Tobias: or did it?
Flow: which is of course only because of my l337 c0d1n6 5k1ll5
Flow: Tobias: very sensible
Flow: compare to facebook's infer, which produces a ton of non-issues
Flow: but to be fair, infer was right about every issue it found, they were just non-issues in that particular context
Zash: Can you tell it to ignore those non-issues?
Flow: Zash: sure, you could suppress them
Flow: I decided against infer in Smack because another static code analyzer would increase the compile time again
jonasw: people on security@ argued back then that the hash agility of 115 doesn’t work (dwd and waqas for example), but there are no conclusive reasons given.
jonasw: here for example: https://mail.jabber.org/pipermail/security/2009-September/000828.html
Zash: doesn't work how
jonasw: Zash: I have no idea
jonasw: I would like to know.
Zash: md5 was used before according to the capsdb
waqas: jonasw: Hash agility doesn't work. What we mean by this is backwards compatibility wasn't allowed for. Clients using new hashes vs old hashes would fail to interoperate.
jonasw: waqas: what would be wrong with simply sending two <c/> elements with different hash functions?
waqas: jonasw: Reality. That wasn't allowed, and clients assume there's only one. You'd fail to interop with most (all?) existing deployments out there.
jonasw: okay
jonasw: makes sense
jonasw: I hate reality
waqas: i.e., you are modifying the XEP in a way that isn't compatible with prior understanding of implementations
jonasw: I like the suggestions you make in https://mail.jabber.org/pipermail/security/2009-September/000829.html btw.
jonasw: specifically:
> Also worth considering is whether multiple hashes for different sets of data
> make sense instead of just one. A hash for capabilities of an entity is the
> most basic. A hash for software ID and version (disco#meta?). A hash for
> disco#items. Future XEPs being able to define hashes for datasets they
> define is also useful. The downside is a slightly larger presence packet
> (which is mitigated by the caps optimization), but I see this leading to a
> significant reduction in queries.
Flow: hu? why wasn't/isn't it allowed to send multiple <c/>s?
jonasw: fwiw, aioxmpp also only uses the last one it finds, but it would be trivial to change that into a map hash->caps
jonasw: so it might simply not be clear that clients should expect multiple nodes
waqas: Flow: Everything is allowed. You can even call it <b/> or <d/>. That existing clients would fail to interpret it in a defined way is the problem.
waqas: Client behavior when they see multiple instances of something that they expected to be single tends to vary between pick-first, pick-last, pick-random, error.
arc: """The Web shell used by the attackers didn't support SSL, so all their activities were logged to the webserver, enabling Verizon's RISKS team to analyze their actions. Though the idea of attacking cargo ships by hacking their CMS is a sophisticated one by the standards of sea-pirates, the attackers weren't sophisticated enough to run their attacks through a VPN, enabling the RISKS team to trace the attack back to the hackers' home IP address."""
jonasw: … and server behaviour when caps optimization is in place would also be interesting
arc: there are at least 3 things wrong with that.
SamWhited: ralphm: Ping; when you're next online can I get a bit of help with Trello? I keep missing you :)
jonasw: e.g. would the injection of caps in stanzas on first subscription to presence work?
jonasw: arc: what’s a CMS in this context?
arc: content management system
jonasw: d’oh
jonasw: I was hoping for cargo management or something domain-specific
Zash: arc: Why ... why would .. why the .. whaaaayyyy???
arc: stupid script kiddies hacked a shipping company's website and started rerouting cargo ships to them to steal the content of the ships..
Flow: waqas: I don't see receiving clients failing if <c hash='sha1'/> is also sent
jonasw: then it’s: (1) why the heck do cargo ships run a CMS which is (2) accessible from the internet and (3) can be used to take over the ship?!
Flow: together with a <c hash='new-hash-alg'/>
arc: jonasw: the ship didnt run the CMS. the shipping company operating autonomously controlled ships did
jonasw: arc: well, that’s only marginally better.
arc: the ships are controlled by the company remotely
jonasw: this future
arc: however, not only was their website - used for shipping easily hundreds of millions of goods a year - unpatched to common known vulnerabilities, but they didn't use SSL
Zash: They Should Have Used XMPP for their remote controlled drone ships
arc: but then - Verizon admits that their risk analysis team was actively monitoring unsecured HTTP, acting as a man in the middle
moparisthebest: arc, sorry to change the subject but you have me intrigued about EXI, it sounds like it might be feasible to run a generic exi<->xml converting proxy in front of any xmpp server to give it full exi support, yes or no?
arc: moparisthebest: yes, and to be clear I do think that is the first way deployment will happen, however its suboptimal to run two XML parsers in a chain like that
mathieui: arc, what’s the source of that read? it sounds lovely
jonasw: mathieui: google points me to https://boingboing.net/2016/03/03/pirates-hacked-shipping-compan.html
moparisthebest: yea arc not as great for the server but could be excellent for clients, so when can I expect to be able to download and run the first version from you? :D
Steve Kille: SamWhited: thanks for that super-quick MIX turnaround
arc: moparisthebest: as soon as i wrap up libexi im going to update my Apache mod_xmpp with it, which is primarily designed to serve as a proxy (websockets to xmpp) but now will also do EXI ports too
SamWhited: 👍 my morning coffee goes well with catching up on emails and taking care of XSF stuff :)
SamWhited: Thanks for the new revision
moparisthebest: arc, so when do I get an nginx module instead? :P
jonasw: Steve Kille: ah, you’re here. I wanted to make sure you don’t feel bothered by my insisting on the issues I pointed out. I feel that I should probably have given you more time, but then again, too often things get forgotten and then we end up with sub-optimal XEPs which cannot be changed anymore because there are too many implementations :/
moparisthebest: just joking that would be fine too, I'd be curious to look at adding it to Conversations
jonasw: am I the only one who thinks that webservers are not the right place to terminate SSL for everything?
Steve Kille: jonasw: not bothered at all. You are making some excellent input to help move this spec forward.
SamWhited: Define "web servers"? If you mean reverse proxies like nginx and haproxy, I'd say they're definitely the right place to terminate SSL for everything :)
SamWhited: Because that's what they're designed to do
jonasw: SamWhited: apache?
arc: moparisthebest: I will never write a nginx module. I'm friends with their CEO, Gus, who I used to play on the same rugby team with when he lived in DC, but he was unwilling to hire me while allowing me to work on non-NGINX FOSS on my own time
arc: moparisthebest: you can already start, there is a complete Java library implementing EXI
SamWhited: jonasw: Yah, I agree with you there… apache may be good at it now, I dunno, but it was not designed to be a reverse proxy.
jonasw: arc: wtf?
moparisthebest: ah yea arc I remember you saying that, and it sounded super shitty
jonasw: I need to repeat: wtf? Is that even legal?
SamWhited: I've heard that about nginx several times now, which is kind of sad, because I do love the software…
Zash: jonasw: Did you know that nginx is actually an email proxy? :)
jonasw: Zash: unfortunately, yes.
arc: jonasw: yea its because of some VC agreement or someshit. but the idea of a FOSS project turned commercial turning down an employee they just interviewed and were excited about because he works on other FOSS projects is insane
moparisthebest: arc, well you said your EXI should work differently than the XEP, and I'd prefer to have a proper server implementation to test against, but yea the library is there at least
SamWhited: I think most big companies have that clause for whatever reason, but I always try to negotiate it away.
jonasw: I also know that their protocol implementation is simply a character state machine, I don’t want to know how people implemented XMPP on it. I bet it cannot deal with namespace prefixes properly :-)
arc: so I don't consider nginx to be FOSS anymore, regardless to whatever license its available under
jonasw: SamWhited: wait wat? clauses which forbid you to work on FLOSS in your freetime?
jonasw: I’m really not sure that would be legal here.
arc: moparisthebest: im unsure how the java library works, but it might do general xml processing. so you could start by changing it to use the different library and developing your client's exi schema
moparisthebest: I think it is here, I guess you can agree to about anything jonasw
arc: jonasw: this was the major issue with me and Atlassian, too.
SamWhited: jonasw: Yah, I have no idea if they're enforceable or not, but most places I've applied or worked have had some similar thing.
arc: and Google. and Facebook. and Twitter. and Adroll. and dozens of other firms.
Zash: Isn't usually that they claim ownership of anything you do while employed, not forbid things outright?
arc: that's why I'm founding hub.coop
mathieui: 15:23:00 jonasw> I’m really not sure that would be legal here. → it’s legal in some states/countries
mathieui: and even if illegal, nobody is challenging it in court
jonasw: hasn’t occurred to me yet. but then again, I only worked at a startup and a research facility up to now. the latter being very clueless on software development in general.
SamWhited: Or at least, I think they had; I don't ever understand the legal stuff, but mostly places have made me sign a "previous inventions" thing or I've been able to negotiate that clause out.
mathieui: arc, btw, google doesn’t always have that clause, afaik
arc: Zash: California law forbids exactly that, anything you work on in your own time and on your own equipment is yours. but they can fire you for doing it without permission and without negotiating aspects about it
jonasw: but good to know. something to watch out for.
jonasw: that’d be a deal-breaker for me, too
arc: mathieui: Google requires that you get permission from them, and you must argue how it is in Google's best interest. if the project is *GPL they will ask you why you don't want to work on something Apache based instead, etc
mathieui: ha right
arc: AGPL will always get a hard "NO"
jonasw: that explains a lot.
arc: Google employees are not allowed to work on any AGPL licensed project.
SamWhited: Heh, that's okay then; AGPL is a hard no for me personally too :)
jonasw: I have no regrets about not pushing to join google anymore.
arc: having to ask permission puts them in the position of being able to say no, and negotiate with you what you can do on your own time
arc: SamWhited: for me its beyond the simple ability, its the morality of it.
moparisthebest: arc, they aren't allowed to contribute to other's AGPL projects?
jonasw: this explains so much
moparisthebest: yea for me AGPL is almost always the correct choice meh
arc: moparisthebest: no. and that comes from a lawyer working in Google's Open Source Programs Office, the same office that runs Summer of Code is also the office that manages employees wanting to contribute to FOSS
arc: moparisthebest: i agree.
moparisthebest: makes me glad I work at a non-software company that just has in-house devs to develop in-house stuff lol, so none of this contract nonsense
jonasw: what the heck
arc: in fact Google is so hostile to the AGPL that they specifically forbade 3rd party projects from hosting them on their old code hosting site, code.google.com
SamWhited: I think GitHub does that now too, no? Wasn't that one of the consequences of their new TOS?
jonasw: uh
SamWhited: Or maybe that was just anything that required attribution
jonasw: that would make a few projects I host there illegal
arc: SamWhited: there were several consequences, I believe GPLv3 and AGPLv3 both
arc: I'm staying out of that one since I dislike github anyway
moparisthebest: wait what? lots of AGPL projects are on github?
SamWhited: yah, but technically they're not allowed anymore I think (no idea why, that's just what someone said about their new TOS). I suspect it wasn't an intentional consequence, it was just something they did that was incompatible with those licenses somehow
jonasw: SamWhited: do you have any sources for that?
arc: the concept of a for-profit company like github having so much control over FOSS projects, their new TOS a perfect example to the potential for abuse of that power, makes me extremely uncomfortable
moparisthebest: I can't imagine any TOS that would conflict for code hosting
moparisthebest: unintentionally anyway
moparisthebest: obviously "no agpl projects" would, but that'd be intentional
arc: moparisthebest: I wouldn't be too concerned for that, the folks at the FSF, SFLC, and SFC are all over it
arc: they'll issue a new TOS soon enough
jonasw: arc: URLs?
arc: the last I heard they were apologetic for the "misunderstanding" this has caused
moparisthebest: arc, yea the way I justify using github is it's not like SVN where your repo is held hostage, I have everything locally and can just host my own gitlab whenever I want
arc: jonasw: i know this from IRC, I've been watching the lawyers talk about it
jonasw: arc: which IRC?
moparisthebest: but yea ideally I wouldn't use it at all... meh
arc: freenode
jonasw: that’s a very broad statement, arc
moparisthebest: not very specific :)
arc: mostly #Conservancy
arc: where else would lawyers be?
moparisthebest: ah the kallithea people? I love those guys
arc: but its all over, every channels talking about it
SamWhited: jonasw: Not in front of me; go read their new TOS or search for other people's blog posts about it.
arc: a few projects immediately pulled their repos and started self-hosting since
jonasw: SamWhited: the TOS is huge and I can’t find a diff
moparisthebest: GIThub tos, no diff? :P
SamWhited: I thought they literally did have it in a repo so you could get a diff…
jonasw: SamWhited: yes, but
mathieui: that’s a line diff
mathieui: not a legalese diff
SamWhited: fair enough
Zash: IANAL, what up?
SamWhited: jonasw: Here's a source, but probably also a non-lawyer / completely biased one, so grain of salt: https://www.mirbsd.org/wlog-10_all.htm
Zash: SamWhited: Every comment thread I've seen about that has started with "This person doesn't know what they are talking about" ...
jonasw: ah, section D narrows it down so that I can take a look
SamWhited: Zash: Yah, they probably don't
SamWhited: I just assume they're seeing what they want to see, but I have no idea
jonasw: I’m not dealing with this right now
jonasw: hoping to fix a bug today
moparisthebest: thanks SamWhited I was searching for 'github agpl' and such with no luck
SamWhited: yah, it was surprisingly hard to find again; makes me think it was just one or two sources being loud and blowing it way out of proportion
jonaswarc: if you don’t like github (and I agree that github is a dangerous centralisation of power over FLOSS), what is your alternative suggestion, if I want the broad developer public to easily contribute to and raise bugs for my software?
mathieuijonasw, you can go gitlab or bitbucket, it’s slightly less terribad
jonaswmathieui: that’s only shifting the problem
mathieuiyes.
mathieuiyou can run your own gitlab or whatever hip forge like gogs with external auth and it’s equally easy for people to contribute
ZashSelf-host all the things!
jonaswI have a self-hosted gogs instance, but (a) I don’t really like the idea of having to maintain possible abuse if I open registrations or issues and (b) it adds the hurdle to create an account there while ~everyone has a github acconut.
SamWhited"equally easy" except that now if everyone does that every single person has to make an account with every single project they want to contribute too…
mathieuijonasw, gogs doesn’t allow gitlab oauth?
mathieui-gitlab + github
jonaswI don’t know, but that doesn’t solve (a)
mathieuibecause you can login into self-hosted gitlab from github
kalkinhas left
mathieuiand yeah, there is no solution not run by other people where you don’t have to care for abuse
jonaswonly allowing to open issues is probably already a good reduction of possibilities for an attacker, but that’s barely sufficient if you want people to contribute patches
SamWhitedNow GitHub is the centralized service for auth, so you have more or less the same problem.
SamWhitedI dunno, not that I actually think this is a problem. If you don't want your stuff on GitHub or wherever you can move it later. I'm just going to keep using GitHub and Bitbucket; mostly they're pretty okay and legal stuff is hard.
jonaswyes, currently it is not a problem and GitHub is convenient.
moparisthebestthat's how I justify it, I have full history and can move wherever later
jonaswright
jonaswexcept the issues and everything else which is only on gh
moparisthebestI actually think github is the last 'hosted' thing I use, that I don't run myself
SamWhitedand if they're apologizing for the confusion over the new TOS like arc said, that probably means they're not going to start randomly deleting your software
moparisthebestyou can kind of export those, but yea
nicolas.veritehas joined
nicolas.veritehas left
Guushas left
arcSamWhited: i think one of the questions that's come up is whether you've granted github rights above and beyond the license by hosting with them
nicolas.veritehas joined
SamWhitedarc: so it's not that the AGPL is banned, it's just that the AGPL people don't want to give GitHub extra rights?
moparisthebestI feel like, I would HOPE, it would be harder than just a TOS change for them to take rights above and beyond an explicit legal license...
sezuanhas left
moparisthebestthat wouldn't remotely be legal anyway right? if I push an AGPL project there that has AGPL contributions from countless different devs over the years, *I* can't legally grant anyone any other license can I ?
jonaswmoparisthebest: uh, actually, it shouldn’t be that hard. "By uploading to and using the service you agree that github is allowed to do X with your data"
jonaswdone.
moparisthebestmost of the time it's not *my* data though
moparisthebestnot to mention I didn't get any emails or even click to agree, they just published a new version and said 'by continuing...' what like I need to check it every time I push? meh
jonaswwell, they also state that you must ensure that you have the right to grant that license on the data
SamWhitedThat's the point though I think; it's not illegal for GitHub to say "if you want to use our service, you have to give us a legal grant to use whatever you put on our service", and if you can't do that (because you don't want to relicense from something else that says you can't), then you just don't use their service.
SamWhitedAnd if you can't license it because it's someone else's work, then you shouldn't be uploading it anyways (which is probably one of the things they were trying to prevent)
moparisthebestwell that part isn't true
moparisthebestlike I have a fork of curl on github, I can't license that to others with any different license than it has, I certainly can't give github extra stuff over what the license says
SamWhitedright, so you can't upload it to GitHub because they say that to upload things to them you have to be able to give them a rights grant.
moparisthebestbad example because curl has a crazy permissive license, but if it had gpl it'd be a good example :)
moparisthebestso what if you do anyway because you aren't a lawyer and/or haven't read the TOS since 2012 when you signed up or whatever?
moparisthebestthey can't *take* those rights, they can just stop hosting you?
SamWhitedYah, I think that's generally how it works
moparisthebestyea and if that's worst case I don't care
SamWhitedUnless you *do* own the software, then you probably have given them a grant to use it however unless you live somewhere that legal contracts have to be explicit and TOS's don't count
SamWhitedat least, that's what this sounds like to me
moparisthebestso I'm not clear legally on the boundaries there, it *seems* they can say stuff like 'by using the service you implicitly grant us rights', why can't they say stuff like 'if you walk outside today you explicitly grant us rights' ?
SamWhitedBecause you're not entering into a business relationship with them in that case.
moparisthebests/explicitly/implicitly/
SamWhited(but again, I feel compelled to point out that I have no idea what I'm talking about: I'm just reading shit off the internet and interpreting it as best I can)
moparisthebestthen can they say 'if you utter the name github you implicitly grant us rights'
SamWhitedno, of course they can't
moparisthebestI'm not really seeing a precise boundary here, but I guess that's law for you
jonaswmoparisthebest: the boundary is probably somewhere along the line of "you are using resources on their systems"
moparisthebestjonasw, so then "if you ever visit github.com you are implicitly granting us rights to all your programs"
jonaswmoparisthebest: there are "if you visit our website you grant us rights" clauses
SamWhitedI suspect a court would also find that visiting GitHub.com doesn't count as entering into a legal contract or business relationship…
jonaswthat clause there is probably not in proportion and would thus be refuted
moparisthebestwhat's the legal boundary between visiting and pushing code? both are simple https calls
moparisthebestyou can even edit/create code in your browser on github.com
jonaswmoparisthebest: the amount of data you move to their systems and which is stored persistently
SamWhitedWhat does the protocol (or anything technical) have to do with any of this?
jonaswthe data you store on their systems is theirs
Ge0rGThe data you upload to github will be thoroughly searched by the United States border control.
arcSamWhited: im not sure, just things im seeing as i jump between channels. as i said im trying to stay out of it
arcI don't like github, so my opinions would be biased. I'm just sharing snippets of what ive seen.
archonestly I loved bitbucket
arconce i get quicksilver into a more deployable state I think it could take over
arcquicksilver is a rather hackish realtime mercurial over xmpp I set up. it needs a lot more work, but is kinda cool for remote pair programming
jonaswagh, I don’t like hg :-)
arcjonasw: well you're in luck because there's nothing about it thats mercurial specific, I think
arcit could run server-side git just as well
arcbut its not in great shape, extremely hackish. i literally have hg running in a subprocess right now
arci put it together with a student twoish years ago as an experiment
Flowre pair programming using xmpp: It's so sad that gobby is no longer under active development
moparisthebestarc, familiar with kallithea?
arcI know, gobby was nice. but it had its faults too.
moparisthebestor jonasw because kallithea does hg and git :P
arcmoparisthebest: yea ive seen it around
jonaswmoparisthebest: no, but let me check it out
arcFlow: what i dont like about gobby is its really session oriented, it doesnt integrate well into daily workflow.
arcand if you want to compile your work, and someone is editing the same session, you have to wait for them to get their part into a ready state. its a bit *too* realtime
jonaswmoparisthebest: not confident yet, as they don’t use kallithea to host their own code ;-)
Flowuh, there is commit activity at github.com/gobby/libinfinity
moparisthebestjonasw, they do https://kallithea-scm.org/repos/kallithea
jonaswbut not their issues etc.
moparisthebestbeen using it at work since 2012, when it was called rhodecode, before the rhodecode dev did illegal license things and threatened to sue me and sent DMCA takedown notices for patches and stuff....
jonaswgah, I can’t stand hosting services which show irrelevant information first and not the files. this is also annoying the hell out of me with the recent gitlab updates.
arcQS is basically receiving realtime code pushes into your local VC as you work, but doesn't update. so you see that the code is there, and can merge it in realtime, but its not automagic
Flowarc: Isn't pair programming about having a live/real-time programming session with one or more other ppl?
Flowand everything else would be basically using a DVCS
moparisthebestbut then the software conservancy vetted it and forked it to kallithea :)
SamWhitedooh, yah, Bitbucket does that by default… there's an option to change it, but it's an option on each individual repo not on your account, which is stupid.
arcFlow: it is a dvcs, just with pubsub
Flowarc: and it's called quicksilver?
jonaswmoparisthebest: all in all, kallithea looks interesting though
Flowarc: got a link?
arcFlow: i reserved quicksilver.vc but there's nothing really in the repo there, as i said its super hackish and only works with our GCI web-based editor
arcat some point I'll get it into a deployable format and put some time into porting plugins to gedit/etc
arcthe protocol is stupid simple, the server-side is a quick and dirty pubsub service running mercurial in a subprocess with hooks and pipes, and the client side is a python script in front of local hg in their docker container receiving data from the web-based editor and chat client
arcthe client side is on gci.copyleftgames.org
arcmore than half of it was written by a 15 year old
arcAlright - im headed to grab coffee with Mr Miller to discuss becoming a member of the XSF
jonaswgood luck, arc
arcFlow: if im successful you'll have more members for the IoT sig
arcthey're a washington dc firm doing IoT
SamWhitedGood luck
arc5 hours later...
arcThat was a long talk. I can't even begin to summarize
arcHe's an XMPP evangelist for sure
arcWants to join the iot WG
arcAnd XSF more generally...
arcHe suggested the XSF should have a relationship with IEEE
arcHe wants to get XMPP standardized for iot within IEEE and other bodies
arcRickard has met him and Peter Saint-Andre
moparisthebestIsn't psa the xsf's relationship with the IEEE?
arcIf so he missed an IEEE XMPP standards group forming
arcAlso httpx is a registered URI protocol for http over XMPP??????
arcI'm trying to get the engineers in his IEEE group into XSF
arcNot even a single XSF member involved
arcIt's mad and he agrees. He knew of XSF but didn't know how membership works... He asked how much it cost
moparisthebestAnd how much did you tell him arc ? :-)