jonasw, around 100 and with link security it was 80 https://en.wikipedia.org/wiki/6LoWPAN
Tobias
but yeah..it's not much
Tobias
at least my elliptic curve based signatures didn't fit in a single packet :D
jonasw
ah, I think I was thinking about zigbee
Ge0rG remembers a sensor network project that was using XML over UDP and then had "unexplainable" errors when manifests grew over 64KB
jonasw
there the baseline is 84 bytes
arc
jonasw: 2.5 mesh networking eats a bit, as does TLS if you're using it
arc
but yes.
arc
my point is, going from SHA256 to something higher has performance costs associated with it
Tobias
doesn't SHA have bad runtime performance on constrained devices anyway
arc
Tobias: you missed the "magic"
Tobias
i think the SHA code even didn't fit on my target device, so i had to go with something different like BLAKE2 :)
Ge0rG
wouldn't it be possible to precompute the caps hash when compiling the firmware? :D
Tobias
arc, what kind of devices are you usually dealing with? I mostly played around with SAM-R21 like smallish things
arc
the schemaId the client uses is pre-baked, and if the server receives it and returns a different schemaId to use, it will use that. as long as its not required for SASL then there's no issue
arc
Tobias: im not working with a specific device right now. im just writing libexi
Tobias
ah, ok
arc
but talking about how I think EXI should be properly implemented with xmpp
jonasw
"just writing libexi" :)
arc
that method is this: the device (having no previous contact from a given server) sends a sha256: URI as the schemaId, which the server either responds to in-kind (if it is supported) with its own EXI header and the same schema, OR the server responds using a default schema all devices must support with an error, in which case the client must send the pre-encoded schema it wants to use to the server. this schema should be small enough to fit on a given embedded device.
arc
the key here is that the use of sha256 is a convention, and this leaves forward compatibility if in the future this needs to change
arc
a future version of the same XEP may recommend a different hash to default to "guessing" on first connect.
arc
after the server receives the schema from the client though, the server returns the schemaId for the client to use in the future with that server. that schemaId SHOULD be a hash, but it can be literally any string.
arc
so..
arc
say in 2 years there's a quantum computer breakthrough and SHA256 can be easily broken, leading to the risk for cache poisoning, BUT there's a new quantum-proof hash
arc
there's thousands of embedded IoT devices out there..
arc
but XMPP server software is updated for the new hash.
arc
the servers can then reject all sha256 URIs and ask for the client to send the schema they want to use, on first connection to the server (or reconnection after the server is updated with this security update)
jonasw
seems reasonable
arc
the clients send the schema, the server responds with a QPROOFHASH:... URI to use as the schemaId, and older clients simply use that string as-is to refer to the schema they were designed to use.
arc
the XEP is updated accordingly, and everyone is happy.
Tobias
right...will be interesting to see on how small of a device you can get XMPP to run
arc
the smallest devices ive used on a network generally was atmega running Contiki
arc
i havent done 8-bit optimizations to libexi. mostly that would be in the bitpacker I think, because an 8-bit libexi would certainly NOT be compiled with text XML capabilities which is where all the funky stuff is
arc
but I think its very doable.
Tobias
arc, do you know RIOT OS?
arc
no, never heard of it
arc
on the embedded side i'm a hobbyist at best
Tobias
it's an IoT OS, similar to Contiki, but it's all standard C and you could even use C++ https://riot-os.org/
arc
I loathe C++
arc
but that's cool, ill look into it down the road
arc
i see it runs on 8bit
Tobias
haven't used it on 8bit yet, mostly 16 and 32 bit I think
jonasw
interesting
jonasw
but I’m too much a weird person to use a pre-made OS on an embedded system
jonasw
maybe for the next project :)
Tobias
and they have good support for standard IETF protocols
arc
I thought Cortex M0 was going to obsolete the AVR-based devices, but in a recent meeting I was shown an AVR-based internet connected sensor only slightly larger/thicker than a quarter that essentially stacks on top of a coin-cell battery and runs for a full year, the device costing under $5 including the cost of the battery.
arc
jonasw: i've written 3 TCP/IP stacks on 8-bit so far. I do not recommend it, especially IPv6
jonasw
:D
jonasw
I don’t do TCP/IP on embedded though :)
arc
if you havent done it before, you should save whatever sanity is left and let someone else do that work.
arc
ah ok. well you're safe
jonasw
for MTU and "heck, I don’t want to implement a TCP/IP stack on embedded" reasons
Tobias
jonasw, https://github.com/RIOT-OS/RIOT/wiki (the supported devices are listed on the right)
jonasw
Tobias: on the website too
arc
you can do it. its just not fun.
jonasw
arc: I tried to implement UDP/IP/Ethernet in VHDL though.
jonasw
does that count? ;-)
Tobias
jonasw, didn't notice that :)
arc
essentially you need to run the whole thing zerocopy due to constrained RAM
jonasw
Tobias: well, at least enough info on the architectures that I could guess that it’ll run on anything I’ve ever touched ;-)
jonasw
arc: yes.
jonasw
that’s what I needed to do for my custom protocol
arc
and with that, im going to bed.
jonasw
I’m streaming three sensors at 200 Hz and need to spread lower sample rate data inbetween of that; the transport being Xbee it’s usual that the connection interrupts for some time. so every bit of ram needs to go into buffers.
Kev
Bed? At 9AM? :)
arc
Kev: im in DC. its 3:38am here.
jonasw
good night, arc
Kev
I knew ;)
Kev
NN
arc
i just spent 2 hours searching my old records for my social security card
Kev
Everyone needs a hobby.
jonasw
everyone needs secretaries.
Ge0rG
I wouldn't place important things together with old records.
jonasw
I wouldn’t place important things on a piece of paper.
jonasw
but unfortunately one doesn’t always have a choice on that.
Tobias
still looking for a nice document management system, so I can just scan all documents and pack them away in crates
jonasw
I have ~/Documents/{category}/{date-of-issuance}\ {tags}.pdf. works reasonably well
Guus
Whatever process that normally makes sure that the xmpp.org website is updated after a change in the corresponding git repository appears to be failing
jonasw
it wasn’t me.<x xmlns="jabber:x:tone">not-convincing</x>
Guus
the problem predates my merger of your code :)
jonasw
oh okay
Tobias
i can take a look
Guus
I think it started going wrong on Feb 26, with my merger of the 'getting started' page
Tobias
unless Kev is already
Guus
JC's 'add subscribe url for the standards list' is live
Guus
ah, it failed first for my attempt to remove the empty 'who uses xmpp' page
Guus
that page is still on the website, although I tried deleting it here https://github.com/xsf/xmpp.org/commit/83f365dc99f8a60f31ea5b524e7daafedb714916
Kev
I'm struggling at the moment to even work out what's supposed to trigger a build of the site.
Tobias
Kev, when I fixed things summer last year, i set up a cron job
jonasw
Kev: repository settings -> webhooks?
Kev
Tobias: Where's the cron?
Kev
It used to be that this was all generated in Travis so we could just pull it onto the server without running code there, but I don't think that's true any more?
Tobias
in staticweb's crontab?
Kev
Ah, staticweb, of course :)
Tobias
didn't want to add it to root's crontab :P
Kev
Tonnes of PDF generation errors.
intosi
/etc/crontab or /etc/cron.d would've been proper.
Tobias
intosi, even for user cron jobs?
jonasw
yes
intosi
Arguably this isn't a user cron job.
jonasw
pick a user there, prevents manipulation of the crontab by the user
intosi
^ what jonasw said.
jonasw
Tobias: in /etc/cron* you have to explicitly state as which user the job runs
jonasw
so it’s not like everything there runs as root
Tobias
ahh
Tobias
ta
intosi
There's the added benefit that a random admin would look in /etc/cron* first, and might not even consider user crontabs for essential tasks until much later.
Tobias
feel free to move it there then
Guus
perhaps first fix the issue at hand?
intosi
Guus: that's all one go.
Kev
Indeed, I was looking in /etc/cron*.
Kev
Guus: You were right though, it does seem to be the one where you edited the sidebar :)
Kev
CRITICAL: UndefinedError: 'pelican.contents.Page object' has no attribute 'sidebar_menu_elem_url_8'
Guus
weird - why do I not get that locally? Might relate to https://github.com/xsf/xmpp.org/issues/247 ?
Kev
Yes, sounds like your local environment isn't quite working right, if that's the case.
Guus
I might require things that are not in the repository then. My environment is a clean virtual machine, with just the repo content and build tools as listed in the readme.
Tobias
don't know how up to date the readme is, "Any editorial questions: Laura Gill or Simon Tennant can help", at least Simon doesn't seem to be around to respond to any questions regarding xmpp.org site
Guus
Kev: can you make Travis fail with the same error?
Tobias
Guus, what state is https://github.com/xsf/xmpp.org/pull/185 in?
Guus
Tobias: I have not looked at it since. I have now acquired a bit more knowledge about Pelican, so I might not depend on others to finish this
Guus
however: the data that it adds is incomplete
Tobias
incomplete how?
Guus
all votes since 2010 are not in there, I think
Tobias
right, but years that are in there are in there completely right?
Guus
it was a one-on-one conversion of the old pages.
Guus
whatever was in there, is now here.
Guus
I assume that the old data was complete, for those years.
Tobias
right
Guus
Kev / Tobias: I'll be away for the weekend in a short while. If I can help with the website issue, I'll need to do that now-ish.
Kev
No rush right now, I think.
Guus
just saying that I'm willing to help, but will be without laptop soon
Guus
(doing a weekend trip)
Kev
Thanks. Just enjoy your trip, the website will still be here Monday.
Kev
:)
Guus
kk :)
Ge0rG
Flow: backward compatibility is hard :(
https://github.com/ge0rg/MemorizingTrustManager/commit/168b7b5598095bfe6ae6fab4797af3f913b574f4
Flow
Ge0rG: true
Ge0rG
in related news: running the gradle lint on yaxim turned up a dozen of issues, including this one
Flow ♥ loves lint/static code analyzers
Tobias
Flow, Ge0rG, any experience using errorprone?
Flow
Tobias: Smack uses errorprone
Flow
and it's one of the reasons I made the previous statement
Tobias
ah..ok
Flow
but it did that found that many issues in Smack
Tobias
well..but the things it found were sensible issues, right?
Tobias
it didn't produce tons of useless warnings
Tobias
or did it?
Flow
which is of course only because of my l337 c0d1n6 5k1ll5
Flow
Tobias: very sensible
Flow
compare to facebook's infer, which produces a ton of non-issues
Flow
but to be fair, infer was right about every issue it found, they were just non-issues in that particular context
Zash
Can you tell it to ignore those non-issues?
Flow
Zash: sure, you could suppress them
Flow
I decided against infer in Smack because another static code analyzer would increase the compile time again
jonasw
people on security@ argued back then that the hash agility of 115 doesn’t work (dwd and waqas for example), but there are no conclusive reasons given.
jonasw
here for example: https://mail.jabber.org/pipermail/security/2009-September/000828.html
Zash
doesn't work how
jonasw
Zash: I have no idea
jonasw
I would like to know.
Zash
md5 was used before according to the capsdb
waqas
jonasw: Hash agility doesn't work. What we mean by this is backwards compatibility wasn't allowed for. Clients using new hashes vs old hashes would fail to interoperate.
jonasw
waqas: what would be wrong with simply sending two <c/> elements with different hash functions?
waqas
jonasw: Reality. That wasn't allowed, and clients assume there's only one. You'd fail to interop with most (all?) existing deployments out there.
jonasw
okay
jonasw
makes sense
jonasw
I hate reality
waqas
i.e., you are modifying the XEP in a way that isn't compatible with prior understanding of implementations
jonasw
I like the suggestions you make in https://mail.jabber.org/pipermail/security/2009-September/000829.html btw.
jonasw
specifically:
> Also worth considering is whether multiple hashes for different sets of data
> make sense instead of just one. A hash for capabilities of an entity is the
> most basic. A hash for software ID and version (disco#meta?). A hash for
> disco#items. Future XEPs being able to define hashes for datasets they
> define is also useful. The downside is a slightly larger presence packet
> (which is mitigated by the caps optimization), but I see this leading to a
> significant reduction in queries.
Flow
hu? why wasn't/isn't it allowed to send multiple <c/>s?
jonasw
fwiw, aioxmpp also only uses the last one it finds, but it would be trivial to change that into a map hash->caps
jonasw
so it might simply not be clear that clients should expect multiple nodes
waqas
Flow: Everything is allowed. You can even call it <b/> or <d/>. That existing clients would fail to interpret it in a defined way is the problem.
waqas
Client behavior when they see multiple instances of something that they expected to be single tends to vary between pick-first, pick-last, pick-random, error.
arc
"""The Web shell used by the attackers didn't support SSL, so all their activities were logged to the webserver, enabling Verizon's RISKS team to analyze their actions. Though the idea of attacking cargo ships by hacking their CMS is a sophisticated one by the standards of sea-pirates, the attackers weren't sophisticated enough to run their attacks through a VPN, enabling the RISKS team to trace the attack back to the hackers' home IP address."""
jonasw
… and server behaviour when caps optimization is in place would also be interesting
arc
there are at least 3 things wrong with that.
SamWhited
ralphm: Ping; when you're next online can I get a bit of help with Trello? I keep missing you :)
jonasw
e.g. would the injection of caps in stanzas on first subscription to presence work?
jonasw
arc: what’s a CMS in this context?
arc
content management system
jonasw
d’oh
jonasw
I was hoping for cargo management or something domain-specific
Zash
arc: Why ... why would .. why the .. whaaaayyyy???
arc
stupid script kiddies hacked a shipping company's website and started rerouting cargo ships to them to steal the content of the ships..
Flow
waqas: I don't see receiving clients failing if <c hash='sha1'/> is also sent
jonasw
then it’s: (1) why the heck do cargo ships run a CMS which is (2) accessible from the internet and (3) can be used to take over the ship?!
Flow
together with a <c hash='new-hash-alg'/>
arc
jonasw: the ship didnt run the CMS. the shipping company operating autonomously controlled ships did
jonasw
arc: well, that’s only marginally better.
arc
the ships are controlled by the company remotely
jonasw
this future
arc
however, not only was their website - used for shipping easily hundreds of millions of goods a year - unpatched to common known vulnerabilities, but they didn't use SSL
Zash
They Should Have Used XMPP for their remote controlled drone ships
arc
but then - Verizon admits that their risk analysis team was actively monitoring unsecured HTTP, acting as a man in the middle
moparisthebest
arc, sorry to change the subject but you have me intrigued about EXI, it sounds like it might be feasible to run a generic exi<->xml converting proxy in front of any xmpp server to give it full exi support, yes or no?
arc
moparisthebest: yes, and to be clear I do think that is the first way deployment will happen, however its suboptimal to run two XML parsers in a chain like that
mathieui
arc, what’s the source of that read? it sounds lovely
jonasw
mathieui: google points me to https://boingboing.net/2016/03/03/pirates-hacked-shipping-compan.html
yea arc not as great for the server but could be excellent for clients, so when can I expect to be able to download and run the first version from you? :D
Steve Kille
SamWhited: thanks for that super-quick MIX turnaround
arc
moparisthebest: as soon as i wrap up libexi im going to update my Apache mod_xmpp with it, which is primarily designed to serve as a proxy (websockets to xmpp) but now will also do EXI ports too
SamWhited
👍 my morning coffee goes well with catching up on emails and taking care of XSF stuff :)
SamWhited
Thanks for the new revision
moparisthebest
arc, so when do I get an nginx module instead? :P
jonasw
Steve Kille: ah, you’re here. I wanted to make sure you don’t feel bothered by my insisting on the issues I pointed out. I feel that I should probably have given you more time, but then again, too often things get forgotten and then we end up with sub-optimal XEPs which cannot be changed anymore because there are too many implementations :/
moparisthebest
just joking that would be fine too, I'd be curious to look at adding it to Conversations
jonasw
am I the only one who thinks that webservers are not the right place to terminate SSL for everything?
Steve Kille
jonasw: not bothered at all. You are making some excellent input to help move this spec forward.
SamWhited
Define "web servers"? If you mean reverse proxies like nginx and haproxy, I'd say they're definitely the right place to terminate SSL for everything :)
SamWhited
Because that's what they're designed to do
jonasw
SamWhited: apache?
arc
moparisthebest: I will never write a nginx module. I'm friends with their CEO, Gus, who I used to play on the same rugby team with when he lived in DC, but he was unwilling to hire me while allowing me to work on non-NGINX FOSS on my own time
arc
moparisthebest: you can already start, there is a complete Java library implementing EXI
SamWhited
jonasw: Yah, I agree with you there… apache may be good at it now, I dunno, but it was not designed to be a reverse proxy.
jonasw
arc: wtf?
moparisthebest
ah yea arc I remember you saying that, and it sounded super shitty
jonasw
I need to repeat: wtf? Is that even legal?
SamWhited
I've heard that about nginx several times now, which is kind of sad, because I do love the software…
Zash
jonasw: Did you know that nginx is actually an email proxy? :)
jonasw
Zash: unfortunately, yes.
arc
jonasw: yea its because of some VC agreement or someshit. but the idea of a FOSS project turned commercial turning down an employee they just interviewed and were excited about because he works on other FOSS projects is insane
moparisthebest
arc, well you said your EXI should work differently than the XEP, and I'd prefer to have a proper server implementation to test against, but yea the library is there at least
SamWhited
I think most big companies have that clause for whatever reason, but I always try to negotiate it away.
jonasw
I also know that their protocol implementation is simply a character state machine, I don’t want to know how people implemented XMPP on it. I bet it cannot deal with namespace prefixes properly :-)
arc
so I don't consider nginx to be FOSS anymore, regardless to whatever license its available under
jonasw
SamWhited: wait wat? clauses which forbid you to work on FLOSS in your freetime?
jonasw
I’m really not sure that would be legal here.
arc
moparisthebest: im unsure how the java library works, but it might do general xml processing. so you could start by changing it to use the different library and developing your client's exi schema
moparisthebest
I think it is here, I guess you can agree to about anything jonasw
arc
jonasw: this was the major issue with me and Atlassian, too.
SamWhited
jonasw: Yah, I have no idea if they're enforceable or not, but most places I've applied or worked have had some similar thing.
arc
and Google. and Facebook. and Twitter. and Adroll. and dozens of other firms.
Zash
Isn't usually that they claim ownership of anything you do while employed, not forbid things outright?
arc
that's why I'm founding hub.coop
mathieui
15:23:00 jonasw> I’m really not sure that would be legal here. → it’s legal in some states/countries
mathieui
and even if illegal, nobody is challenging it in court
jonasw
hasn’t occurred to me yet. but then again, I only worked at a startup and a research facility up to now. the latter being very clueless on software development in general.
SamWhited
Or at least, I think they had; I don't ever understand the legal stuff, but mostly places have made me sign a "previous inventions" thing or I've been able to negotiate that clause out.
mathieui
arc, btw, google doesn’t always have that clause, afaik
arc
Zash: California law forbids exactly that, anything you work on in your own time and on your own equipment is yours. but they can fire you for doing it without permission and without negotiating aspects about it
jonasw
but good to know. something to watch out for.
jonasw
that’d be a deal-breaker for me, too
arc
mathieui: Google requires that you get permission from them, and you must argue how it is in Google's best interest. if the project is *GPL they will ask you why you don't want to work on something Apache based instead, etc
mathieui
ha right
arc
AGPL will always get a hard "NO"
jonasw
that explains a lot.
arc
Google employees are not allowed to work on any AGPL licensed project.
SamWhited
Heh, that's okay then; AGPL is a hard no for me personally too :)
jonasw
I have no regrets about not pushing to join google anymore.
arc
having to ask permission puts them in the position of being able to say no, and negotiate with you what you can do on your own time
arc
SamWhited: for me its beyond the simple ability, its the morality of it.
moparisthebest
arc, they aren't allowed to contribute to other's AGPL projects?
jonasw
this explains so much
moparisthebest
yea for me AGPL is almost always the correct choice meh
arc
moparisthebest: no. and that comes from a lawyer working in Google's Open Source Programs Office, the same office that runs Summer of Code is also the office that manages employees wanting to contribute to FOSS
arc
moparisthebest: i agree.
moparisthebest
makes me glad I work at a non-software company that just has in-house devs to develop in-house stuff lol, so none of this contract nonsense
jonasw
what the heck
arc
in fact Google is so hostile to the AGPL that they specifically forbade 3rd party projects from hosting them on their old code hosting site, code.google.com
SamWhited
I think GitHub does that now too, no? Wasn't that one of the consequences of their new TOS?
jonasw
uh
SamWhited
Or maybe that was just anything that required attribution
jonasw
that would make a few projects I host there illegal
arc
SamWhited: there were several consequences, I believe GPLv3 and AGPLv3 both
arc
I'm staying out of that one since I dislike github anyway
moparisthebest
wait what? lots of AGPL projects are on github?
SamWhited
yah, but technically they're not allowed anymore I think (no idea why, that's just what someone said about their new TOS). I suspect it wasn't an intentional consequence, it was just something they did that was incompatible with those licenses somehow
jonasw
SamWhited: do you have any sources for that?
arc
the concept of a for-profit company like github having so much control over FOSS projects, their new TOS a perfect example to the potential for abuse of that power, makes me extremely uncomfortable
moparisthebest
I can't imagine any TOS that would conflict for code hosting
moparisthebest
unintentionally anyway
moparisthebest
obviously "no agpl projects" would, but that'd be intentional
arc
moparisthebest: I wouldn't be too concerned for that, the folks at the FSF, SFLC, and SFC are all over it
arc
they'll issue a new TOS soon enough
jonasw
arc: URLs?
arc
the last I heard they were apologetic for the "misunderstanding" this has caused
moparisthebest
arc, yea the way I justify using github is it's not like SVN where your repo is held hostage, I have everything locally and can just host my own gitlab whenever I want
arc
jonasw: i know this from IRC, I've been watching the lawyers talk about it
jonasw
arc: which IRC?
moparisthebest
but yea ideally I wouldn't use it at all... meh
arc
freenode
jonasw
that’s a very broad statement, arc
moparisthebest
not very specific :)
arc
mostly #Conservancy
arc
where else would lawyers be?
moparisthebest
ah the kallithea people? I love those guys
arc
but it's all over, every channel's talking about it
SamWhited
jonasw: Not in front of me; go read their new TOS or search for other people's blog posts about it.
arc
a few projects immediately pulled their repos and started self-hosting since
jonasw
SamWhited: the TOS is huge and I can’t find a diff
moparisthebest
GIThub tos, no diff? :P
SamWhited
I thought they literally did have it in a repo so you could get a diff…
jonasw
SamWhited: yes, but
mathieui
that’s a line diff
mathieui
not a legalese diff
SamWhited
fair enough
Zash
IANAL, what up?
SamWhited
jonasw: Here's a source, but probably also a non-lawyer / completely biased one, so grain of salt: https://www.mirbsd.org/wlog-10_all.htm
Zash
SamWhited: Every comment thread I've seen about that has started with "This person doesn't know what they are talking about" ...
jonasw
ah, section D narrows it down so that I can take a look
SamWhited
Zash: Yah, they probably don't
SamWhited
I just assume they're seeing what they want to see, but I have no idea
jonasw
I’m not dealing with this right now
jonasw
hoping to fix a bug today
moparisthebest
thanks SamWhited I was searching for 'github agpl' and such with no luck
SamWhited
yah, it was surprisingly hard to find again; makes me think it was just one or two sources being loud and blowing it way out of proportion
jonasw
arc: if you don’t like github (and I agree that github is a dangerous centralisation of power over FLOSS), what is your alternative suggestion, if I want the broad developer public to easily contribute to and raise bugs for my software?
mathieui
jonasw, you can go gitlab or bitbucket, it’s slightly less terribad
jonasw
mathieui: that’s only shifting the problem
mathieui
yes.
mathieui
you can run your own gitlab or whatever hip forge like gogs with external auth and it’s equally easy for people to contribute
Zash
Self-host all the things!
jonasw
I have a self-hosted gogs instance, but (a) I don’t really like the idea of having to maintain possible abuse if I open registrations or issues and (b) it adds the hurdle to create an account there while ~everyone has a github account.
SamWhited
"equally easy" except that now if everyone does that every single person has to make an account with every single project they want to contribute to…
mathieui
jonasw, gogs doesn’t allow gitlab oauth?
mathieui
-gitlab + github
jonasw
I don’t know, but that doesn’t solve (a)
mathieui
because you can login into self-hosted gitlab from github
mathieui
and yeah, there is no solution not run by other people where you don’t have to care for abuse
jonasw
only allowing to open issues is probably already a good reduction of possibilities for an attacker, but that’s barely sufficient if you want people to contribute patches
SamWhited
Now GitHub is the centralized service for auth, so you have more or less the same problem.
SamWhited
I dunno, not that I actually think this is a problem. If you don't want your stuff on GitHub or wherever you can move it later. I'm just going to keep using GitHub and Bitbucket; mostly they're pretty okay and legal stuff is hard.
jonasw
yes, currently it is not a problem and GitHub is convenient.
moparisthebest
that's how I justify it, I have full history and can move wherever later
jonasw
right
jonasw
except the issues and everything else which is only on gh
moparisthebest
I actually think github is the last 'hosted' thing I use, that I don't run myself
SamWhited
and if they're apologizing for the confusion over the new TOS like arc said, that probably means they're not going to start randomly deleting your software
moparisthebest
you can kind of export those, but yea
arc
SamWhited: i think one of the questions that's come up is whether you've granted github rights above and beyond the license by hosting with them
SamWhited
arc: so it's not that the AGPL is banned, it's just that the AGPL people don't want to give GitHub extra rights?
moparisthebest
I feel like, I would HOPE, it would be harder than just a TOS change for them to take rights above and beyond an explicit legal license...
moparisthebest
that wouldn't remotely be legal anyway right? if I push an AGPL project there that have AGPL contributions from countless different devs over the years, *I* can't legally grant anyone any other license can I ?
jonasw
moparisthebest: uh, actually, it shouldn’t be that hard. "By uploading to and using the service you agree that github is allowed to do X with your data"
jonasw
done.
moparisthebest
most of the time it's not *my* data though
moparisthebest
not to mention I didn't get any emails or even click to agree, they just published a new version and said 'by continuing...' what like I need to check it every time I push? meh
jonasw
well, they also state that you must ensure that you have the right to grant that license on the data
SamWhited
That's the point though I think; it's not illegal for GitHub to say "if you want to use our service, you have to give us a legal grant to use whatever you put on our service", and if you can't do that (because you don't want to relicense from something else that says you can't), then you just don't use their service.
SamWhited
And if you can't license it because it's someone else's work, then you shouldn't be uploading it anyways (which is probably one of the things they were trying to prevent)
moparisthebest
well that part isn't true
moparisthebest
like I have a fork of curl on github, I can't license that to others with any different license than it has, I certainly can't give github extra stuff over what the license says
SamWhited
right, so you can't upload it to GitHub because they say that to upload things to them you have to be able to give them a rights grant.
moparisthebest
bad example because curl has a crazy permissive license, but if it had gpl it'd be a good example :)
moparisthebest
so what if you do anyway because you aren't a lawyer and/or haven't read the TOS since 2012 when you signed up or whatever?
moparisthebest
they can't *take* those rights, they can just stop hosting you?
SamWhited
Yah, I think that's generally how it works
moparisthebest
yea and if that's worst case I don't care
SamWhited
Unless you *do* own the software, then you probably have given them a grant to use it however unless you live somewhere that legal contracts have to be explicit and TOS's don't count
SamWhited
at least, that's what this sounds like to me
moparisthebest
so I'm not clear legally on the boundaries there, it *seems* they can say stuff like 'by using the service you implicitly grant us rights', why can't they say stuff like 'if you walk outside today you explicitly grant us rights' ?
SamWhited
Because you're not entering into a business relationship with them in that case.
moparisthebest
s/explicitly/implicitly/
SamWhited
(but again, I feel compelled to point out that I have no idea what I'm talking about: I'm just reading shit off the internet and interpreting it as best I can)
moparisthebest
then can they say 'if you utter the name github you implicitly grant us rights'
SamWhited
no, of course they can't
moparisthebest
I'm not really seeing a precise boundary here, but I guess that's law for you
jonasw
moparisthebest: the boundary is probably somewhere along the line of "you are using resources on their systems"
moparisthebest
jonasw, so then "if you ever visit github.com you are implicitly granting us rights to all your programs"
jonasw
moparisthebest: there are "if you visit our website you grant us rights" clauses
SamWhited
I suspect a court would also find that visiting GitHub.com doesn't count as entering into a legal contract or business relationship…
jonasw
that clause there is probably not in proportion and would thus be refuted
moparisthebest
what's the legal boundary between visiting and pushing code? both are simple https calls
moparisthebest
you can even edit/create code in your browser on github.com
jonasw
moparisthebest: the amount of data you move to their systems and which is stored persistently
SamWhited
What does the protocol (or anything technical) have to do with any of this?
jonasw
the data you store on their systems is theirs
Ge0rG
The data you upload to github will be thoroughly searched by the United States border control.
arc
SamWhited: im not sure, just things im seeing as i jump between channels. as i said im trying to stay out of it
arc
I don't like github, so my opinions would be biased. I'm just sharing snippets of what ive seen.
arc
honestly I loved bitbucket
arc
once i get quicksilver into a more deployable state I think it could take over
arc
quicksilver is a rather hackish realtime mercurial over xmpp I set up. it needs a lot more work, but is kinda cool for remote pair programming
jonasw
agh, I don’t like hg :-)
arc
jonasw: well you're in luck because there's nothing about it thats mercurial specific, I think
arc
it could run server-side git just as well
arc
but its not in great shape, extremely hackish. i literally have hg running in a subprocess right now
arc
i put it together with a student twoish years ago as an experiment
Flow
re pair programming using xmpp: It's so sad that gobby is no longer under active development
moparisthebest
arc, familiar with kallithea?
arc
I know, gobby was nice. but it had its faults too.
moparisthebest
or jonasw because kallithea does hg and git :P
arc
moparisthebest: yea ive seen it around
jonasw
moparisthebest: no, but let me check it out
arc
Flow: what i dont like about gobby is its really session oriented, it doesnt integrate well into daily workflow.
arc
and if you want to compile your work, and someone is editing the same session, you have to wait for them to get their part into a ready state. its a bit *too* realtime
jonasw
moparisthebest: not confident yet, as they don’t use kallithea to host their own code ;-)
Flow
uh, there is commit activity at github.com/gobby/libinfinity
moparisthebest
jonasw, they do https://kallithea-scm.org/repos/kallithea
jonasw
but not their issues etc.
moparisthebest
been using it at work since 2012, when it was called rhodecode, before the rhodecode dev did illegal license things and threatened to sue me and sent DMCA takedown notices for patches and stuff....
jonasw
gah, I can’t stand hosting services which show irrelevant information first and not the files. this is also annoying the hell out of me with the recent gitlab updates.
arc
QS is basically receiving realtime code pushes into your local VC as you work, but doesn't update. so you see that the code is there, and can merge it in realtime, but its not automagic
Flow
arc: Isn't pair programming about having a live/real-time programming session with one or more other ppl?
Flow
and everything else would be basically using a DVCS
moparisthebest
but then the software conservancy vetted it and forked it to kallithea :)
SamWhited
ooh, yah, Bitbucket does that by default… there's an option to change it, but it's an option on each individual repo not on your account, which is stupid.
arc
Flow: it is a dvcs, just with pubsub
Flow
arc: and it's called quicksilver?
jonasw
moparisthebest: all in all, kallithea looks interesting though
Flow
arc: got a link?
arc
Flow: i reserved quicksilver.vc but there's nothing really in the repo there, as i said its super hackish and only works with our GCI web-based editor
arc
at some point I'll get it into a deployable format and put some time into porting plugins to gedit/etc
arc
the protocol is stupid simple, the server-side is a quick and dirty pubsub service running mercurial in a subprocess with hooks and pipes, and the client side is a python script in front of local hg in their docker container receiving data from the web-based editor and chat client
arc
the client side is on gci.copyleftgames.org
arc
more than half of it was written by a 15 year old
arc
Alright - im headed to grab coffee with Mr Miller to discuss becoming a member of the XSF
jonasw
good luck, arc
arc
Flow: if im successful you'll have more members for the IoT sig
arc
they're a washington dc firm doing IoT
SamWhited
Good luck
arc
5 hours later...
arc
That was a long talk. I can't even begin to summarize
arc
He's an XMPP evangelist for sure
arc
Wants to join the iot WG
arc
And XSF more generally...
arc
He suggested the XSF should have a relationship with IEEE
arc
He wants to get XMPP standardized for iot within IEEE and other bodies
arc
Rickard has met him and Peter Saint-Andre
moparisthebest
Isn't psa the xsf's relationship with the IEEE?
arc
If so he missed an IEEE XMPP standards group forming
arc
Also httpx is a registered URI protocol for http over XMPP??????
arc
I'm trying to get the engineers in his IEEE group into XSF
arc
Not even a single XSF member involved
arc
It's mad and he agrees. He knew of XSF but didn't know how membership works... He asked how much it cost