XSF Discussion - 2017-03-03

  1. jonasw

    100 bytes is a very optimistic MTU for 802.15.4

  2. jonasw

    LTIC it was more like 80 bytes.

  3. Tobias

    jonasw, 100 or 120 bytes is realistic for 6LoWPAN

  4. jonasw


  5. jonasw

    must’ve confused something then

  6. Tobias

    jonasw, around 100 and with link security it was 80 https://en.wikipedia.org/wiki/6LoWPAN

  7. Tobias

    but yeah..it's not much

  8. Tobias

    at least my elliptic curve based signatures didn't fit in a single packet :D

  9. jonasw

    ah, I think I was thinking about zigbee

  10. Ge0rG remembers a sensor network project that was using XML over UDP and then had "unexplainable" errors when manifests grew over 64KB

  11. jonasw

    there the baseline is 84 bytes

  12. arc

    jonasw: 2.5 mesh networking eats a bit, as does TLS if you're using it

  13. arc

    but yes.

  14. arc

    my point is, going from SHA256 to something higher has performance costs associated with it

  15. Tobias

    doesn't SHA have bad runtime performance on constrained devices anyway

  16. arc

    Tobias: you missed the "magic"

  17. Tobias

    i think the SHA code even didn't fit on my target device, so i had to go with something differnet like BLAKE2 :)

  18. Ge0rG

    wouldn't it be possible to precompute the caps hash when compiling the firmware? :D

  19. Tobias

    arc, what kind of devices are you usally dealing with? I mostly played around with SAM-R21 like smallish things

  20. arc

    the schemaId the client uses is pre-baked, and if the server receives it and returns a different schemaId to use, it will use that. as long as its not required for SASL then there's no issue

  21. arc

    Tobias: im not working with a specific device right now. im just writing libexi

  22. Tobias

    ah, ok

  23. arc

    but talking about how I think EXI should be properly implemented with xmpp

  24. jonasw

    "just writing libexi" :)

  25. arc

    that method is this: the device (having no previous contact from a given server) sends a sha256: URI as the schemaId, which the server either responds to in-kind (if it is supported) with its own EXI header and the same schema, OR the server responds using a default schema all devices must support with an error, in which case the client must send the pre-encoded schema it wants to use to the server. this schema should be small enough to fit on a given embedded device.

  26. arc

    the key here is that the use of sha256 is a convention, and this leaves forward compatability if in the future this needs to change

  27. arc

    a future version of the same XEP may recommend a different hash to default to "guessing" on first connect.

  28. arc

    after the server receives the schema from the client though, the server returns the schemaId for the client to use in the future with that server. that schemaId SHOULD be a hash, but it can be literally any string.

  29. arc


  30. arc

    say in 2 years there's a quantum computer breakthrough and SHA256 can be easily broken, leading to the risk for cache poisoning, BUT there's a new quantum-proof hash

  31. arc

    there's thousands of embedded IoT devices out there..

  32. arc

    but XMPP server software is updated for the new hash.

  33. arc

    the servers can then reject all sha256 URIs and ask for the client to send the schema they want to use, on first connection to the server (or reconnection after the server is updated with this security update)

  34. jonasw

    seems reasonable

  35. arc

    the clients send the schema, the server responds with a QPROOFHASH:... URI to use as the schemaId, and older clients simply use that string as-is to refer to the schema they were designed to use.

  36. arc

    the XEP is updated accordingly, and everyone is happy.

  37. Tobias

    right...will be interesting to see on how small of a device you can get XMPP to run

  38. arc

    the smallest devices ive used on a network generally was atmega running Contiki

  39. arc

    i havent done 8-bit optimizations to libexi. mostly that would be in the bitpacker I think, because an 8-bit libexi would certainly NOT be compiled with text XML capabilities which is where all the funky stuff is

  40. arc

    but I think its very doable.

  41. Tobias

    arc, do you know RIOT OS?

  42. arc

    no, never heard of it

  43. arc

    on the embedded side i'm a hobbiest at best

  44. Tobias

    it's an IoT OS, similar to continki, but it's all standard C and you could even use C++ https://riot-os.org/

  45. arc

    I loath C++

  46. arc

    but that's cool, ill look into it down the road

  47. arc

    i see it runs on 8bit

  48. Tobias

    haven't used it on 8bit yet, mostly 16 and 32 bit I think

  49. jonasw


  50. jonasw

    but I’m too much a weird person to use a pre-made OS on an embedded system

  51. jonasw

    maybe for the next project :)

  52. Tobias

    and they have good support for standard IETF protocols

  53. arc

    I thought Cortex M0 was going to obsolete the AVR-based devices, but in a recent meeting I was shown a AVR-based internet connected sensor only slightly larger/thicker than a quarter that essentially stacks on top of a coin-cell battery and runs for a full year, the device costing under $5 including the cost of the battery.

  54. arc

    jonasw: i've written 3 TCP/IP stacks on 8-bit so far. I do not recommend it, especially IPv6

  55. jonasw


  56. jonasw

    I don’t do TCP/IP on embedded though :)

  57. arc

    if you havent done it before, you should save whatever sanity is left and let someone else do that work.

  58. arc

    ah ok. well you're safe

  59. jonasw

    for MTU and "heck, I don’t want to implement a TCP/IP stack on embedded" reasons

  60. Tobias

    jonasw, https://github.com/RIOT-OS/RIOT/wiki (the supported devices are listed on the right)

  61. jonasw

    Tobias: on the website too

  62. arc

    you can do it. its just not fun.

  63. jonasw

    arc: I tried to implement UDP/IP/Ethernet in VHDL though.

  64. jonasw

    does that count? ;-)

  65. Tobias

    jonasw, didn't notice that :)

  66. arc

    essentially you need to run the whole thing zerocopy due to constrained RAM

  67. jonasw

    Tobias: well, at least enough info on the architectures that I could guess that it’ll run on anything I’ve ever touched ;-)

  68. jonasw

    arc: yes.

  69. jonasw

    that’s what I needed to do for my custom protocol

  70. arc

    and with that, im going to bed.

  71. jonasw

    I’m streaming three sensors at 200 Hz and need to spread lower sample rate data inbetween of that; the transport being Xbee it’s usual that the connection interrupts for some time. so every bit of ram needs to go into buffers.

  72. Kev

    Bed? At 9AM? :)

  73. arc

    Kev: im in DC. its 3:38am here.

  74. jonasw

    good night, arc

  75. Kev

    I knew ;)

  76. Kev


  77. arc

    i just spent 2 hours searching my old records for my social security card

  78. Kev

    Everyone needs a hobby.

  79. jonasw

    everyone needs secretaries.

  80. Ge0rG

    I wouldn't place important things together with old records.

  81. jonasw

    I wouldn’t place important things on a piece of paper.

  82. jonasw

    but unfortunately one doesn’t always have a choice on that.

  83. Tobias

    still looking for a nice document management system, so I can just scan all documents and pack them away in crates

  84. jonasw

    I have ~/Documents/{category}/{date-of-issuance}\ {tags}.pdf. works reasonably well

  85. Guus

    Whatever process that normally makes sure that the xmpp.org website is updated after a change in the corresponding git repository appears to be failing

  86. jonasw

    it wasn’t me.<x xmlns="jabber:x:tone">not-convincing</x>

  87. Guus

    the problem predates my merger of your code :)

  88. jonasw

    oh okay

  89. Tobias

    i can take a look

  90. Guus

    I think it started going wrong on Feb 26, with my merger of the 'getting started' page

  91. Tobias

    unless Kev is already

  92. Guus

    JC's 'add subscribe url for the standards list' is live

  93. Guus

    ah, it failed first for my attempt to remove the empty 'who uses xmpp' page

  94. Guus

    that page is still on the website, although I tried deleting it here https://github.com/xsf/xmpp.org/commit/83f365dc99f8a60f31ea5b524e7daafedb714916

  95. Kev

    I'm struggling at the moment to even work out what's supposed to trigger a build of the site.

  96. Tobias

    Kev, when I fixed things summer last year, i set up a cron job

  97. jonasw

    Kev: repository settings -> webhooks?

  98. Kev

    Tobias: Where's the cron?

  99. Kev

    It used to be that this was all generated in Travis so we could just pull it onto the server without running code there, but I don't think that's true any more?

  100. Tobias

    in staticweb's crontab?

  101. Kev

    Ah, staticweb, of course :)

  102. Tobias

    didn't want to add it to root's crontab :P

  103. Kev

    Tonnes of PDF generation errors.

  104. intosi

    /etc/crontab or /etc/cron.d would've been proper.

  105. Tobias

    intosi, even for user cron jobs?

  106. jonasw


  107. intosi

    Arguably this isn't a user cron job.

  108. jonasw

    pick a user there, prevents manipulation of the crontab by the user

  109. intosi

    ^ what jonasw said.

  110. jonasw

    Tobias: in /etc/cron* you have to explicitly state as which user the job runs

  111. jonasw

    so it’s not like everything there runs as root

  112. Tobias


  113. Tobias


  114. intosi

    There's the added benefit that a random admin would look in /etc/cron* first, and might not even consider user crontabs for essential tasks until much later.

  115. Tobias

    feel free to move it there then

  116. Guus

    perhaps first fix the issue at hand?

  117. intosi

    Guus: that's all one go.

  118. Kev

    Indeed, I was looking in /etc/cron*.

  119. Kev

    Guus: You were right though, it does seem to be the one where you edited the sidebar :)

  120. Kev

    CRITICAL: UndefinedError: 'pelican.contents.Page object' has no attribute 'sidebar_menu_elem_url_8'

  121. Guus

    weird - why do I not get that locally? Might relate to https://github.com/xsf/xmpp.org/issues/247 ?

  122. Kev

    Yes, sounds like your local environment isn't quite working right, if that's the case.

  123. Guus

    I might require things that are not in the repository then. My environment is a clean virtual machine, which just the repo content and build tools as listed in the readme.

  124. Tobias

    don't know how up to date the readme is, "Any editorial questions: Laura Gill or Simon Tennant can help", at least Simon doesn't seem to be around to respond to any questions regarding xmpp.org site

  125. Guus

    Kev: can you make Travis fail with the same error?

  126. Tobias

    Guus, what state is https://github.com/xsf/xmpp.org/pull/185 in?

  127. Guus

    Tobias: I have not looked at it since. I have now aquired a bit more knowledge about Pelican, so I might not depend on others to finish this

  128. Guus

    however: the data that it adds is incomplete

  129. Tobias

    incomplete how?

  130. Guus

    all votes since 2010 are not in there, I think

  131. Tobias

    right, but years that are in there are in there completely right?

  132. Guus

    it was a one-on-one conversion of the old pages.

  133. Guus

    whatever was in there, is now here.

  134. Guus

    I assume that the old data was complete, for those years.

  135. Tobias


  136. Guus

    Kev / Tobias: I'll be away for the weekend in a short while. If I can help with the website issue, I'll need to do that now-ish.

  137. Kev

    No rush right now, I think.

  138. Guus

    just saying that I'm willing to help, but will be without laptop soon

  139. Guus

    (doing a weekend trip)

  140. Kev

    Thanks. Just enjoy your trip, the website will still be here Monday.

  141. Kev


  142. Guus

    kk :)

  143. Ge0rG

    Flow: backward compatibility is hard :( https://github.com/ge0rg/MemorizingTrustManager/commit/168b7b5598095bfe6ae6fab4797af3f913b574f4

  144. Flow

    Ge0rG: true

  145. Ge0rG

    in related news: running the gradle lint on yaxim turned up a dozen of issues, including this one

  146. Flow ♥ lovles lint/static code analyzers

  147. Tobias

    Flow, Ge0rG, any experience using errorprone?

  148. Flow

    Tobias: Smack uses errorprone

  149. Flow

    and it's one of the reasons I made the previous statement

  150. Tobias


  151. Flow

    but it did that foundt hat many issues in Smack

  152. Tobias

    well..but the thinks it found were sensible issues, right?

  153. Tobias

    it didn't produce tons of useless warnings

  154. Tobias

    or did it?

  155. Flow

    which is of course only because of my l337 c0d1n6 5k1ll5

  156. Flow

    Tobias: very sensible

  157. Flow

    compare to facebook's infer, which produces a ton of non-issues

  158. Flow

    but to be fair, infer was right about every issue it found, it where just non-issues in that particular context

  159. Zash

    Can you tell it to ignore those non-issues?

  160. Flow

    Zash: sure, you could suppress them

  161. Flow

    I decided against infer in Smack because another static code analyzer would increase the compile time again

  162. jonasw

    people on security@ argued back then that the hash agility of 115 doesn’t work (dwd and waqas for example), but there are no conclusive reasons given.

  163. jonasw

    here for example: https://mail.jabber.org/pipermail/security/2009-September/000828.html

  164. Zash

    doesn't work how

  165. jonasw

    Zash: I have no idea

  166. jonasw

    I would like to know.

  167. Zash

    md5 was used before according to the capsdb

  168. waqas

    jonasw: Hash agility doesn't work. What we mean by this is backwards compatibility wasn't allowed for. Clients using new hashes vs old hashes would fail to interoperate.

  169. jonasw

    waqas: what would be wrong with simply sending two <c/> elements with different hash functions?

  170. waqas

    jonasw: Reality. That wasn't allowed, and clients assume there's only one. You'd fail to interop with most (all?) existing deployments out there.

  171. jonasw


  172. jonasw

    makes sense

  173. jonasw

    I hate reality

  174. waqas

    i.e., you are modifying the XEP in a way that isn't compatible with prior understanding of implementations

  175. jonasw

    I like the suggestions you make in https://mail.jabber.org/pipermail/security/2009-September/000829.html btw.

  176. jonasw

    specifically: > Also worth considering is whether multiple hashes for different sets of data > make sense instead of just one. A hash for capabilities of an entity is the > most basic. A hash for software ID and version (disco#meta?). A hash for > disco#items. Future XEPs being able to define hashes for datasets they > define is also useful. The downside is a slightly larger presence packet > (which is mitigated by the caps optimization), but I see this leading to a > significant reduction in queries.

  177. Flow

    hu? why wasn't/isn't it allowed to send multiple <c/>s?

  178. jonasw

    fwiw, aioxmpp also only uses the last one it finds, but it would be trivial to change that into a map hash->caps

  179. jonasw

    so it might simply not be clear that clients should expect multiple nodes

  180. waqas

    Flow: Everything is allowed. You can even call it <b/> or <d/>. That existing clients would fail to interpret it in a defined way is the problem.

  181. waqas

    Client behavior when they see multiple instances of something that they expected to be single tends to vary between pick-first, pick-last, pick-random, error.

  182. arc

    """The Web shell used by the attackers didn't support SSL, so all their activities were logged to the webserver, enabling Verizon's RISKS team to analyze their actions. Though the idea of attacking cargo ships by hacking their CMS is a sophisticated one by the standards of sea-pirates, the attackers weren't sophisticated enough to run their attacks through a VPN, enabling the RISKS team to trace the attack back to the hackers' home IP address."""

  183. jonasw

    … and server behaviour when caps optimization is in place would also be interesting

  184. arc

    there are at least 3 things wrong with that.

  185. SamWhited

    ralphm: Ping; when you're next online can I get a bit of help with Trello? I keep missing you :)

  186. jonasw

    e.g. would the injection of caps in stanzas on first subscription to presence work?

  187. jonasw

    arc: what’s a CMS in this context?

  188. arc

    content management system

  189. jonasw


  190. jonasw

    I was hoping for cargo management or something domain-specific

  191. Zash

    arc: Why ... why would .. why the .. whaaaayyyy???

  192. arc

    stupid script kiddies hacked a shipping company's website and started rerouting cargo ships to them to steal the content of the ships..

  193. Flow

    waqas: I don't see receiving clients failing if <c =hash='sha1'/> is also send

  194. jonasw

    then it’s: (1) why the heck to cargo ships run a CMS which is (2) accessible from the internet and (3) can be used to take over the ship?!

  195. Flow

    together with a <c hash='new-hash-alg'/>

  196. arc

    jonasw: the ship didnt run the CMS. the shipping company operating autonomously controlled ships did

  197. jonasw

    arc: well, that’s only marginally better.

  198. arc

    the ships are controlled by the company remotely

  199. jonasw

    this future

  200. arc

    however, not only was their website - used for shipping easily hundreds of millions of goods a year - unpatched to common known vulnerabilities, but they didn't use SSL

  201. Zash

    They Should Have Used XMPP for their remote controlled drone ships

  202. arc

    but then - Verizon admits that their risk analysis team was actively monitoring unsecured HTTP, acting as a man in the middle

  203. moparisthebest

    arc, sorry to change the subject but you have me intrigued about EXI, it sounds like it might be feasible to run a generic exi<->xml converting proxy in front of any xmpp server to give it full exi support, yes or no?

  204. arc

    moparisthebest: yes, and to be clear I do think that is the first way deployment will happen, however its suboptimal to run two XML parsers in a chain like that

  205. mathieui

    arc, what’s the source of that read? it sounds lovely

  206. jonasw

    mathieui: google points me to https://boingboing.net/2016/03/03/pirates-hacked-shipping-compan.html

  207. arc

    mathieui: https://boingboing.net/2016/03/03/pirates-hacked-shipping-compan.html

  208. moparisthebest

    yea arc not as great for the server but could be excellent for clients, so when can I expect to be able to download and run the first version from you? :D

  209. Steve Kille

    SamWhited: thanks for that super-qucik MIX turnaround

  210. arc

    moparisthebest: as soon as i wrap up libexi im going to update my Apache mod_xmpp with it, which is primarily designed to serve as a proxy (websockets to xmpp) but now will also do EXI ports too

  211. SamWhited

    👍 my morning coffee goes well witch catching up on emails and taking care of XSF stuff :)

  212. SamWhited

    Thanks for the new revision

  213. moparisthebest

    arc, so when do I get an nginx module instead? :P

  214. jonasw

    Steve Kille: ah, you’re here. I wanted to make sure you don’t feel bothered by my insisting on the issues I pointed out. I feel that I should probably have given you more time, but then again, too often things get forgotten and then we end up with sub-optimal XEPs which cannot be changed anymore because there are too many implementations :/

  215. moparisthebest

    just joking that would be fine too, I'd be curious to look at adding it to Conversations

  216. jonasw

    am I the only one who thinks that webservers are not the right place to terminate SSL for everything?

  217. Steve Kille

    jonasw: not bothered at all. You are making some excellent input to help move this spec foraward.

  218. SamWhited

    Define "web servers"? If you mean reverse proxies like nginx and haproxy, I'd say they're definitely the right place to terminate SSL for everything :)

  219. SamWhited

    Because that's what they're designed to do

  220. jonasw

    SamWhited: apache?

  221. arc

    moparisthebest: I will never write a nginx module. I'm friends with their CEO, Gus, who I used to play on the same rugby team with when he lived in DC, but he was unwilling to hire me while allowing me to work on non-NGINX FOSS on my own time

  222. arc

    moparisthebest: you can already start, there is a complete Java library implementing EXI

  223. SamWhited

    jonasw: Yah, I agree with you there… apache may be good at it now, I dunno, but it was not designed to be a reverse proxy.

  224. jonasw

    arc: wtf?

  225. moparisthebest

    ah yea arc I remember you saying that, and it sounded super shitty

  226. jonasw

    I need to repeat: wtf? Is that even legal?

  227. SamWhited

    I've heard that about nginx several times now, which is kind of sad, because I do love the software…

  228. Zash

    jonasw: Did you know that nginx is actually an email proxy? :)

  229. jonasw

    Zash: unfortunately, yes.

  230. arc

    jonasw: yea its because of some VC agreement or someshit. but the idea of a FOSS project turned commercial turning down an employee they just interviewed and were excited about because he works on other FOSS projects is insane

  231. moparisthebest

    arc, well you said your EXI should work differently than the XEP, and I'd prefer to have a proper server implementation to test against, but yea the library is there at least

  232. SamWhited

    I think most big companies have that clause for whatever reason, but I always try to negotiate it away.

  233. jonasw

    I also know that their protocol implementation is simply a character state machine, I don’t want to know how people implemented XMPP on it. I bet it cannot deal with namespace prefixes properly :-)

  234. arc

    so I don't consider nginx to be FOSS anymore, regardless to whatever license its available under

  235. jonasw

    SamWhited: wait wat? clauses which forbid you to work on FLOSS in your freetime?

  236. jonasw

    I’m really not sure that would be legal here.

  237. arc

    moparisthebest: im unsure how the java library works, but it might do general xml processing. so you could start by changing it to use the different library and developing your client's exi schema

  238. moparisthebest

    I think it is here, I guess you can agree to about anything jonasw

  239. arc

    jonasw: this was the major issue with me and Atlassian, too.

  240. SamWhited

    jonasw: Yah, I have no idea if they're enforceable or not, but most places I've applied or worked have had some similar thing.

  241. arc

    and Google. and Facebook. and Twitter. and Adroll. and dozens of other firms.

  242. Zash

    Isn't usually that they claim ownership of anything you do while employed, not forbid things outright?

  243. arc

    that's why I'm founding hub.coop

  244. mathieui

    15:23:00 jonasw> I’m really not sure that would be legal here. → it’s legal in some states/countries

  245. mathieui

    and even if illegal, nobody is challenging it in court

  246. jonasw

    hasn’t occured to me yet. but then again, I only worked at a startup and a research facility up to now. the latter being very clueless on software development in general.

  247. SamWhited

    Or at least, I think they had; I don't ever understand the legal stuff, but mostly places have made me sign a "previous inventions" thing or I've been able to negotiate that clause out.

  248. mathieui

    arc, btw, google doesn’t always have that clause, afaik

  249. arc

    Zash: California law forbids exactly that, anything you work on in your own time and on your own equipment is yours. but they can fire you for doing it without permission and without negotiating aspects about it

  250. jonasw

    but good to know. something to watch out for.

  251. jonasw

    that’d be a deal-breaker for me, too

  252. arc

    mathieui: Google requires that you get permission from them, and you must argue how it is in Google's best interest. if the project is *GPL they will ask you why you don't want to work on something Apache based instead, etc

  253. mathieui

    ha right

  254. arc

    AGPL will always get a hard "NO"

  255. jonasw

    that explains a lot.

  256. arc

    Google employees are not allowed to work on any AGPL licensed project.

  257. SamWhited

    Heh, that's okay then; AGPL is a hard no for me personally too :)

  258. jonasw

    I have no regrets about not pushing to join google anymore.

  259. arc

    having to ask permission puts them in the position of being able to say no, and negotiate with you what you can do on your own time

  260. arc

    SamWhited: for me its beyond the simple ability, its the morality of it.

  261. moparisthebest

    arc, they aren't allowed to contribute to other's AGPL projects?

  262. jonasw

    this explains so mcuh

  263. moparisthebest

    yea for me AGPL is almost always the correct choice meh

  264. arc

    moparisthebest: no. and that comes from a lawyer working in Google's Open Source Programs Office, the same office that runs Summer of Code is also the office that manages employees wanting to contribute to FOSS

  265. arc

    moparisthebest: i agree.

  266. moparisthebest

    makes me glad I work at a non-software company that just has in-house devs to develop in-house stuff lol, so none of this contract nonsense

  267. jonasw

    what the heck

  268. arc

    in fact Google is so hostile to the AGPL that they specifically forbade 3rd party projects from hosting them on their old code hosting site, code.google.com

  269. SamWhited

    I think GitHub does that now too, no? Wasn't that one of the consequences of their new TOS?

  270. jonasw


  271. SamWhited

    Or maybe that was just anything that required attribution

  272. jonasw

    that would make a few projects I host there illegal

  273. arc

    SamWhited: there were several consequences, I believe GPLv3 and AGPLv3 both

  274. arc

    I'm staying out of that one since I dislike github anyway

  275. moparisthebest

    wait what? lots of AGPL projects are on github?

  276. SamWhited

    yah, but technically they're not allowed anymore I think (no idea why, that's just what someone said about their new TOS). I suspect it wasn't an intentional consequence, it was just something they did that was incompatible with those licenses somehow

  277. jonasw

    SamWhited: do you have any sources for that?

  278. arc

    the concept of a for-profit company like github having so much control over FOSS projects, their new TOS a perfect example to the potential for abuse of that power, makes me extremely uncomfortable

  279. moparisthebest

    I can't imagine any TOS that would conflict for code hosting

  280. moparisthebest

    unintentionally anyway

  281. moparisthebest

    obviously "no agpl projects" would, but that'd be intentional

  282. arc

    moparisthebest: I wouldn't be too concerned for that, the folks at the FSF, SFLC, and SFC are all over it

  283. arc

    they'll issue a new TOS soon enough

  284. jonasw

    arc: URLs?

  285. arc

    the last I heard they were apologetic for the "misunderstanding" this has caused

  286. moparisthebest

    arc, yea the way I justify using github is it's not like SVN where your repo is held hostage, I have everything locally and can just host my own gitlab whenever I want

  287. arc

    jonasw: i know this from IRC, I've been watching the lawyers talk about it

  288. jonasw

    arc: which IRC?

  289. moparisthebest

    but yea ideally I wouldn't use it at all... meh

  290. arc


  291. jonasw

    that’s a very broad statement, arc

  292. moparisthebest

    not very specific :)

  293. arc

    mostly #Conservancy

  294. arc

    where else would lawyers be?

  295. moparisthebest

    ah the kallithea people? I love those guys

  296. arc

    but its all over, every channels talking about it

  297. SamWhited

    jonasw: Not in front of me; go read their new TOS or search for other peoples blog posts about it.

  298. arc

    a few projects immediately pulled their repos and started self-hosting since

  299. jonasw

    SamWhited: the TOS is huge and I can’t find a diff

  300. moparisthebest

    GIThub tos, no diff? :P

  301. SamWhited

    I thought they literally did have it in a repo so you could get a diff…

  302. jonasw

    SamWhited: yes, but

  303. mathieui

    that’s a line diff

  304. mathieui

    not a legalese diff

  305. SamWhited

    fair enough

  306. Zash

    IANAL, what up?

  307. SamWhited

    jonasw: Here's a source, but probably also a non-lawyer / completely biased one, so grain of salt: https://www.mirbsd.org/wlog-10_all.htm

  308. Zash

    SamWhited: Every comment thread I've seen about that has started with "This person doesn't know what they are talking about" ...

  309. jonasw

    ah, section D narrows it down so that I can take a look

  310. SamWhited

    Zash: Yah, they probably don't

  311. SamWhited

    I just assume they're seeing what they want to see, but I have no idea

  312. jonasw

    I’m not dealing with this right now

  313. jonasw

    hoping to fix a bug today

  314. moparisthebest

    thanks SamWhited I was searching for 'github agpl' and such with no luck

  315. SamWhited

    yah, it was suprisingly hard to find again; makes me think it was just one or two sources being loud and blowing it way out of proportion

  316. jonasw

    arc: if you don’t like github (and I agree that github is a dangerous centralisation of power over FLOSS), what is your alternative suggestion, if I want the broad developer public to easily contribute to and raise bugs for my software?

  317. mathieui

    jonasw, you can go gitlab or bitbucket, it’s slightly less terribad

  318. jonasw

    mathieui: that’s only shifting the problem

  319. mathieui


  320. mathieui

    you can run your own gitlab or whatever hip forge like gogs with external auth and it’s equally easy for people to contribute

  321. Zash

    Self-host all the things!

  322. jonasw

    I have a self-hosted gogs instance, but (a) I don’t really like the idea of having to maintain possible abuse if I open registrations or issues and (b) it adds the hurdle to create an account there while ~everyone has a github acconut.

  323. SamWhited

    "equally easy" except that now if everyone does that every single person has to make an account with every single project they want to contribute too…

  324. mathieui

    jonasw, gogs doesn’t allow gitlab oauth?

  325. mathieui

    -gitlab + github

  326. jonasw

    I don’t know, but that doesn’t solve (a)

  327. mathieui

    because you can login into self-hosted gitlab from github

  328. mathieui

    and yeah, there is no solution not run by other people where you don’t have to care for abuse

  329. jonasw

    only allowing to open issues is probably already a good reduction of possibilities for an attacker, but that’s barely sufficient if you want people to contribute patches

  330. SamWhited

    Now GitHub is the centralized service for auth, so you have more or less the same problem.

  331. SamWhited

    I dunno, not that I actually think this is a problem. If you don't want your stuff on GitHub or wherever you can move it later. I'm just going to keep using GitHub and Bitbucket; mostly they're pretty okay and legal stuff is hard.

  332. jonasw

    yes, currently it is not a problem and GitHub is convenient.

  333. moparisthebest

    that's how I justify it, I have full history and can move wherever later

  334. jonasw


  335. jonasw

    except the issues and everything else which is only on gh

  336. moparisthebest

    I actually think github is the last 'hosted' thing I use, that I don't run myself

  337. SamWhited

    and if they're apologizing for the confusion over the new TOS like arc said, that probably means they're not going to start randomly deleting your software

  338. moparisthebest

    you can kind of export those, but yea

  339. arc

    SamWhited: i think one of the questions that's come up is whether you've granted github rights above and beyond the license by hosting with them

  340. SamWhited

    arc: so it's not that the AGPL is banned, it's just that the AGPL people don't want to give GitHub extra rights?

  341. moparisthebest

    I feel like, I would HOPE, it would be harder than just a TOS change for them to take rights above and beyond an explicit legal license...

  342. moparisthebest

    that wouldn't remotely be legal anyway right? if I push an AGPL project there that have AGPL contributions from countless different devs over the years, *I* can't legally grant anyone any other license can I ?

  343. jonasw

    moparisthebest: uh, actually, it shouldn’t be that hard. "By uploading to and using the service you agree that github is allowde to do X with your data"

  344. jonasw


  345. moparisthebest

    most of the time it's not *my* data though

  346. moparisthebest

    not to mention I didn't get any emails or even click to agree, they just published a new version and said 'by continuing...' what like I need to check it every time I push? meh

  347. jonasw

    well, they also state that you must ensure that you have the right to grant that license on the adta

  348. SamWhited

    That's the point though I think; it's not illegal for GitHub to say "if you want to use our service, you have to give us a legal grant to use whatever you put on our service", and if you can't do that (because you don't want to relicense from something else that says you can't), then you just don't use their service.

  349. SamWhited

    And if you can't license it because it's someone elses work, then you shouldn't be uploading it anyways (which is probably one of the things they were trying to prevent)

  350. moparisthebest

    well that part isn't true

  351. moparisthebest

    like I have a fork of curl on github, I can't license that to others with any different license than it has, I certainly can't give github extra stuff over what the license says

  352. SamWhited

    right, so you can't upload it to GitHub because they say that to upload things to them you have to be able to give them a rights grant.

  353. moparisthebest

    bad example because curl has a crazy permissive license, but if it had gpl it'd be a good example :)

  354. moparisthebest

    so what if you do anyway because you aren't a lawyer and/or haven't read the TOS since 2012 when you signed up or whatever?

  355. moparisthebest

    they can't *take* those rights, they can just stop hosting you?

  356. SamWhited

    Yah, I think that's generally how it works

  357. moparisthebest

    yea and if that's worst case I don't care

  358. SamWhited

    Unless you *do* own the software, then you probably have given them a grant to use it however unless you live somewhere that legal contracts have to be explicit and TOS's don't count

  359. SamWhited

    at least, that's what this sounds like to me

  360. moparisthebest

    so I'm not clear legally on the boundaries there, it *seems* they can say stuff like 'by using the service you implicitly grant us rights', why can't they say stuff like 'if you walk outside today you explicitly grant us rights' ?

  361. SamWhited

    Because you're not entering into a business relationship with them in that case.

  362. moparisthebest


  363. SamWhited

    (but again, I feel compelled to point out that I have no idea what I'm talking about: I'm just reading shit off the internet and interpreting it as best I can)

  364. moparisthebest

    then can they say 'if you utter the name github you implicitly grant us rights'

  365. SamWhited

    no, of course they can't

  366. moparisthebest

    I'm not really seeing a precise boundry here, but I guess that's law for you

  367. jonasw

    moparisthebest: the boundary is probably somewhere along the line of "you are using resources on their systems"

  368. moparisthebest

    jonasw, so then "if you ever visit github.com you are implicitly granting us rights to all your programs"

  369. jonasw

    moparisthebest: there are "if you visit our website you grant us rights" clauses

  370. SamWhited

    I suspect a court would also find that visiting GitHub.com doesn't count as entering into a legal contract or business relationship…

  371. jonasw

    that clause there is probably not in proportion and would thus be refuted

  372. moparisthebest

    what's the legal boundry between visiting and pushing code? both are simple https calls

  373. moparisthebest

    you can even edit/create code in your browser on github.com

  374. jonasw

    moparisthebest: the amount of data you move to their systems and which is stored persistently

  375. SamWhited

    What does the protocol (or anything technical) have to do with any of this?

  376. jonasw

    the data you store on their systems is theirs

  377. Ge0rG

    The data you upload to github will be thoroughly searched by the United States border control.

  378. arc

    SamWhited: im not sure, just things im seeing as i jump between channels. as i said im trying to stay out of it

  379. arc

    I don't like github, so my opinions would be biased. I'm just sharing snippets of what ive seen.

  380. arc

    honestly I loved bitbucket

  381. arc

    once i get quicksilver into a more deployable state I think it could take over

  382. arc

    quicksilver is a rather hackish realtime mercurial over xmpp I setup. it needs a lot more work, but is kinda cool for remote pair programming

  383. jonasw

    agh, I don’t like hg :-)

  384. arc

    jonasw: well you're in luck because there's nothing about it thats mercurial specific, I think

  385. arc

    it could run server-side git just as well

  386. arc

    but its not in great shape, extremely hackish. i literally have hg running in a subprocess right now

  387. arc

    i put it together with a student twoish years ago as an experiment

  388. Flow

    re pair programming using xmpp: It's so sad that gobby is no longer under active development

  389. moparisthebest

    arc, familiar with kallithea?

  390. arc

    I know, gobby was nice. but it had its faults too.

  391. moparisthebest

    or jonasw because kallithea does hg and git :P

  392. arc

    moparisthebest: yea ive seen it around

  393. jonasw

    moparisthebest: no, but let me check it out

  394. arc

    Flow: what i dont like about gobby is its really session oriented, it doesnt integrate well into daily workflow.

  395. arc

    and if you want to compile your work, and someone is editing the same session, you have to wait for them to get their part into a ready state. its a bit *too* realtime

  396. jonasw

    moparisthebest: not confident yet, as they don’t use kallithea to host their own code ;-)

  397. Flow

    uh, there is commit activity at github.com/gobby/libinfinity

  398. moparisthebest

    jonasw, they do https://kallithea-scm.org/repos/kallithea

  399. jonasw

    but not their issues etc.

  400. moparisthebest

    been using it at work since 2012, when it was called rhodecode, before the rhodecode dev did illegal license things and threatened to sue me and sent DMCA takedown notices for patches and stuff....

  401. jonasw

    gah, I can’t stand hosting services which show irrelevant information first and not the files. this is also annoying the hell out of me with the recent gitlab updates.

  402. arc

    QS is basically receiving realtime code pushes into your local VC as you work, but doesn't update. so you see that the code is there, and can merge it in realtime, but its not automagic

  403. Flow

    arc: Isn't pair programming about having a live/real-time programming session with one or more other ppl?

  404. Flow

    and everything else would be basically using a DVCS

  405. moparisthebest

    but then the software conservancy vetted it and forked it to kallithea :)

  406. SamWhited

    ooh, yah, Bitbucket does that by default… there's an option to change it, but it's an option on each individual repo not on your account, which is stupid.

  407. arc

    Flow: it is a dvcs, just with pubsub

  408. Flow

    arc: and it's called quicksilver?

  409. jonasw

    moparisthebest: all over all, kallithea looks interesting though

  410. Flow

    arc: got a link?

  411. arc

    Flow: i reserved quicksilver.vc but there's nothing really in the repo there, as i said its super hackish and only works with our GCI web-based editor

  412. arc

    at some point I'll get it into a deployable format and put some time into porting plugins to gedit/etc

  413. arc

    the protocol is stupid simple, the server-side is a quick and dirty pubsub service running mercurial in a subprocess with hooks and pipes, and the client side is a python script in front of local hg in their docker container receiving data from the web-based editor and chat client

  414. arc

    the client side is on gci.copyleftgames.org

  415. arc

    more than half of it was written by a 15 year old

  416. arc

    Alight - im headed to grab coffee with Mr Miller to discuss becoming a member of the XSF

  417. jonasw

    good luck, arc

  418. arc

    Flow: if im successful you'll have more members for the IoT sig

  419. arc

    they're a washington dc firm doing IoT

  420. SamWhited

    Good luck

  421. arc

    5 hours later...

  422. arc

    That was a long talk. I can't even begin to summarize

  423. arc

    He's a XMPP evangelist for sure

  424. arc

    Wants to join the iot WG

  425. arc

    And XSF more generally...

  426. arc

    He suggested the Xsf should have a relationship with IEEE

  427. arc

    He wants to get XMPP standardized for iot within IEEE and other bodies

  428. arc

    Rickard has met him and Peter Saint-Andre

  429. moparisthebest

    Isn't psa the xsf's relationship with the IEEE?

  430. arc

    If so he missed a ieee XMPP standards group forming

  431. arc

    Also httpx is a registered URI protocol for http over XMPP??????

  432. arc

    I'm trying to get the engineers in his IEEE group into XSF

  433. arc

    Not even a single XSF member involved

  434. arc

    It's mad and he agrees. He knew of XSF but didn't know how membership works... He asked how much it cost

  435. moparisthebest

    And how much did you tell him arc ? :-)

  436. arc

    Just $599

  437. moparisthebest

    What a deal!

  438. SouL

    Where can I send the money?

  439. arc