XSF Discussion - 2017-03-04


  1. arc

    Or twelve easy payments of $59!

  2. Ge0rG

    That reminds me of the jabber trademark license fee... Is it still a thing for commercial applications?

  3. arc

    I do not believe so, any evidence to the contrary appears to be a mistake. But you should reach out to PSA for that

  4. arc

    I'm excited to pull in a whole new group of XMPP enthusiasts to the XSF

  5. arc

    http://www.sensei-iot.org/ over 100 members to this IoT working group

  6. arc

    and it's all XMPP

  7. arc

    William (the man I met with today) is extremely interested in discussing IoT security issues and cross protocol gateways using XMPP as a core standard for interop

  8. arc

    how this man, who knows PSA, Michael Holden, Rikard, Peter Waher, and others, has been working with and promoting XMPP for 5 years or more, and has never been invited to join the XSF is beyond me

  9. fippo

    arc: the xsf is not something where you need an invite to join

  10. Tobias

    even more scary, you have to candidate and be voted in...think of all the campaigning involved

  11. arc

    fippo: no it's not, but you do need to know you can join.

  12. arc

    i've been taking an active approach to reaching out to xmpp library developers trying to grow the xsf membership for the last year, and we've had at least a handful of new members join that way who've been working with XMPP for years

  13. arc

    in many foundations that FOSS devs are used to working around, membership is not so easy. often you do need an invite and often an onerous process to join. joining the Python Software Foundation, for example, has always been a painless but undocumented process which boils down to "what, she isn't already a member? we should add her to the list"

  14. Tobias

    what do you get from joining the PSF?

  15. arc

    the ability to vote and invite to the posh free annual member dinner at PyCon

  16. arc

    and being able to join the members-only list, which boils down to about the same as the XSF

  17. Tobias

    ah..ok

  18. arc

    I was an officer for the PSF before I was a member, I became a member when a board member asked me at pycon if i was coming to the member luncheon and I told him I wasn't a member. He brought me to the luncheon, and I became a member

  19. arc

    your first annual meeting with the PSF (which is the luncheon or dinner) you stand up to introduce yourself. and it's done.

  20. arc

    there are several developers with python-dev (aka they have commit/push rights to Python itself) who are not yet PSF members due to nobody noticing that they're not members yet.

  21. arc

    anyway - so thoughts on this proposed "httpx" URI scheme for http over xmpp?

  22. arc

    i guess it boils down to whether XMPP is considered a proxy service or a primary protocol

  23. jonasw

    arc: why would one want to do http over xmpp?

  24. jonasw

    I only heard people *joking* about that.

  25. Ge0rG

    jonasw: so that you can tunnel HTTP over BOSH.

  26. jonasw

    arc: I’m sure there are usecases, but which are they?

  27. Ge0rG

    In band http upload?

  28. Ge0rG

    jonasw: we should write up something for next month.

  29. jonasw

    Ge0rG: XEP-0363 over XEP-0332?

  30. Ge0rG

    jonasw: Yeah, I'm sure we can add some more layers to the stack... WebSockets, serverless, mdns, json/rest...

  31. jonasw

    I’d rather work on something productive at the moment.

  32. jonasw

    also, my april 1st thing (if I get around to do it) will be on mtr-tiny

  33. Ge0rG

    jonasw: I'd like to proof read it, if that's okay for you

  34. jonasw

    Ge0rG: what? what I do with mtr-tiny?

  35. Ge0rG

    jonasw: Yeah, that one

  36. moparisthebest

    Hmm HTTP over xmpp using xep368 over tls on port 443...

  37. moparisthebest

    What's the point? :/

  38. arc

    jonasw: to hide your IP address

  39. jonasw

    arc: you can use a generic HTTP proxy for that

  40. Zash

    For when you don't have Tor, but do have XMPP?

  41. arc

    jonasw: that would be a fine solution too, especially if there was a manner for your xmpp server to provision it

  42. arc

    and if Tor was more widely deployed that could work too

  43. arc

    i want to close the IP leak tho with shared URLs

  44. arc

    btw moparisthebest i did a quick and dirty test late last night, exi compressed offers not much in the way of actual compression when used for xmpp due to flushes for stanzas

  45. arc

    there would be a few cases that it would such as some pubsub payloads

  46. arc

    so a lot of the values for a reasonable client's schema has a lot of low values; 01, 02, 04.. compression does pack those values together, but it doesn't save nearly as much as bitpacked does

  47. arc

    and text messages are too small to save a ton unless a dictionary is pre-applied

  48. arc

    there are some bitpacking schemes you can use to compress latin text down tho

  49. Zash

    Heh, dictionary based on xml:lang? heeeheh

  50. moparisthebest

    Zstd has an interesting dictionary thing built in too, but if compression can't be secure I don't see why it matters much

  51. moparisthebest

    Like secure wouldn't matter on a private LAN, but bandwidth isn't an issue there either

  52. Zash

    Trade-offs everywhere

  53. moparisthebest

    Yup but this tradeoff at least seems basically clear cut

  54. moparisthebest

    Compression or encryption, pick one

  55. jonasw

    moparisthebest: it’s not that clear cut

  56. Zash

    Memory vs security more like

  57. jonasw

    in cases where an attacker cannot inject input into your output…

  58. Zash

    vs compression ratio

  59. Zash

    Having a compression dictionary per (to, from) would probably be secure and get good compression ratio, but you have to keep a ton of compression streams in memory

  60. Zash

    Compressing each stanza in their own state, or doing a full flush between each stanza is probably secure and doesn't use too much memory, but you don't get that great compression ratio

  61. moparisthebest

    jonasw: it's basically clear cut, since it's so hard to impossible to make sure attacker controlled input isn't in there, the only secure thing to do is no compression

  62. moparisthebest

    Especially at the protocol level

  63. Tobias

    wouldn't EXI allow us compression of some contents and not of others..so we could exclude security relevant info from compression

  64. moparisthebest

    Like maybe doing what Zash says is secure, but as a server or client you can't tell if the other end is doing it that way

  65. moparisthebest

    So the only secure thing to do is not support compression

  66. Zash

    You speak like security is absolute. It is not.

  67. Tobias

    moparisthebest, at some level you got to trust the software on the other end, you don't know if the other end of your TLS connection is dumping the cleartext somewhere

  68. moparisthebest

    Tobias: sounds like EXI's bitpacking without compression makes size smaller while still retaining security

  69. moparisthebest

    Maybe :-)

  70. arc

    well, if my memory and what i just re-read is sane, then in the schema you can define alternative character-restricted CH event types for chat messages

  71. arc

    for example, you could offer a latin + extended latin + common emoticons CH type that may still be 6 or 7 bits in size, in which case it'll only use that number of bits in bitpacked

  72. arc

    i do *not* want to write the regular expressions for that though.

  73. arc

    thankfully that'll be up to each client.

  74. jonasw

    that doesn’t sound crazy at all

  75. arc

    i think you would want at least 3 different format options; common latin-based language, 2-byte unicode, and full unicode

  76. jonasw

    and what happens if a client gets sent content which doesn’t fit that CH type?

  77. arc

    jonasw: the server would use a different CH type.

  78. jonasw

    ah okay

  79. Zash

    Huffman code all the text?

  80. jonasw

    so there can be multiple :)

  81. arc

    or, if no type is available according to the schema the client requested, then the message would not be delivered

  82. arc

    i do believe so, yes.

  83. arc

    honestly i've stayed the hell away from CH encoding because the regex parser scares the shit out of me

  84. arc

    i need to do it. one of these days, and soon.

  85. arc

    there are one of three outcomes from such an effort; 1) I finish it and afterward find myself wiser, more self-confident, and appreciating the effort I put in 2) I finish it, but at the cost of whatever sanity I have left 3) I don't finish it, decide to change professions, and end up working at a starbucks

  86. SamWhited

    arc: starbucks? Aren't you moving to Portland? You'll have your choice of much better coffee shops there!

  87. arc

    SamWhited: lol

  88. Zash

    There's a 4th option, move into the woods and become a potato farmer.

  89. arc

    I tried that already. I got really, really bored.

  90. arc

    there's 8 acres of land in New Hampshire owned by a monastic society I founded about a decade ago

  91. arc

    the last I heard there's still 3 people living there.

  92. arc

    try a git clone on a dialup modem...

  93. arc

    but since it's a church, it's not required to file with the IRS - only updating its information with the state every 5 years. it's exempt from paying property taxes, so the land is effectively perpetual

  94. arc

    in 2020 i'll just have to make sure an online form gets filed with the state as a keep-alive.

  95. Zash

    Probably not too hard/expensive to get fiber. 3G/4G coverage might be good enough too.

  96. arc

    to get there you need to drive down what looks like a driveway, but is a public gravel road, with utility poles that have telephone but no electric. there is only a weak GSM 2G cell service at best (often no signal), no cable, and it's too far out for DSL. the only power on the land is 2 solar panels mounted to the roof of a yurt.

  97. Zash

    The word "here" was missing in that sentence.

  98. Zash

    Small village I lived in in like ~2000 had fiber.

  99. Zash

    Then I moved into the city. Got worthless cable with download caps.

  100. Zash

    Local hackerspace only got fiber now and it's pretty central.

  101. arc

    oh they have decent cable internet there, but nowhere near the land. we got the land cheap as hell because there's absolutely nothing near it. there's an adjoining 118 acre plot, and an adjoining 270 acre plot, both of which are owned by family trusts and are never used

  102. arc

    it's overlooking a lake, and on the other side of the lake there is cable service with 100m business class available. if i moved back at any point, I'd buy a tiny shed with a microwave beam from the other side of the lake, and upgrade the solar capacity

  103. jonasw

    :D

  104. SamWhited has thought about doing something similar a few times.

  105. arc

    but right now the monastery survives on having virtually no expenses. they have a vegetable garden that sells at the local farmers market, and have bulk supplies delivered down the 4 mile dirt road, and the telephone bill.. but that's about it.

  106. arc

    SamWhited: I can literally tell you everything about incorporating a monastery. ;-)

  107. SamWhited

    I meant getting a tiny shed with Solar (which works very well in Texas) and then getting a Fiber line as far out of the city as Google will run it and doing microwave or something to get it to me.

  108. arc

    ah, yea. that's more sane.

  109. arc

    if you ever lose your mind and need to completely escape i can help there too lol

  110. SamWhited

    Don't tempt me; I'm dangerously close to that again already!

  111. arc

    if i did it again i'd make it a lot more tech focused and closer to a city, a place for techies to retire, or at least retreat to, but without being completely cut off.

  112. arc

    Destiny in Vermont (about 30 miles from the monastery) is a much better model. 200+ acres, permanent kitchen building, sewage, off the grid but good cell service.

  113. Zash

    arc: Let me tell you about the church of Kopimism

  114. Zash

    https://en.wikipedia.org/wiki/Missionary_Church_of_Kopimism

  115. arc

    heh a friend is incorporating a church of cannabis right now with a similar vibe

  116. jonasw

    I read cannibals at the first attempt.

  117. jonasw

    that was way more disturbing.

  118. arc

    jonasw: i like the world you live in. :-)

  119. arc

    no the monastery is associated with Quakers, "Monastic Friends", and is effectively stable with people who just want to retire and live on the land away from technology. we had more technically minded people involved early on, but i didn't understand an important property of group building back then - the early form an organization takes will determine who will remain involved with it, and thus who will shape its future.

  120. arc

    the people there, and by design they're the same people who make decisions for the organization, don't want to grow the monastery or develop it in any way. they just want to live their lives in quiet reflection.

  121. arc

    i've learned a lot about how to form a successful new org through many, many mistakes.