XSF Discussion - 2017-03-04

Or twelve easy payments of $59!

That reminds me of the jabber trademark license fee... Is it still a thing for commercial applications?

I do not believe so, any evidence to the contrary appears to be a mistake. But you should reach out to PSA for that

I'm excited to pull in a whole new group of XMPP enthusiasts to the XSF

http://www.sensei-iot.org/ over 100 members to this IoT working group

and its all XMPP

William (the man I met with today) is extremely interested in discussing IoT security issues and cross protocol gateways using XMPP as a core standard for interop

how this man, who knows PSA, Michael Holden, Rikard, Peter Waher, and others, has been working with and promoting XMPP for 5 years or more, and has never been invited to join the XSF is beyond me

arc: the xsf is not something where you need an invite to join

even more scary, you have to candidate and be voted in...think of all the campaigning involved

fippo: no its not, but you do need to know you can join.

ive been taking an active approach to reaching out to xmpp library developers trying to grow the xsf membership for the last year, and we've had at least a handful of new members join that way who've been working with XMPP for years

in many foundations that FOSS devs are used to working around, membership is not so easy. often you do need an invite and often an onerous process to join. joining the Python Software Foundation, for example, has always been a painless but undocumented process which boils down to "what, she isn't already a member? we should add her to the list"

what do you get from joining the PSF?

the ability to vote and invite to the posh free annual member dinner at PyCon

and being able to join the members-only list, which boils down to about the same as the XSF

ah..ok

I was an officer for the PSF before I was a member, I became a member when a board member asked me at pycon if i was coming to the member luncheon and I told him I wasn't a member. He brought me to the luncheon, and I became a member

your first annual meeting with the PSF (which is the luncheon or dinner) you stand up to introduce yourself. and its done.

there are several developers with python-dev (aka they have commit/push rights to Python itself) who are not yet PSF members due nobody noticing that they're not members yet.

anyway - so thoughts on this proposed "httpx" URI scheme for http over xmpp?

i guess it boils down to whether XMPP is considered a proxy service or a primary protocol

arc: why would one want to do http over xmpp?

I only heard people *joking* about that.

jonasw: so that you can tunnel HTTP over BOSH.

arc: I’m sure there are usecases, but which are they?

In band http upload?

jonasw: we should write up something for next month.

Ge0rG: XEP-0363 over XEP-0332?

jonasw: Yeah, I'm sure we can add some more layers to the stack... WebSockets, serverless, mdns, json/rest...

I’d rather work on something productive at the moment.

also, my april 1st thing (if I get around to do it) will be on mtr-tiny

jonasw: I'd like to proof read it, if that's okay for you

Ge0rG: what? what I do with mtr-tiny?

jonasw: Yeah, that one

Hmm HTTP over xmpp using xep368 over tls on port 443...

What's the point? :/

jonasw: to hide your IP address

arc: you can use a generic HTTP proxy for that

For when you don't have Tor, but do have XMPP?

jonasw: that would be a fine solution too, especially if there was a manner for your xmpp server to provision it

and if Tor was more widely deployed that could work too

i want to close the IP leak tho with shared URLs

btw moparisthebest i did a quick and dirty test late last night, exi compressed offers not much in the way of actual compression when used for xmpp due to flushes for stanzas

there would be a few cases that it would such as some pubsub payloads

so a lot of the values for a reasonable client's schema has a lot of low values; 01, 02, 04.. compression does pack those values together, but it doesnt save nearly as much as bitpacked does

and text messages are too small to save a ton unless a dictionary is pre-applied

there are some bitpacking schemes you can use to compress latin text down tho

Heh, dictionary based on xml:lang? heeeheh

Zstd has an interesting dictionary thing built in too, but if compression can't be secure I don't see why it matters much

Like secure wouldn't matter on a private LAN, but bandwidth isn't an issue there either

Trade-offs everywhere

Yup but this tradeoff at least seems basically clear cut

Compression or encryption, pick one

moparisthebest: it’s not that clear cut

Memory vs security more like

in cases where an attacker cannot inject input into your output…

vs compression ratio

Having a compression dictionary per (to, from) would probably be secure and get good compression ratio, but you have to keep a ton of compression streams in memory

Compressing each stanza in their own state, or doing a full flush between each stanza is probably secure and don't use too much memory, but you don't get that great compression ratio

jonasw: it's basically clear cut, since it's so hard to impossible to make sure attacker controlled input isn't in there, the only secure thing to do is no compression

Especially at the protocol level

wouldn't EXI allow us compression of some contents and not of others..so we could exclude security relevant info from compression

Like maybe doing what Zash says is secure, but as a server or client you can't tell if the other end is doing it that way

So the only secure thing to do is not support compression

You speak like security is absolute. It is not.

moparisthebest, at some level you got to trust the software on the other end, you don't know if the other end of your TLS connection is dumping the cleartext somewhere

Tobias: sounds like exis bitpacking without compression makes size smaller while still retaining security

Maybe :-)

well, if my memory and what i just re-read is sane, then in the schema you can define alternative character-restricted CH event types for chat messages

for example, you could offer a latin + extended latin + common emoticons CH type that may still be 6 or 7 bits in size, in which case it'll only use that number of bits in bitpacked

i do *not* want to write the regular expressions for that though.

thankfully that'll be up to each client.

that doesn’t sound crazy at all

i think you would want at least 3 different format options; common latin-based language, 2-byte unicode, and full unicode

and what happens if a client gets send content which doesn’t fit that CH type?

jonasw: the server would use a different CH type.

ah okay

Huffman code all the text?

so there can be multiple :)

or, if no type is available according to the schema the client requested, then the message would not be delivered

i do believe so, yes.

honestly ive stayed the hell away from CH encoding because the regex parser scares the shit out of me

i need to do it. one of these days, and soon.

there are one of three outcomes from such an effort; 1) I finish it and afterward find myself wiser, more self-confident, and appreciating the effort I put in 2) I finish it, but at the cost of whatever sanity I have left 3) I don't finish it, decide to change professions, and end up working at a starbucks

arc: starbucks? Aren't you moving to Portland? You'll have your choice of much better coffee shops there!

SamWhited: lol

There's a 4th option, move into the woods and become a potato farmer.

I tried that already. I got really, really bored.

there's 8 acres of land in New Hampshire owned by a monastic society I founded about a decade ago

the last I heard there's still 3 people living there.

try a git clone on a dialup modem...

but since its a church, its not required to file with the IRS - only updating its information with the state every 5 years. its exempt from paying property taxes, so the land is effectively perpetual

in 2020 ill just have to make sure an online form gets filed with the state as a keep-alive.

Probably not too hard/expensive to get fiber. 3G/4G coverage might be good enough too.

to get there you need to drive down what looks like a driveway, but is a public gravel road, with utility poles that have telephone but no electric. there is only a weak GSM 2G cell service at best (often no signal), no cable, and its too far out for DSL. the only power on the land is 2 solar panels mounted to the roof of a yurt.

The word "here" was missing in that sentence.

Small village I lived in in like ~2000 had fiber.

Then I moved into the city. Got worthless cable with download caps.

Local hackerspace only got fiber now and it's pretty central.

oh they have decent cable internet there, but nowhere near the land. we got the land cheap as hell because there's absolutely nothing near it. there's an adjoining 118 acre plot, and an adjoining 270 acre plot, both of which are owned by family trusts and are never used

its overlooking a lake, and on the other side of the lake there is cable service with 100m business class available. if i moved back at any point, I'd buy a tiny shed with a microwave beam from the other side of the lake, and upgrade the solar capacity

:D

but right now the monastery survives on having virtually no expenses. they have a vegetable garden that sells at the local farmers market, and have bulk supplies delivered down the 4 mile dirt road, and the telephone bill.. but that's about it.

SamWhited: I can literally tell you everything about incorporating a monastery. ;-)

I meant getting a tiny shed with Solar (which works very well in Texas) and then getting a Fiber line as far out of the city as Google will run it and doing microwave or something to get it to me.

ah, yea. thats more sane.

if you ever lose your mind and need to completely escape i can help there too lol

Don't tempt me; I'm dangerously close to that again already!

if i did it again id make it a lot more tech focused and closer to a city, a place for techies to retire, or at least retreat to, but without being completely cut off.

Destiny in Vermont (about 30 miles from the monastery) is a much better model. 200+ acres, permanent kitchen building, sewage, off the grid but good cell service.

arc: Let me tell you about the church of Kopimism

https://en.wikipedia.org/wiki/Missionary_Church_of_Kopimism

heh a friend is incorporating a church of cannabis right now with a similar vibe

I read cannibals at the first attempt.

that was way more disturbing.

jonasw: i like the world you live in. :-)

no the monastery is associated with Quakers, "Monastic Friends", and is effectively stable with people who just want to retire and live on the land away from technology. we had more technically minded people involved early on, but i didnt understand an important property of group building back then - the early form an organization takes will determine who will remain involved with it, and thus who will shape its future.

the people there, and by design they're the same people who make decisions for the organization, don't want to grow the monastery or develop it in any way. they just want to live their lives in quiet reflection.

ive learned a lot about how to form a successful new org through many, many mistakes.