XSF Discussion - 2017-03-13

  123. zeank

    Hidiho! In the light of Push Notifications I wondered if it wouldn't make sense to add a <no-push xmlns="urn:xmpp:hints"/> to https://xmpp.org/extensions/xep-0334.html ?

  124. rion has left

  125. Ge0rG

    zeank: where should it be used, then?

  126. nyco has joined

  127. zeank

    To not trigger a push on the server side

  128. Tobias

    and you want remote parties in control of that?

  129. zeank

    in certain cases, yes

  130. zeank

    Ok, I see a problem … they could control it all then :/

  131. nicolas.verite has left

  132. Tobias

    zeank, what cases are those?

  133. zeank

    in our scenario we exchange let's call it meta information between clients

  134. zeank

    as messages though

  135. zeank

    and we don't want to trigger a push for those

  136. Kev

    Servers need to not act on hints, because you almost never want a remote client being able to tell your server what to do about things like storing or copying or pushing.

  137. zeank

    typing notifications could be another

  138. Tobias

    why would servers trigger push notifications on body-less messages

  139. ralphm has left

  140. blipp has joined

  141. zeank

    hm, fair point in our case all messages are body less because they are encrypted and have no body in general

  142. zeank

    it's a proprietary system

  143. zeank

    just thought it might be useful for others as well

  144. zeank

    @Kev so the whole XEP is wrong?

  145. Ge0rG

    I think we need a common ruleset for decisions about pushing, carbon-copying and MAM-archiving of messages.

  146. Kev

    zeank: I thought 334 said that they were just hints, and entities didn't have to honour them.

  147. Ge0rG

    Kev: the alternative would be to encode stateful processing rules in the server, right?

  148. Kev

    But if it really says that a remote client can choose whether my server puts things in my archive, then yes, it's of limited applicability (rather than wrong, as it might still be useful in closed systems), and we need to be very careful about anything depending on it.

  149. zeank

    yes, they are just "hints", but they are targeting the behaviour of the server, not sure how push and MAM are so different in this regard then

  150. sonny has joined

  151. kalkin has left

  152. Tobias

    zeank, that proprietary system sounds interesting if it can encrypt even typing notifications, which OMEMO currently can't afaik :)

  153. kalkin has joined

  154. zeank

    we don't have typing notifications yet, just to be clear ;)

  155. Tobias is much less excited now

  156. zeank


  157. Ge0rG

    Kev: do you happen to have an idea how to make the desired functionality of hints secure and proper, in the context of the right trust boundaries?

  158. Laura has left

  159. Laura has joined

  160. Kev

    Ge0rG: Put the rules in the server not the remote client, is all I have.

  161. mhterres has joined

  162. Holger

    As for the copying of messages, doesn't XMPP core allow the sender to control this by addressing the full vs. bare JID and using certain message types?

  163. Kev

    What gets archived by the server is very clearly a server decision, not a remote client decision.

  164. Kev

    Holger: Not with carbons.

  165. Tobias

    right, but there are currently few sensible guidelines on that, not?

  166. Ge0rG

    Kev: "A message of type 'chat' is not eligible for carbon copies if it contains a body and the body starts with the verbatim string '?OTR'"

  167. Holger

    Yes then XEP-0280 breaks this, which is why we need hints for that :-)

  168. zeank


  169. Ge0rG

    Holger: actually, the remote party can only choose between "deliver to THIS resource" and "deliver to somebody implementation-defined"

  170. Holger


  171. Ge0rG

    and I really despise the last part of it.

  172. Holger

    I think the desired behavior is to be able to address either an individual device or the account.

  173. Ge0rG

    because you can't rely on it, but you need to for a proper notification implementation.

  174. jonasw

    we could all agree that "somebody implementation defined" is "nobody, but everyone interested gets a carbon copy" :)

  175. jere has joined

  176. Ge0rG

    jonasw: that makes sense if all your clients enable carbons and if you make no client-side semantic difference between "real" messages and carbons

  177. Ge0rG

    jonasw: but the latter will bite you in a multi-client context.

  178. Ge0rG

    e.g. in the "I have my phone on the desk and use my desktop" user story.

  179. jonasw

    Ge0rG: you need to solve that anyways, no matter if you CC everything or not

  180. nicolas.verite has joined

  181. jonasw

    because the user can switch at any point in time

  182. Ge0rG

    jonasw: yes, but you can use carbons as a hint

  183. jonasw

    for the former part: clients who cannot into CC are annoying anyways and they’re gambling on whether they get messages or not as-is

  184. jonasw

    Ge0rG: but you depend on the server implementation-defined mess if your peer always addresses the bare JID like your client does ;)

  185. nicolas.verite has left

  186. jonasw

    I’d rather use xep 84 as a hint actually.

  187. Ge0rG

    > clients who cannot into CC are annoying anyways
    said the pidgin user

  188. jonasw

    yes, that means that I must know, Ge0rG.

  189. Martin has joined

  190. narcode has left

  191. Martin has left

  192. Ge0rG

    It's obviously getting complicated and complicated, on the client side. This is the opposite of the general idea of XMPP, but we could do something like this: on received message: if (message is carbon or sent to bare JID) and (we got presence/activity from another resource of our account recently): delay notification by a 1-minute timer which is cancelled on activity from another client

  193. Martin has joined

  194. Holger

    Conversations does the "we got presence/activity from another resource" check.

  195. Laura has left

  196. Ge0rG

    Holger: Conversations does many things that are not codified. While this is good for Conversations users, it makes it harder for future client implementations

  197. Holger

    A better solution might be looking at the CSI state. Then again, at least desktop clients probably just don't have a good idea of whether they're currently active or not.

  198. Ge0rG

    What about just reading tea leaves?

  199. Kev

    I think 'implement Kev's upcoming read-sync XEP' might be a good approach ;)

  200. Kev

    I really need to write something there, though :/

  201. Tobias

    Ge0rG, that won't float well with coffee enthusiasts

  202. Mancho has joined

  203. Ge0rG

    Tobias: they wouldn't even notice, if we provide centralized access to tea-leaves-entropy. Otherwise, we'd need to kindly ask the user to make a photograph.

  220. Ge0rG

    Kev: the read-sync sounds like a more explicit way to tell other clients that messages have been read. I'm not sure if it will also help in the notification-delay/prevention situation

  221. Kev

    Well, it helps, because it's an explicit way of knowing that a message doesn't need to be notified (or that a notification can be cleared), but it doesn't prevent you needing some logic somewhere about delaying notifications, indeed.

  222. Kev

    I think that's just the cost of doing business.

  223. Ge0rG

    Kev: will it be similar to chat state notifications?

  224. Kev

    Not particularly, no :)

  243. Ge0rG

    Kev: why not?

  244. Kev

    Because CSN go to the other party, and read sync goes to your server, and from there to your clients?

  245. Ge0rG

    Hm. So it's an account-centric thing.

  246. kaboom has left

  247. Kev


  248. jonasw

    Kev: you could send CSN to your own bare JID :-)

  249. jonasw

    and let carbons do the rest

  250. Ge0rG

    jonasw: it would get reflected to yourself.

  251. jonasw


  252. Kev

    jonasw: That doesn't work for saying which messages are read, though.

  253. Ge0rG

    there is no xmpp primitive to "send something to all the other clients of yours"

  254. jonasw

    Kev: yes, but isn’t there something for that already?

  255. jonasw

    Ge0rG: ah, that’s what you mean

  256. jonasw

    Ge0rG: well, we may need one

  257. Ge0rG

    one could use PEP

  258. jonasw


  259. Tobias

    Ge0rG, with carbons there is, not?

  260. jonasw

    Tobias: all *other* clients

  261. Ge0rG

    Tobias: what'd be your destination JID? the server?

  262. Tobias

    Ge0rG, your own bare JID? :)

  263. Ge0rG

    message to "account-domain.xmpp" would get carboned to all other clients

  264. Ge0rG

    Tobias: no. you'd get the message twice

  265. jonasw

    on each resource (once as <sent/>, once as <received/>)

  266. Ge0rG

    Tobias: first the 'sent' carbon, then the delivered message/carbon

  267. Ge0rG

    except on the sending client, it would only get one copy

  268. Tobias

    Ge0rG, "at least once" semantic is easier than "exactly once"

  269. Ge0rG

    Tobias: but using the "most probably twice" semantics is just wrong.

  270. Holger

    What's wrong with PEP BTW?

  271. jonasw


  294. Tobias

    and that would be the last XMPP related fosdem talk tweeted about

  295. kaboom has left

  296. Guus

    which reminds me: we could use a new post for the blog. Anyone interested in writing one?

  297. sonny has joined

  298. sonny has joined

  299. nicolas.verite has joined

  300. Ge0rG

    Guus: what should it be about?

  301. kaboom has left

  302. Tobias

    Ge0rG, federal reserve, rainforest, and that sort of thing

  303. Ge0rG

    Tobias: xsf world domination plans? Because it's a greater challenge if we announce the plans in advance?

  304. nicolas.verite has left

  305. Tobias

    we already have a retracted XEP for that :P that should be enough of an announcement

  306. kaboom has left

  307. kaboom has left

  308. kaboom has left

  309. Valerian has joined

  310. nyco has joined

  311. Ge0rG

    Retracted? People don't even care about experimental...

  312. kaboom has left

  313. Guus

    Ge0rG: I have no specific agenda, other than trying to help make sure that the blog gets regular updates. So far, I've reached out to Daniel for an OMEMO post, and Rikard for an IoT one.

  314. Tobias

    well..it's kind of hidde

  315. Tobias


  316. kaboom has left

  317. Yagiza has left

  318. Guus

    If you have a good idea, feel free to submit something. You can easily add a blog post via a PR on the website, or send it to me by text, and I'd be happy to post on your behalf.

  319. Tobias

    Ge0rG could write about how snarky comments in open standards communities result in improved protocols ;)

  320. Ge0rG

    Guus: sounds good to me. I'm sure nobody wants ME to write a guest post.

  321. Tobias

    or more seriously, about his efforts on improving UX and usability

  322. Guus

    Ge0rG: guest? you're a member, right?

  323. Ge0rG

    Guus: right. But I'm not a regular contributor to the blog.

  324. Ge0rG

    Tobias: I'm sure that would get flagged immediately because of neutrality concerns.

  325. Tobias

    Ge0rG, a blog without regular posts doesn't have any regular contributors at all

  326. Tobias

    Ge0rG, we could neutralize it

  327. Guus

    Ge0rG: I wonder if anyone considers themselves a 'regular blogger' here. There's people that posted more than others, but that's more because of a lack of input by the others. :)

  328. nicolas.verite has joined

  329. Ge0rG

    Tobias: also, what would be the target audience? It seems that it's widely irrelevant to users, and there are two camps of developers: the ones who don't care, and the ones who have no time to improve

  330. Tobias

    yeah...try to channel that optimism into words for the blog post

  331. nicolas.verite has left

  332. Guus

    (no response, which presumably means he's drafting a post!)

  333. Guus eyes dwd

  334. Ge0rG

    I feel a bit like Aragorn, having his motivational speech before the fight of helm's deep. Except there is no army. Actually, now that I think of it, it's probably more like Tyrion Lannister's "don't fight for your king" speech.

  335. Guus

    so, you're good with words...

  336. Guus

    Ge0rG: You might be making a bit too much of it :)

  337. nyco has joined

  338. Ge0rG

    Guus: this is probably a sign that I'm overqualified ;)

  339. Guus

    Ge0rG: Perhaps. You should take this as a challenge to see if you can lower yourself to our level!

  340. Tobias

    Ge0rG, it might result in more users demanding better usability for their clients, who knows

  341. vurpo has left

  342. Ge0rG

    Tobias: quite seriously, I'm not sure how to frame the whole thing. "Here is this new set of ideas how to make XMPP better"?

  343. vurpo has joined

  344. vurpo has left

  345. vurpo has joined

  346. vurpo has left

  347. Ge0rG

    Tobias: the obvious question for the readers would be "why are they talking about it, instead of just doing it"

  348. Guus

    Ge0rG: perhaps frame the fact that we need a solution for a problem? "Clients look awful, we could use an effort to streamline things. We've started doing that at xyz"

  349. Guus

    (but nicer)

  350. vurpo has joined

  351. Tobias

    Ge0rG, well..it makes little sense talking here about it, as you already made your point and few new people come here

  352. vurpo has left

  353. Tobias

    i think our blog has a wider target audience than this room

  354. dwd

    Also more tweetable.

  355. Guus

    Tobias: do you have access to pageview stats?

  356. Tobias


  357. vurpo has joined

  358. Tobias

    I'd also like to have access to xmpp twitter account analytics...to see if all that tweeting increased our followers (it did, but how much)

  359. Ge0rG

    Guus: the next problem is: I'd really like to use specific examples of how things can be improved, namely conversations and (to a degree) yaxim. But then it'd result in something like https://yaxim.org/blog/2017/01/31/yaxim-0-dot-9-security-easy-xmpp/ and obviously violate XSF neutrality in a way that's hard to neutralize

  360. vurpo has left

  361. Guus

    Ge0rG: I'd almost consider that a follow-up post. I'm not too bothered by the neutrality thing (but others disagree), but, referencing Yaxim as an example should be fine I think - more so if you can reference another implementation too

  362. vurpo has joined

  363. vurpo has left

  364. vurpo has joined

  365. Ge0rG

    I fear that even mentioning https://github.com/ge0rg/easy-xmpp-invitation which is really client-agnostic (except for the hardcoded list of yaxim+conversations) would be seen as a violation

  366. Guus

    There's always going to be someone that sees something as a violation of something. If that stops people, nothing would get done.

  367. jonasw

    Guus: +1

  368. Ge0rG

    Guus: I just extrapolate the previous feedback I've received from XSF members to my public statements about the state of XMPP.

  369. Ge0rG

    Guus: if I disregard that, I can imagine writing a call-to-action post about Easy XMPP. And I'll try hard to make it as positive as possible

  370. Guus

    Ge0rG: you might generate more feedback than others here :)

  371. Ge0rG

    Guus: I'm not sure if the feedback I generate is of the right sort.

  372. vurpo has left

  373. vurpo has joined

  374. Guus

    Ge0rG: I'd love for you to draft a rough outline of a post. We can do a PR on that, and have some reviews.

  375. Ge0rG

    Guus: deal

  376. Guus

    awesome, thanks!

  377. Guus

    and again - I think it might be a good idea to smear this topic out over a couple of posts. One that describes the problem and the approach taken to start working on a fix - another one that describes a few of the fixes, and more that illustrate how individual implementations are now improved. Then, a final one where you claim victory.

  378. daniel has left

  379. Guus

    Ge0rG: there might be a handful of posts and world domination in this for you ;)

  380. daniel has joined

  381. Ge0rG

    Guus: I don't aim for world domination

  382. Ge0rG

    Guus: all I want is a nice big yacht. :D

  383. vurpo has left

  384. vurpo has joined

  385. Guus

    Ge0rG: if you want, I can put you in contact with one of my Nigerian royal friends who badly need to transfer money out of the country? Supposedly, that's a win/win and risk-free.

  386. Ge0rG

    Guus: I think I'm already in negotiations with that person

  387. jonasw


  388. Guus

    Ge0rG: I am sure then that your ship will literally and figuratively come in any minute now.

  389. vurpo has left

  390. Guus

    Tobias: could you do a review of https://github.com/xsf/xmpp.org/pull/185 ?

  391. Guus

    I think it's ready to merge now (finally)

  392. Tobias

    will do this evening

  393. vurpo has joined

  394. Guus


  395. vurpo has left

  396. vurpo has joined

  397. jonasw

    is my dynamic list generation code live already?

  398. Guus

    jonasw: I think so, yes.

  399. jonasw

    then we can start the attack on the quality of listed software, right?

  400. Guus

    I fixed the problem that prevented a bunch of commits to go live, after which the changes that were visible to me popped up.

  401. jonasw

    with requiring projects to re-request their listing and so on

  402. Guus

    jonasw: I see a blogpost in your immediate future :D

  403. jonasw


  404. jonasw

    pelican-based blog?

  405. Guus


  406. jonasw

    can do

  407. Guus


  408. jonasw

    but I might forget

  409. Guus

    add something here: https://github.com/xsf/xmpp.org/tree/master/content/posts/blog

  410. jonasw

    I’m super tired right now, not sure if writes to my task memory persist currently :)

  411. Guus

    no worries, I'll be here to haun...remind you.

  412. Yagiza has joined

  413. Yagiza has joined

  414. Ge0rG

    Guus: https://github.com/xsf/xmpp.org/pull/274 - I'm sure this will ignite a discussion.

  433. Guus

    Thanks Ge0rG. I responded on github

  434. Yagiza has joined

  435. Ge0rG

    Guus: the verbatim tldr will get out, but I'm used to making the first paragraph of long posts effectively a tldr

  436. suzyo has joined

  437. Guus

    Ge0rG: that might be a sign that the text is too long for a blogpost :)

  438. Guus

    but, a matter of personal preference, probably

  439. Guus

    My main point is that I really dislike 'tl;dr'

  440. Ge0rG

    Guus: I'd say it is a sign of respect to the prospective reader. I tell them in a single paragraph if the remaining part is worth reading.

  441. Ge0rG


  442. Guus

    personal preference. :)

  443. Guus

    go for it - it's your text.

  444. Flow has left

  445. Ge0rG

    Guus: thanks for your feedback. I'll update the pr when I find some more time

  462. jonasw

    Guus: you could call it "Abstract", is that better?

  463. intosi has joined

  464. Ge0rG

    jonasw: what's wrong with an implicit "summary"

  465. jonasw

    I don’t know.

  499. dwd

    So... The only point where mam:2 makes any difference is in the one place where the XML namespace is not used.

  504. dwd

    ... and this has no impact *at all* on MIX.

  536. Kev

    Question, UX experts.

  537. Valerian has joined

  538. Kev

    Hypothetically if you were writing an XMPP client and wanted the experience when opening a chat from within a MUC to not suck (i.e. to open to the real JID instead of the room JID) in the usual case, how (if at all) would you protect it against spoofing on untrusted remote MUC services?

  539. jere has joined

  540. lskdjf has left

  541. Ge0rG

    Kev: you are talking about private chats?

  542. dwd

    Hypothetically, if I were using an untrusted remote MUC service, how stupid would I be to be sending it messages anyway?

  543. Kev

    It depends on the trust, I think?

  544. Ge0rG

    with my UX hat: I'd just open a chat with the bare JID advertised in the MUC. with my security hat: what dwd said.

  545. dwd

    Kev, What are you trusting it to do and not do?

  546. Kev

    I mean, I may trust my inane discussions to something, but not want it to be able to lie about someone's real JID and have me spam a helpless person directly.

  547. Ge0rG

    Kev: these are the same security concerns I've been pondering for some weeks already, in the context of mediated vs. direct MUC invitations

  548. dwd

    Kev, That's not a security concern.

  549. Kev

    Turning occupants into a DDoS probably is :)

  550. dwd

    Kev, That's a concern you might annoy someone, not a concern about leaking information.

  551. Kev

    I don't think I said anything about it being a concern leaking information, did I?

  552. Kev

    (Or even security)

  553. dwd

    Kev, Hardly; you're reliant on having users PM people. And if you're a remote MUC, you can spoof the PMs directly, causing people to get any responses.

  554. Kev

    You can't spoof the PM as being from my server, though.

  555. dwd

    Kev, No, but I can spoof them as being from you, via a MUC.

  556. Kev

    Yes. I'm thinking about people not in the room at all.

  557. dwd

    Kev, Who isn't in the room?

  558. Kev

    You annoy me, so I tell all jabber.org MUCs to say that every occupant's real JID is yours, and then you get spammed every time someone tries to send a PM.

  559. dwd

    Kev, That was you?

  560. dwd

    Kev, You git.

  561. Kev

    I do.

  562. Kev

    Although I don't tend to use it as a verb.

  563. jonasw has left

  564. Kev

    Regardless, this feels like it might not be ideal, to me.

  565. dwd

    Kev, True, that would be subversion.

  566. Kev

    Very good.

  567. jonasw has left

  568. dwd

    Kev, OK. So I think the "real-jid" issue here remains irrelevant. It's one case where a (popular) MUC service could abuse trust.

  569. Kev

    I'm pondering possible options being "Meh, you're in the MUC, you're showing some trust", "Do it if it's someone in your roster" (so you can probably work through the social issue if it gets spoofed), "do it if it's a local service". (where 'it' is opening to the real JID).

  570. Ge0rG

    Kev: I think the only sane solution to that is having MUC presence signed by the user's account key.

  571. Kev

    There's also revealing your own JID in the case that you're a moderator in a room.

  572. dwd

    Ge0rG, Seems fair.

  573. Zash

    How do you know what account key is the right one?

  574. dwd

    Kev, I think any of your options is fine.

  575. Kev

    Certainly the irritation of having PMs outside your normal flow is significant and I want to fix it.

  576. dwd

    Zash, By asking the MUC for the public key of its occupant of course. Duh!

  577. Zash

    MUC can't lie

  578. SamWhited

    MUC real-JID dial-back verification? When you want to verify a JID in a MUC you send them a token (through the MUC), and then they echo it back via their real-JID. I'm not sure this is necessary either, but it's fun to think about.

  579. dwd

    Zash, Evil-MUC-bit?

  580. Ge0rG

    Zash: you query the bare JID for a signed presence, or check your roster

  581. Kev

    SamWhited: Sure, but that only works if you're running over jidnssec, which no-one is :)

  582. Ge0rG

    Kev: may I point you to https://mail.jabber.org/pipermail/standards/2017-January/032021.html

  583. SamWhited

    Kev: jidnssec? Not sure if real thing or a joke I didn't get…

  584. Tobias

    it's a DNSSEC deployment joke

  585. SamWhited

    Oh, heh, right

  586. Kev

    SamWhited: It's a joke. You mentioned dialback, which is a fine thing to use for S2S as long as you have dnssec.

  587. nicolas.verite has joined

  588. dwd

    (And you also use TLS).

  589. nicolas.verite has left

  590. Tobias

    and .im domains can't do DNSSEC because people from the isle of man are afraid of locks

  591. Tobias


  592. SamWhited

    I think it works in this case though if you trust the s2s connection at all

  593. SamWhited

    (the s2s connection doesn't have to do dialback, I just used that name because they're echoing an HMAC or something back at you)

  594. Kev

    Yes, it's not a stupid idea.

  595. SamWhited

    You'd have to do it two ways though for mutual verification, so there's probably a better way

  596. Ge0rG

    SamWhited: like... distributed MUCs

  597. Ge0rG

    or maybe we need to replace JIDs with pubkey-based identities

  598. SamWhited

    Ge0rG: I'm assuming this was a question for a MUC implementation today, not for a future-widely-used-thing implementation.

  599. ralphm has left

  600. Ge0rG

    or we just ignore the problem and pretend it doesn't exist.

  601. Zash

    Let's build an elaborate PKI!

  602. Zash

    The world needs more of those

  603. Ge0rG

    Or we introduce a "security level slider" into our apps, ranging from "I don't care, just make it work" to "I'm ultraparanoid"

  604. Kev

    (And thanks all, BTW)

  605. dwd

    Ge0rG, Excellent. The world needs more security options that users don't understand the implications of.

  606. Ge0rG

    Kev: so have you come to a conclusion how to do it?

  607. Zash

    Ge0rG: Key based identity would be interesting, but I don't think that's even XMPP 2, that's gotta be something completely new.

  608. Ge0rG

    dwd: most users don't understand the implications of any of the security options provided to them.

  609. Kev

    Ge0rG: I think the conclusion is "Meh, just do it"

  610. Ge0rG

    Zash: TOX maybe. It's got an "X" in it at least.

  611. Ge0rG

    Kev: this conclusion was also reached at the end of the lively security debate in the thread I pointed to.

  612. Kev

    FWIW, for mediated invitations, Swift shows it but warns that it could have been spoofed.

  613. Kev

    I can't remember if we replied to the thread or not.

  614. Tobias has left

  615. Kev

    But the whole mediated invite thing is horrid anyway and everyone needs to just use direct invites :)

  616. Ge0rG

    Kev: direct invites don't auto-add the receiver to the MUC affiliation

  617. nicolas.verite has joined

  618. mimi89999 has joined

  619. Tobias

    Ge0rG, jet fuel can't melt steel beams

  620. Tobias

    Ge0rG, i think setting up specific affiliations for participants is a quite rare use case

  621. nicolas.verite has left

  622. nyco has left

  623. Ge0rG

    Tobias: I want to have a private group chat with my family members. Do you have an idea of the steps I have to perform to achieve that, client-side?

  624. Ge0rG

    Hint: none of them are described in 0045.

  625. Kev

    Ge0rG: You open Swift, you choose 'start chat' and drag all of them into it? :)

  626. Tobias

    just create a UUID MUC and invite the people you want to join

  627. Ge0rG

    Tobias: but I need to make that MUC invite-only and hidden.

  628. Ge0rG

    I think there are some forms to enable that.

  629. Tobias

    hidden yes, invite-only (why, who will know the JID?)

  630. vurpo has left

  631. Ge0rG

    Tobias: and then I need to add all the folks into the affiliation

  632. vurpo has joined

  633. Tobias has left

  634. Ge0rG

    Tobias: so you are using the JID as a password?

  635. tim@boese-ban.de has joined

  636. Tobias

    basically, yes

  637. Ge0rG

    Am I the only one who thinks this is significantly worse than following invites from a remote untrusted MUC?

  638. Tobias

    Ge0rG, what's your fear? people guessing the JID? that one of the participants leaks the JID?

  639. Ge0rG

    Tobias: accidental leaking of the JID

  640. Tobias


  641. Ge0rG

    Tobias: pastebinned client debug logs, server bugs

  642. Tobias

    what says the way you'd accidentally leak your JID wouldn't also leak the password if it were password protected?

  643. Ge0rG

    Tobias: JIDs are not generally considered "secret"

  644. Ge0rG

    Tobias: by violating that assumption, you are bringing your users one step closer to the abyss

  645. Ge0rG

    Tobias: leaking a password requires gross negligence

  646. SamWhited

    User probably shouldn't see or know that a JID exists (especially if it's really just a UUID), so I don't see why it matters.

  647. Tobias

    well...if you want to provide a true sense of security to your users you should do OMEMO in the MUC anyway

  648. Ge0rG

    Tobias: my point is that it's good to have additional guards

  649. Ge0rG

    and "closed affiliation" is one such

  650. mimi89999 has left

  651. mimi89999 has joined

  652. Ge0rG has left

  653. vurpo has left

  654. vurpo has joined

  655. vurpo has left

  656. vurpo has joined

  657. Holger

    Tobias: For OMEMO you want to have the group members affiliated with the room anyway, though :-)

  658. Holger

    And simply for listing the offline members of your group chat.

  659. Holger

    And because you want that anyway, you can just as well make the room members-only (since *this* step is simple).

  660. Tobias

    i wish there were a XEP for that

  661. Tobias


  662. Holger

    For what?

  663. Alex has left

  664. Ge0rG

    Holger: for creating a members-only private MUC, I suppose

  665. Ge0rG

    I'm going to add that to yaxim soon, and write it down in the process. I'm interested in such an XEP as well

  666. Ge0rG

    Sufficiently interested to actually write it, if nobody else *cough*daniel*cough* jumps in.

  667. Ge0rG

    https://wiki.xmpp.org/web/Easy_Group_Chats is the first iteration

  668. Ge0rG

    I've had another crazy idea: to use the "long description" of the MUC to store a link to an http-uploaded avatar

  669. Holger

    I think it's all in 0045 even though it wasn't written with that use-case in mind.

  670. Ge0rG

    Holger: you must be talking of https://xmpp.org/extensions/xep-0045.html#createroom-instant

  671. Holger

    (Except for an option to enable MUC MAM for servers who want to make this configurable.)

  672. Holger

    Ge0rG, no I wasn't suggesting an instant room. Maybe I'm missing something but what I have in mind is simply using a plain members-only room with MAM for private/presence-less group chat.

  673. Ge0rG

    Holger: and where is that written down in the XEP?

  674. Ge0rG

    I'm not quite sure what the use case of the 0045 "instant room" is, except for being comparably bad to instant soup.

  675. Holger

    Only the building blocks are there of course. It doesn't say "to create a private group chat, do this and that".

  676. Ge0rG

    Holger: but I want it to be in there.

  677. Ge0rG

    Holger: your statement is comparable to "all the building blocks for a group chat are in rfc 6120+21" :P

  678. Holger

    Ge0rG: I don't think that's comparable; 0045 adds protocol on top of the RFCs while my point is that you don't really need anything on top of 0045. But I see how a document explaining how to use 0045 to implement group chat would be useful.

  679. SouL has left

  680. Ge0rG

    Holger: I would even 1-up that and say that 0045 should contain it

  681. Ge0rG

    maybe the council will not be strictly opposed to adding a new informational section to 0045

  682. Holger

    Sounds good to me.

  683. Ge0rG

    But first, I need to sort out #418 and #436

  684. Bunneh

    Ge0rG: XEP-0280: Add 'Usability Considerations' section #418 https://github.com/xsf/xeps/pull/418

  685. Holger

    And maybe #204 should be sorted out first as well :-)

  686. Bunneh

    Holger: XEP-0045: Define option name for enabling/disabling MAM #204 https://github.com/xsf/xeps/pull/204

  687. suzyo has joined

  688. Ge0rG

    Holger: btw, being a server developer. Would you rather prefer more rules in 0280 clarifying what to do with [xep 0184] acks and [xep 0333] states, or have those two contain explicit <copy> hints?

  689. Holger

    I think adding more rules to 0280 modules is wrong.

  690. Zash


  691. MattJ


  692. jonasw

    https://xkcd.com/1810/ is sad.

  693. intosi


  694. Alex has joined

  695. Ge0rG

    case in point: 0184 does not mandate to use type=chat

  696. Vinilox has left

  697. Holger

    Indeed. I use local patches that add rules to fix such things :-/

  698. Ge0rG

    but Kev said that we shall not rely on remote clients telling us what to do

  699. Holger

    And I disagree, at least when it comes to addressing accounts vs. individual devices.

  700. dwd has left

  701. SamWhited

    Does anyone here have any idea how communication with IANA should work? I've been googling things like "IANA registration procedure" and "IANA expert review rules" and so far everything is completely undocumented and worthless as usual… *grumble, grumble*

  702. Zash

    Email someone. ???, PROFIT!

  703. SamWhited

    I found one old document that explicitly said that IANA procedures were currently not documented, so I'm just about ready to assume that's still right, everything is tribal knowledge, and then just start spamming people until someone updates the registry.

  704. Guus

    hargh - the US went to/from DST?

  705. intosi


  706. zeank has left

  707. SamWhited

    Guus: Yup; be warned, everyone on this side of the pond is confused and grumpy today (actually, that's most days, but *more so* today)

  708. Guus

    Which explains why this meet is pretty empty...

  709. intosi

    They probably measure DST in furlongs per fortnight or something.

  710. Guus

    It's bad enough that we have DST in the first place - but everyone having a different date when it kicks in does not help either...

  711. suzyo has left

  712. intosi

    DST: collectively tricking your employers into accepting it's okay to start and leave an hour earlier.

  713. suzyo has joined

  714. Lance has joined

  715. Ge0rG

    on a slightly related note, I'd really love board meetings to be one hour earlier.

  716. Alex has left

  717. Vinilox has joined

  718. nicolas.verite has joined

  719. nicolas.verite has left

  720. suzyo has joined

  721. jubalh has joined

  722. suzyo has joined

  723. bjc has joined

  724. bjc has joined

  725. jere has left

  726. jere has joined

  727. SamWhited has left

  728. kalkin has left

  729. intosi has left

  730. vurpo has left

  731. vurpo has joined

  732. SamWhited

    Oh typical, and the IANA contact apparently doesn't work for Cisco anymore so the only email listed is broken.

  733. nicolas.verite has joined

  734. kalkin has joined

  735. SamWhited

    Found a personal email; let's try that.

  736. nicolas.verite has left

  737. SamWhited

    Oh no, matt already forwarded it. Convenient.

  738. intosi has joined

  739. vurpo has left

  740. vurpo has joined

  741. Alex has joined

  742. ralphm has left

  743. vurpo has left

  744. vurpo has joined

  745. Holger has left

  746. intosi has left

  747. Yagiza has left

  748. Guus has left

  749. blipp has left

  750. blipp has joined

  751. goffi has left

  752. suzyo has left

  753. mimi89999 has left

  754. ilmaisin has joined

  755. intosi has joined

  756. mimi89999 has left

  757. Martin has left

  758. SamWhited has left

  759. mimi89999 has left

  760. Guus has left

  761. Steve Kille has left

  762. Steve Kille has left

  763. Steve Kille has joined

  764. Guus has left

  765. vurpo has left

  766. vurpo has joined

  767. jubalh has left

  768. jubalh has joined

  769. nyco has joined

  770. SouL has left

  771. Zash has left

  772. rion has left

  773. Zash has joined

  774. Zash has left

  775. Zash has left

  776. Alex has left

  777. Alex has joined

  778. Valerian has left

  779. Alex has left

  780. Alex has left

  781. Alex has left

  782. SamWhited has left

  783. Alex has left

  784. Valerian has joined

  785. intosi has left

  786. Guus has left

  787. Alex has left

  788. tim@boese-ban.de has joined

  789. tim@boese-ban.de has joined

  790. Valerian has left

  791. Guus has left

  792. efrit has joined

  793. Alex has left

  794. Valerian has joined

  795. goffi has joined

  796. Guus has left

  797. alhiti has joined

  798. alhiti has left

  799. Lance has left

  800. kalkin has left

  801. Alex has left

  802. Laura has joined

  803. Laura has left

  804. Neustradamus has left

  805. daniel has left

  806. Alex has joined

  807. nyco has joined

  808. rion has joined

  809. Alex has left

  810. jonasw has left

  811. Ge0rG has left

  812. nicolas.verite has joined

  813. jubalh has left

  814. nicolas.verite has left

  815. Alex has joined

  816. suzyo has joined

  817. Alex has left

  818. nicolas.verite has joined

  819. alhiti has joined

  820. jubalh has joined

  821. alhiti has left

  822. kaboom has left

  823. Mancho has left

  824. kaboom has left

  825. Guus has left

  826. suzyo has left

  827. Valerian has left

  828. Valerian has joined

  829. Valerian has left

  830. Valerian has joined

  831. Valerian has left

  832. kalkin has left

  833. Valerian has joined

  834. nicolas.verite has left

  835. nyco has joined

  836. uc has left

  837. uc has joined

  838. Ge0rG has left

  839. Valerian has left

  840. kaboom has left

  841. nyco has joined

  842. jonasw has left

  843. nicolas.verite has joined

  844. Valerian has joined

  845. moparisthebest has left

  846. nicolas.verite has left

  847. rion has left

  848. rion has joined

  849. tim@boese-ban.de has joined

  850. tim@boese-ban.de has joined

  851. efrit


  852. suzyo has joined

  853. moparisthebest has joined

  854. nyco has joined

  855. rion has left

  856. rion has joined

  857. rion has left

  858. rion has joined

  859. kaboom has left

  860. SamWhited has left

  861. kaboom has left

  862. lskdjf has joined

  863. lskdjf has left

  864. kaboom has left

  865. nyco has joined

  866. kaboom has left

  867. kaboom has left

  868. kaboom has left

  869. kaboom has left

  870. kaboom has left

  871. nicolas.verite has joined

  872. Valerian has left

  873. kaboom has left

  874. kaboom has left

  875. kaboom has left

  876. kaboom has left

  877. rion has left

  878. SouL has left

  879. kaboom has left

  880. kaboom has left

  881. efrit has joined

  882. nicolas.verite has left

  883. Mancho has left

  884. kaboom has left

  885. Alex has left

  886. kaboom has left

  887. kaboom has left

  888. tim@boese-ban.de has joined

  889. tim@boese-ban.de has joined

  890. sezuan has left

  891. kaboom has left

  892. Alex has joined

  893. Alex has left

  894. suzyo has left

  895. Mancho has left

  896. nicolas.verite has joined

  897. intosi has joined

  898. daniel has left

  899. daniel has joined

  900. sezuan has left

  901. kaboom has left

  902. SouL has left

  903. kaboom has left

  904. SouL has left

  905. kaboom has left

  906. kaboom has left

  907. waqas has left

  908. kaboom has left

  909. jubalh has left

  910. Guus has left

  911. Alex has left

  912. vurpo has left

  913. vurpo has joined

  914. winfried has left

  915. jere has left

  916. Lance has joined

  917. sonny has joined

  918. sonny has joined

  919. Alex has joined

  920. nyco has joined

  921. Tobias has joined

  922. Lance has left

  923. efrit has joined

  924. nicolas.verite has left

  925. sezuan has left

  926. nyco has joined

  927. nicolas.verite has joined

  928. Alex has left

  929. intosi has left

  930. nicolas.verite has left

  931. kaboom has left

  932. kaboom has left

  933. vurpo has left

  934. vurpo has joined

  935. vurpo has left

  936. vurpo has joined

  937. vurpo has left

  938. efrit has joined

  939. nyco has joined

  940. vurpo has joined

  941. Mancho has left

  942. moparisthebest has joined

  943. Mancho has left

  944. nicolas.verite has joined

  945. sonny has left

  946. sonny has joined

  947. moparisthebest

    SamWhited: sorry, I can't help but feel this is all my fault :-)

  948. blipp has left

  949. blipp has joined

  950. kaboom has left

  951. goffi has left

  952. nicolas.verite has left

  953. Holger has left

  954. Holger has left

  955. Holger has left

  956. Holger has left

  957. Holger has left

  958. Holger has left

  959. Holger has left

  960. Holger has left

  961. Holger has left