XSF Discussion - 2017-03-15

subscription request rejections are broadcasted to other resources, right?

Tobias: hmm, I cannot find that in RFC 6121. There is only (in section 3.2.3): The contact's server then MUST send a roster push with the updated roster item to all of the contact's interested resources, where the subscription state is now either "none" or "to" (see Appendix A). CS: <iq id='pw3f2v175b34' to='juliet@example.com/balcony' type='set'> <query xmlns='jabber:iq:roster'> <item jid='romeo@example.net' subscription='none'/> </query> </iq> CS: <iq id='zu2y3f571v35' to='juliet@example.com/chamber' type='set'> <query xmlns='jabber:iq:roster'> <item jid='romeo@example.net' subscription='none'/> </query> </iq> and that doesn’t apply for un-approved contacts because of: Security Warning: Until and unless the contact approves the subscription request as described under Section 3.1.4, the contact's server MUST NOT add an item for the user to the contact's roster. in section 3.1.3

I may be overlooking something but it seems as if this isn’t broadcast.

there is nothing about broadcasting the <presence type="unsubscribed"/> to other resources

hmm..feels strange to distribute the request to all resources, but not the response

could be an oversight

Yes this actually leads to undesired effects when I can't dismiss the notification on the other device

But yes I noticed that before as well

wonder what could be a possible workaround for that

carbons obviously does only deal with messages

That's probably something that should just be fixed at one point or another in the protocol

do we have some kind of tracker for "the RFC needs to be amended in the next revision"?

Probably PSA used to know.

don't we have a wiki page for that?

this one? https://wiki.xmpp.org/web/XEP_and_RFC_Remarks/RFC_6121:_XMPP-IM

the only page with the title containing "6121"

Tobias or daniel: can one of you specify what's exactly going wrong and how it can be fixed, in that page?

Ge0rG, i can write the issue down on that page, yes

Tobias: thanks

ok so lets see who shows up early or late today

dst?

(must die!)

Tobias, daniel: Isn't the roster push sufficient?

Flow, if you add the contact yes, but not if you reject the subscription request

there's no way to tell your other resources that one has rejected it

ahh, the contact is not added as pending to the roster

right...the usual subscription spam scenario :)

so someone should write a xep with a stream future subscription-rejection-broadcasts which clients can negotiate, no?

presence-carbons? :)

or, hmm, not sure, maybe part of bind2?

or just wait for XMPP 2.0

bind2 sorta seems like XMPP 2.0

hmm I thought in XMPP 2.0 we would get rid of priorties

or is there any current use case for priorities?

There are probably non-IM use cases

I forgot priorities were a thing… again.

hmm priority based balanced round-robin fan out

I think I wrote a xep about that

Could do a roster:2 which does all this by storing roster events in a pair of PEP nodes.

(We discussed roster:2 in San José a few years back)

Guus: well our board meetings are UTC, thankfully. before it was british time, which is different daylight savings than everyone else so we switched 4 times a year.

it should be 1700 UTC. so its an hour later today than last week, the question is out of the 5 of us who will show up an hour early expecting a meeting ;-)

Arc: Well, no, British DST is the same as almost everyone else except the US ;)

Kev, For another two years. Then, finally free of the shackles of the EU, we shall be able to select our own DST dates!

Surely this is why we voted to take back control.

Kev: except 2 states in the US that don't do DST like reasonable people

when I run for house in Oregon, i'll introduce a bill to eliminate DST there too.

Arc, I didn't think it had managed to be state-wide; I thought there were states were it split along county lines.

except """Arizona (except for the Navajo, who do observe daylight saving time on tribal lands), Hawaii, and the overseas territories of American Samoa, Guam, the Northern Mariana Islands, Puerto Rico, and the United States Virgin Islands."""

there's bills in 3 states right now to kill DST

its a populist position right now, nobody likes DST.

auspiciously it was created for farmers or industry workers, but its been shown to hurt productivity for both

Arc, no, it's for golfers.

let’s make it UTC everywhere.

+1

MattJ: for you it would be like simply abolishing DST, right? people here always complain when I suggest UTC.

I used to keep my watch, when I wore one, in UTC year-round

I did it a couple of years on my laptop, but it had too many interesting consequences

so I don't bother any more

hm, I had a UTC clock around me until I figured out that having irssi update the clock once per second via wifi can actually be seen on battery drainage :(

hi all

hi nyco

hey nyco

nyco arrived on time!

MattJ: you here?

ralphm: ?

I will be in 5 minutes :-D

always here but not really, but still...

holy crap we have quorum on a DST meeting

huzzah!

Martin: you here?

I am.

Hey

Arc: well, I expected no less. Except possibly you :-D

I'm going to be semi-here, I have another meeting that *was* unfortunately shifted by US DST

Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

0. Welcome + Agenda

Hi all!

Suggestions for the Agenda?

has the board to deal with PSA stepping down?

I have Executive Director

if so, that should probably be on the Agenda.

As well as reaffirming other officers

Depreciation of deprecated software on the website

I was kinda expecting board members to respond.

Ge0rG, would be good, we kind of reached a rough consensus on what neutrality means, while at the Summit

Should we work through the "Items for discussion" on Trello? Or have we deprecated that.

executive director is a big one. software id like to get a vote on to move forward on it

ralphm, the only thing missing afaics is sponsorship follow-up

Oh, wait, I'm out of sync, ignore me

and due to PSA's resignation we really need to discuss the other roles he held such as liasons

I don't *think* he had any roles left aside from ED and Treasurer.

Ge0rG: +1

dwd: some people believe he held liason positions to IETF and ISO, at least.

dwd: right

i'd have to look back through the minutes on those tho

dwd, hidden/implicit roles, like community leader in the most noble sense?

We don't have a liason to IETF, we are the IETF

(and other people)

Arc, we have no formal liaison to the IETF; never had. We do have several XSF members who are active within the IETF too, though.

ok.

Anyway, still at Agenda

( I believe the IETF to actually be a sort of ongoing event organized by the IAB or ISOC, not an organization )

Thanks Zash

in any case i think those two are more than enough for the next 20 mins

Zash, It's an "activity" of the ISoC, indeed.

Ok, let's go

1. XSF Officers

So, our bylaws state that the Board will have an Annual Meeting to appoint officers

This includes the EO, but also the Secretary and Treasurer.

and we haven't done that yet this year.

(And the Chair)

dwd: sure, but I guess we did do that already

ralphm, Yup. It's daft to try and do the other Officers when you pick a Chair, though.

ok so we put a call out for volunteers? or does someone have someone in mind? or should we seek an experienced EO from outside the community

outside the xmpp community i mean

So, I think that Alex has to announce this Annual Meeting as per 5.5 of the bylaws

And before we do that, we should indeed look for candidates

what's EO?

executive officer

Executive Officer

thx

Bylaws call it CEO

since we only have one, (s)he is by default the CEO ;-)

(And Executive Director, in equal measure. Hmmmm)

Since Peter has been EO for as long as can remember, it will be hard to fill those shoes as he filled them.

As a role, though, we should be able to find someone to take it up

"Unless provided otherwise by a resolution adopted by the Board of Directors, the Executive Director shall be the Chief Executive Officer of the Corporation" (§6.6) but the position is "Executive Director" normally.

many foundations go quite awhile without an EO, searching for the right fit

So "EO" is rather confusing - either ED or CEO, please - and I think you guys mean ED.

I don't have a particular preference for in- or outside of the community, but having some knowledge of the technology would be good, I believe

dwd: CEO.

dwd: thanks for that

Arc, I mean: These two are different positions, though the CEO is normally the ED.

ok, so who?... ;-)

If we have a CEO, we should have one with CEO experience - but who at least knows what XMPP is before we approach them. But I also don't feel strongly that we need an officer position at the moment.

So let's all think hard on how we want to find a candidate

a bad or ineffective CEO is worse than none.

^

In the meanwhile, we should ask the current Officers if they want to resume their position for another year.

Arc, The bylaws seem to suggest the position of ED must be filled, and that the CEO role must be filled (and by the ED by default), so...

dwd: lazywebbing, can the ED be the chair?

I note that Peter suggested he was interested in working with the Board on finding a replacement, didn't he?

Perhaps including him in the discussion would not be stupid, as he has a better idea than anyone else what he's done in that role over the yeras.

And over the years.

Indeed

Arc, Unclear. We have had the same person hold multiple officer positions for some time, though.

I'd be happy to take that up with Peter and see how we can start going about this.

I believe Peter's had a policy of not being on Board because of his ED role, FWIW.

+1 to ralph

Well, the ED actually is another Director, and will be the deciding voice in case of a tie.

(when voting on matters)

ralphm: that sounds like a way to proceed; discuss this with PSA about how we can start going about this

Ok

6 minutes remain

I think that when Peter started handing over the Editor role, he wrote up a job description.

That would seem an excellent start.

Then I motion that Board thanks Peter for huge amount of work he has done as ED and inspiration he's brought to community.

+1

The peanut gallery wishes to support the motion.

Hear hear

+1

Arc: thanks for the reminder

2. Deprecation of deprecated software

How do we commence this?

a suggestion has been made by a few members on this

There's been a lot of talk already. We just need to have people doing this now.

I can comment on what I did to the website.

(with respect to that)

get lazy folks of the iTeam review the stuff that's already in PR and have it work

we ask council, by the end of this year, to draft a 2018 recommended list XEP as they've done in previous years to be published early next year

get a rough consensus on the criteria

non-binary criteria, as we showed during the summit

nyco, I didn't notice your vote on ralphm's motion back there - need something for the mintues.

+1

nyco, Ta!

that was implicit

sorry ;-)

and that for now, this year, we simply send out an announcement to the project maintainers for software currently on the website to apply, and include that in the Q2 or Q3 vote

jonasw, will do a full review of your PR this evening and will try getting it working on the website

and we should offer him a teddy bear

Tobias: that’d be great. that would at least give us semi-automatic expiry.

nyco, Bruno?

why not ;-)

Arc: can we please send out an announcement right now and remove everything that does not reapply in a month?

or, until we have a more formal process, informally ask the project maintainers to put in a PR like someone suggested, and that be that.

Ge0rG: that's what I would like to do, yes.

I think the idea of just requiring a maintainer to 'ping' to keep their project listed each year is pragmatic and non-contentious.

Arc: that's completely orthogonal to compliance suite 2017 / 2018

And, crucially, solves the problem at hand without boiling the ocean.

+1

Ok

I volunteer to send the mail

maybe create a branch on the website github for the projects, remove all software from that branch, and ask that the post a PR against that branch, merging it in next month.

Ge0rG, i suggest doing that as soon as we know that the implementation works and is deployed on the website

Tobias: from what I can tell, it is already merged to master.

https://github.com/xsf/xmpp.org/tree/master/data this at least looks like a lot like what I put in my PR.

jonasw, right...but last i heard it wasn't deployed on the live website :)

will figure that out today

So does Kev's suggestion require that we contact all projects individually, or is a notice on jdev and standards sufficient?

is this a motion we want to vote on?

we can keep all mentionend software as a hall of History... or good services in the past centuries... so another page?

ralphm: I'd say that a post on jdev/standards/members, plus a note on the page about how it's generated would be more than sufficient.

nyco: I would not make it easily discoverable. Users have a talent to find the information they’re not supposed to find for their own good.

ralphm: jdev and the blog, I'd suggest

Ge0rG: +standards

I like Kev's idea. Who else?

jonasw, well yeah ok ;-)

(I do, but I don’t have a vote in this meeting :-))

I think thats a fine idea.

+1

I wouldn't mind an AOB on website ownership, at the end (it's quick, I just want to raise a point for future discussion)

+1

+1

Ok, I see Ge0rG has suggested to draft a message

Can you send that draft to board@?

ralphm: wilco

Thanks

3. EOB

3. AOB

ralphm: Can you create me an "Editor Team" trello under the XSF team?

Kev quickly

SamWhited: I'll see what I can do

(sort of board AOB, sort of personal; we can chat after)

ralphm: And I'd like to have (iteam hat on) some admin over the org please.

Right, website ownership.

I'd like to note that the website currently has no clear owner - once upon a time there was a working, although not perfect, website.

Then there was a Board-led initiative to replace it, which happened, and Board ultimately instructed iteam to deploy it before iteam were comfortable with this.

I'd be happy to say that iteam "owns" the website

i thought content wise the XSF owns the site

*copyright wise

Tobias: of course

"owns" in what sense? Software, content?

Or "has final say"?

the latter?

I think the board is about content, iteam about the mechanics

Now, iteam clearly don't own (responsibility for) the content on the website, as that's unrelated to infrastructure, so I think this means it defaults to Board. But at the same time, when there's stuff submitted to the site that actually runs on the server, iteam should have some say, but ... there's a mess here at the moment, brought to light by Tobi saying iteam were being lazy for not fixing stuff that wasn't theirs in the first place.

Kev: indeed

As an aside, it's a bit of a mystery why the website generation needs to run on the webserver. But still, this might be my ignorance at play.

So 1) I'd like a bit more explicit statement of who is responsible for reviewing and merging content changes to the website. 2) I'd like this to include iteam review where it means running stuff on the server.

I think it is fine for iteam to assume control over how the website works, is generated, etc.

dwd: It shouldn't. This is just an artefact of what's been somewhat thrust upon us :)

FWIW, this can be enforced with github I think

dwd, it doesn't have to, it can also run in your dockerized blockchain or your blockerized docker

Tobias, So some PRs etc to do this would alleviate Kev's problems entirely?

it’s not that simple.

the website consists of many parts, the pelican web content, XEPs, registries, etc.

and soon also the auto generated client software lists

I wasn't looking for answers now, I just wanted to bring it to people's attention for future discussion.

Ok. I thought this was an easy topic. But I see we need some more thinking on this.

Kev, I think there seem to be two issues:

we are T-11 minutes. shall we table and put this on the agenda for next week?

dwd: At least.

Kev, 1) iteam need to have ownership of code running on the servers.

Arc: yeah, that was my feeling, too

Kev, 2) The website should minimize the amount of code running on the servers.

Let's continue this discussion after formal close

Arc: I have no need for further discussion right now.

Kev: this is important tho, thanks for bringing it to the table

4 Date of Next

+1W

5. Close

Thanks all!

Kev: FWIW, I built a setup for another organisation where content and pelican-stuff for generation was separate.

that would allow to place strict requirements on merges to the generation code and less-strict requirements to merges on the content

taking some load off iteam with reviewing stuff

jonasw, i'll get back to you later today to ask some questions about that then

running the website generation code on the server was a default thing - the default was that it was already doing it

jonasw: Yes, that would be the perfect situation.

having it run as part of the build process is easy to implement

And a wild bear appears.

bear, btw: some people in the XSF asked if they could get access to the twitter credentials

i think Kev asked that once

jonasw, bear - I think moving the generation off the webserver would alleviate muhc of Kev's concerns, and just seems the Right Thing to do anyway.

bear: Yes, I'd like (iteam hat) to have the credentials, please.

I can add folks to the twitter group user thingy if they get me a list of IDs and the board nods at me

dwd: where would you put the generation then?

(As opposed to tweetdeck access to actually tweet stuff)

Kev, Tobias, it’s those two + a non-published build.py web-hook thing which I can also pastebin you somewhere. https://github.com/fsfw-dresden/homepage-2.0-build https://github.com/fsfw-dresden/homepage-2.0-content

jonasw, A docker image? Travis?

Wow latency

dwd: I wouldn’t like to have travis build my website, but that’s a matter of taste.

the build would be done on circleci as part of the deploy step

jonasw, I'm demanding solutions, not offering them. ;-)

XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

"gasps", even. Harrumph.

Kev let me get you the credentials to twitter

bear: Thanks muchly. RO in my homedir on perseus or similar seems sensible. Although XMPP between private servers works just as well.

also, did the recent months of increased twittering helped with our number of followers?

Kev, Tobias: re the repositories, one should note that the Makefile is not the default pelican makefile, we made some adjustments to make it work with a non-default "content" directory (so that we could build multiple branches without having to mess with the content submodule)

jonasw, one step at a time :) on feel free to create a list of issues :)

I can drop an issue with random notes on the subject, sure

dwd: why?

ralphm, Why what?

Why gasp

ralphm, I didn't notice you'd changed it beforehand. Is this purely to disprove my assertion that nobody remembers to change the subject?

I've been doing that since the Summit yes

Tobias, Kev, https://github.com/xsf/xmpp.org/issues/277

Thanks.

i'll look at that issue tonight and see if I can get all of the build stuff out of the server and onto the lovely circleci free services

if you want to run that in some CI third-party service you probably don’t have to bother with that.

(with that what I describe in the issue, I mean)

i'll read the issue and try to implement the suggestions if they make sense

Yay! Another vulnerability in WhatsApp. Looks like it could have happened with XHTML-IM as well. https://news.ycombinator.com/item?id=13876087

yeah..they should have used RTF

Tobias, https://nakedsecurity.sophos.com/2012/05/09/what-the-rtf-mac-and-windows-users-at-risk-from-boobytrapped-documents/

they sure must have fixed all vulnerabilities by now :D