XSF Discussion - 2017-03-21

Kev, dwd, FWIW, I think the use of namespaced attributes there is very elegant and in the spirit of XML.

dwd: re 'It's useful to have a device-specific token which can then be managed and/or revoked, independent of ISR': that kind of thing exists, it’s used with SASL EXTERNAL and called a Client Certificate ;-)

It might be in the spirit of XML, but it's not in the spirit of XMPP, and I'd say that's more important in this case.

what’s the spirit of XMPP in that regard?

Not to use namespaced attributes.

And to use namespaced child elements instead.

would probably work equally well

I don't think that I've ever seen a namespaced attribute being used in the wild. xml:ns, if that counts, perhaps.

Guus: there are XML-based templating which use namespaced attributes to do magic

think <ul><li engine:loop-over="some expression" engine:loop-var="x"><engine:insert expr="x" /></li></ul>

oh, I'm not arguing that you _can_ use them. i'm just observing that I don't recall ever working with them.

ah, yeah, good old JSTL does use some.

(actually, no, it doesn't I think - what I was thinking of are all namespaced elements)

point being: we can use them, but if there's no urgent need, why break a familiar pattern of not having them?

I also still wonder which XML implementations there are out there which do not support XML Namespaces and which are actually used for XMPP.

the ejabberd implementation was one of them (at least three years ago)

All the regex ones you don't wanna know about.

right, nginx is probably one

That's not even regex

it’s a finite state machine IIRC

pretty much regex

http://www.smbc-comics.com/index.php?id=3907

;P

Our security guy is telling me there's a vulnerability in libpurple, for any folks using Adium or Pidgin.

jus tone?

*just one?

What else is new?

Well, this one has been fixed.

CVE?

I'm sure a new release of Adium will happen in about a year.

Is it CVE-2017-2640? Or something newer?

intosi, Aparently there is an update already.

https://twitter.com/bbhorne/status/681832517096370176 "Libpurple is basically a flock a zero days flying in formation." - @ioerror #32c3

Ge0rG: Minor clarifications to XEP-0198 #32 https://github.com/xsf/xeps/pull/32

Bunneh: no!

lol Bunneh

harharhar

Bad Bunneh!

hrhr

seriously though, CVE?

It wasn't on our internal thing. I've asked.

dwd: don't seen anything newer than 1.5.10.2 (03/09/2016 [sic])

can’t find anything on oss-security :/

(Internal thing: custom UI on top of Buddycloud which acts as our internal social network. Given we're ditching it at some point, I should suggest this gets put out as Open Source as thrown-over-the-wall).

It is indeed CVE-2017-2640

why the heck do they decode entities at all?!

What apps are vulnerable? Only Pidgin and Adium?

mimi89999: anything using libpurple probably.

this notably includes spectrum

jonasw, Most XML libraries decode entities as a matter of course.

yes but why do they have their own entity decoding code then?

(also, not if you’re using SAX, which makes sense for XMPP anyways)

jonasw, Oh, I've not read the CVE. It's obviously more stupid than I thought.

that’s the fix: https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9

I haven’t looked deeply into it, but it contains entity processing.

That's weird.

erm

another question

nevermind

jonasw, we use expat (SAX) and it decodes entities for us

MattJ: with expat + sax I get a callback on entities which I use to raise an exception to kill the stream.

maybe that’s optional

jonasw, Even &#xabcd; stuff?

jonasw, Or &apos;

<stream:error><not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>

ah, not those

no, yes, it calls startEntity for those; I explicitly white-listed those

Wha

Even in attributes?

let me write at test for that!

I'm surprised that e.g. &amp; in an attribute would generate a callback, but it's not impossible.

expat actually does that

but the callback only fires when the entity is known to expat

so if you try to use &uuml;, it will reject that before startEntity is called

More importantly than all of this, my children have informed me that "Woof" in Welsh is "Wŵff", which fills me with unaccountable glee.

I haven’t even the slightest idea how to pronounce that.

jonasw: "woof". Basically.

dwd: because it allows one to use Combining Diacritical Marks?

vowels are overrated.

Guus: Welsh loves vowels. It loves them so much it invented more.

classic overcompensation.

Alex: is there / can you create an ics that I can subscribe to, with relevant XSF events (membership meetings primarily, but perhaps board and council meetings too)? I'm always struggling to get the time zone correct in Google's Calendar

Guus, I think Tobias did something. It might even work again.

Tobias: is there / can you create an ics that I can subscribe to, with relevant XSF events (membership meetings primarily, but perhaps board and council meetings too)? I'm always struggling to get the time zone correct in Google's Calendar

(upcoming DST for Europe is going to be yet another source of pain...)

i see if i can revive that

Thanks

Guus: I have suggested something like Google CAL a while ago. I don't know who has access and manages the current calendars right now. I don't think I have write access to them right now.

Alex: that'd also work for me. I was not aware that we have any calendars in the first place.

speaking of which, when’s the next council meeting?

tomorrow afternoon?

there are ICS cals, not sure where the URIs for them are listed

isn’t that when board meeting takes place, Ge0rG?

jonasw: could update-entry.py provide a diff view instead of a 2x raw view?

Ge0rG: can do

jonasw: no, those are on Wed evenings

isn’t today tuesday?

jonasw: yes?

so council and board meetings are on the same day-of-week?

jonasw: as far as I understood, yes.

the council meeting is before the board meeting

fascinating

There are some ICS files under http://xmpp.org/calendar/

2017-03-08, 2017-03-15, I think there's a pattern

but those appear outdated

Guus: gives me a 404

http://xmpp.org/calendar/xsf-council.ics

(there's no listing)

yes, on the old website they were lined from a page

Tobias: where these the ones that you referred to?

yes

they used to be generated from XML. probably not the most user friendly

given that they appear to stop working in 2014 ... perhaps explicitly delete them, and replace them by something else?

a Google Cal, as suggested by Alex, would do just fine for me

dwd: it'd be nice if you could set your mark on https://trello.com/c/wF37u9DJ/169-vote-on-approve-xep-0045-changes-proposed-by-georg

google calendar wfm

want me to create one?

+1

is there a XSF google account?

Guus, good..question...i don't know

There was. I think we dropped it, but we used to have th XSF calendar on a Google account.

Ge0rG, I did.

Pretend that you see the obligatory anti-google rant here.

dwd: oh, sorry. You did it on the ML, it just wasn't updated in trello.

Ge0rG, Yes. FWIW, I'd love it if we formally voted on a webapp for the purpose, I don't think it's fair on the Editors to expect them to track the mailing list in this way.

dwd: I'm not sure what is lacking to achieve that. Write access to trello?

Ge0rG, I'd prefer more than that, something like the IETF's datatracker.

What's the source of truth here?

Zash, The mailing list and/or council chatroom. Depending.

Zash: there is no need in an authoritative source of truth if we assume that council members are well-behaving

dwd: it should be XMPP based!

SCNR

Ge0rG: will do when my update-manual feature branch is merged

I created a public calendar here: https://calendar.google.com/calendar/embed?src=64v3vs15qlalgqv0j7r99ikm1c%40group.calendar.google.com

ical: https://calendar.google.com/calendar/ical/64v3vs15qlalgqv0j7r99ikm1c%40group.calendar.google.com/public/basic.ics

could someone verify that it's behaving correctly please? This is the first time that I create a public calendar

BTW, where are the rules codified how (and if) other people can participate in board/council meetings?

there's one event on it, on May 2nd (the member appl. meeting)

Ge0rG, They're not codified, but we have held both meetings in public by default for years now, and - while ultimately up to the chair - comments from the floor are normally welcomed.

dwd: I've ran into a situation where I had the feeling of misbehaving multiple times already, when I only wanted to contribute to a (board) meeting.

I might have already messed up the time of that first meet, btw.

jonasw: I'd also suggest making the README a .md and not an .rst

why, Ge0rG?

jonasw: my gut feeling is that markdown has become more common among developers

it’s also the worst markup language

worse*

"worse is better"

Ge0rG: does it matter?

It's fine except for the two spaces at the end of a line being a line break… that drives me nuts.

it is readable in plain text, it renders fine on github; for me, rst is easier to write because I do it every day.

SamWhited: Thou shallt not have line breaks

and thou shalt not have trailing spaces

:-)

I would not mind getting rid of both of those, yah.

jonasw: in .md, you could get syntax highlighting of the json in the readme by using ```json quotes

That's only a GitHub thing, FWIW

I may be the only person who doesn't care here. It's a wonderful feeling.

jonasw: personally, I don't care much, just wondered about your choice being anti-popular

dwd, you’re not joining the holy war? heretic.

Ge0rG: it’s because ~all docs for python are written in reStructuredText – and that’s what I do for most of my time.

jonasw: I feel with you, a little bit.

not sure what that’s supposed to mean :)

SamWhited: there are other markdown parsers that support syntax highlighting of quotes

SamWhited: No pandoc can do syntax highlighting too with that syntax.

Pandoc is the best

Pandoc FTW!

SamWhited: A, comma also.

Pandoc is the best; it also supports several flavors of Markdown (yey no proper standard), including GitHub flavored MD, IIRC

SamWhited, "Flavoured".

I'm actually writing my CVEs in Pandoc and converting them to .doc for our "corporate" "processing pipeline".

dwd: Why don't you go drink some tea or something?

Coffee!

SamWhited, Marvellous idea. ✏

(I saw even though I have a cup of tea in front of me at this very moment :) )

say, even.

SamWhited, If only you had a biscuit, you could apply to UK citizenship right away.

Zash: we can't win the coffee-vs-tea war, it seems

nroff ftw

dwd: if you want to fight *that* (gb vs. us) holy war, fix xep 143 (<https://xmpp.org/extensions/xep-0143.html#nt-idp1712848>) ;P

dwd: what about the "flavor" thing above? re SamWhited's citizenship

pandoc can output troff, pandoc win again

jonasw, The irony of that example is: http://grammarist.com/spelling/authorise-authorize/

Whatever that page says is wrong.

dwd: I fail to see the irony

jonasw, The Oxford English Dictionary, which usually favors British spellings, still lists authorize as the primary spelling

ah, haven’t read that far :)

board, council, could you volunteer at least one from yourself to have access to the shared calendar (and add your meetings there?)

Tobias: might be good to explicitly delete the old ICS files.

it might, yes

will do that in a moment

Tobias: please delete the old ICS files? :)

Guus: And I'd like admin on anything XSFish, please.

ok :)

Kev: gladly

I only need a google account for you, I think

Assuming PMs are enabled in here (I forget), I think I just sent you one :)

you did

\o/

Guus, the great thing about the old ICS files was that we had separate ones. I.e. one for board meetings, one for council, etc.

Yes, but they're not updated now, so I'm fine with Guus trying to start something simpler that works instead of the previous better system that isn't used :)

(I prefer the old system in principle, too)

ralphm: if that's of value, we can split them up - I have no issue with that. But so far, we had many, many, unused calendars. :)

Oh, fully agree, Kev. The terrible thing about the ICS files was that they were not being updated.

and it's not comfortable to make a commit every week to update a simple date

Google should give you an easier interface for that

maybe we can tag them in google and have a script that creates filtered ICS based on the one google outputs

I've just added a recurring weekly Council meeting (16:00 - 16:30 Reykjavik time, right?)

it's 17:00 Berlin time

when is the board meeting?

Iceland does not do DST and is therefor UTC. :)

Guus: board meetings follow European UTC usually.

* DST

Guus, ahh

Guus: That's too good; are you sure Iceland is a real place?

Is that why Iceland is not joining the EU?

Iceland is a chain of stores.

SamWhited: I think I recall a story from Arc in which he was locked up in its airport? :)

It's a trap?

Intosi: I'm happy to add the board and council meetings, but board and council should administer these meets themselves, ideally - if only to apply changes.

Guus: what intosi said: peg the meetings to WE(S)T or CE(S)T

"script" and "ics" doesn’t sound like a good combination

ralphm: Or London time, which is what they were traditionally pinned to :)

WE(S)T is London time

guys, please give me a Google account so that you can do that yourselves :)

ralphm.net

What about a caldav server like nextcloud?

ralphm: I stand educated. Marginally :)

Guus: Can you add me so I can add editor meetings (not that those actually happen with any regularity)?

Google Account is the same as my JID

Kev: that's rare. I'm savouring the moment.

moparisthebest: nextcloud is *slightly* more than a caldav server.

moparisthebest: seriously, caldav or any hope of functional interop between clients and servers is a lost cause at this point.

ralphm: I know. Im unteachable :)

also, if this works, I don't see any reason to do yet another thing. Thanks Guus

Sam: you should have access now.

Guus: ralphm.net@gmail.com

Indeed, thanks to Guus.

ralphm: you should have access now

jonasw: doesn't have to be pretty sure it's all plugins now

I just don't like relying on Google meh

happy to help

moparisthebest: If I had to run the server, I wouldn’t like to rely on the bunch of PHP nextcloud is :-)

CalDAV is non-trivial to do.

If I had to have an account on the server and give it a password or any details at all, I wouldn't like to rely on the bunch of PHP nextcloud is…

all of you (+Alex) also have administrative powers - use them as you see fit.

jonasw: there is a python one

Especially compared to hosting static .ics files

Zash: writing static ICS files per hand or even with software is a non-trivial thing to do too though

moparisthebest: seriously, you have no idea how terrible this stuff is in practice. You are free to create your own calendar, though.

jonasw, that's why we used a python script to do that

Kev: FWIW, it has only been since 2002 synchronized DST switchover dates with the EU.

Wait, so does the council meeting move with DST? I didn't actually realize that

ralphm, I mean I use caldav all the time with my stuff, it seems to work pretty well, I can't say ics is better

Sam: I don't know, I changed that by popular demand here (and to avoid a scheduling conflict next week)

I actually don't care caldav vs ics, I'd just prefer not to rely on google

isn’t caldav just ics over http?

+ a few extra methods for querying

SamWhited: it does, so does Board

jonasw: Not even close

That's confusing

no jonasw , totally different

It's WebDAV with support for advanced queries into the calendar data.

I don’t know. It just works™ for me

SamWhited: start a support group with Arc

+1

dst is evil.

right jonasw works great! :) what server do you use for it?

radicale.

nextcloud works good enough for me for now, I need contacts and calendar

I don't love the php, but meh

> ‎SamWhited‎: That's only a GitHub thing, FWIW Certainly not: http://spec.commonmark.org/0.26/#example-110

Huh, didn't realize commonmark was based on GitHub flavored markdown.

github and stackexchange together with some other companies formed CCommonMark: see "Who are you?" at http://commonmark.org/

SamWhited: ^

the funnier part was it originally had a different name and the markdown creator guy chewed them a new one, so they changed it :)

moparisthebest: yeah, that was one nice popcorn show

I guess it's good that they develop it to a spec, but creating something called commonmark just makes me think of that standards XKCD that people post into this room every few days

I'd also like to point out that John MacFarlane is behind CommonMark *and* pandoc

The apocalypse call-out has started: https://lwn.net/SubscriberLink/717076/4c3593aa4cad8e66/ (Y2K38)

iirc they explicitly mentioned that xkcd comic when they released it, so I'm fine with it :)

So it begins

Ge0rG, so all us programmers are totally screwed but also have job security, a bit of a double edged sword :P

Zash: that won't make for a good retirement plan, unless you intend to live forever.

Retirement, like that's going to be a thing in the future.

hmm, is this old news or something we should talk about as XSF http://seclists.org/fulldisclosure/2017/Mar/57

bear, I think that was discussed earlier today

or perhaps your yesterday

ah - thanks Guus

but, you likely are not the only one that has not been part of that discussion :)

so fire away :)

http://logs.xmpp.org/xsf/2017-03-21/#09:32:56

should the new mam id inject on messages give the actual message a different mamid then the carbon copy of it? https://paste.gajim.org/view/157752b2

or im missing something here, is this actually archived two times?

is this again some self messaging corner case

Holger

or is this not even the new inject, was the archiv id always added to self messages

lovetox: it should be <origin-id/> for the outgoing stanzas

see xep359 § 2.2

ahh I'm confused

lovetox: why do you get a carbon *and* the stanza to the same resource?

the question is why has the same message two different mam ids

this happens when you adress a message to your own bare jid

but this is viewed from the other side

we get the actual message

ahh ok, I think you may want to add a <origin-id/>

but then a sent carbon because we are not the sending resource

or dedup by the message-stanza-id

i do this already, but the question is not why i get the messages i get, this was discussed at length and its ok for me

I think nothing in the MAM/stanza-id XEP prevents the involved parties from assigning multiple IDs to the same stanza

the question is why does the server attribute two differen mam ids to the same message

(not saying that this is good)

i would understand if the message was received twice by the server

but it wasnt, we sent out one message