-
jonasw
Kev, dwd, FWIW, I think the use of namespaced attributes there is very elegant and in the spirit of XML.
-
jonasw
dwd: re 'It's useful to have a device-specific token which can then be managed and/or revoked, independent of ISR': that kind of thing exists, it’s used with SASL EXTERNAL and called a Client Certificate ;-)
-
Kev
It might be in the spirit of XML, but it's not in the spirit of XMPP, and I'd say that's more important in this case.
-
jonasw
what’s the spirit of XMPP in that regard?
-
Kev
Not to use namespaced attributes.
-
Kev
And to use namespaced child elements instead.
-
jonasw
would probably work equally well
-
Guus
I don't think that I've ever seen a namespaced attribute being used in the wild. xml:ns, if that counts, perhaps.
-
jonasw
Guus: there are XML-based templating which use namespaced attributes to do magic
-
jonasw
think <ul><li engine:loop-over="some expression" engine:loop-var="x"><engine:insert expr="x" /></li></ul>
-
Guus
oh, I'm not arguing that you _can_ use them. i'm just observing that I don't recall ever working with them.
-
Guus
ah, yeah, good old JSTL does use some.
-
Guus
(actually, no, it doesn't I think - what I was thinking of are all namespaced elements)
-
Guus
point being: we can use them, but if there's no urgent need, why break a familiar pattern of not having them?
-
jonasw
I also still wonder which XML implementations there are out there which do not support XML Namespaces and which are actually used for XMPP.
-
jonasw
the ejabberd implementation was one of them (at least three years ago)
-
Zash
All the regex ones you don't wanna know about.
-
jonasw
right, nginx is probably one
-
Zash
That's not even regex
-
jonasw
it’s a finite state machine IIRC
-
jonasw
pretty much regex
-
Zash
http://www.smbc-comics.com/index.php?id=3907
-
jonasw
;P
-
dwd
Our security guy is telling me there's a vulnerability in libpurple, for any folks using Adium or Pidgin.
-
jonasw
jus tone?
-
jonasw
*just one?
-
Zash
What else is new?
-
dwd
Well, this one has been fixed.
-
Zash
CVE?
-
intosi
I'm sure a new release of Adium will happen in about a year.
-
Zash
Is it CVE-2017-2640? Or something newer?
-
dwd
intosi, Apparently there is an update already.
-
Ge0rG
https://twitter.com/bbhorne/status/681832517096370176 "Libpurple is basically a flock a zero days flying in formation." - @ioerror #32c3
-
Bunneh
Ge0rG: Minor clarifications to XEP-0198 #32 https://github.com/xsf/xeps/pull/32
-
Ge0rG
Bunneh: no!
-
Zash
lol Bunneh
-
Guus
harharhar
-
intosi
Bad Bunneh!
-
jonasw
hrhr
-
jonasw
seriously though, CVE?
-
dwd
It wasn't on our internal thing. I've asked.
-
intosi
dwd: don't see anything newer than 1.5.10.2 (03/09/2016 [sic])
-
jonasw
can’t find anything on oss-security :/
-
dwd
(Internal thing: custom UI on top of Buddycloud which acts as our internal social network. Given we're ditching it at some point, I should suggest this gets put out as Open Source as thrown-over-the-wall).
-
dwd
It is indeed CVE-2017-2640
-
jonasw
why the heck do they decode entities at all?!
-
mimi89999
What apps are vulnerable? Only Pidgin and Adium?
-
jonasw
mimi89999: anything using libpurple probably.
-
jonasw
this notably includes spectrum
-
dwd
jonasw, Most XML libraries decode entities as a matter of course.
-
jonasw
yes but why do they have their own entity decoding code then?
-
jonasw
(also, not if you’re using SAX, which makes sense for XMPP anyways)
-
dwd
jonasw, Oh, I've not read the CVE. It's obviously more stupid than I thought.
-
jonasw
that’s the fix: https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9
-
jonasw
I haven’t looked deeply into it, but it contains entity processing.
-
dwd
That's weird.
-
jonasw
erm
-
jonasw
another question
-
jonasw
nevermind
-
MattJ
jonasw, we use expat (SAX) and it decodes entities for us
-
jonasw
MattJ: with expat + sax I get a callback on entities which I use to raise an exception to kill the stream.
-
jonasw
maybe that’s optional
-
dwd
jonasw, Even &#xABCD; stuff?
-
dwd
jonasw, Or &apos;
-
Zash
<stream:error><not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>
-
jonasw
ah, not those
-
jonasw
no, yes, it calls startEntity for those; I explicitly white-listed those
-
Zash
Wha
-
Kev
Even in attributes?
-
jonasw
let me write a test for that!
-
Kev
I'm surprised that e.g. &amp; in an attribute would generate a callback, but it's not impossible.
-
jonasw
expat actually does that
-
jonasw
but the callback only fires when the entity is known to expat
-
jonasw
so if you try to use &uuml;, it will reject that before startEntity is called
-
dwd
More importantly than all of this, my children have informed me that "Woof" in Welsh is "Wŵff", which fills me with unaccountable glee.
-
jonasw
I haven’t even the slightest idea how to pronounce that.
-
Kev
jonasw: "woof". Basically.
-
Ge0rG
dwd: because it allows one to use Combining Diacritical Marks?
-
Guus
vowels are overrated.
-
Kev
Guus: Welsh loves vowels. It loves them so much it invented more.
-
Guus
classic overcompensation.
-
Guus
Alex: is there / can you create an ics that I can subscribe to, with relevant XSF events (membership meetings primarily, but perhaps board and council meetings too)? I'm always struggling to get the time zone correct in Google's Calendar
-
dwd
Guus, I think Tobias did something. It might even work again.
-
Guus
Tobias: is there / can you create an ics that I can subscribe to, with relevant XSF events (membership meetings primarily, but perhaps board and council meetings too)? I'm always struggling to get the time zone correct in Google's Calendar
-
Guus
(upcoming DST for Europe is going to be yet another source of pain...)
-
Tobias
i see if i can revive that
-
Guus
Thanks
-
Alex
Guus: I have suggested something like Google CAL a while ago. I don't know who has access and manages the current calendars right now. I don't think I have write access to them right now.
-
Guus
Alex: that'd also work for me. I was not aware that we have any calendars in the first place.
-
jonasw
speaking of which, when’s the next council meeting?
-
Ge0rG
tomorrow afternoon?
-
Alex
there are ICS cals, not sure where the URIs for them are listed
-
jonasw
isn’t that when board meeting takes place, Ge0rG?
-
Ge0rG
jonasw: could update-entry.py provide a diff view instead of a 2x raw view?
-
jonasw
Ge0rG: can do
-
Ge0rG
jonasw: no, those are on Wed evenings
-
jonasw
isn’t today tuesday?
-
Ge0rG
jonasw: yes?
-
jonasw
so council and board meetings are on the same day-of-week?
-
Ge0rG
jonasw: as far as I understood, yes.
-
Ge0rG
the council meeting is before the board meeting
-
jonasw
fascinating
-
Guus
There are some ICS files under http://xmpp.org/calendar/
-
Ge0rG
2017-03-08, 2017-03-15, I think there's a pattern
-
Guus
but those appear outdated
-
Alex
Guus: gives me a 404
-
Guus
http://xmpp.org/calendar/xsf-council.ics
-
Guus
(there's no listing)
-
Alex
yes, on the old website they were linked from a page
-
Guus
Tobias: were these the ones that you referred to?
-
Tobias
yes
-
Tobias
they used to be generated from XML. probably not the most user friendly
-
Guus
given that they appear to stop working in 2014 ... perhaps explicitly delete them, and replace them by something else?
-
Guus
a Google Cal, as suggested by Alex, would do just fine for me
-
Ge0rG
dwd: it'd be nice if you could set your mark on https://trello.com/c/wF37u9DJ/169-vote-on-approve-xep-0045-changes-proposed-by-georg
-
Tobias
google calendar wfm
-
Guus
want me to create one?
-
Alex
+1
-
Guus
is there a XSF google account?
-
Tobias
Guus, good..question...i don't know
-
dwd
There was. I think we dropped it, but we used to have the XSF calendar on a Google account.
-
dwd
Ge0rG, I did.
-
Zash
Pretend that you see the obligatory anti-google rant here.
-
Ge0rG
dwd: oh, sorry. You did it on the ML, it just wasn't updated in trello.
-
dwd
Ge0rG, Yes. FWIW, I'd love it if we formally voted on a webapp for the purpose, I don't think it's fair on the Editors to expect them to track the mailing list in this way.
-
Ge0rG
dwd: I'm not sure what is lacking to achieve that. Write access to trello?
-
dwd
Ge0rG, I'd prefer more than that, something like the IETF's datatracker.
-
Zash
What's the source of truth here?
-
dwd
Zash, The mailing list and/or council chatroom. Depending.
-
Ge0rG
Zash: there is no need in an authoritative source of truth if we assume that council members are well-behaving
-
Ge0rG
dwd: it should be XMPP based!
-
Ge0rG
SCNR
-
jonasw
Ge0rG: will do when my update-manual feature branch is merged
-
Guus
I created a public calendar here: https://calendar.google.com/calendar/embed?src=64v3vs15qlalgqv0j7r99ikm1c%40group.calendar.google.com
-
Guus
ical: https://calendar.google.com/calendar/ical/64v3vs15qlalgqv0j7r99ikm1c%40group.calendar.google.com/public/basic.ics
-
Guus
could someone verify that it's behaving correctly please? This is the first time that I create a public calendar
-
Ge0rG
BTW, where are the rules codified how (and if) other people can participate in board/council meetings?
-
Guus
there's one event on it, on May 2nd (the member appl. meeting)
-
dwd
Ge0rG, They're not codified, but we have held both meetings in public by default for years now, and - while ultimately up to the chair - comments from the floor are normally welcomed.
-
Ge0rG
dwd: I've run into a situation where I had the feeling of misbehaving multiple times already, when I only wanted to contribute to a (board) meeting.
-
Guus
I might have already messed up the time of that first meet, btw.
-
Ge0rG
jonasw: I'd also suggest making the README a .md and not an .rst
-
jonasw
why, Ge0rG?
-
Ge0rG
jonasw: my gut feeling is that markdown has become more common among developers
-
mathieui
it’s also the worst markup language
-
mathieui
worse*
-
Zash
"worse is better"
-
jonasw
Ge0rG: does it matter?
-
SamWhited
It's fine except for the two spaces at the end of a line being a line break… that drives me nuts.
-
jonasw
it is readable in plain text, it renders fine on github; for me, rst is easier to write because I do it every day.
-
Zash
SamWhited: Thou shalt not have line breaks
-
jonasw
and thou shalt not have trailing spaces
-
jonasw
:-)
-
SamWhited
I would not mind getting rid of both of those, yah.
-
Ge0rG
jonasw: in .md, you could get syntax highlighting of the json in the readme by using ```json quotes
-
SamWhited
That's only a GitHub thing, FWIW
-
dwd
I may be the only person who doesn't care here. It's a wonderful feeling.
-
Ge0rG
jonasw: personally, I don't care much, just wondered about your choice being anti-popular
- intosi grabs popcorn
-
mathieui
dwd, you’re not joining the holy war? heretic.
-
jonasw
Ge0rG: it’s because ~all docs for python are written in reStructuredText – and that’s what I do for most of my time.
-
Ge0rG
jonasw: I feel with you, a little bit.
-
jonasw
not sure what that’s supposed to mean :)
-
Ge0rG
SamWhited: there are other markdown parsers that support syntax highlighting of quotes
-
Zash
SamWhited: No pandoc can do syntax highlighting too with that syntax.
-
Zash
Pandoc is the best
-
Ge0rG
Pandoc FTW!
-
Zash
SamWhited: A, comma also.
-
SamWhited
Pandoc is the best; it also supports several flavors of Markdown (yey no proper standard), including GitHub flavored MD, IIRC
-
dwd
SamWhited, "Flavoured".
- dwd finds a Holy War to join.
-
Ge0rG
I'm actually writing my CVEs in Pandoc and converting them to .doc for our "corporate" "processing pipeline".
-
SamWhited
dwd: Why don't you go drink some tea or something?
-
Zash
Coffee!
-
dwd
SamWhited, Marvellous ida. ✎
-
dwd
SamWhited, Marvellous idea. ✏
-
SamWhited
(I saw even though I have a cup of tea in front of me at this very moment :) )
-
SamWhited
say, even.
-
dwd
SamWhited, If only you had a biscuit, you could apply to UK citizenship right away.
-
Ge0rG
Zash: we can't win the coffee-vs-tea war, it seems
-
intosi
nroff ftw
-
jonasw
dwd: if you want to fight *that* (gb vs. us) holy war, fix xep 143 (<https://xmpp.org/extensions/xep-0143.html#nt-idp1712848>) ;P
-
Ge0rG
dwd: what about the "flavor" thing above? re SamWhited's citizenship
-
Zash
pandoc can output troff, pandoc win again
-
dwd
jonasw, The irony of that example is: http://grammarist.com/spelling/authorise-authorize/
-
Zash
Whatever that page says is wrong.
-
jonasw
dwd: I fail to see the irony
-
dwd
jonasw, The Oxford English Dictionary, which usually favors British spellings, still lists authorize as the primary spelling
-
jonasw
ah, haven’t read that far :)
-
Guus
board, council, could you volunteer at least one from yourself to have access to the shared calendar (and add your meetings there?)
-
Guus
Tobias: might be good to explicitly delete the old ICS files.
-
Tobias
it might, yes
-
Tobias
will do that in a moment
-
Guus
Tobias: please delete the old ICS files? :)
-
Kev
Guus: And I'd like admin on anything XSFish, please.
-
Guus
ok :)
-
Guus
Kev: gladly
-
Guus
I only need a google account for you, I think
-
Kev
Assuming PMs are enabled in here (I forget), I think I just sent you one :)
-
Guus
you did
-
Kev
\o/
-
ralphm
Guus, the great thing about the old ICS files was that we had separate ones. I.e. one for board meetings, one for council, etc.
-
Kev
Yes, but they're not updated now, so I'm fine with Guus trying to start something simpler that works instead of the previous better system that isn't used :)
-
Kev
(I prefer the old system in principle, too)
-
Guus
ralphm: if that's of value, we can split them up - I have no issue with that. But so far, we had many, many, unused calendars. :)
-
ralphm
Oh, fully agree, Kev. The terrible thing about the ICS files was that they were not being updated.
-
Tobias
and it's not comfortable to make a commit every week to update a simple date
-
Guus
Google should give you an easier interface for that
-
Tobias
maybe we can tag them in google and have a script that creates filtered ICS based on the one google outputs
-
Guus
I've just added a recurring weekly Council meeting (16:00 - 16:30 Reykjavik time, right?)
-
Tobias
it's 17:00 Berlin time
-
Guus
when is the board meeting?
-
Guus
Iceland does not do DST and is therefore UTC. :)
-
intosi
Guus: board meetings follow European UTC usually.
-
intosi
* DST
-
Tobias
Guus, ahh
-
SamWhited
Guus: That's too good; are you sure Iceland is a real place?
-
ralphm
Is that why Iceland is not joining the EU?
-
intosi
Iceland is a chain of stores.
-
Guus
SamWhited: I think I recall a story from Arc in which he was locked up in its airport? :)
-
Zash
It's a trap?
-
Guus
Intosi: I'm happy to add the board and council meetings, but board and council should administer these meets themselves, ideally - if only to apply changes.
-
ralphm
Guus: what intosi said: peg the meetings to WE(S)T or CE(S)T
-
jonasw
"script" and "ics" doesn’t sound like a good combination
-
Kev
ralphm: Or London time, which is what they were traditionally pinned to :)
-
ralphm
WE(S)T is London time
-
Guus
guys, please give me a Google account so that you can do that yourselves :)
-
ralphm
ralphm.net
-
moparisthebest
What about a caldav server like nextcloud?
-
Kev
ralphm: I stand educated. Marginally :)
-
SamWhited
Guus: Can you add me so I can add editor meetings (not that those actually happen with any regularity)?
-
SamWhited
Google Account is the same as my JID
-
ralphm
Kev: that's rare. I'm savouring the moment.
-
jonasw
moparisthebest: nextcloud is *slightly* more than a caldav server.
-
ralphm
moparisthebest: seriously, caldav or any hope of functional interop between clients and servers is a lost cause at this point.
-
Kev
ralphm: I know. I'm unteachable :)
-
ralphm
also, if this works, I don't see any reason to do yet another thing. Thanks Guus
-
Guus
Sam: you should have access now.
-
ralphm
Guus: ralphm.net@gmail.com
-
Kev
Indeed, thanks to Guus.
-
Guus
ralphm: you should have access now
-
moparisthebest
jonasw: doesn't have to be, pretty sure it's all plugins now
-
moparisthebest
I just don't like relying on Google meh
-
Guus
happy to help
-
jonasw
moparisthebest: If I had to run the server, I wouldn’t like to rely on the bunch of PHP nextcloud is :-)
-
Zash
CalDAV is non-trivial to do.
-
SamWhited
If I had to have an account on the server and give it a password or any details at all, I wouldn't like to rely on the bunch of PHP nextcloud is…
-
Guus
all of you (+Alex) also have administrative powers - use them as you see fit.
-
moparisthebest
jonasw: there is a python one
- SamWhited cancels all the meetings!
- Guus takes screenshot for eternal blaming purposes.
-
Zash
Especially compared to hosting static .ics files
-
jonasw
Zash: writing static ICS files per hand or even with software is a non-trivial thing to do too though
-
ralphm
moparisthebest: seriously, you have no idea how terrible this stuff is in practice. You are free to create your own calendar, though.
-
Tobias
jonasw, that's why we used a python script to do that
-
ralphm
Kev: FWIW, it has only been since 2002 synchronized DST switchover dates with the EU.
-
SamWhited
Wait, so does the council meeting move with DST? I didn't actually realize that
-
moparisthebest
ralphm, I mean I use caldav all the time with my stuff, it seems to work pretty well, I can't say ics is better
-
Guus
Sam: I don't know, I changed that by popular demand here (and to avoid a scheduling conflict next week)
-
moparisthebest
I actually don't care caldav vs ics, I'd just prefer not to rely on google
-
jonasw
isn’t caldav just ics over http?
-
jonasw
+ a few extra methods for querying
-
ralphm
SamWhited: it does, so does Board
-
Zash
jonasw: Not even close
-
SamWhited
That's confusing
-
moparisthebest
no jonasw , totally different
-
Zash
It's WebDAV with support for advanced queries into the calendar data.
-
jonasw
I don’t know. It just works™ for me
-
ralphm
SamWhited: start a support group with Arc
- SamWhited is going to just make the editors meeting fixed UTC, then I only have to figure out if I'm in DST and not if others are in DST to figure out the difference
-
arc
+1
-
Guus
dst is evil.
-
moparisthebest
right jonasw works great! :) what server do you use for it?
-
jonasw
radicale.
-
moparisthebest
nextcloud works good enough for me for now, I need contacts and calendar
-
moparisthebest
I don't love the php, but meh
-
Flow
> SamWhited: That's only a GitHub thing, FWIW
Certainly not: http://spec.commonmark.org/0.26/#example-110
-
SamWhited
Huh, didn't realize commonmark was based on GitHub flavored markdown.
-
Flow
github and stackexchange together with some other companies formed CommonMark: see "Who are you?" at http://commonmark.org/
-
Flow
SamWhited: ^
-
moparisthebest
the funnier part was it originally had a different name and the markdown creator guy chewed them a new one, so they changed it :)
-
Flow
moparisthebest: yeah, that was one nice popcorn show
-
SamWhited
I guess it's good that they develop it to a spec, but creating something called commonmark just makes me think of that standards XKCD that people post into this room every few days
-
Flow
I'd also like to point out that John MacFarlane is behind CommonMark *and* pandoc
-
Ge0rG
The apocalypse call-out has started: https://lwn.net/SubscriberLink/717076/4c3593aa4cad8e66/ (Y2K38)
-
moparisthebest
iirc they explicitly mentioned that xkcd comic when they released it, so I'm fine with it :)
-
Zash
So it begins
-
moparisthebest
Ge0rG, so all us programmers are totally screwed but also have job security, a bit of a double edged sword :P
- Zash carefully makes sure to leave Y10k bugs everywhere
-
Ge0rG
Zash: that won't make for a good retirement plan, unless you intend to live forever.
-
Zash
Retirement, like that's going to be a thing in the future.
-
bear
hmm, is this old news or something we should talk about as XSF http://seclists.org/fulldisclosure/2017/Mar/57
-
Guus
bear, I think that was discussed earlier today
-
Guus
or perhaps your yesterday
-
bear
ah - thanks Guus
-
Guus
but, you likely are not the only one that has not been part of that discussion :)
-
Guus
so fire away :)
-
Guus
http://logs.xmpp.org/xsf/2017-03-21/#09:32:56
-
lovetox
should the new mam id inject on messages give the actual message a different mamid than the carbon copy of it? https://paste.gajim.org/view/157752b2
-
lovetox
or I'm missing something here, is this actually archived two times?
-
lovetox
is this again some self messaging corner case
-
lovetox
Holger
-
lovetox
or is this not even the new inject, was the archive id always added to self messages
-
Flow
lovetox: it should be <origin-id/> for the outgoing stanzas
-
Flow
see xep359 § 2.2
-
Flow
ahh I'm confused
-
Flow
lovetox: why do you get a carbon *and* the stanza to the same resource?
-
lovetox
the question is why has the same message two different mam ids
-
lovetox
this happens when you address a message to your own bare jid
-
lovetox
but this is viewed from the other side
-
lovetox
we get the actual message
-
Flow
ahh ok, I think you may want to add a <origin-id/>
-
lovetox
but then a sent carbon because we are not the sending resource
-
Flow
or dedup by the message-stanza-id
-
lovetox
i do this already, but the question is not why i get the messages i get, this was discussed at length and it's ok for me
-
Flow
I think nothing in the MAM/stanza-id XEP prevents the involved parties from assigning multiple IDs to the same stanza
-
lovetox
the question is why does the server attribute two different mam ids to the same message
-
Flow
(not saying that this is good)
-
lovetox
i would understand if the message was received twice by the server
-
lovetox
but it wasnt, we sent out one message