XSF Discussion - 2017-10-18

Wiktor, sure, but that’s what mailing lists do.

jonasw: yes, but unfortunately sending emails that claim were authored by you but really aren't is also what spammers do. Even for my little domain I get multiple attempts every single day (thanks dmarcanalyzer.com)

Do they?

ITYM scammers

spammers as well

Wiktor, I’m not saying DMARC/DKIM isn’t a good tool for transactional providers like paypal or amazon or so

but it shouldn’t be applied to private email.

SPF is good enough for the rest of us, or something

Zash: are you sure SPF is not just placebo? Maybe just remove it altogether...

Did you designate mailing list as allowed sender in you SPF record?

No, because I'm not the one sending those, the mailing list is.

(spamassassin agrees)

Look at fail and forwarding here https://en.m.wikipedia.org/wiki/Sender_Policy_Framework

sure, but a mailinglist isn’t forwarding

Fail is similar to dmarc reject but doesn't work in practice as far as I know

Why aren't mailing lists just designed to forward all posts as attachments?

Think Carbons

Zash, probably because UI for those is bad

Let's make MUCarbons!

We could use them to populate MUC history on 1:1 upgrades!

mmm Ge0rG, a pity you reported those vulnerabilities. that could’ve been useful now!

Eg

Zash: thats one of solutions to dmarc problem actually, mentioned in the FAQ I linked previously

(one of those solutions which break UX)

Sorry I'm not mobile can't look it up now

jonasw: https://mail.jabber.org/pipermail/standards/2016-December/031750.html

heh

pep., Zash: maybe interesting for you as well ^

Ge0rG, thanks

Where is the bigger list of xmpp libraries nowadays?

the one on xmpp.org is very short

(and does not list license)

stefandxm, on the github of the xmpp website, in the json source files

so it is not deployed?

the xmpp.org list only lists the ones maintained enough that the maintainers care to update the xmpp.org file once a year

it is

i am talking about the old list that had tones of more clients

j-dev list i guess

stefandxm, those clients didn’t bother to tell us they still exist

or they don’t know

the ones you knew exist lol

if you’re missing any specifically, please point them at https://xmpp.org/2017/03/new-xmpp-software-listing-rules/

jonasw, plz accept my pull request tho :p

mathieui, I can’t

damn

I don’t have the power

but we should ping Guus now that he’s back from the GSoC meetup

ok so its no more then

now the list is mostly commercial libraries

if thats what xmpp.org wants then this is fine i guess

stefandxm, which do you miss?

stefandxm, this is not what xmpp.org wants

i will have to compile my own list :)

xmpp.org aims to have relevant software listings

but now it doesnt

stefandxm, instead of compiling your own list, notify the projects. apparently a post to jdev@ is not enough. so please let them know about https://xmpp.org/2017/03/new-xmpp-software-listing-rules/

but it had before

stefandxm: the problem with clients was that the official list contained software that's unmaintained for years or even decades, leading to user frustration

and broken libraries untouched since 2005 are not part of what I would call a relevant list

georg, and now you have no list

programmers are not stupid

any list which doesn’t include pidgin is a good list.

they can easily see when a library was updated

stefandxm, libraries, maybe, clients, not so much

although, I agree on the lack of a license field

anyhow. i understand i cannot rely on xmpp.org to do this because you dont care about the real life scenario :)

stefandxm, you still didn’t tell me which ones you miss.

lets just say there are no C libraries

stefandxm: if programmers are not stupid, they probably can bother enough to send a PR once a year.

no free c# libraries

stefandxm, that’s not very specific ✏

and the most commonly used js library is not listed

Thankfully, programmers aren't stupid, so they can easily view the full list in the source, irrespective of whether they've been abandoned.

off the top of my head I wouldn’t know which of the four libstrophe-forks is still recent or maintained

libstrophe is not listed either

and i hate libstrophe

I know

still it can be patched

to be decent

anyhow. i am not arguing about what library is good or not

but now the list is simply not usefull for beginners to xmpp

too bad. the old one was :)

stefandxm: so you would say an outdated unmaintained list of broken libraries is more useful than a short list of maintained ones?

stefandxm, https://github.com/xsf/xmpp.org/blob/master/data/libraries.json you still have the full list if you look for it

georg, yes.

mathieui, i cannot send a list to a github json file in a tutorial to xmpp

i will just have to make my own list. wich will be even less maintained

stefandxm, in the time you complained here, you could’ve given a list of things you miss and we can contact the projects.

Ah. A special type of programmer who's not stupid and can easily sift through libraries to tell the quality of them, but is unable to read a json list. I know the type.

but you "obviously" don’t care about a good central listing either if you don’t :-)

i do, but it wont work with the new "rules"

Kev, I know right? JSON is annoying to read.

i have made two libraries myself and i dont want to inform xsf about it every year

xpath -e '...' :-)

so i doubt many other libraries i know about will either

Kev, a json list is quite unpleasant though, I can agree on that

stefandxm, your choice

mathieui: Of course, it should be XML. Everyone would agree on that ;)

Kev: is that the same type of developer who can securely parse markdown, but not XHTML-IM?

:)

if you make stuff a job only proffesionals will do it

since i make free clients for no money i dont want to spend money on talking to xsf about it

its quite simple

and i guess most people think the same, since the list is so small now

stefandxm: I must have forgotten the part about paying the XSF to accept PRs in my announcement.

someone mentioned me?

georg, who said anything about paying?

"spend money"

ah right lol

time of course

money is time tho ;-)

Guus, yeah, there are software listing PRs pending

I don’t have access to the big merge button

stefandxm, it’s swapping the value of 1 byte in a json file once a year, and clicking a link

mathieui, doesnt matter

stefandxm: so your argument is: it is better for dozens of developers to spend hours on evaluating XMPP libraries than on you to invest 10 minutes into marketing your library?

for anyone in here it makes sense. for everyone not even knowing about this channel it does not make sense

jonasw: want to have that power?

most xmpp develoeprs dont use xmpp.org

Guus, dare to give it to me? :)

(I'll happily merge myself, but I'd like others to be able)

the gsoc trip kinda threw off any planning that I had :)

Guus, I’m willing to handle those PRs

stefandxm, but then they don’t care about it then

also, you don’t even have to be the author to submit a library ✏

i think what made xmpp big was the compatibility with many different libraries and people being able to start easily. now xmpp.org has taken responsibility to list clients (used by Wikipedia) but at the same time it removes known libraries

stefandxm: I admit that the reduction of libraries is a side effect of my push to only have relevant _clients_ listed. But still, your arguments are getting less and less convincing.

and why would al ibrary have to be updated more often than the protocol

makes no sense either

nobody says it should be updated

it should be maintained

which are two different things

stefandxm, because software is never finished

open source libraries doesnt get old or insecure because they are not being updated

mathieui, so?

stefandxm: a good library needs to implement all the XEPs with a useful API. There have been many new XEPs in the last year.

LOL

all xeps!!

why even have XEPs then

jonasw: try now.

lets just make XMPP a full blown monolithic beast!

ok, i will stop talking about this now. this only makes me sad

stefandxm: you sound like Evgeny now.

I'm sorry, this channel has temporarily exceeded its quota of hyperbole. Please try again later.

stefandxm, the "update date" stuff is essentially saying "yes, that library is still usable and someone, somewhere, cares enough about it to make a pull request"

Guus, boom

nice :)

mathieui, make it two pages then

one with updated info an one without

or have a parameter or what not

stefandxm, PRs welcome

no i will not make PRs

the list is already there

we’re also just doing this in our freetime :P

> the list is already there Great, we're done.

thats my point

deploy it

as-is

uh, we could link to the JSON file :-)

and I say that as someone who missed the original announcement and made a pull request this week, after 7 months of not being listed

now you complain you dont have time but still you want everyone else to take time to fulfill your silly procedure

stefandxm, that "silly procedure" also takes our time. It’s not as if only others have to do work here.

we don’t do this for fun, we really think it’s a good idea, for the reasons mentioned here already

lol

jonasw: thanks for covering my ass in my evil plan to drive the XSF down with bureaucratic processes everywhere!

Ge0rG, admit it, you’re just sick of your job and want to spin off a Jabber consulting business ;P

Which reminds me to apply for Board, Council and iteam.

you don’t need to apply for iteam, do you?

you only have to ask, afaik

well, and board needs to approve you etc.

(and thanks jonasw for merging)

np

Guus, can you cancel the currently running build in favour of the most recent one? https://hub.docker.com/r/xmppxsf/xmpp.org/builds/

it triggered one build for each PR, which is a waste of time :)

done

I'm not paying attention here, unless I'm called by name (I've got to catch up on a number of things at work)

fine :)

thanks

sure thing

Ge0rG: > you sound like Evgeny now Wanna next round of compliments from me?

zinid: any time you want :P

Ge0rG: just get a life, nerd

http://bash.org/?23396

it’s been years since I saw a bash.org link

zinid: I'm sure you can do better than that!

whatever, can you take that to a query please ;-)

jonasw: no. MUC-PMs are broken.

dwd, ping council

ping board

https://github.com/xsf/xmpp.org/pull/376 shall be merged unless objectuons are raised.

.

Arc is having issues with his server connecting to xmpp.org at the moment.

Hmm

finally

I had to add muc.xmpp.org to s2s_insecure_domains

-certinfo muc.xmpp.org

Zash: muc.xmpp.org has a valid certificate issued by Let's Encrypt Authority X3

-expires muc.xmpp.org

Zash: muc.xmpp.org has a certificate that expires in 3 days and 7 hours

nope. it was something totally stupid on my end

server had a hard reset, failed to save clock on save, so the server believed it was jan 3 and thus every cert it received was invalid

Arc: is the JID sending me requests you? Did you get a new one?

i renewed my certs a few days ago

my certs should be fine. it was a server date issue.

thankfully it doesnt look like i missed a board meeting since nobody else showed up

Matt did. But that was it.

Kev: please sort out tweetdeck

Ah yeah, that dropped off my inbox when I was ill. Let me put a todo in for tomorrow morning.

Thanks

My two cents about the library/client list on xmpp.org: First of all, my respect for staying calm throughout the discussion, I got mad just passively reading it. Second, while it is not a perfect indicator for a project being maintained or not, checking for commits in the last year to guess whether a project is active does sound like an idea. At least for projects hosted on github an automatic script could check for commits in the last year and set that flag in the json file. (sorry if I bring up something that was considered before)

Syndace, actually, that hasn’t been suggested before, interesting idea

the issue would be where to run such code

it’d be unfortunate to run that during the website build; it would have to be somewhat automated

It was discussed at the summit using 'last commit'.

I didn’t know that

But it presupposes that a) source is publicly available and b) a project with no merged commits isn't maintained.

I think 'author is willing to ping github once a year' is a better metric for whether a project's still cared for.

It's all heuristics, of course.

Kev, it is not meant as a replacement to the current pr way of doing it but as an addition to maybe grab a few projects with lazy devs/devs that don't know about the list

Ah. I misunderstood. That doesn't seem unreasonable :)

leaves the question how would that code run automatically and periodically

Probably doesn't need to be run automatically.

fair enough

Syndace, do you happen to volunteer to code something like that up?

maybe add an optional git_url field for projects which want to link to a website but still have a proper git repository.

Yeah sure :) I hope github has an api but i guess it does

Syndace: https://developer.github.com/v3/repos/commits/#list-commits-on-a-repository

ha! Thanks for the googleing. Gonna script it tomorrow. About when and how to run the script: I could just let my raspi run it once a week ^^

Flow, I already said that on list iirc, but "The situation BMH tries to improve is the following: I do have a bunch of data formatted using a markup language, say CommonMark, that I want to send over XMPP to an XMPP client. Because there is no converter from CommonMark to XHTML-IM(-NEXT) and since I don't want to write one [..]" This is really meh. "I don't want to write a converter so I'll write my implementation in a way that all clients have to implement one themselves"

Syndace: nothing like a good ol' cron... :)

Syndace, jonasw: why automate this? Seems like more work than manually supplying/maintaining a couple of entries.

Guus, automation is good, and I think it’s trivial to do

Meh. Don't care much either way 😃

pep. I think the (important) part you might be missing is that it does not hurt if neither the server nor the client understand the format. It is cool if a client happens to understand the format but if it does not it is still a human readable text message. For XHTML-IM the Server MUST understand the format.

pep., The important point is that you still want to stuff CommonMark into <body/>, even if you convert to XHTML-IM

for maximum interoperablitiy

I don't care, I could also run it manually once a month :D

Syndace, I think it hurts, in fact.

it encourages putting non-plaintext content in <body/>. This is a slippery slope.

Flow, I strongly disagree with that.

jonasw, CommonMarkup is in fact plaintext

I also disagree with putting that in <body/>

<body/> is plaintext, it should only ever be plaintext. Markups are not plaintext, even if they are CommonMark or Markdown.

They are not plaintext? Oh..

Syndace, no, it’s not. It abuses some characters in certain combinations as meta-characters to imply emphasis and other styling. That’s a markup which disguises as plaintext. It happens to be human-readable in many cases.

I can see reading #### small-heading is not so much fun

You skipped what jonasw just said?

Syndace, they are plaintext in the sense that they only use printables, but that also applies to XML and nobody would claim XML to be "plaintext" :-)

pep.: No, I get it. Even though it is plaintext it is not fun to read it as plaintext

k

We're not talking about emotions though

but YMMV

What do clients use these days to embed image-urls into a message (e.g. for stickers)?

Flow, OOB

(not for stickers, but http_upload)

I hope that transition to SIMS happens at some point

jonasw, ty

Flow, ugh. sorry. (mail follows)

Flow, you see my messages on the list now? :-°

I'll still get reports but at least I changed my DMARC policy while I figure something out (if there is anything to figure out)