XSF Discussion - 2017-10-18

  1. jonasw

    Wiktor, sure, but that’s what mailing lists do.

  2. Wiktor

    jonasw: yes, but unfortunately sending emails that claim were authored by you but really aren't is also what spammers do. Even for my little domain I get multiple attempts every single day (thanks dmarcanalyzer.com)

  3. Zash

    Do they?

  4. Zash

    ITYM scammers

  5. Ge0rG

    spammers as well

  6. jonasw

    Wiktor, I’m not saying DMARC/DKIM isn’t a good tool for transactional providers like paypal or amazon or so

  7. jonasw

    but it shouldn’t be applied to private email.

  8. Zash

    SPF is good enough for the rest of us, or something

  9. Wiktor

    Zash: are you sure SPF is not just placebo? Maybe just remove it altogether...

  10. Wiktor

    Did you designate mailing list as allowed sender in you SPF record?

  11. Zash

    No, because I'm not the one sending those, the mailing list is.

  12. jonasw

    (spamassassin agrees)

  13. Wiktor

    Look at fail and forwarding here https://en.m.wikipedia.org/wiki/Sender_Policy_Framework

  14. jonasw

    sure, but a mailinglist isn’t forwarding

  15. Wiktor

    Fail is similar to dmarc reject but doesn't work in practice as far as I know

  16. Zash

    Why aren't mailing lists just designed to forward all posts as attachments?

  17. Zash

    Think Carbons

  18. jonasw

    Zash, probably because UI for those is bad

  19. Zash

    Let's make MUCarbons!

  20. Ge0rG

    We could use them to populate MUC history on 1:1 upgrades!

  21. jonasw

    mmm Ge0rG, a pity you reported those vulnerabilities. that could’ve been useful now!

  22. Zash


  23. Wiktor

    Zash: thats one of solutions to dmarc problem actually, mentioned in the FAQ I linked previously

  24. jonasw

    (one of those solutions which break UX)

  25. Wiktor

    Sorry I'm not mobile can't look it up now

  26. Ge0rG

    jonasw: https://mail.jabber.org/pipermail/standards/2016-December/031750.html

  27. jonasw


  28. Ge0rG

    pep., Zash: maybe interesting for you as well ^

  29. pep.

    Ge0rG, thanks

  30. stefandxm

    Where is the bigger list of xmpp libraries nowadays?

  31. stefandxm

    the one on xmpp.org is very short

  32. stefandxm

    (and does not list license)

  33. mathieui

    stefandxm, on the github of the xmpp website, in the json source files

  34. stefandxm

    so it is not deployed?

  35. mathieui

    the xmpp.org list only lists the ones maintained enough that the maintainers care to update the xmpp.org file once a year

  36. mathieui

    it is

  37. stefandxm

    i am talking about the old list that had tones of more clients

  38. stefandxm

    j-dev list i guess

  39. jonasw

    stefandxm, those clients didn’t bother to tell us they still exist

  40. jonasw

    or they don’t know

  41. stefandxm

    the ones you knew exist lol

  42. jonasw

    if you’re missing any specifically, please point them at https://xmpp.org/2017/03/new-xmpp-software-listing-rules/

  43. mathieui

    jonasw, plz accept my pull request tho :p

  44. jonasw

    mathieui, I can’t

  45. mathieui


  46. jonasw

    I don’t have the power

  47. jonasw

    but we should ping Guus now that he’s back from the GSoC meetup

  48. stefandxm

    ok so its no more then

  49. stefandxm

    now the list is mostly commercial libraries

  50. stefandxm

    if thats what xmpp.org wants then this is fine i guess

  51. jonasw

    stefandxm, which do you miss?

  52. mathieui

    stefandxm, this is not what xmpp.org wants

  53. stefandxm

    i will have to compile my own list :)

  54. mathieui

    xmpp.org aims to have relevant software listings

  55. stefandxm

    but now it doesnt

  56. jonasw

    stefandxm, instead of compiling your own list, notify the projects. apparently a post to jdev@ is not enough. so please let them know about https://xmpp.org/2017/03/new-xmpp-software-listing-rules/

  57. stefandxm

    but it had before

  58. Ge0rG

    stefandxm: the problem with clients was that the official list contained software that's unmaintained for years or even decades, leading to user frustration

  59. mathieui

    and broken libraries untouched since 2005 are not part of what I would call a relevant list

  60. stefandxm

    georg, and now you have no list

  61. stefandxm

    programmers are not stupid

  62. jonasw

    any list which doesn’t include pidgin is a good list.

  63. stefandxm

    they can easily see when a library was updated

  64. jonasw

    stefandxm, libraries, maybe, clients, not so much

  65. mathieui

    although, I agree on the lack of a license field

  66. stefandxm

    anyhow. i understand i cannot rely on xmpp.org to do this because you dont care about the real life scenario :)

  67. jonasw

    stefandxm, you still didn’t tell me which ones you miss.

  68. stefandxm

    lets just say there are no C libraries

  69. Ge0rG

    stefandxm: if programmers are not stupid, they probably can bother enough to send a PR once a year.

  70. stefandxm

    no free c# libraries

  71. jonasw

    stefandxm, that’s not very spicific

  72. jonasw

    stefandxm, that’s not very specific

  73. stefandxm

    and the most commonly used js library is not listed

  74. Kev

    Thankfully, programmers aren't stupid, so they can easily view the full list in the source, irrespective of whether they've been abandoned.

  75. jonasw

    off the top of my head I wouldn’t know which of the four libstrophe-forks is still recent or maintained

  76. stefandxm

    libstrophe is not listed either

  77. stefandxm

    and i hate libstrophe

  78. jonasw

    I know

  79. stefandxm

    still it can be patched

  80. stefandxm

    to be decent

  81. stefandxm

    anyhow. i am not arguing about what library is good or not

  82. stefandxm

    but now the list is simply not usefull for beginners to xmpp

  83. stefandxm

    too bad. the old one was :)

  84. Ge0rG

    stefandxm: so you would say an outdated unmaintained list of broken libraries is more useful than a short list of maintained ones?

  85. mathieui

    stefandxm, https://github.com/xsf/xmpp.org/blob/master/data/libraries.json you still have the full list if you look for it

  86. stefandxm

    georg, yes.

  87. stefandxm

    mathieui, i cannot send a list to a github json file in a tutorial to xmpp

  88. stefandxm

    i will just have to make my own list. wich will be even less maintained

  89. jonasw

    stefandxm, in the time you complained here, you could’ve given a list of things you miss and we can contact the projects.

  90. Kev

    Ah. A special type of programmer who's not stupid and can easily sift through libraries to tell the quality of them, but is unable to read a json list. I know the type.

  91. jonasw

    but you "obviously" don’t care about a good central listing either if you don’t :-)

  92. stefandxm

    i do, but it wont work with the new "rules"

  93. jonasw

    Kev, I know right? JSON is annoying to read.

  94. stefandxm

    i have made two libraries myself and i dont want to inform xsf about it every year

  95. jonasw

    xpath -e '...' :-)

  96. stefandxm

    so i doubt many other libraries i know about will either

  97. mathieui

    Kev, a json list is quite unpleasant though, I can agree on that

  98. jonasw

    stefandxm, your choice

  99. Kev

    mathieui: Of course, it should be XML. Everyone would agree on that ;)

  100. Ge0rG

    Kev: is that the same type of developer who can securely parse markdown, but not XHTML-IM?

  101. mathieui


  102. stefandxm

    if you make stuff a job only proffesionals will do it

  103. stefandxm

    since i make free clients for no money i dont want to spend money on talking to xsf about it

  104. stefandxm

    its quite simple

  105. stefandxm

    and i guess most people think the same, since the list is so small now

  106. Ge0rG

    stefandxm: I must have forgotten the part about paying the XSF to accept PRs in my announcement.

  107. Guus

    someone mentioned me?

  108. stefandxm

    georg, who said anything about paying?

  109. mathieui

    "spend money"

  110. stefandxm

    ah right lol

  111. stefandxm

    time of course

  112. stefandxm

    money is time tho ;-)

  113. jonasw

    Guus, yeah, there are software listing PRs pending

  114. jonasw

    I don’t have access to the big merge button

  115. mathieui

    stefandxm, it’s swapping the value of 1 byte in a json file once a year, and clicking a link

  116. stefandxm

    mathieui, doesnt matter

  117. Ge0rG

    stefandxm: so your argument is: it is better for dozens of developers to spend hours on evaluating XMPP libraries than on you to invest 10 minutes into marketing your library?

  118. stefandxm

    for anyone in here it makes sense. for everyone not even knowing about this channel it does not make sense

  119. Guus

    jonasw: want to have that power?

  120. stefandxm

    most xmpp develoeprs dont use xmpp.org

  121. jonasw

    Guus, dare to give it to me? :)

  122. Guus

    (I'll happily merge myself, but I'd like others to be able)

  123. Guus

    the gsoc trip kinda threw off any planning that I had :)

  124. jonasw

    Guus, I’m willing to handle those PRs

  125. mathieui

    stefandxm, but then they don’t care about it then

  126. mathieui

    also, you dongt even have to be the author to submit a library

  127. mathieui

    also, you don’t even have to be the author to submit a library

  128. stefandxm

    i think what made xmpp big was the compatibility with many different libraries and people being able to start easily. now xmpp.org has taken responsibility to list clients (used by Wikipedia) but at the same time it removes known libraries

  129. Ge0rG

    stefandxm: I admit that the reduction of libraries is a side effect of my push to only have relevant _clients_ listed. But still, your arguments are getting less and less convincing.

  130. stefandxm

    and why would al ibrary have to be updated more often than the protocol

  131. stefandxm

    makes no sense either

  132. jonasw

    nobody says it should be updated

  133. jonasw

    it should be maintained

  134. jonasw

    which are two different things

  135. mathieui

    stefandxm, because software is never finished

  136. stefandxm

    open source libraries doesnt get old or insecure because they are not being updated

  137. stefandxm

    mathieui, so?

  138. Ge0rG

    stefandxm: a good library needs to implement all the XEPs with a useful API. There have been many new XEPs in the last year.

  139. stefandxm


  140. stefandxm

    all xeps!!

  141. stefandxm

    why even have XEPs then

  142. Guus

    jonasw: try now.

  143. stefandxm

    lets just make XMPP a full blown monolithic beast!

  144. stefandxm

    ok, i will stop talking about this now. this only makes me sad

  145. Ge0rG

    stefandxm: you sound like Evgeny now.

  146. Kev

    I'm sorry, this channel has temporarily exceeded its quota of hyperbole. Please try again later.

  147. mathieui

    stefandxm, the "update date" stuff is essentially saying "yes, that library is still usable and someone, somewhere, cares enough about it to make a pull request"

  148. jonasw

    Guus, boom

  149. jonasw

    nice :)

  150. stefandxm

    mathieui, make it two pages then

  151. stefandxm

    one with updated info an one without

  152. stefandxm

    or have a parameter or what not

  153. jonasw

    stefandxm, PRs welcome

  154. stefandxm

    no i will not make PRs

  155. stefandxm

    the list is already there

  156. jonasw

    we’re also just doing this in our freetime :P

  157. Kev

    > the list is already there Great, we're done.

  158. stefandxm

    thats my point

  159. stefandxm

    deploy it

  160. stefandxm


  161. jonasw

    uh, we could link to the JSON file :-)

  162. mathieui

    and I say that as someone who missed the original announcement and made a pull request this week, after 7 months of not being listed

  163. stefandxm

    now you complain you dont have time but still you want everyone else to take time to fulfill your silly procedure

  164. jonasw

    stefandxm, that "silly procedure" also takes our time. It’s not as if only others have to do work here.

  165. jonasw

    we don’t do this for fun, we really think it’s a good idea, for the reasons mentioned here already

  166. stefandxm


  167. Ge0rG

    jonasw: thanks for covering my ass in my evil plan to drive the XSF down with bureaucratic processes everywhere!

  168. jonasw

    Ge0rG, admit it, you’re just sick of your job and want to spin off a Jabber consulting business ;P

  169. Ge0rG

    Which reminds me to apply for Board, Council and iteam.

  170. jonasw

    you don’t need to apply for iteam, do you?

  171. mathieui

    you only have to ask, afaik

  172. jonasw

    well, and board needs to approve you etc.

  173. mathieui

    (and thanks jonasw for merging)

  174. jonasw


  175. jonasw

    Guus, can you cancel the currently running build in favour of the most recent one? https://hub.docker.com/r/xmppxsf/xmpp.org/builds/

  176. jonasw

    it triggered one build for each PR, which is a waste of time :)

  177. Guus


  178. Guus

    I'm not paying attention here, unless I'm called by name (I've got to catch up on a number of things at work)

  179. jonasw

    fine :)

  180. jonasw


  181. Guus

    sure thing

  182. zinid

    Ge0rG: > you sound like Evgeny now Wanna next round of compliments from me?

  183. Ge0rG

    zinid: any time you want :P

  184. zinid

    Ge0rG: just get a life, nerd

  185. Guus


  186. jonasw

    it’s been years since I saw a bash.org link

  187. Ge0rG

    zinid: I'm sure you can do better than that!

  188. jonasw

    whatever, can you take that to a query please ;-)

  189. Ge0rG

    jonasw: no. MUC-PMs are broken.

  190. Tobias

    dwd, ping council

  191. MattJ

    ping board

  192. Guus

    https://github.com/xsf/xmpp.org/pull/376 shall be merged unless objectuons are raised.

  193. Kev


  194. Kev

    Arc is having issues with his server connecting to xmpp.org at the moment.

  195. arc


  196. Arc


  197. Arc

    I had to add muc.xmpp.org to s2s_insecure_domains

  198. Zash

    -certinfo muc.xmpp.org

  199. Bunneh

    Zash: muc.xmpp.org has a valid certificate issued by Let's Encrypt Authority X3

  200. Zash

    -expires muc.xmpp.org

  201. Bunneh

    Zash: muc.xmpp.org has a certificate that expires in 3 days and 7 hours

  202. Arc

    nope. it was something totally stupid on my end

  203. Arc

    server had a hard reset, failed to save clock on save, so the server believed it was jan 3 and thus every cert it received was invalid

  204. SamWhited

    Arc: is the JID sending me requests you? Did you get a new one?

  205. Arc

    i renewed my certs a few days ago

  206. Arc

    my certs should be fine. it was a server date issue.

  207. Arc

    thankfully it doesnt look like i missed a board meeting since nobody else showed up

  208. Kev

    Matt did. But that was it.

  209. Guus

    Kev: please sort out tweetdeck

  210. Kev

    Ah yeah, that dropped off my inbox when I was ill. Let me put a todo in for tomorrow morning.

  211. Guus


  212. Syndace

    My two cents about the library/client list on xmpp.org: First of all, my respect for staying calm throughout the discussion, I got mad just passively reading it. Second, while it is not a perfect indicator for a project being maintained or not, checking for commits in the last year to guess whether a project is active does sound like an idea. At least for projects hosted on github an automatic script could check for commits in the last year and set that flag in the json file. (sorry if I bring up something that was considered before)

  213. jonasw

    Syndace, actually, that hasn’t been suggested before, interesting idea

  214. jonasw

    the issue would be where to run such code

  215. jonasw

    it’d be unfortunate to run that during the website build; it would have to be somewhat automated

  216. Kev

    It was discussed at the summit using 'last commit'.

  217. jonasw

    I didn’t know that

  218. Kev

    But it presupposes that a) source is publicly available and b) a project with no merged commits isn't maintained.

  219. Kev

    I think 'author is willing to ping github once a year' is a better metric for whether a project's still cared for.

  220. Kev

    It's all heuristics, of course.

  221. Syndace

    Kev, it is not meant as a replacement to the current pr way of doing it but as an addition to maybe grab a few projects with lazy devs/devs that don't know about the list

  222. Kev

    Ah. I misunderstood. That doesn't seem unreasonable :)

  223. jonasw

    leaves the question how would that code run automatically and periodically

  224. Kev

    Probably doesn't need to be run automatically.

  225. jonasw

    fair enough

  226. jonasw

    Syndace, do you happen to volunteer to code something like that up?

  227. jonasw

    maybe add an optional git_url field for projects which want to link to a website but still have a proper git repository.

  228. Syndace

    Yeah sure :) I hope github has an api but i guess it does

  229. Wiktor

    Syndace: https://developer.github.com/v3/repos/commits/#list-commits-on-a-repository

  230. Syndace

    ha! Thanks for the googleing. Gonna script it tomorrow. About when and how to run the script: I could just let my raspi run it once a week ^^

  231. pep.

    Flow, I already said that on list iirc, but "The situation BMH tries to improve is the following: I do have a bunch of data formatted using a markup language, say CommonMark, that I want to send over XMPP to an XMPP client. Because there is no converter from CommonMark to XHTML-IM(-NEXT) and since I don't want to write one [..]" This is really meh. "I don't want to write a converter so I'll write my implementation in a way that all clients have to implement one themselves"

  232. Wiktor

    Syndace: nothing like a good ol' cron... :)

  233. Guus

    Syndace, jonasw: why automate this? Seems like more work than manually supplying/maintaining a couple of entries.

  234. jonasw

    Guus, automation is good, and I think it’s trivial to do

  235. Guus

    Meh. Don't care much either way 😃

  236. Syndace

    pep. I think the (important) part you might be missing is that it does not hurt if neither the server nor the client understand the format. It is cool if a client happens to understand the format but if it does not it is still a human readable text message. For XHTML-IM the Server MUST understand the format.

  237. Flow

    pep., The important point is that you still want to stuff CommonMark into <body/>, even if you convert to XHTML-IM

  238. Flow

    for maximum interoperablitiy

  239. Syndace

    I don't care, I could also run it manually once a month :D

  240. jonasw

    Syndace, I think it hurts, in fact.

  241. jonasw

    it encourages putting non-plaintext content in <body/>. This is a slippery slope.

  242. jonasw

    Flow, I strongly disagree with that.

  243. Syndace

    jonasw, CommonMarkup is in fact plaintext

  244. pep.

    I also disagree with putting that in <body/>

  245. jonasw

    <body/> is plaintext, it should only ever be plaintext. Markups are not plaintext, even if they are CommonMark or Markdown.

  246. Syndace

    They are not plaintext? Oh..

  247. jonasw

    Syndace, no, it’s not. It abuses some characters in certain combinations as meta-characters to imply emphasis and other styling. That’s a markup which disguises as plaintext. It happens to be human-readable in many cases.

  248. Syndace

    I can see reading #### small-heading is not so much fun

  249. pep.

    You skipped what jonasw just said?

  250. jonasw

    Syndace, they are plaintext in the sense that they only use printables, but that also applies to XML and nobody would claim XML to be "plaintext" :-)

  251. Syndace

    pep.: No, I get it. Even though it is plaintext it is not fun to read it as plaintext

  252. pep.


  253. pep.

    We're not talking about emotions though

  254. Flow enjoys reading CommonMark in plain text

  255. Flow

    but YMMV

  256. Flow

    What do clients use these days to embed image-urls into a message (e.g. for stickers)?

  257. jonasw

    Flow, OOB

  258. jonasw

    (not for stickers, but http_upload)

  259. jonasw

    I hope that transition to SIMS happens at some point

  260. Flow

    jonasw, ty

  261. jonasw

    Flow, ugh. sorry. (mail follows)

  262. pep.

    Flow, you see my messages on the list now? :-°

  263. pep.

    I'll still get reports but at least I changed my DMARC policy while I figure something out (if there is anything to figure out)