-
jonasw
poezio looks confused
-
edhelas
hey guys, already heard about that ? https://software-otomax.com/setting-jabber-di-otomax.html
-
edhelas
some services are using XMPP servers as money transaction system, mostly in Indonesia
-
edhelas
I'm considering those accounts created as spam and deleting them on my server
-
Zash
Isn't this more of an operators@ topic?
-
edhelas
oh sorry, will discuss about that on operators@
-
Arc
wait, cryptocurrency transactions, or actual currency?
-
zinid
xmpp can be used for cryptocurrencies, because, despite the intention, they fall into "trust your server" category (e.g. there is full-mode node holding blockchain and lots of tiny clients)
-
Arc
ok
-
Arc
ralphm: nyco: you around?
-
ralphm
Yes
-
Arc
ok so team A today
-
ralphm
Awesome?
-
Arc
sure A can be awesome, referring to we either have mattj + martin, or ralph + nyco
-
Arc
do we have anything for the agenda?
-
dwd
Arc, I believe Martin is travelling right now.
-
Arc
meeting time
-
Arc
but do we have quorum?
-
ralphm
Hi
- ralphm bangs gavel
-
ralphm
0. Welcome + Agenda
-
ralphm
Who do we have?
-
Arc
Here
-
nyco
hey
-
nyco
sorry
-
nyco
late... :'(
-
nyco
quorum achieved
-
ralphm
Besides trello items, anything else we should discuss?
-
nyco
I don't see...
-
Guus
Summit/fosdem?
-
Arc
google code-in is happening
-
Arc
XSF missed the application window tho
-
ralphm
Guus: yeah, I was going to put that on
-
MattJ
Sorry, thought I was in the room but I wasn't
-
ralphm
Hi MattJ
-
ralphm
I see Draft/Stable
-
ralphm
And the eternal editor recruitment that I think we can remove
-
ralphm
Also elections
-
nyco
yeah, summit, only one day this year?
-
ralphm
So let's get going
-
ralphm
1. FOSDEM / XMPP Summit
-
nyco
we got the RTC devroom, thx to Saul, again, thx to him
-
ralphm
Why one day only? Last time we easily filled up two days.
-
nyco
we have no RTC lounge... yet... afaik
-
ralphm
nyco: yeah, I was aware of it all
-
ralphm
I will apply for the Lounge as always
-
nyco
thx
-
nyco
also, isn't that for the SCAM team? what would the board contribute to this?
-
Guus
ralphm: please educate me
-
Guus
So that I can do it next year
-
ralphm
Guus: I know I haven't been very communicative regarding SCAM, but I consider myself associated with it :_D
-
Guus
Scam lacks the experience
-
ralphm
It is just filling in a form, mostly copy/paste
-
ralphm
And the org knows me so that helps too
-
Guus
ralphm:cool, but still, you should not be the only capable one
-
ralphm
Agreed
-
ralphm
So I will list you as contact, too
-
Guus
I'm a car now, let's take this on later, scam MUC?
-
ralphm
Anyway, board-wise I can only think of two things
-
ralphm
a) do we do a Summit?
-
Arc
of course?
-
ralphm
b) what things do we need for Summit/FOSDEM and how much money would we need
-
ralphm
For b) I think we need to make a little plan within SCAM and then tell board
-
ralphm
For a), I totally think we should yes
-
Guus
+1
-
nyco
you are a car ?
-
ralphm
I am not a car.
-
Guus
In a car
-
nyco
summit, yeah, of course, why not?
-
nyco
I guessed, joking ;-)
-
nyco
question is rather: 1 or 2 days? and is it a real question?
-
ralphm
I'd go with 2 as always
-
nyco
why not 5? ;-)
-
nyco
2 days, +1 for me as well
-
ralphm
I penciled in Feb 1 and 2
-
nyco
so, we pass the hot potato to the SCAM team?
-
ralphm
if SCAM has a good plan for more days, I'm very curious about it :-D
-
nyco
we can ask this team
-
nyco
team answers: none so far
-
Arc
the first 365-day summit
-
ralphm
Hah
-
nyco
oh wow
-
nyco
how about 366?
-
Arc
because after 365, the next summit begins
-
nyco
and, still an open question to the SCAM team: do we keep the very same format?
-
ralphm
Good questions. I'd love to answer that with Guus and whoever is in SCAM these days
-
ralphm
Is that just nyco?
-
Guus
Will formulate answer for next weeks board meeting
-
Guus
Daniel too
-
ralphm
Ok
-
nyco
and Daniel, and you
-
ralphm
right
-
nyco
left
-
ralphm
I didn't leave?
-
Zash
↑↓↑↓
-
ralphm
ah
-
ralphm
funny
-
ralphm
anyway
-
ralphm
2. Elections
-
nyco
oh
-
Arc
they're up
-
ralphm
I read in the minutes from last time that Alex was on this, but no update?
-
Arc
the pages are on the wiki, official announcements have been made
-
Guus
Announcement was made
-
Arc
https://wiki.xmpp.org/web/Membership_Applications_Q4_2017
-
nyco
so, what do we have to discuss here?
-
Arc
https://wiki.xmpp.org/web/Board_and_Council_Elections_2017
-
Guus
Board should find candidates if possible
-
ralphm
Well, I haven't seen an announcement on that we are looking for candidates?
-
nyco
oh, Joe Demo is a candidate, welcome Joe Demo
-
ralphm
In any case, if anyone currently on Board wants to do another term, do add your name there
-
Arc
is joe demo a person or a placeholder page
-
nyco
placeholder
-
Arc
that's what i thought
-
ralphm
Well, it is a red link, so not even a page
-
Arc
i guess someone could be named Joe Demo...
-
nyco
why Joe Demo? we have Juliet and Romeo all over the places...
-
nyco
ok, interesting debate
-
nyco
so, what do we have to discuss/decide here?
-
ralphm
Well, we are responsible for making sure elections can happen
-
nyco
so, checklist ok?
-
ralphm
So I wanted to know what the current state is. I don't see Alex here
-
Arc
we're responsible for handing over the baton to the new board
-
ralphm
well that too
-
nyco
I don't have a baton
-
nyco
ok then
-
nyco
next agenda item?
-
ralphm
yes
-
ralphm
3. XEP-0001 Draft/Stable
-
ralphm
Where are we on this?
-
Guus
Iirc a request for more feedback was supposed to be sent, but I think it was not
-
ralphm
Minutes says MattJ will send a proposal
-
Guus
Mattj?
-
ralphm
didn't see one
-
MattJ
Errr, sorry, totally dropped that one
-
ralphm
Can we remove this from 'to be discussed'?
-
MattJ
Yeah
-
MattJ
Writing it on my todo now, like I should have done at the time
-
ralphm
I'll put it in commitments
-
MattJ
Thanks
-
Guus
Tx
-
ralphm
Ok
-
ralphm
I think that was it
-
ralphm
4. AOB?
-
ralphm
Anything?
-
ralphm
Taking that as a no.
-
ralphm
5. Date of Next
-
ralphm
+1W
-
ralphm
6. Close
-
ralphm
Thanks all!
- ralphm bangs gavel
-
nyco
ok, thx ;-)
-
nyco
wow, finished before :30!!!
-
ralphm
Yeah, I'm getting back to be on top of the game
-
Arc
that's amazing
-
nyco
great to see
-
Guus
Arc: Observatory docker status?
-
Guus
You volunteered for that iirc
-
Arc
still working on it
-
Arc
i have a bit of docker to do this month
-
Guus
Cool. Dare to ETA?
-
zinid
> So with 3 (+1) votes and 2 (-1) votes, we decide to change the state of XEP-0071: XHTML-IM to Obsolete
Hehe
-
zinid
ah, then council decided not to deprecate, neat
-
edhelas
can't wait for JSON-IM
-
SamWhited
It was a misunderstanding of the rules; 0001 was confusing.
-
SamWhited
We thought it was a simple majority, but it's a majority +1s and no -1s
-
MattJ
(in this case I'm glad, *ducks*)
-
SamWhited
:'(
-
MattJ
We have problems, but declaring that we essentially don't have any way of communicating formatted messages (especially when most clients support it) would be wrong
-
Kev
Council didn't know how their voting worked, but thankfully someone else did ;)
-
MattJ
It's not like declaring it obsolete will solve the security issues, people will still implement it if other clients do, if there is no replacement
-
Zash
Rewrite it as 90% security considerations and get an audited JS implementation?
-
zinid
we can write it in ocaml, prove it in coq and compile to javascript :D
-
edhelas
I have a question, do we really need XHTML-IM at first ? I mean who is using it ?
-
edhelas
I'd like to have some clear usecases here, because if it's about embedding pictures and so we already have other XEPs for that
-
Link Mauve
Zash, sounds like the best course of action.
-
Link Mauve
zinid, I’d love if you did that. <3
-
Wiktor
edhelas: I'm sending command outputs as pre tags
-
Link Mauve
Wiktor, about that, I’m going to change poezio’s implementation to send <pre><code class="lang-python">print('Hello world!')</code></pre> instead of the current way, and hopefully specify this usage of the class attribute at the same time.
-
Wiktor
Sounds good 👍
-
Wiktor
With this nice Google coloring library I can just insert it into DOM...
- Wiktor ducks
-
Wiktor
No just kidding but images are already solved in a different way so for me preformatted text is the most important use case... I like code snippets and nicely aligned ASCII tables...
-
MattJ
XHTML-IM should be a whitelist of tags, no CSS and no dangerous attributes, it needs to have very clear guidelines on how to implement it safely
-
MattJ
and maybe that's a new XEP that replaces the current one, that's fine
-
MattJ
But changing the status of the current one is not the fix for the issue
-
waqas
MattJ: I went with a whitelist of attribute values, CSS keys and values
-
MattJ
Sanitizing CSS is not easy
-
Zash
Throw out CSS but have some predefined list of classes
-
Zash
{fg,bg}-$colorname if you want that kind of thing
-
waqas
So, I don't think the implementations are really paying attention to the spec's exact language…
-
jonasw
nice, one week away and still the same discussion <3. I was afraid I would be missing the key part :)
-
Wiktor
Also remember whitelist of protocol schemes so that <a href="javascript:... is unsafe
-
waqas
Wiktor: That too
-
waqas
(as part of allowed attribute values for a.href)
-
waqas
But really, I expect language lawyering in a XEP to have exactly zero impact on the security in the wild.
-
Link Mauve
waqas, the specification is currently quite unclear about the possible attacks on web clients.
-
Link Mauve
It should state what every web dev should know wrt user input, but it doesn’t currently.
-
zinid
jonasw: nah, I just resurrected it here :) /troll
-
Wiktor
Also enabling strict Content Security Policy mitigates a lot of these attacks, including script injection
-
Link Mauve
Yeah, that should be part of the security considerations.
-
Link Mauve
But that header obviously didn’t exist back in 2003.
-
lovetox
omg im here
-
zinid
"As for me; I recently moved from XMPP to matrix, mostly because I couldn't get XMPP to work reliably on ios, with my server"
-
zinid
citation from reddit
-
zinid
is everything bad on ios?
-
ThurahT
yes.
-
SamWhited
ios is fine, the clients are just terrible as far as I can tell. People complain because it kills TCP connections aggressively, but we should be tolerating that anyways.
-
zinid
yeah...
-
SamWhited
Although, does anything actually describe how reconnect behavior should work with XMPP? That might make a nice informational XEP.
-
zinid
there is a more fundamental problem
-
Zash
SamWhited: :´(
-
zinid
ios assumes your application to run as little as possible
-
zinid
so you almost always in "push" mode
-
zinid
and we have problems with IQs here
-
zinid
the solution is to implement A/V (jingle, sip, no matter) and then ios will allow you to run in background :)
-
Zash
Suppose you could do BOSH with high timeouts.
-
pep.
zinid, that seems like a win/win, for users and devs :P
-
SamWhited
but then you'd have to implement BOSH, and that way lies madness.
-
zinid
pep.: yes, however "voip certification" was quite notorious in apple store
-
zinid
dunno how it's now
-
pep.
I see
-
zinid
"For me the biggest advantage that Matrix gives over XMPP is the very simple JSON based communication over plain HTTP"
-
zinid
this reddit thread is brilliant
-
pep.
Nice :)
-
SamWhited
That is an advantage of Matrix, regardless of how complicated that all is under the hood it makes it way easier for most developers to get up and running. We can scorn it all we want, but it's a valid reason that a lot of people would choose to use something else.
-
Zash
Without a TCP socket, what's left of XMPP? You basically have to become a stateless HTTP-like thing and then we're competing against something that is that already.
-
SamWhited
I'm not suggesting we need to change the protocol or anything, just that pretending that advantages our competitors have aren't advantages isn't helpful.
-
Zash
I'd like to strongly object to the statement that iOS is fine. // FOSS person who wants to be in control
-
zinid
SamWhited: we have BOSH 😁
-
Zash
As a server dev, I'm not sure what madness lies in the direction of BOSH
-
Zash
Works fine afaik and negates the need for 198
-
Wiktor
Zinid, just for a little bit of context this is written by a Matrix developer: "For me the biggest advantage that Matrix gives over XMPP is the very simple JSON based communication over plain HTTP. XMPP on the other hand is complex XML."
-
Wiktor
The entire thread: https://www.reddit.com/r/privacytoolsIO/comments/678xfm/xmpp_vs_matrix_could_someone_explain_me_the/
-
zinid
Zash: there are several bug reports in ejabberd bugtracker and I have no idea how to fix them because the logic is very complicated (there is some mess with how to handle out of order or duplicates)
-
SamWhited
It's true. I don't especially like JSON or think it was the right tool for the job, but we have a culture that ignores the end user or developer point of view and only thinks about the experts designing the protocols point of view for whatever reason. XML *is* too complex, to the point where the XMPP specs have to use a restricted subset of it.
-
zinid
Wiktor: ah, ok
-
zinid
Wiktor: we should have our spy on Reddit then 😀
-
ralphm
I mentioned this before and I think most agree: it is not about the actual wire protocol, but about libraries.
-
Zash
ralphm: Sounds true enough. Even SOAP is probably fine if the libs hide it from you :)
-
zinid
Lol
-
SamWhited
Indeed.
-
Zash
And yeah, trying to write your own lib from scratch when you actually want to make a client is not a recipe for a good time
-
ralphm
Right
-
Zash
Question is, is it better to take a tool that doesn't have what you need and hack those things on, or take a tool that has too much and disable features in it?
-
ralphm
Not sure. Somebody asked me if it was a good idea to build a chat system on MQTT. My response: if you don't mind inventing your own chat semantics from scratch.
-
SamWhited
On an unrelated note, I just gave an XMPP intro or overview sort of talk to my office, which was fun.
-
ralphm
Yay
-
SamWhited
(we do a Wednesday lunc-and-learn sort of thing and today was my day to present)
-
SamWhited
lunch-and-learn, even.
-
Guus
Sam, do you have some sort of template for that? Either to reproduce, or to distill in a blogpost or intro article or something.
-
SamWhited
Guus: not really, you can steal my slides if you want (warning, the PDFs are out of date): git@bitbucket.org:SamWhited/xmpp-intro-slides.git
-
SamWhited
But I never try to make presentation slides work well on their own; I probably should
-
zinid
ralphm: people indeed resort to using hand made chats because they think it's easier to write from scratch instead of fiddling with existing tools/libraries
-
Zash
Also don't underestimate the siren song of NIH
-
ralphm
SamWhited: I made these a while ago: https://ralphm.net/publications/xmpp_intro/#/
-
ralphm
zinid: writing a chat system is easy. Writing a good one is incredibly hard. In any language or protocol.
-
SamWhited
ralphm: oh nice! mind if I borrow from that?
-
ralphm
Totally, you have the source right there
-
zinid
ralphm: I understand that 😀
-
SamWhited
Thanks; I want to go back through and remove some of the XEPs I talk about (which were tailored for the same presentation for HipChat but which others probably don't care about) and add some of the bigger ones for common chat features.
-
SamWhited
So I might steal your bullets for Jingle/MUC/etc.
-
Guus
Nice, ralphm
-
SamWhited
I don't have my login on me to update the PDF of mine, but do have my SSH key so I just lazily committed it to version control like a bad person: https://bitbucket.org/SamWhited/xmpp-intro-slides/src/f4e4c6fe52afd5783f8444325e69b2520fd02514/slides.pdf?at=master&fileviewer=file-view-default
-
dwd
Currently at Surevine, we have two guys working on XMPP clients (of sorts), and neither is touching XML.
-
dwd
Well. Almost not, anyway.
-
Guus
You make 'm work in the office at 10:27pm while the rest of you are at home? Harsh.
-
Arc
SamWhited: where you working these days?
-
SamWhited
Arc: Cloudflare