XSF Discussion - 2017-10-25

poezio looks confused

hey guys, already heard about that ? https://software-otomax.com/setting-jabber-di-otomax.html

some services are using XMPP servers as money transaction system, mostly in Indonesia

I'm considering those accounts created as spam and deleting them on my server

Isn't this more of an operators@ topic?

oh sorry, will discuss about that on operators@

wait, crytocurrency transactions, or actual currency?

xmpp can be used for cryptocurrencies, because, despite the intention, they fall into "trust your server" category (e.g. there is full-mode node holding blockchain and lots of tiny clients)

ok

ralphm: nyco: you around?

Yes

ok so team A today

Awesome?

sure A can be awesome, refering to we either have mattj + martin, or ralph + nyco

do we have anything for the agenda?

Arc, I believe Martin is travelling right now.

meeting time

but do we have quorum?

Hi

0. Welcome + Agenda

Who do we have?

Here

hey

sorry

late... :'(

quorum achieved

Besides trello items, anything else we should discuss?

I don't see...

Summit/fosdem?

google code-in is happening

XSF missed the application window tho

Guus: yeah, I was going to put that on

Sorry, thought I was in the room but I wasn't

Hi MattJ

I see Draft/Stable

And the eternal editor recruitment that I think we can remove

Also elections

yeah, summit, only one day this year?

So let's get going

1. FOSDEM / XMPP Summit

we got the RTC devroom, thx to Saul, again, thx to him

Why one day only? Last time we easily filled up two days.

we have no RTC lounge... yet... afaik

nyco: yeah, I was aware of it all

I will apply for the Lounge as always

thx

also, isn't that for the SCAM team? what would the board contribute to this?

ralphm: please educate me

So that I can do it next year

Guus: I know I haven't been very communicative regarding SCAM, but I consider myself associated with it :_D

Scam lacks the experience

It is just filling in a form, mostly copy/paste

And the org knows me so that helps too

ralphm:cool, but still, you should not be the only capable one

Agreed

So I will list you as contact, too

I'm a car now, let's take this on later, scam MUC?

Anyway, board-wise I can only think of two things

a) do we do a Summit?

of course?

b) what things do we need for Summit/FOSDEM and how much money would we need

For b) I think we need to make a little plan within SCAM and then tell board

For a), I totally think we should yes

+1

you are a car ?

I am not a car.

In a car

summit, yeah, of course, why not?

I guessed, joking ;-)

question is rather: 1 or 2 days? and is it a real question?

I'd go with 2 as always

why not 5? ;-)

2 days, +1 for me as well

I pensiled in Feb 1 and 2

so, we pass the hot potato to the SCAM team?

if SCAM has a good plan for more days, I'm very curious about it :-D

we can ask this team

team answers: none so far

the first 365-day summit

Hah

oh wow

how about 366?

because after 365, the next summit begins

and, still an open question to the SCAM team: do we keep the very same format?

Good questions. I'd love to answer that with Guus and whoever is in SCAM these days

Is that just nyco?

Will formulate answer for next weeks board meeting

Daniel too

Ok

and Daniel, and you

right

left

I didn't leave?

↑↓↑↓

ah

funny

anyway

2. Elections

oh

they're up

I read in the minutes from last time that Alex was on this, but no update?

the pages are on the wiki, official announcements have been made

Announcement was made

https://wiki.xmpp.org/web/Membership_Applications_Q4_2017

so, what do we have to discuss here?

https://wiki.xmpp.org/web/Board_and_Council_Elections_2017

Board should find candidates of possible

Well, I haven't seen an announcement on that we are looking for candidates?

oh, Joe Demo is a candidate, welcome Joe Demo

In any case, if anyone currently on Board wants to do another term, do add your name there

is joe demo a person or a placeholder page

placeholder

that's what i thought

Well, it is a red link, so not even a page

i guess someone could be named Joe Demo...

why Joe Demo? we have Juliet and Romeo all over the places...

ok, interesting debate

so, what do we have to discuss/decide here?

Well, we are responsible for making sure elections can happen

so, checklist ok?

So I wanted to know what the current state is. I don't see Alex here

we're responsible for handing over the baton to the new board

well that too

I don't have a baton

ok then

next agenda item?

yes

3. XEP-0001 Draft/Stable

Where are we on this?

Iirc a request for more feedback was supposed to be sent, but in think our was not

Minutes says MattJ will send a proposal

Mattj?

didn't see one

Errr, sorry, totally dropped that one

Can we remove this from 'to be discussed'?

Yeah

Writing it on my todo now, like I should have done at the time

I'll put it in commitments

Thanks

Tx

Ok

I think that was it

4. AOB?

Anything?

Taking that as a no.

5. Date of Next

+1W

6. Close

Thanks all!

ok, thx ;-)

wow, finished before :30!!!

Yeah, I'm getting back to be on top of the game

thats amazing

great to see

Arc: Observatory docker status?

You volunteer ed for that iirc

still working on it

i have a bit of docker to do this month

Cool. Dare to ETA?

> So with 3 (+1) votes and 2 (-1) votes, we decide to change the state of XEP-0071: XHTML-IM to Obsolete Hehe

ah, then council decided not to deprecate, neat

can't wait for JSON-IM

It was a misunderstanding of the rules; 0001 was confusing.

We thought it was a simple majority, but it's a majority +1s and no -1s

(in this case I'm glad, *ducks*)

:'(

We have problems, but declaring that we essentially don't have any way of communicating formatted messages (especially when most clients support it) would be wrong

Council didn't know how their voting worked, but thankfully someone else did ;)

It's not like declaring it obsolete will solve the security issues, people will still implement it if other clients do, if there is no replacement

Rewrite it as 90% security considerations and get an audited JS implementation?

we can write it in ocaml, prove it in coq and compile to javascript :D

I have a question, do we really need XHTML-IM at first ? I mean who is using it ?

I'd like to have some clear usecases here, because if it's about embedding pictures and so we already have other XEPs for that

Zash, sounds like the best course of action.

zinid, I’d love if you did that. <3

edhelas: I'm sending command outputs as pre tags

Wiktor, about that, I’m going to change poezio’s implementation to send <pre><code class="lang-python">print('Hello world!')</code></pre> instead of the current way, and hopefully specify this usage of the class attribute at the same time.

Sounds good 👍

With this nice Google coloring library I can just insert it into DOM...

No just kidding but images are already solved in a different way so for me preformatted text is the most important use case... I like code snippets and nicely aligned ASCII tables...

XHTML-IM should be a whitelist of tags, no CSS and no dangerous attributes, it needs to have very clear guidelines on how to implement it safely

and maybe that's a new XEP that replaces the current one, that's fine

But changing the status of the current one is not the fix for the issue

MattJ: I went with a whitelist of attribute values, CSS keys and values

Sanitizing CSS is not easy

Throw out CSS but have some predefined list of classes

{fg,bg}-$colorname if you want that kind of thing

So, I don't think the implementations are really paying attention to the spec's exact langauge…

nice, one week away and still the same discussion <3. I was afraid I would be missing the key part :)

Also remember while list of protocol schemes so that <a href="javascript:... is unsafe

Wiktor: That too

(as part of allowed attribute values for a.href)

But really, I expect language lawyering in a XEP to have exactly zero impact on the security in the wild.

waqas, the specification is currently quite unclear about the possible attacks on web clients.

It should state what every web dev should know wrt user input, but it doesn’t currently.

jonasw: nah, I just resurrected it here :) /troll

Also enabling strict Content Security Policy mitigates a lot of these attacks, including script injection

Yeah, that should be part of the security considerations.

But that header obviously didn’t exist back in 2003.

omg im here

"As for me; I recently moved from XMPP to matrix, mostly because I couldn't get XMPP to work reliably on ios, with my server"

citation from reddit

is everything bad on ios?

yes.

ios is fine, the clients are just terrible as far as I can tell. People complain because it kills TCP connections aggressively, but we should be tolerating that anyways.

yeah...

Although, does anything actually describe how reconnect behavior should work with XMPP? That might make a nice informational XEP.

there is a more fundamental problem

SamWhited: :´(

ios assumes your application to run as little as possible

so you almost always in "push" mode

and we have problems with IQs here

the solution is to implement A/V (jingle, sip, no matter) and then ios will allow you to run in background :)

Suppose you could do BOSH with high timeouts.

zinid, that seems like a win/win, for users and devs :P

but then you'd have to implement BOSH, and that way lies madness.

pep.: yes, however "voip certification" was quite notorious in apple store

dunno how it's now

I see

"For me the biggest advantage that Matrix gives over XMPP is the very simple JSON based communication over plain HTTP"

this reddit thread is brilliant

Nice :)

That is an advantage of Matrix, regardless of how complicated that all is under the hood it makes it way easier for most developers to get up and running. We can scorn it all we want, but it's a valid reason that a lot of people would chose to use something else.

Without a TCP socket, what's left of XMPP? You basically have to become a stateless HTTP-like thing and then we're competing againtst something that is that already.

I'm not suggesting we need to change the protocol or anything, just that pretending that advantages our competitors have aren't advantages isn't helpful.

I'd like to strongly object to the statement that iOS is fine. // FOSS person who wants to be in control

SamWhited: we have BOSH 😁

As a server dev, I'm not sure what madness lies in the direction of BOSH

Works fine afaik and negates the need for 198

Zinid, just for a little bit of context this is written by a Matrix developer: "For me the biggest advantage that Matrix gives over XMPP is the very simple JSON based communication over plain HTTP. XMPP on the other hand is complex XML."

The entire thread: https://www.reddit.com/r/privacytoolsIO/comments/678xfm/xmpp_vs_matrix_could_someone_explain_me_the/

Zash: there are several bug reports in ejabberd bugtracker and I have no idea how to fix them because the logic is very complicated (there is some mess with how to handle out of order or duplicates)

It's true. I don't especially like JSON or think it was the right tool for the job, but we have a culture that ignores the end user or developer point of view and only thinks about the experts designing the protocols point of view for whatever reasson. XML *is* too complex, to the point where the XMPP specs have to use a restricted subset of it.

Wiktor: ah, ok

Wiktor: we should have our spy on Reddit then 😀

I mentioned this before and I think most agree: it is not about the actual wire protocol, but about libraries.

ralphm: Sounds true enough. Even SOAP is probably fine if the libs hide it from you :)

Lol

Indeed.

And yeah, trying to write your own lib from scratch when you actually want to make a client is not a recipie for a good time

Right

Question is, is it better to take a tool that doesn't have what you need and hack those things on, or take a tool that has too much and disable features in it?

Not sure. Somebody asked me if it was a good idea to build a chat system on MQTT. My response: if you don't mind inventing your own chat semantics from scratch.

On an unrelated note, I just gave an XMPP intro or overview sort of talk to my office, which was fun.

Yay

(we do a Wednesday lunc-and-learn sort of thing and today was my day to present)

lunch-and-learn, even.

Sam, do you have some sort of template for that? Either to reproduce, or to distill in a blogpost or intro article or something.

Guus: not really, you can steal my slides if you want (warning, the PDFs are out of date): git@bitbucket.org:SamWhited/xmpp-intro-slides.git

But I never try to make presentation slides work well on their own; I probably should

ralphm: people indeed resort to using hand made chats because they think it's easier to write from scratch instead of fiddling with existing tools/libraries

Also don't underestimate the siren song of NIH

SamWhited: I made these a while ago: https://ralphm.net/publications/xmpp_intro/#/

zinid: writing a chat system is easy. Writing a good one is incredibly hard. In any language or protocol.

ralphm: oh nice! mind if I borrow from that?

Totally, you have the source right there

ralphm: I understand that 😀

Thanks; I want to go back through and remove some of the XEPs I talk about (which were tailored for the same presentation for HipChat but which others probably don't care about) and add some of the bigger ones for common chat features.

So I might steal your bullets for Jingle/MUC/etc.

Nice, ralphm

I don't have my login on me to update the PDF of mine, but do have my SSH key so I just lazily comitted it to version control like a bad person: https://bitbucket.org/SamWhited/xmpp-intro-slides/src/f4e4c6fe52afd5783f8444325e69b2520fd02514/slides.pdf?at=master&fileviewer=file-view-default

Currently at Surevine, we have two guys working on XMPP clients (of sorts), and neither is touching XML.

Well. Almost not, anyway.

You make 'm work in the office at 10:27pm while the rest of you are at home? Harsh.

SamWhited: where you working these days?

Arc: Cloudflare