XSF Discussion - 2017-10-26

cloudflare is doing xmpp now?

no, I don't do anything related to XMPP anymore

I just gave a lunch-and-learn presentation

ah ok

seems i dont have a wiki account anymore

Arc: all accounts got lost during the crash earlier this year. We can create a new account for you.

Guus: cool, ArcRiley arcriley@gmail.com would be great

i just thought i already had one setup since the restore

Ge0rG appears to have beat me to the punch

There doesn't appear to be any other 'Arc' account

cool. and thanks Ge0rG

Guus: https://www.youtube.com/watch?v=o0oV8RzcXCI heh

you are in a car.

(needing to break the doors to a locked building, K9 reminds: you are in a car. cars can go through doors)

Guus: sorry, I wasn't sure whether you were there.

I wasn't here :)

nor do I break into buildings using a car. :)

How do you do it?

Have you seen Mission Impossible, that scene where he drops in on a rope through a shaft?

> I don't do anything related to XMPP anymore I don't think it's acceptable for a council member though

that's why we lose reality and don't understand what users/customers want

ralphm, SamWhited: it would be great to link your presentations from https://wiki.xmpp.org/web/SCAM/Material

Ge0rG: do it

ralphm: is there a timestamp / place-of-presentation for your slide deck? Also, why is it sometimes scrolling to the right and sometimes to the bottom?

...and sometimes diagonally?!

Ge0rG: that for you not to get bored

Ah, a second attempt made me realize that it's a kind of chapter structure

good idea Ge0rG, thanks.

zinid: I think what Sam ment is that he's not doing anything related to XMPP in his day-job.

Guus: so he doesn't depend financially

which is ... a good thing, right?

I've always dreamed of getting paid for doing XMPP.

which is kind of irrelevant, I'd say.

Ge0rG: make it so!

I disagree here, it's a bad thing

Yesterday I was in a pitch presentation for a large project tender, and had a list of my CVEs on a slide (some of which are very XMPP-related). the customer asked whether I collaborated on those and was really surprised that I was the one who actually researched them.

it's easy to say "hey, let's deprecate everything" when you're not responsible for anything

zinid: I think that most people in here actually attempt to make XMPP better.

Ge0rG: well, then you need to try harder :) because xmpp is degrading

And there are horrible things in XMPP that well deserve to get deprecated. I'm just not sure if XHTML-IM is one of them.

zinid, you don’t need to do XMPP in your day-job to have incentive to make things right.

jonasw: but I still think that there are more incentives if you do that job

also, "not getting paid for anything" doesn't equal "not taking responsibility"

zinid: actually, if you are getting paid for XMPP related work, this is adding bias to your opinion, making it potentially worse for XMPP.

zinid, hm, that’s different for different people I suppose.

not getting paid to do something can also avoid being pressured into something that's commercially interesting, but affects the larger community badly.

I’m more with Ge0rG on this

so, I think it's good to have a nice mix of people in here :)

a MIX of people?

Ge0rG: bias is good actually, and we should rely on consensus

Ge0rG: d'oh!

zinid: are you paid to say that?

Ge0rG: nice try ;)

I think you want interested, intelligent, knowledgeable and responsible people, and whether they're paid for XMPP or not isn't the most important thing.

I agree

You can have a ludicrous bias with or without being paid.

And you can be disinterested or not particularly knowledgeable in XMPP despite being paid for it.

Maybe let's not take this too extremes but there is a difference when someone runs a business critical system on top of XMPP vs hobby projects. Not to say hobby projects are bad, I'm using them daily, but depending on XMPP also gives unique perspective that is not to be ignored.

Wiktor, if you’re like me: I’m more invested in my hobby projects than in my dayjob.

Yeah, but do you want xmpp to be only hobbyists network?

not necessarily, but the use-cases are the same, no matter who’s running the development, aren’t they?

Is it an either-or?

jonasw: sorry to hear that. We are hiring :P

Ge0rG, I know

you have been taken into consideration, but I’m waiting for the offer of the local company ;-)

Zash: it is not but it's important to hear both sides, if you had hobbyists only in XSF that'd be dangerous IMO

Wiktor, sure, but it shouldn’t in any way be a criteria for or against council membership.

jonasw: yes, definitely not, especially if Sam is already evangelizing XMPP, but I hope not everyone in the council is doing xmpp as a side project, that'd be... Almost like matrix! ;)

are there any guys in council who actually get paid?

ah, Kev

zinid: paid for being on council? Or for working on XMPP?

working on xmpp

I once got two days off for attending Summit, but it required some discussing with my boss.

zinid: you're not running for a member? you'd be a perfect 10th man ( https://movies.stackexchange.com/questions/12616/ )

Wiktor: that sounds like emergency law or law of war.

lol, I don't know what membership gives me except some boring beuracracy stuff (like polling)

zinid: it's like with political elections. If you don't vote, you have no right to complain about the people who got elected and their actions.

Okay, Russia is probably different in that regard :>

lol

and it's so hard to elect a council in a more democratic way? why one would be a member for that?

Ge0rG: I've heard voices that software development is similar to warfighting: https://youtu.be/2u0sNRO-QKQ?t=34m32s

,oO( http://cdn2.spiegel.de/images/image-290455-galleryV9-gxvy-290455.jpg )

typical russian elections

> I think you want interested, intelligent, knowledgeable and responsible people

all feats combined in a person? *quietly revokes candidacy*

“09:42:25 zinid> […] I don't think it's acceptable for a council member though”, I’m not doing anything XMPP-related at $dayjob either, it probably reduces the conflicts of interest, but I don’t think people who are doing it are bad either, it’s just different perspectives.

and it's good to have a mix of different perspectives.

This.

“10:58:57 Wiktor> […] I hope not everyone in the council is doing xmpp as a side project, that'd be... Almost like matrix! ;)”, what do you mean by that? Just like jonasw I am generally more interested in my side projects (otherwise I’d do something else with my free time ^^), even though I have to be at work eight hours a day.

“11:07:27 Ge0rG> zinid: it's like with political elections. If you don't vote, you have no right to complain about the people who got elected and their actions.”, I strongly disagree on this, when no choices are proposed to you, that’s not an election and you have full rights to complain before, during and after that simulacre.

> not necessarily, but the use-cases are the same, no matter who’s running the development, aren’t they? Very much not.

Link Mauve: I mean that for a healthy project you probably need some kind of push to a business success, it's like "analysis paralysis", sometimes you need to make things pragmatic. Don't get me wrong I also spend a lot of time polishing my side projects but the best approach is a balanced approach :)

zinid: Of the people currently on Council, at least three currently are paid for XMPP work, and one other was in the past.

Kev: Wouldn't it vary depending on what they are doing?

Zash: I don't think so. I think hobbyists don't tend to address some of the requirements that are not-fun, in the general case.

In principle a hobbyist might do such things, but it's not tremendously likely.

agreed, and we have examples for this

also, bussiness tends to make things faster because of financial pressure

for example we in p1 had push support since 2008 or so, while XSF still didn't produce anything meaningful

...to hack things together in a more or less working way

zinid, from what I’ve seen, when there is pressure to make something, a business will abandon its principles and hack something which is most likely harmful to the long term.

I don't see why 'hack something in' and 'harmful long term' have to be linked.

Don't be evil.

We’ve consciously done development that was going to be impossible to upstream next, just because a customer wanted it fast.

Hacking something in that's not long-term suitable is actually a good way of getting experience and feeding into a 'correct' fix.

Kev, sure, but when we have the time we prototype something and then do it the correct way.

Not spending time polishing the prototype.

Zash, No bullshit, since 1999

did anyone take minutes during yesterdays board meeting?

ah, Edwin fixed the logs

People, to get some feel of who's interested in joining us in Brussels for Summit 22 and/or FOSDEM, I'd appreciate if you guys sign up on the corresponding wiki pages: https://wiki.xmpp.org/web/Summit_22 and FOSDEM_2018

this will help SCAM to get an indication of the amount of people + required housing etc.

also, thoughts on content, please, share!

(copy and pasting is hard. Here's the proper FOSDEM 2018 wiki page link: https://wiki.xmpp.org/web/FOSDEM_2018 )

It would be great to have a discussion of what's broken in XMPP, but I'm not sure I can attend

We'll do proper announcements on the mailing lists soon.

Ge0rG: in the interest of perception: let's have a discussion on fixes. :)

Guus: we can't discuss fixes before having a consensus on the problems, right?

Sure. I'm just suggesting to word it differently. Starting off in a negative frame will likely hurt.

Guus: "Making XMPP ready for the next decade"?

"You're an ass!" vs "You'd be more awesome if you'd ...."

Though "Making XMPP ready for the last decade" would be technically more accurate.

.oO(previous decade rather)

jonasw: ✋

Guys, don't want to sound like anyone's dad (or project lead, or scrum master) but I think that funny-yet-negative remarks can annoy/upset some people - even while they're not intended to do so. Let's try to keep things on the + side of things.

Guus, I agree

there's a distinct negative vibe that we really should try to get rid of.

I'm not blaming you guys specifically at all, but it's the little stuff like this that I think we can all improve on.

Guus: your scrum dad attitude is much appreciated.

Thank you. I shall be organizing retrospectives soon.

so I need to figure out whether I want to go to that summit

I do want, in some way, but stress

(would also be an excellent use for my remaining vacation day)

so you need to figure out how you can make it :)

kindof

jonasw: some employers will cover some of the attendance, when asked

Guus, I’m not *that* employed yet (just a student)

who's in charge of your vacation day budget then?

(apart from yourself :P )

attending stuff like this is an excellent way to improve various skills that can-be-defined-in-a-way-that-suits-your-vaction-day-decision-maker-best ;)

also: it's good fun :)

ugh, 13:30 and I still need to get started with work

Guus, sure, employer, but I work like 8h/week due to being a student.

I doubt that they would cover any conference based on that

(which also means that vacation day == vacation week for me)

I see

jonasw: you might get funding from your university.

jonasw: depends on the budget situation of course, but it might be possible. At my former institute, that would probably have worked if I made a presentation there.

Ge0rG, I’m not really close to any department, so that’d be kind of out-of-the-blue there

funding also isn’t the issue for now, I need to figure out whether I want to stay at a hotel and all that

I usually don’t want that

jonasw: we'll likely arrange for a group discount, in which you'll have your own room, against a reduced price.

as I said, budget is not necessarily an issue. the circumstances of a hotel (or other non-home accomodation, I really like my own bed) stay are.

jonasw: that, I cannot change :) If it's any comfort: last years hotel was pretty nice!

dwd, could you re-join open_chat? We've deployed that XMPP parse PR there

Looks like my xmpp-wiki account became victim to the death of the server. Who can I contact for a new account?

vanitasvitae: me or Guus for example

vanitasvitae: just say your anticipated user name and email address in here :)

Ah, I'll ask Guus, since he's in my roster :D

Has anyone worked with broadsoft's UC (unified communications) platform? My understanding it it's all XMPP but finding much about it - like what XEP's they support - hasn't been easy

actually this should probably be asked in operators - sorry

Arc, arc, could you share the sources of your Prosody flyer with SCAM (and us)? I’d like to translate it to French and distribute it at an upcoming event.

youre referring to http://www.sheut.net/xmpp_guide_2017.pdf ?

Yes, this one.

if so change the end to _1.svg and _2.svg for the two sides, tho im not certain that's the best source format

the pdf might be better

Did you create it directly in SVG?

inkscape yea

then saved it to pdf, and used a command line tool to combine the two pages for printing

Perfect, it works fine in Inkscape!

maybe throw on https://check.messaging.one/index.php to test?

oh I guess xmpp.net directs you there

we're less than an hour before GCI is announced

https://wiki.xmpp.org/web/SCAM/Material <-- Arc's pdf was already in there, but please, add source files if available.

its possible we wont be in this year, which frees up my winter considerably

did we even apply for GCI?

no but copyleft games did, and we always have XMPP tasks

ah, cool

Link Mauve: can you update your diecut sticker template for the new logo?

got to pick up the kids, ttyl

Arc, which one?

Link Mauve, maybe delete it and use https://github.com/xsf/xmpp.org/blob/master/xmpp.org-theme/static/images/xmpp-logo.svg instead?

having a canonical version is good :)

Right.

I'll update the SCAM repo (still points to your site)

Link Mauve: Die-cut logo (roughly 2x2 inch) Take an image of the logo, like the one on https://linkmauve.fr/svg/xmpp.svg

Arc: I just replaced that link

really got to pick up the kids now :)

later

There, fixed. :)

I also removed a duplicate for the gradient, it’s the same on both sides so it’s better to have only one.

Guus: if you still want them, I put the slides I used yesterday: https://bitbucket.org/SamWhited/xmpp-intro-slides/downloads/

Arc, your(?) http server doesn't serve over tls :( ✏

SamWhited: just noticed a typo on your cloudflare_slides, "Mobile Considerations" is 0286 and not 0268 :)

oops, thanks

I should change those anyways; the XEPs I used were for the same presentation somewhere else, for more general things where people don't care about any specific XMPP thing I should probably just do big XEPs that are nice fancy features (Jingle, MAM, MUC, etc.)

pep.: sheut.net? no it doesnt

pep.: the server itself supports TLS and runs it for other domains, but not this one.

and we're NOT in GCI this year.

Jingle and PubSub. The apogee of XMPP.

Arc, yeah I've noticed it doesn't

pep.: congrats, you noticed

why does it matter to you

Because there's a link and I wanted to click on it. *compulsive clicker*

But now that I know it doesn't support tls, there's still the link, but I can't see the other side. sadness

SamWhited: a link to your slides were already added to the SCAM repo

Oh, well that link is probably broken now unless you rehosted them somewhere

Can you update it please? I'm on mobile mow

Now

Link to the wiki based repo was posted earlier

I don't have any "earlier" because mcabber (unless it was very recently earlier) :(

found it though

oh, that was the right link anyways, it just didn't actually have up-to-date slides in it until just now

pep.: you have it set so you can only view TLS?

tisk, tisk

now I know how to keep you out of my links :-P

:(

I'm not sure I get what people have against TLS

Arc, I could if I wanted, I just filter them. (manually still, even if httpseverwhere helps, but only on the browser)

i dont have anything against TLS. its just not automatic, and I don't think every domain warrants it

I think every public domain should

well, feel free to do it on your own domains

i would rather spend the time I would otherwise spend maintaining TLS certs, writing code

I wouldn't mind taking time and helping you, but I'm sure you know how to do it already :)

that's not an obsession I have

Arc, once it is setup, there is no maintainance.

if a domain has a xmpp server on it, it gets a TLS cert.

And if a domain has an HTTP server on it, same, that way everyone is happy. :)

Arc, why would xmpp require a cert and not http

Link Mauve: that's complete bullshit. seriously. TLS certs expire. There's a duty to care that they don't expire, and to fix them when the scripts fail to perform as expected. Its a time investment I'm not going to put into every domain I have

Maybe you haven't heard of the new chap in town, let's encrypt

pep.: I use lets encrypt. it is not flawless, ive found my scripts for it break about once a year

It solves *all* problems!!

Zash, all!

I've got monitoring set up for my domains, adding one with tls is O(1), but then again I'm an infrastructure nerd.

i just spent 3 days fixing a host of domains that it broke on, and because the domains were set to use https only, and because the certs were expired, letsencrypt couldn't renew them without reconfiguring the domains to non-https first

bootstrap is annoying indeed

if a domain has a login, or has anything private, sure. if it has xmpp, sure. those are valid reasons.

I've never seen letsencrypt break though, with lego.

But you should serve on 80 and 443 anyway, you can redirect 80 to 443, but have /.well-known/acme-challenge go to whatever folder letsencrypt requires

pep.: again, this is your obsession, not mine.

If you're really this concerned about a little personal domain that someone else rusn I question the validity of your threat model.

SamWhited, it's just one part of it

sheut.net is my personal LAN domain. www.sheut.net <http://www.sheut.net> is used for sharing tiny files on non-indexed URLs

www.sheut.net <http://www.sheut.net> gives a 403 Forbidden

but if you really want to get into a infrastucture pissing contest, I'd love to get into it on IPv6 :-P

Sure, I have ip6 at home and at work as well

Something something self-hosting DNSSEC, mumble

But that's not the point here anyway

i dont host anything unless it has an ipv6 address

Arc, it seems to work in IPv6 from here.

Link Mauve: i would expect as such, since its hosted by he.net

I have a VPN into he.net too, with native ipv6

You mean you have native ip6 _and_ the vpn?

i have native ipv6 at he.net and at home. but with the vpn i have layer 3 native ipv6 everywhere i go

if I'm at starbucks I have ipv6

Anyway, my concern about tls is that every one who enables it helps "cover the tracks" (or however you want to call it) for any other concerned person. ✏

then dont load my links :-P

Another reason is to avoid an evil MitM from seeing what we download, or even from tampering with them.

Arc, the thing is that it's not just about you

uh-huh. ok I'm done engaging in this conversation

im reading up on ALPN API callbacks in openssl this morning

IT systems have fractal complexity.

Arc, you have a 6in4 tunnel or you have a VPN that gives you a native v6 address?

jjrh: I have a layer 2 VPN into a native dual stack network running in my own server cabinet at he.net

ah - nice :)

my home network is pretty awful, the owner *THINKS* he knows enough to do it, but the IPv4 LAN ip block is 192.169.0.0/16

does that play nice on android?

there are currently 9 active devices on it, 2 of them are printers.

jjrh: yep. my phone is on it.

I like the idea - might look into it myself. Make some things much easier

the biggest reason is being able to SSH into any system, from any of my systems, anywhere i happen to be

my car has native IPv6 wifi

Yeah I would use sixxs for that (before it shutdown) haven't got around to configuring a HE tunnel for my laptop yet

jjrh: im not sure HE runs that service anymore, but I'm happy to offer a VPN operated on your own physical ARM microserver

HE still runs their 6in4 tunnel

1 IPv4 address, /64 IPv6

ah cool.

https://tunnelbroker.net/ yeah tunnel broker is still live - sixxs died last year

HE are good people, ive hosted with them for almost a decade now

I still have a subnet from them before I had native v6 at home just haven't configured it for my laptop, and I don't believe the daemon (forget what HE uses - not aiccu) runs on android so a VPN I guess is my only option

whats the VPN protocol you're using?

openvpn

ah

bbiab need to drive

> If the UID contained within an <after> or <before> is not present in the archive, the server MUST return an item-not-found error Has this changed? I distinctly remember that you were to behave as if the ids were outside the range of the archive

And when did 'stable' appear?

> we can't discuss fixes before having a consensus on the problems, right? we can't reach an agreement on something we almost don't discuss

zinid: context would be good

Arc: what context? there are pending topics in the ML where Ge0rG provided some summary, but it's virtually not discussed

anyway, since we're done with xhtml-im ranting, can we discuss problems of push notifications finally?

some devs disagree there should be any pubsub, so the suggestion is to get rid of it

zinid: xhtml-im discussion will continue until the XEP is retired with prejudice. the topic has only gone to sleep for X weeks, it will reawaken

the webchat im working on does not, and will not support it.

Arc: I don't give a shit actually

there are simply too many surfaces to protect against

Arc: I care about other topics

ok so what topic are you referring to

Arc: I already said about the topic

I am preparing an email to gather requirements for a potential XHTML-IM replacement. Afterwards hopefully we can discuss how the alternative could also be safer.

SamWhited: we did a trial on that last year, it was very successful

media attachments

why are there cloudflare logos in the scam pdf slides? Is cloudfare a huge sponsor to the xsf?

I work there and I was the one giving the presentation

and giving it internally iirc

but cloudflare has nothing to do with the xsf in general?

not as far as I know

ah. Good.

but yah, putting the place paying for you to be at the conference on your slides is just habit (though in this case I wasn't anywhere, so kind of pointless I guess)

I see. Thanks for clarifying

SamWhited: im developing a handshake for an external authentication server, any advice?

Arc: I'm probably not the best person to ask about authentication servers, but sounds fun! :)

sending a client's connection info, TLS cert when available, and having it take over the SASL component

also in-band registration, when supported

That sounds cool; is this to use LDAP or some other directory thing?

the idea is its for anything

allow the service to implement any authentication they want without having to edit the xmpp server, or worse, write their own

Good idea

OAUTH2 for example, you'll commonly want a custom auth server, even if oauth2 is already available you'll want to customize it

How would you delegate to it? Do servers give you a way to plugin stream features that delegate to another service?

https://xmpp.org/extensions/xep-0077.html#redirect provides a simple way to send registering clients to a website url. that will need to be tightly linked to the authentication chosen.

SamWhited: im thinking when the server needs to auth for a user, it gives details to the auth server, which replies with the SASL mechanisms it supports. the existance of the auth server implies in-band registration and SASL are supported in the appropriate places

im not trying to make it a generic component

though on initial connection to the auth server it could reply back with a xmpp feature set it supports.

i want to keep it simple, tho. not to place undue burden on implementors