-
ralphm
Hi all
-
MattJ
Hey
- ralphm bangs gavel
-
Ge0rG
What? End of Meeting?
-
ralphm
0. Welcome and agenda
-
ralphm
Who do we have?
-
MattJ
I'm here
-
MattJ
Guus and Martin both said they couldn't make it today
-
ralphm
right
-
ralphm
and no nyco?
-
ralphm
Ok, so no quorum. Let's try next week and follow up on list.
- ralphm bangs gavel
-
MattJ
wfm
-
Ge0rG
ralphm: don't forget to change the topic for our multi-year ongoing Board meeting
-
ralphm
set the topic to
XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings
-
ralphm
There
-
Ge0rG
Phew!
-
Ge0rG
thanks very much.
-
Ge0rG
BTW, whom should I approach about the administration of jabber.org and xmpp.org the Jabber servers?
-
jonasw
stpeter maybe?
-
jonasw
xmpp.org is iteam
-
jonasw
xmpp.org isn’t a public server in any way though
-
jonasw
AFAIK
-
Kev
Iteam for xmpp.org. Peter for jabber.org. Although you can always approach me and see if I can help.
-
Ge0rG
Maybe I should just make it (more) public now.
-
jonasw
your manifesto?
-
Ge0rG
Kev: I'm working on a Public Servers Anti-Spam manifesto - https://gist.github.com/ge0rg/2e4accf6950821ca45f743fdf587c08e - I'd like to get some feedback from large public servers' admins to create a consensus that can be signed off
-
mathieui
if only the third item was possible
-
Ge0rG
mathieui: monitoring registrations from TOR?
-
mathieui
yes
-
Ge0rG
mathieui: it is possible, at least on prosody
-
Kev
I think it's millions of users, FWIW, although not all active.
-
Kev
jabber.org has millions of registered users on its own.
-
mathieui
well, if "monitoring" consists of adding one log line to the prosody debug file, then sure, it’s possible
-
mathieui
but also useless
-
Ge0rG
mathieui: you can have a script grep your log
-
moparisthebest
And do what
-
moparisthebest
Xmpp over tor is perfectly legitimate
-
jonasw
moparisthebest, treat the accounts with more scrunity until it’s clear they’re not abusers?
-
jonasw
limit resource usage etc.
-
mathieui
moparisthebest, it’s perfectly legitimate but mass account creation is not
-
jonasw
protecting public servers against tor-helped abuse is also perfectly legitimate :)
-
moparisthebest
jonasw: sounds hard for a script but sounds ok
-
mathieui
also from my homemade statistics we’ve got around 1000 registrations for one legitimate user from those ips
-
Ge0rG
> protecting public servers against tor-helped abuse is also perfectly legitimate :) We really need to differentiate here. There _are_ legitimate use cases for Tor
-
jonasw
Ge0rG, that’s why I’m saying "tor-helped abuse" and not "tor itself"
-
mathieui
yeah, it’s not about banning Tor at all (hell, I run a relay myself)
-
moparisthebest
So will there be a public list of servers that should be blocked or will that be up to individual servers to determine
-
jonasw
I suggested to run a public DNS block list
-
jonasw
but Ge0rG was against the name I proposed :)
-
moparisthebest
That would be ideal, but then someone has to manage it
-
jonasw
I wanted to try that
-
moparisthebest
The reason it's ideal is because large servers have enough info to determine bad domains, small servers do not
-
jonasw
yes
-
moparisthebest
And I'm biased, I'm the only one on my server to get spam :)
-
Ge0rG
jonasw: I was not opposed to you actually running it, but you might give it a better name, like xmpp-rbl
-
jonasw
I know
-
jonasw
RBL doesn’t seem to be a reasonable name though
-
jonasw
because it won’t be real-time or blackhole, will it?
-
Kev
Is there any reason for it to be DNS-based for XMPP?
-
jonasw
Kev, exploiting existing cache infrastructures and speed?
-
Kev
But you're talking about running your own, aren't you?
-
jonasw
what does that have to do with anything?
-
jonasw
with existing cache infrastructtures, I mean global and local resolvers
-
Kev
"Exploiting existing infrastructure" and "bringing your own new infrastructure" don't seem compatible.
-
jonasw
DNS is also easily replicated
-
Kev
Anyway, I don't have a particular reason it needs to not be DNS.
-
Ge0rG
jabber.org doesn't have offline storage :(
-
Kev
It doesn't?
-
Ge0rG
Nope.
-
Kev
I don't remember that being disabled.
-
Ge0rG
At least I get `503 - cancel: Service unavailable` when messaging stpeter
-
Kev
I just tested on myself, and it worked.
-
Ge0rG
I never was able to message stpeter when he wasn't online.
-
jonasw
subscribed?
-
Ge0rG
yep
-
SamWhited
syn?
-
Ge0rG
syn ack
-
SamWhited
syn?
-
SamWhited
wow, took a,long time to send but apparently I can connect for free on Delta flights' terrible wifi.
-
Ge0rG
SamWhited: your `syn?` was delivered twice.
-
mathieui
yeah
-
mathieui
I have that from time to time with conversations
-
SamWhited
odd
-
Holger
SM resume fails so Conversations resends to fail on the safe side?
-
SamWhited
They claim to only allow Whatsapp, Facebook, and sonething else for free but I can use my server and jmp.chat's SI. server, this is rather nice.
-
SamWhited
SIP, even.
-
Ge0rG
Holger: shouldn't it wait for the MUC sync to complete before re-sending?
-
Ge0rG
SamWhited: maybe they are only blocking HTTP(S) ;)
-
Holger
(SM resume fails and the server doesn't include the 'h' attribute with the <failed/> response, that is ...)
-
jonasw
Ge0rG, this muc is anonymous, isn’t it?
-
jonasw
so there’s no point in syncing
-
Holger
Ge0rG: How would that help?
-
Ge0rG
jonasw: right, all bets are off.
-
jonasw
Holger, if you received the history in a non-anon muc you could be sure whether your message got delivered :)
-
Ge0rG
personally, I just ignore impersonation attacks and sync away.
-
Holger
jonasw: Hm with some proper ID (origin-id?) I guess so, yes.
-
marc
Ge0rG, how did our discussion of user invitation URI end? Do we need the "ibr" query parameter?
-
Ge0rG
marc: yes
-
marc
Ge0rG, in what case?
-
marc
I remeber I agreed that we don't need an action parameter :)
-
Ge0rG
marc: the ibr parameter indicates that the preauth token can be used in an IBR request to the server
-
marc
Ge0rG, but the authority part of the URI already indicates it
-
Ge0rG
marc: wait, we are talking of account invitation?
-
Ge0rG
marc: we need a good glossary
-
marc
Ge0rG, no, "account creation" uses the "register" action query :)
-
Ge0rG
marc: so how does the contact invitation indicate ibr?
-
marc
Ge0rG, xmpp://example.com/inviter@example.com?preauth=TOKEN
-
marc
xmpp:inviter@example.com?preauth=TOKEN for client-side PARS
-
moparisthebest
did you mean https for the first one marc ?
-
Ge0rG
marc: so which one of those?
-
marc
Okay, wait
-
marc
Account creation: xmpp://newuser@example.com/inviter@example.com?register;preauth=TOKEN User invitation: xmpp://example.com/inviter@example.com?preauth=TOKEN Client-side PARS: xmpp:inviter@example.com?preauth=TOKEN
-
marc
moparisthebest, no
-
Ge0rG
xmpp:inviter@example.com?preauth=TOKEN;ibr is a perfect match for both second and third use case
-
marc
Ge0rG, no
-
Ge0rG
And the account invitation doesn't need the inviter URL
-
marc
The authority part can indicate the domain to create an account
-
moparisthebest
not really sure the need for all the different urls but I'll just shut up until I see xep :P
-
marc
moparisthebest, no, just ask
-
moparisthebest
well what do each of those do?
-
Ge0rG
marc: you are making it too complicated
-
moparisthebest
and why are there more than one format if all have to be handled by xmpp client?
-
marc
moparisthebest, 1: create an account, 2: invite a user and give the choice to register on the server 3: PARS
-
Ge0rG
marc: stop adding edge cases. If the inviter and invitee domains differ, this is not our use case any more
-
moparisthebest
hmm how is 1 different than 2 ?
-
moparisthebest
like how would you get link #1
-
marc
moparisthebest, #1 is more or like admin stuff
-
moparisthebest
so why isn't it the same?
-
marc
Ge0rG, don't get why this makes it more complicated than using an additional "ibr" parameter
-
moparisthebest
I still don't see any reason for more than 1 url
-
moparisthebest
whatever it may be
-
moparisthebest
it looks like all those have exactly the same info in slightly different formats, why?
-
marc
moparisthebest, no, they don't
-
marc
moparisthebest, because they are different? ;)
-
moparisthebest
what is different
-
moparisthebest
what info do they have?
-
moparisthebest
bet you wish you would have just let me wait for xep now lol
-
moparisthebest
you can go back to ignoring me if you want I don't mind :)
-
marc
moparisthebest, #1: contains the new account JID (newuser@example.com)
-
marc
moparisthebest, #2 contains the domain for IBR (example.com)
-
moparisthebest
do they not all contain domain for IBR ?
-
Ge0rG
marc: just completely delete #2
-
moparisthebest
so looks like 1 & 2 are same except extra useless 'register' and optional account name
-
marc
Ge0rG, we already agreed on it ;)
-
Ge0rG
marc: on deleting it
-
Ge0rG
And implementing the same functionality in #3
-
marc
And IIRC you liked the idea of different domains
-
moparisthebest
what does 'register' get you?
-
marc
moparisthebest, indicates account registration
-
moparisthebest
doesn't newuser@ indicate that?
-
marc
moparisthebest, no, because newuser is optional :P
-
moparisthebest
So what does it do differently
-
marc
moparisthebest, as I said, you could have xmpp://example.com/inviter@example.com?register;preauth=TOKEN
-
marc
But don't tell Ge0rG :D
-
Ge0rG
marc: that won't work if the invitee already has an account!
-
moparisthebest
marc: point being you have to check if they have an account or not already so I think it's useless
-
moparisthebest
And how do you validate it meh
-
marc
Ge0rG, don't get your point
-
marc
Ge0rG, you're talking about #1, right?
-
Ge0rG
marc: no, #2
-
marc
Ge0rG, okay, what's the problem if the invitee already has an account?
-
marc
Why doesn't it work? You just show an dialog to add via the PARS token
-
marc
And show a short button or whatever that the invitee can also create an account on the server
-
Ge0rG
marc: because you need a #3 link for that to work
-
marc
s/short/small
-
marc
Ge0rG, why?
-
marc
Ge0rG, if the server doesn't support this XEP the client can generate #3 itself
-
marc
As fallback, the user doesn't even notice it
-
marc
The same applies if the server doesn't allow IBR for invitation
-
marc
It just sends #3
-
marc
(This is what you describe as server-side PARS in your XEP)
-
Ge0rG
marc: if the server allows ibr and generates the link, I still want it to be in #3 format, because that's most widely supported
-
Ge0rG
marc: if the server allows ibr and generates the link, I still want it to be in #3 format, because that's most widely supported
-
marc
Ge0rG, if these clients are implemented correctly it is even backward compatible ;)
-
marc
Ge0rG, #2 is backward compatible to #3 if you parse the URI properly IMO
-
Ge0rG
marc: no, it's something different
-
marc
Ge0rG, if you correctly parse the #3 URI you would extract the JID from the "path" component
-
marc
The same for #2
-
marc
Ge0rG, in #3 the authority part is empty and the JID in the "path" component
-
Ge0rG
marc: except that #2 has completely weird semantics with a host as the authority
-
Ge0rG
marc: just leave it away, please
-
marc
Ge0rG, that's the sematinc of XMPP URIs
-
marc
Ge0rG, xmpp:///inviter@example.com?preauth=TOKEN if no domain is provided
-
Ge0rG
"this URI points to a jabber server."
-
Ge0rG
marc: xmpp:inviter@domain;preauth;ibr is an invitation to a user JID, with the hint that you can register on that domain
-
marc
Ge0rG, but you can not provide a good argument why that's a better solution ;)
-
Ge0rG
marc: I've provided multiple good arguments multiple times already
-
marc
Ge0rG, both are backward compatible
-
Ge0rG
marc: I'm on my mobile client right now, and I really don't want to repeat them all
-
Ge0rG
marc: there are no clients supporting #2 dnd it has the wrong semantics
-
marc
Ge0rG, #1 has the same wrong semantic then?
-
Ge0rG
marc: #1 is sharing an account on a server
-
marc
Ge0rG, okay, what about xmpp://example.com?register;preauth=TOKEN (#1 without specified username)?
-
Ge0rG
marc: I still think we could completely cover most situations with just #3, but #1 adds some value
-
Ge0rG
marc: nope! Use #3
-
marc
Ge0rG, I'm talking about #1 scenario
-
marc
Ge0rG, is this URI correct?
-
marc
for #1 scenario...
-
marc
No trick question ;) I'll use "ibr" for user invitation
-
Ge0rG
marc: if you don't supply a username, just skip the authority completely
-
marc
Hm, I don't know but we agree on the following: User invitation: xmpp:inviter@example.com?preauth=TOKEN;ibr User invitation (without IBR, server-side PARS) xmpp:inviter@example.com?preauth=TOKEN
-
marc
If the server doesn't support this XEP the client generates #2 itself
-
marc
Okay?
-
Ge0rG
marc: yes
-
marc
Ge0rG, okay, I'll adapt the XEP accordingly
-
Flow
marc, is the (proto)xep online somewhere?
-
Ge0rG
marc: that is exactly what we agreed about, plus account invitation with xmpp://invitee@domain with a token
-
marc
Flow, no, but I can upload it tomorrow or so
-
Flow
+1