XSF Discussion - 2018-02-08

We lost a few more things in /extensions, such as e.g. gps_datum.html (referenced from XEP-0080)

I'm not quite sure where we should put such files.

Being in /extensions, the xeps repo would be a logical choice, but it feels a little like pollution as well.

If anyone cares to review my minor change to the xeps repo, that would be so kind: https://github.com/xsf/xeps/pull/584

intosi: editors are going to do a batch of work done tonight. if its fine, we'll take care of it then

FWIW, it's only adding building of refs to the Dockerfile, not editorial work really.

But tonight is fine.

vanitasvitae: so you implemented 0392 in Java? https://github.com/pfleidi/yaxim/blob/master/src/org/yaxim/androidclient/util/XEP0392Helper.java

Ge0rG: yep

I'm still missing the mix-colors part and the inversion stuff

vanitasvitae: feel free to steal from me, whatever you need

vanitasvitae: should've asked before :D

Ge0rG: nah, I like the challenge

Also the GPL is incompatible to Apache2 ;)

well if the copyright holder gives you the permission to use his code under a different licence, then it is fine

`static final double`

pep., I also thought about the white-male-thing when remotely participating. I have no idea how to fix that though.

jonasw: apply a color filter to the webex video stream.

given that the IM mission is kinda bringing *people* together, I’m not sure if or if not the (however true it may be) "women prefer 'people' over 'gadgets'" argument should be applicable to the situation. It could be very applicable, because communication is very much about people, but on the other hand, the XSF is a technical standards organization. The potential JSF would probably be more the realm of people who care about the effects of IM more than the means.

also, disclaimer: if I make statements anyone finds offensive, *please* point it out to me, publicly or private.

what was that about? I'm lost

zinid: the paste I linked yesterday

pep., ah, ok

Wow. What the f***ing f***! Four server admins signed in the last 4 hours.

is it too much or too little?

zinid: I'm amazed!

signed in where?

SaltyBones, https://github.com/ge0rg/jabber-spam-fighting-manifesto

Ge0rG, I asked current jabber.ru admin, he should sign soon too

zinid: thanks very much!

Hm. I am unhappy about the Tor discrimination.

I would prefer if this said everybody has to fill out a captcha and not discriminate.

SaltyBones: I'm unhappy with it too. Do you have a really better proposal?

What's wrong with captchas?

SaltyBones: what's *not* wrong with captchas?

They work?

Ge0rG, maybe write something like "care should be taken for Tor exit nodes" ✏

zinid: "Monitor or block registrations from IP addresses with bad reputation (open proxy servers, Tor exit nodes)" means the same as what you wrote.

Ah,

ok, then I don't see the problem

zinid: did you read the manifesto? ;)

Ge0rG, yeah, I just trusted SaltyBones :) I don't remember it word by word

Well, I think this encourages blocking of Tor...

and I don't see discrimination in this case: when we say that care should be taken when using knife we don't discriminate knives

It says "monitor or block" . . . . . . or do something else

And I think monitoring and blocking are shitty and I only want the something else. :)

SaltyBones: 99% of logins from Tor are spammers. 5% from non-Tor are spammers. What now?

I banned all exit nodes on jabber.ru (when I used to be an admin there)

just spam and flood

those, who want to stay anonymous should buy 5$ service like digitalocean

zinid: you can't buy things anonymously

Just say "ask for captchas or similar" and leave out the part where you suggest blocking exit nodes per se.

Ge0rG, you cannot use internet anonymously

Well, you can always use your neighbour's wifi :D

As an occasional Tor user I can tell you that it makes Tor a lot less valuable if it gets blocked everywhere and I think Tor goes a long way towards online anonymity.

Seve/SouL, then you don't need Tor ;)

I'd prefer something like "apply stricter spam rule on tor users"

vanitasvitae: isn't that what the manifesto says?

Ge0rG, just leave out the part about blocking

drama :)

No drama, just discussing

-* Monitor or block registrations from IP addresses with bad reputation +* Monitor and review registrations from IP addresses with bad reputation

"Monitor and review" are virtually the same actions /bikeshedding

Ge0rG, why not Monitor and take corresponding actions?

Well, whatever.

zinid: monitoring is often an automatic process, but review is manual

Ge0rG, as you wish

11:53:27 SaltyBones> As an occasional Tor user I can tell you that it makes Tor a lot less valuable if it gets blocked everywhere and I think Tor goes a long way towards online anonymity. → as an occasional tor user, and a relay operator, but also an XMPP server operator, I think blocking registrations from tor is often necessary

Or to stick with Georg's presentation: general message routing doom :)

XMPP doom!

Doom Over XMPP

XHTML-IM is so 2017

Doom I is so 1993.

I played Doom I a bit on a portable audio player from 2004.

jonasw Rockbox :p

edhelas, exactly.

http://cdn.instructables.com/FZQ/U0RN/FAKWPHHK/FZQU0RNFAKWPHHK.MEDIUM.jpg

I played Monkey Island II on an Xbox 1, when it was still cool.

daniel, okay, so I probably wasn’t there: *my* client would do weird things at least :D

(I’m pretty sure)

(but that can be fixed)

(re vcard presence avatar muc room thing)

oh really? weird

lol

anyway, I will check briefly some clients against ejabberd before commiting

let’s give it a test…

oh wait

if the presence does *not* contain a MUC User element, we’re fine

and I don’t see a reason why it should

so that’s probably fine

what happens though?

will it create a user with a null username?

no

if it doesn’t contain a <x xmlns="that muc user namespace"/> thing, it is ignored entirely

(it’ll probably log something about an unhandled presence, at worst)

i meant if it would include that tag

oh, that would probably lead to quite a bit of breakage

either null user name, or some crash

i see.

probably fix that no matter what :-)

the MUC code itself would probably deal with it just fine, but everything which expects a string for a nickname down the stream/road would be... surprised

yeah, explicitly ignoring bare-JID presences for occupant handling is probably a good idea.

there you go: https://github.com/horazont/aioxmpp/commit/5df66eeafe24047d55d3d6b9b849538674f121e5

Ge0rG, SaltyBones, fwiw, I was talking with a freenode person at fosdem, and she said they were trying to study the "tor issue". ATM they allow tor users if they register first, with registration not via tor iiuc (which defeats the point of tor). She told me they were discussing with tor people to look for ways to solve this

pep.: I'm sure there is no solution to this problem.

Yeah I'm not really optimistic either

...captchas? :)

stfupchas.

Be nice!

Seriously, what's wrong with captchas?

they don’t work

they are an additional step, which always sucks when competing with WhatsDown

Don't work how?

they are not efficient is what I meant to say

SaltyBones, not fond of captchas either, or rather, google-owned captchas, which is the biggest implementation out there. (And probably not any other third-party owned impl. either anyway)

and they are a problem with accessibility

SaltyBones: https://shkspr.mobi/blog/2017/11/captchas-dont-prove-youre-human-they-prove-youre-american/

Also often out-of-band, which is annoying

Their whole point is to be non-efficient and if you want to compete with whatsapp you can just use phone authentication but freenode via tor is a different use case.

SaltyBones, no, with efficient I mean efficient at blocking spam

or abuse in general

when considering the cost to UX and accessibility

(or, if you’re using google, data privacy)

Yes, but if I want to use Tor from freenode I would rather fill out captchas for 3 minutes instead of just being told "no".

Actually if you use Tor you get so many captchas you probably spend more than 10 minutes a day on it. :p

I'd prefer they came up with another solution

pep., So would I but I would prefer this solution to statements like "a solution does not exist". :)

Maybe easy to deploy but as jonasw said, and I as well, it breaks lots of things

It doesn't break them more than breaking them on purpose though...

sorry I didn't catch this

I mean I currently cannot access freenode from my Tor VM, which is more broken than a captcha.

> Actually if you use Tor you get so many captchas you probably spend more than 10 minutes a day on it. :p True. I once tried to use Tor and it was funny experience, never want to repeat it again 😁

Yeah, it's awful...

That's why they distribute these "f*ck cloudflare" stickers. ;)

SaltyBones: I can understand the position cloudflare is taking.

sure, I can too :)

I do not speak for the company, etc. But for what it's worth they have tried really hard to ensure Tor users had a good experience by trying to get buy in from the IETF and W3C on a standard thing that could be done instead. There's an open source extension that implements it and bypasses the captchas.

https://blog.cloudflare.com/cloudflare-supports-privacy-pass/

:o

I will have to try this.

I’ll first try to figure out how that works

"magically identifies you without enabling tracking" sounds too good to be true

Anyway, yes that's another way to solve the problem. just pay in proof-of-work would also be one.

jonasw, it's pretty straightforward crypto magic ;)

SaltyBones: pay in proof-of-work is still not a solution to the spam problem.

https://craphound.com/spamsolutions.txt

Ge0rG, depends I would say

SaltyBones: nope.

SaltyBones: the efficiency difference in PoW between mobile clients and custom ASICs is so horribly high, you can't make any sensible abuse-prevention scheme on top

That's not true. There are plenty of memory-hard hashes that are hard to do in cheap ASICs and even if you assume that they exist you have to consider the expected worth of sending a message which is painfully low for most spam schemes.

even the difference between a desktop/server CPU and a mobile CPU is enough to make it break, I think

also, memory-hard on mobile won’t fly either, SaltyBones

(for certain values of "memory-hard")

scrypt is a memory-hard PoW scheme and there are ASICs for it.

(but those values might be lower for ASICs than for mobile CPUs; GPUs and mobile CPUs is a different story though, now that we’ve reached GPUs with several GiB of memory)

I don't want to play devil's advocate, I generally agree with you.

SaltyBones: when doing PoW on my smartphone, I'm manually implementing things in Java bytecode.

why would you do that in java bytecode?

I'm just saying for many spam schemes the return on value is so low people wouldn't even bother implementing the PoW code. Maybe this assumption is wrong.

SaltyBones, "spamsolutions.txt" seems to suggest that you’re wrong, because one of the reasons is: > ( ) Extreme profitability of spam ✏

MR 20171128T16:55:45Z 000 <Ge0rG>  Okay, just to get some numbers. "I managed to pull around 5.6KHash/sec on my Nexus 7 with all fou r threads." from https://rumorscity.com/2014/01/07/how-to-mine-litecoin-with-android/ MR 20171128T16:56:10Z 000 <Ge0rG>  So we are at ~20 KHashes for a first-contact MR 20171128T17:01:02Z 000 <Ge0rG>  you can rent 500MH/s for three hours for ~3USD. That accounts for 100 Millions spam messages. MR 20171128T17:01:26Z 000 <Ge0rG>  if you price a single spam message at 20KH scrypt.

now I could sift through the spam I get to check how much they charge for 10k XMPP spam message to see if that works out ;-)

jonasw: 20$ for 100k JIDs or so.

so that’s probbaly well within their capabilities

TIL...

I guess I have underestimated the amount of morons who fall for spam by several orders of magnitude...

I also love the "philosophical objection": > ( ) Killing them that way is not slow and painful enough

Ge0rG: where can I get paid for sending spam?

Sounds interesting

zinid: send spam advertising your services

INDEED :D

zinid: I'll tell you for 200$

ha

yeah, maybe it's a ponzi scheme

send spam for money to find customers who will pay you for sending spam

SaltyBones, actually, that’s what has been happening a few months ago for a few months, now they seem to have found customers who actually want to spam something >.>

SaltyBones: blockchain 🤔

(aside from the carding spam which has been there forever)

SaltyBones: it kind of is. "we will scan your forum for jids for $20, and use those jids to send your spam"

zinid, it's about time we had a dedicated blockchain emoji ;)

⏹️⛓️

ha.

SaltyBones: but with a zwj in between

ah what? O_o

a SJW.

Unicode humor

or a jwz?

I don't get it. :(

SaltyBones: https://emojipedia.org/zero-width-joiner/

My alternative carrier path is to remake the emoji movie with more weird unicode humor

Fewer people will get it. But it will actually be funny

"career"?

daniel: did you actually watch that movie?

That one

> daniel: did you actually watch that movie? LOL no

Phew, I was worried for a moment.

Apparently there is a joke about how there is no use case for the eggplant emoji. Which probably tells you a lot about the writers

Ge0rG, I'm having a seizure just reading this crap.

daniel, oh dear

SaltyBones: And it's not even the worst thing about Unicode Emoji.

I’m just sad that there’s no Hydnora visseri emoji. it’d go great with an eggplant.

While I'm around, I am still in a company meeting and might not be able to follow the discussion here.

ralphm, this discussion shoudl also probably be in the off-topic room, sorry.

daniel: you mean the aubergine emoji?

and...

bang?

SaltyBones: http://unicode.org/repos/cldr/trunk/specs/ldml/tr35-general.html#SynthesizingNames will make you puke without end.

Time for a board meeting

hi nyco

hi Guus

(got a stable network this time, we'll see with the clients)

right, board time

Ralphm just mentioned he was busy-ish... Mattj announced that he was likely unavailable now. Martin?

Martin appears offline to me

wel...

on my side, just about the board prios meeting, we finally chose not to do it around summit/fosdem

I'll reschedule

Thanks. As it's just you and me being active now, I propose that we skip this meeting, and try again next week.

archiving: https://trello.com/c/vFYiyf9I/300-summit-sponsoring https://trello.com/c/8XwcLKzf/301-summit-dinner

Martin's on unexpected childcare duty, sorry!

thx Dave Cridland

ah, ok. A random child, or his? ;)

on the big things to do, we got the prios, but also funding/financing and survey

also bus factor on bank account

True, but I don't want to discuss that with just the two of us here.

agree

bye!

thx

see you next week :)

I'll send off a quick mail for posterity

Thx

SamWhited, I think you meant XEP-0137 is Draft, not XEP-0159.

err, oops, yes

The council card is right anyways

Unrelated, https://clojuriststogether.org/ just distributed its first funding round for Clojure projects that are important to the community. I wonder if a similar model would work for the XMPP community, or if we would never end up with enough people to make it sustainable.

/cc Ge0rG

I had some trouble parsing that domain name into words.

Still better than expertsexchange.com (which actually used to be their domain)

SamWhited: it looks like a nice thing, and I'd love to direct some money in the direction of JC (and then to you for auditing it ;))

I do not have the qualifications to reasonably audit code, but thanks for your confidence :)

They appear to be working with an existing non-profit so that people can make donations tax deductable without them having to do all the paperwork and legal nonsense, that's rather nice.

SamWhited: but you have the qualifications to find XSS, which is a good first step

"qualifications" == "basic testing"

SamWhited: is that a non-profit we can apply at as well?

or "copy-pasting"

JabberistsTogether.com now!

Ge0rG: the SFC; alternatively, it could be under the XSF umbrella presumably

Go for it

SamWhited: the XSF barely has the time to do its own work.

Ge0rG: it doesn't have to do anything but file taxes; the conservancy isn't doing work, just being the official business so that the fund can be tax exempt

Although, I say that, presumably they have lawyers who know this stuff and we don't, so maybe something else would be better

Anyways, it's an interesting structure and I think it's a cool idea… now someone else do it!

SamWhited: I have no strong opinions on that, just that I have zero knowledge of US-based non-profits

Ge0rG, to direct money to JC, you can simply use liberapay or patreon, as we learned yesterday or so

jonasw: but I want to direct other people's money

hah

I would want that too, but I’m not sure I’d be so selfless here ;-)

Damn, I barely can follow the "manifesto discussion", yet, you guys are capable of writing a wall of text, lol

just make everyone sign up and pledge 3$ / month

it has to start somewhere, right?

heck, let everyone pledge half the amount that they spend on <luxury item x> in the same period

Guus, okay, find an X and I’ll consider it

jonasw: coffee? fastfood? games on your smartphone? candy?

Obscure cheese only produced in a small village near where I live?

I don’t drink coffee, I avoid fastfood, I don’t have any paid apps on my smartphone. You might’ve got me with candy though.

comics? board games? legos?

movie tickets? concert tickets?

do components for hobby projects count? ✏

Look at mr rich over here

whatever you want counts :)

if so, I’m screwed ;-)

I'm just trying to make the point that if you're happy to spend money on <luxury item x>, spending some of it on XMPP is probably OK for you too. If it's not, it's not - that's up to you - but this logic works for myself :)

a hobby is by definition something that can consume infinite money

Guus, I have a similar opinion in general, but I like to believe that due to my own contributions to XMPP software I’m exempt from that. You’re being a counter-example here and that’s making me uncomfortable ;-)

Ge0rG, what if your job is your hobby? :)

Then you are doomed

or lucky, depends.

zinid: it's not possible. it's a job if you end up with more money than before, and a hobby if it takes money

because then you’ve actually one of those rare hobbies which actually pay more than they cost you :<

jonasw: it's really up to you, and no-one else- to tell you if you're comfortable with donating any amount of money or time.

Ge0rG: Pretty sure the tax rules are more complicated than that

I for one am insanely grateful for all the time that you're putting in.

Ge0rG, ah, so this is a question of definition, ok

Guus, I know that, it just starts some thought process.

zinid: yes. In the end, you have a great job.

jonasw, I'm personally trying to avoid to think along the lines of: "I'm doing this so that I don't have to do that", but rather "what type/amount of resources am I willing to spend on this?"

Guus, that makes sense

hm

speaking of things I do

I put some XEP into last call and forgot to send that email

I probably have to move the LC end date by a few days now

*cooks some Brussels sprouts*

cooking sounds like a great idea actually

Thought so :)

jonasw: Why another LC on 280?

Ge0rG, council switch

feel free :D

I’m just the mechanic in this case

:)

Ge0rG, so how will we blocklist spam servers?

I like the idea of test day, so we probably need some mechanism by then

blockchain

(sorry)

you're not serious :(

IIRC jonasw suggested a DNS blacklist maintained by him and ... others.

yeah, I heard about DNS blacklist, who will maintain it? :)

probably "him and others" :)

I think he was asking for volunteers but nobody responded.

Not sure.

Holger: I will

zinid: prosody can firewall all traffic from a list of domains placed in a http or local text file.

zinid: tell me your domain and I'll blacklist you

yeah, because local text files is a best source of distributed data

Ge0rG, the domain is yax.im

mod_firewall can fetch lists via http (periodically)

Zash, these are details, the question is who will maintain the list?

who will add entries?

who will process deletion requests?

Someone else™

But in all seriousness, that's a thing that wound need figuring out

we haven't figured out enough yet?

I'm wondering if we could partner with any of the existing spam list orgs

last time I operated an email server a decade ago, so I don't even know how it's done now and who manages that

Zash, spamhaus is doof, sorbs seem to be reasonable at least

doof?

zinid: nice try.

Department of ooooo fffff?

zinid, probably not an adjective which is used frequently by Till Lindemann. it means dumb or silly or something in that order.

Ge0rG, you have more stars than signers btw

zinid: I feel like Donald Trump!

Something something russian bots?

Zash: more stars than supporters

zinid: ping

yeah, with some german bots

.

oh

it works finally

just was very slow

zinid, I starred, but I won’t sign, because I don’t operate a public server

I think that makes sense

jonasw, yeah, me too

I'm just joking

ping

what's wrong with this conference?

ping

what

who's there?

What the <--- jonasw has left the room (the MUC server is not responding)

Bunneh: ping muc.xmpp.org

Zash: Pong from muc.xmpp.org in 0.144 seconds

Zash, yeah, poezio wasn’t happy

I sent a mail to the list with an inline image but it does not appear to have arrived. I don't see it in the pending moderation queue and it doesn't appear to match any of the content type rejection rules (it's just a png). Any idea where it might have gone?

nevermind, just being *really* slow today.

SamWhited: Hm, that graph could do with some colors on the nodes for states...