sort of, it's polling based by default, IIRC so even with only two servers in a 1:1 it's not very efficient.
SamWhited
not that it really matters in that case for most people
Holger
Yeah I think everyone runs it 24/7 so there's too little incentive to implement MAM.
Holger
(Er, the message I was responding to was old.)
Zash
Threads plz
Zash
Or an in-reply-to thing
Seve
Or real quotes and not just quotes :)
Ge0rG
Seve: did you talk to KDE yet? 😉
Seve
Not yet, sorry. I've got a lot of work and haven't been able to put my hands on it :(
edhelas
I'll have to work on a new XEP to store the user pubsub subscriptions in a PEP node
edhelas
basically this XEP will be the same as https://xmpp.org/extensions/xep-0333.html
edhelas
https://xmpp.org/extensions/xep-0330.html sorry
edhelas
except that the node will be configured in "whitelist"
jonasw
who would manage that list?
jonasw
the client?
edhelas
the clients
jonasw
hmm
jonasw
wouldn’t it be better to have the server manage it?
edhelas
each time you subscribe to a pubsub node you add your subscription in that list, the same way 0330 is doing
edhelas
jonasw I've mentioned that years ago, this needs deep refactoring of how pubsub is handled in XMPP
Ge0rG
shouldn't the server automatically do the plumbing whenever you change that list, then?
jonasw
edhelas, does it?
Ge0rG
XMPP 2.0!
jonasw
the server can sniff the traffic just like it does for MIX
edhelas
so for now I'm going for this solution, I'm doing that in Movim for a while already
Kev
This is what Dave's PAM is for.
jonasw
alternatively, turn it the other way like Ge0rG suggests (modifications to the PEP node you’re proposing cause subscribes/unsubscribes)
jonasw
Kev, #?
edhelas
jonasw why not
Kev
376
Ge0rG
edhelas: that would conveniently solve multi-client too
edhelas
Ge0rG how do you think this will fit with https://xmpp.org/extensions/xep-0330.html ?
jonasw
oh yes, XEP-0376 looks good
Ge0rG
edhelas: I think it would be good to have a private list for subscription maintenance and a public list which is a subset of that
Flow
I always wonder if PAM couldn't be designed transparent using standard xep60 <subscription/>
jonasw
Flow, yeah, like mix does it
Flow
jonasw, isn't/wasn't MIX supposed to be using PAM for that?
jonasw
I don’t think it does
Flow
IIRC PAM was a result of Dave's and Kev's persistent groupchat discussion
Kev
jonasw: It uses something very like PAM.
Kev
Flow: PAM was a Dave thing that I just jumped on because it makes sense for MIX, IIRC.
Flow
so if it makes sense, then why isn't MIX using it?
Kev
MIX is using the same model, waiting to see if it makes sense to merge into PAM, or keep out.
Kev
" In future, the specifications in this section MAY be moved to a separate XEP or it MAY be incorporated into Pubsub Account Management (XEP-0376) [18] (PAM) which follows a similar model. "
Steve Kille
When I did the MIX editing, there was nothing I could usefully reference, so MIX includes what it needs.
Guus
daniel, regarding your HTTP Upload 0.5 change: As various network components between the HTTP client and server might inject headers of their own, it feels wrong to me to impose a MUST on what headers clients are allowed to add. It implies that this defines the set of headers that the server receives. I suggest dropping the client requirement (as it's not really enforceable), and instead stress on a need for the server to ignore headers other than the allowed set.
jonasw
Guus, did you follow the can-of-worms discussion this was in the last few days :)
jonasw
the argument is that the server could exploit the client to send a request to a third party, for example your home router
jonasw
(essentially use the client as an HTTP proxy into the client's LAN)
Kev
Sounds useful.
jonasw
to reduce the impact of that, the selection of headers was restricted; even though it’s not entirely clear to me how that helps in that scenario, really.
Flow
what jonasw said
jonasw
but Ge0rG kinda insisted on it
Guus
jonasw, I didn't follow that discussion, no.
Zash
Ough
Guus
I'm also not understanding the argument.
Zash
Bottomless can-of-worms?
jonasw
Guus, essentially, it’s something along the lines of the Same Origin Policy enforced by browsers and the Cross-Origin Request Sharing policies
Zash
jonasw: Double infinite bottomless can-of-worms?
Ge0rG
We can't fix web security, we can only restrict how much we are affected by it
daniel
Guus: I don't fully understand the argument either. But I'm not bothered by it and it won't go through council w/o that change
Guus
I'm not seeing how the client being prohibited to send certain headers prevents the server from sending anything it wants, abusive or not.
daniel
And I didn't even put headers into my original http upload
Ge0rG
Guus: with arbitrary headers you will make the xmpp client a reverse proxy for malicious xmpp servers.
daniel
Or let me rephrase that. I understand the problem (broken http interfaces in your local network). I'm not sure that limiting the headers does anything to fix your china router
Guus
can you spell out that attack vector for me Ge0rG?
Guus
(or point me to an archive?)
Ge0rG
Guus: have a look at http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html#host please
Holger
Ge0rG: Aren't large parts of that article about playing with the request URI and the Host header? Which we place no restrictions on at all in XEP-0363?
Guus
How does the client not sending certain headers outwards prevent the server from crafting malicious requests inwards?
Holger
Guus: The reasoning is preventing your XMPP server from crafting malicious HTTP PUT requests performed by your client.
Flow
Guus, hmm? It does not. But it's about the client performing requests
Flow
And those requests are handled by your (broken) home router
Guus
right, now I get it.
Guus
Thanks. I retract my earlier request to change the text :)
Guus
(it was initially unclear to me that the text restricts only the headers-to-be-copied-from-the-server-instructions)
Holger
I get the idea too, I just still don't agree with imposing an arbitrary restriction due to a diffuse feeling this might reduce the impact on an attack performed by your trusted XMPP service we have not yet understood. But meh.
Guus
<lunch>
edhelas
I'd like to know if it's possible to "rename" a pubsub node
edhelas
would be really useful, especially when you have namespaces bump
Holger
edhelas: Won't the namespace usually only be bumped if the node contents change in some way?
edhelas
well sometimes you have clients that are developing features with their own namespace
edhelas
then it gets standardized
edhelas
like for OMEMO and Conversations
jonasw
precisely the reason why the X-* antipattern was deprecated in the IETF
daniel
Just wait for Ge0rG to find out that you can use jingle to port scan your contacts network 😂
daniel
Or have your contact scan other networks
daniel
But we'll just grab the low hanging fruit before we get to the fancy stuff
Ge0rG
daniel: don't make me change my mind on Jingle Ft!
daniel
Idk. I vetoed it anyway
daniel
Not for that particular reason though
Ge0rG
daniel: ah, right. outstanding feedback
daniel
but now i want to write a jingle portscanner. you could even distribute this among your contacts
Holger
Hehe I was thinking about Jingle exploits as well.
jonasw
daniel, build a webrtc portscanner. that should be much more impactful :)
well, SOCKS5 is a proxy protocol. it is meant to be a proxy and open connections, people will probably have put the appropriate security measures on it to prevent abuse
Ge0rG
Also https://github.com/beefproject/beef/wiki/Module:-Port-Scanner
Ge0rG
jonasw: probably.
Holger
jonasw: Well but I meant abusing the SOCKS5 client as a proxy in the Ge0rG sense.
jonasw
oh;
jonasw
how does one trick a socks5 client into doing that?
Holger
jonasw: The server could send the client SI/Jingle initiation requests?
jonasw
I’m probably not familiar how things work here
Holger
The nice thing is that the server could do so actively, rather than waiting for the client to request upload slots.
daniel
Holger, clients might not (auto) accept that though
Holger
Yes it will probably fail because they only support a different Jingle revision anyway.
daniel
:-)
intosi
Hiding/obfuscation of your nickname on your (re)application is an unhelpful thing.
Guus
yet, not new.
intosi
Not new, but that doesn't mean we shouldn't mention it when it happens, nor that we should consider whether we'd even want that.
Guus
Wasn't it Steve Jobs who didn't want his car to be identifiable, and utilizing a legislation loophole where he could drive with a car without a number plate - thus making the car immediately stand out as his, as he was the only one doing that?
intosi
I'm not intimately familiar with the car collections of tech CEOs.
Guus
I always considered N********** to be a playful act.
In Finland we have a saying for this sort of process: climbing a tree butt-first.
MattJ
I went to a Lua meet-up at FOSDEM, and at the end someone asked how the Lua community stayed in touch. "Maybe we should use Telegram?" - I broke down on the spot
Seve
moparisthebest, yeah, decided to change my name here. It felt weird to me to say 'I'm SouL' in person at FOSDEM hah
Seve
I discovered that email because I've been reading all KDE emails regarding their migration from IRC to something else
Neustradamus
Seve: ah ah
moparisthebest
Seve: try saying hi I'm moparisthebest
moparisthebest
I solve that by just never meeting people in real life lol
mathieui
I still haven’t come up with a way of saying my nick in English non-awkwardly
moparisthebest
Also once I had to say lighttpd out loud in person
moparisthebest
Rough if you hadn't considered it before
moparisthebest
MattJ: did you chew them a new one lol
SamWhited is always tempted to change his name to abarthisthebest
SamWhited
or maybe: "acuraisthebestbutonlythensxandoldpreludes"
moparisthebest had to Wikipedia abarth
moparisthebest
I only like American, no replacement for displacement
Seve
MattJ, did you tell them: 'Do you know who are you talking with!?'
Sad to hear that, though.
SamWhited
It wasn't a great comparison… I was trying to think of other car companies that had something like mopar, but I think the others named divisions all actually make cars
moparisthebest
SamWhited: GM is the analogy I always use
moparisthebest
General Motors
SamWhited
Do they have a named division or something like that?
SamWhited
(what do you even call that?)
moparisthebest
Like GM is to Chevrolet, GMC, Buick, Pontiac, Cadillac as Mopar is to Chrysler, Dodge, Jeep, Plymouth
SamWhited
GM is just the parent company of those brands though, isn't it? Mopar just sells parts for Fiat and Chryslers and builds the occasional rally car
SamWhited
GM is to Chevrolet as Fiat is to Jeep or something like that
moparisthebest
Maybe technically but those cars are just collectively called mopars
SamWhited
ah, okay
moparisthebest
And they share plants and engines and such
moparisthebest
The big yearly meet drag race and car show is called the Mopar Nationals etc
SamWhited
GM is to Chevrolet as Fiat is to Mopar then
SamWhited
This is an important classification to get correct in this chat room, obviously.
moparisthebest
Haha so abarth and Chrysler/jeep/Dodge are all seemed by Fiat now looks like
SamWhited
I think Fiat and Chrysler merged, and Chrysler owned Jeep and maybe Dodge? I can never keep it straight.
moparisthebest
Well again business wise maybe, but I'd just call them GM vehicles
moparisthebest
Well it changes yearly I think
SamWhited
Huh, apparently Fiat owns Alfa Romeo too, I didn't realize that
SamWhited
And Lancia, weird. Wish they'd bring them back.
SamWhited goes down the Wikipedia rabbit hole
moparisthebest
Let me know when it loops back around to XMPP, good luck
SamWhited
We were talking about this at work yesterday actually… Wikipedia races where each person starts on a random topic and has to get to a different topic only by clicking links on the page. Shortest path wins.