-
SamWhited
sort of, it's polling based by default, IIRC so even with only two servers in a 1:1 it's not very efficient.
-
SamWhited
not that it really matters in that case for most people
-
Holger
Yeah I think everyone runs it 24/7 so there's too little incentive to implement MAM.
-
Holger
(Er, the message I was responding to was old.)
-
Zash
Threads plz
-
Zash
Or an in-reply-to thing
-
Seve
Or real quotes and not just quotes :)
-
Ge0rG
Seve: did you talk to KDE yet? 😉
-
Seve
Not yet, sorry. I've got a lot of work and haven't been able to put my hands on it :(
-
edhelas
I'll have to work on a new XEP to store the user pubsub subscriptions in a PEP node
-
edhelas
basically this XEP will be the same as https://xmpp.org/extensions/xep-0333.html
-
edhelas
https://xmpp.org/extensions/xep-0330.html sorry
-
edhelas
except that the node will be configured in "whitelist"
-
jonasw
who would manage that list?
-
jonasw
the client?
-
edhelas
the clients
-
jonasw
hmm
-
jonasw
wouldn’t it be better to have the server manage it?
-
edhelas
each time you subscribe to a pubsub node you add your subscription in that list, the same way 0330 is doing
-
edhelas
jonasw I've mentioned that years ago, this needs deep refactoring of how pubsub is handled in XMPP
-
Ge0rG
shouldn't the server automatically do the plumbing whenever you change that list, then?
-
jonasw
edhelas, does it?
-
Ge0rG
XMPP 2.0!
-
jonasw
the server can sniff the traffic just like it does for MIX
-
edhelas
so for now I'm going for this solution, I'm doing that in Movim for a while already
-
Kev
This is what Dave's PAM is for.
-
jonasw
alternatively, turn it the other way like Ge0rG suggests (modifications to the PEP node you’re proposing cause subscribes/unsubscribes)
-
jonasw
Kev, #?
-
edhelas
jonasw why not
-
Kev
376
-
Ge0rG
edhelas: that would conveniently solve multi-client too
-
edhelas
Ge0rG how do you think this will fit with https://xmpp.org/extensions/xep-0330.html ?
-
jonasw
oh yes, XEP-0376 looks good
-
Ge0rG
edhelas: I think it would be good to have a private list for subscription maintenance and a public list which is a subset of that
-
Flow
I always wonder if PAM couldn't be designed transparently using standard xep60 <subscription/>
-
jonasw
Flow, yeah, like mix does it
-
Flow
jonasw, isn't/wasn't MIX supposed to be using PAM for that?
-
jonasw
I don’t think it does
-
Flow
IIRC PAM was a result of Dave's and Kev's persistent groupchat discussion
-
Kev
jonasw: It uses something very like PAM.
-
Kev
Flow: PAM was a Dave thing that I just jumped on because it makes sense for MIX, IIRC.
-
Flow
so if it makes sense, then why isn't MIX using it?
-
Kev
MIX is using the same model, waiting to see if it makes sense to merge into PAM, or keep out.
-
Kev
" In future, the specifications in this section MAY be moved to a separate XEP or it MAY be incorporated into Pubsub Account Management (XEP-0376) [18] (PAM) which follows a similar model. "
-
Steve Kille
When I did the MIX editing, there was nothing I could usefully reference, so MIX includes what it needs.
-
Guus
daniel, regarding your HTTP Upload 0.5 change: As various network components between the HTTP client and server might inject headers of their own, it feels wrong to me to impose a MUST on what headers clients are allowed to add. It implies that this defines the set of headers that the server receives. I suggest dropping the client requirement (as it's not really enforceable), and instead stressing the need for the server to ignore headers other than the allowed set.
-
jonasw
Guus, did you follow the can-of-worms discussion this was in the last few days :)
-
jonasw
the argument is that the server could exploit the client to send a request to a third party, for example your home router
-
jonasw
(essentially use the client as an HTTP proxy into the clients LAN)
-
Kev
Sounds useful.
-
jonasw
to reduce the impact of that, the selection of headers was restricted; even though it’s not entirely clear to me how that helps in that scenario, really.
-
Flow
what jonasw said
-
jonasw
but Ge0rG kinda insisted on it
-
Guus
jonasw, I didn't follow that discussion, no.
-
Zash
Ough
-
Guus
I'm also not understanding the argument.
-
Zash
Bottomless can-of-worms?
-
jonasw
Guus, essentially, it’s something along the lines of the Same Origin Policy enforced by browsers and the Cross-Origin Request Sharing policies
-
Zash
jonasw: Double infinite bottomless can-of-worms?
-
Ge0rG
We can't fix web security, we can only restrict how much we are affected by it
-
daniel
Guus: I do not fully understand the argument either. But I'm not bothered by it and it won't go through council w/o that change
-
Guus
I'm not seeing how the client being prohibited to send certain headers prevents the server from sending anything it wants, abusive or not.
-
daniel
And I didn't even put headers into my original http upload
-
Ge0rG
Guus: with arbitrary headers you will make the xmpp client a reverse proxy for malicious xmpp servers.
-
daniel
Or let me rephrase that. I understand the problem (broken http interfaces in your local network). I'm not sure that limiting the headers does anything to fix your China router
-
Guus
can you spell out that attack vector for me Ge0rG?
-
Guus
(or point me to an archive?)
-
Ge0rG
Guus: have a look at http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html#host please
-
Holger
Ge0rG: Aren't large parts of that article about playing with the request URI and the Host header? Which we place no restrictions on at all in XEP-0363?
-
Guus
How does the client not sending certain headers outwards prevent the server from crafting malicious requests inwards?
-
Holger
Guus: The reasoning is preventing your XMPP server from crafting malicious HTTP PUT requests performed by your client.
-
Flow
Guus, hmm? It does not. But it's about the client performing requests
-
Flow
And those requests are handled by your (broken) home router
-
Guus
right, now I get it.
-
Guus
Thanks. I retract my earlier request to change the text :)
-
Guus
(it was initially unclear to me that the text restricts only the headers-to-be-copied-from-the-server-instructions)
-
Holger
I get the idea too, I just still don't agree with imposing an arbitrary restriction due to a diffuse feeling this might reduce the impact on an attack performed by your trusted XMPP service we have not yet understood. But meh.
-
Guus
<lunch>
-
edhelas
I'd like to know if it's possible to "rename" a pubsub node
-
edhelas
would be really useful, especially when you have namespaces bump
-
Holger
edhelas: Won't the namespace usually only be bumped if the node contents change in some way?
-
edhelas
well sometimes you have clients that are developing features with their own namespace
-
edhelas
then it gets standardized
-
edhelas
like for OMEMO and Conversations
-
jonasw
precisely the reason why the X-* antipattern was deprecated in the IETF
-
daniel
Just wait for Ge0rG to find out that you can use jingle to port scan your contacts network 😂
-
daniel
Or have your contact scan other networks
-
daniel
But we'll just grab the low hanging fruit before we get to the fancy stuff
-
Ge0rG
daniel: don't make me change my mind on Jingle Ft!
-
daniel
Idk. I vetoed it anyway
-
daniel
Not for that particular reason though
-
Ge0rG
daniel: ah, right. outstanding feedback
-
daniel
but now i want to write a jingle portscanner. you could even distribute this among your contacts
-
Holger
Hehe I was thinking about Jingle exploits as well.
-
jonasw
daniel, build a webrtc portscanner. that should be much more impactful :)
-
Holger
Or SI/SOCKS5.
-
Ge0rG
https://medium.com/hownetworks/how-did-i-turn-my-browser-into-a-port-scanner-tricksy-but-doable-c37db85f9adc
-
jonasw
well, SOCKS5 is a proxy protocol. it is meant to be a proxy and open connections, people will probably have put the appropriate security measures on it to prevent abuse
-
Ge0rG
Also https://github.com/beefproject/beef/wiki/Module:-Port-Scanner
-
Ge0rG
jonasw: probably.
-
Holger
jonasw: Well, but I meant abusing the SOCKS5 client as a proxy in the Ge0rG sense.
-
jonasw
oh;
-
jonasw
how does one trick a socks5 client into doing that?
-
Holger
jonasw: The server could send the client SI/Jingle initiation requests?
-
jonasw
I’m probably not familiar how things work here
-
Holger
The nice thing is that the server could do so actively, rather than waiting for the client to request upload slots.
-
daniel
Holger, clients might not (auto) accept that though
-
Holger
Yes it will probably fail because they only support a different Jingle revision anyway.
-
daniel
:-)
-
intosi
Hiding/obfuscation of your nickname on your (re)application is an unhelpful thing.
-
Guus
yet, not new.
-
intosi
Not new, but that doesn't mean we shouldn't mention it when it happens, nor that we should consider whether we'd even want that.
-
Guus
Wasn't it Steve Jobs who didn't want his car to be identifiable, and utilized a legislation loophole where he could drive a car without a number plate - thus making the car immediately stand out as his, as he was the only one doing that?
-
intosi
I'm not intimately familiar with the car collections of tech CEOs.
-
Guus
I always considered N********** to be a playful act.
-
Guus
https://thenextweb.com/apple/2011/10/27/mystery-solved-why-steve-jobs-car-never-had-a-license-plate/
-
intosi
Amusing :)
-
jonasw
I don’t even know who that N****+ is
-
Ge0rG
or what?
-
Guus
Go down the occupants list of this room, and you'll figure it out :)
-
jonasw
Guus, unless I’m stupid, there’s none whose nickname length matches
-
mathieui
there’s a letter missing I think
-
mathieui
two levels of obfuscation!
-
Guus
I didn't count, but rough comparison will do :)
-
Dave Cridland
French... N***... It's Nÿco, right?
-
SaltyBones
this discussion is exhausting
-
SaltyBones
my brain autocompletes "N****" like "the N word" and this is all very inappropriate
-
pep.
Dave Cridland: there's another French N
-
mathieui
I like how nobody wants to invoke Neu stradamus
-
Neustradamus
:D
-
Seve
https://listarchives.libreoffice.org/global/projects/msg02257.html
-
moparisthebest
Wait Seve you are soul?
-
Guus
yes he is
-
moparisthebest
Ah ok was confused, I hate name changes :)
-
moparisthebest
That email has the best quote ever
-
moparisthebest
In Finland we have a saying for this sort of process: climbing a tree butt-first.
-
MattJ
I went to a Lua meet-up at FOSDEM, and at the end someone asked how the Lua community stayed in touch. "Maybe we should use Telegram?" - I broke down on the spot
-
Seve
moparisthebest, yeah, decided to change my name here. It felt weird to me to say 'I'm SouL' in person at FOSDEM hah
-
Seve
I discovered that email because I've been reading all KDE emails regarding their migration from IRC to something else
-
Neustradamus
Seve: ah ah
-
moparisthebest
Seve: try saying hi I'm moparisthebest
-
moparisthebest
I solve that by just never meeting people in real life lol
-
mathieui
I still haven’t come up with a way of saying my nick in english non-awkwardly
-
moparisthebest
Also once I had to say lighttpd out loud in person
-
moparisthebest
Rough if you hadn't considered it before
-
moparisthebest
MattJ: did you chew them a new one lol
- SamWhited is always tempted to change his name to abarthisthebest
-
SamWhited
or maybe: "acuraisthebestbutonlythensxandoldpreludes"
- moparisthebest had to Wikipedia abarth
-
moparisthebest
I only like American, no replacement for displacement
-
Seve
MattJ, did you tell them: 'Do you know who are you talking with!?' Sad to hear that, though.
-
SamWhited
It wasn't a great comparison… I was trying to think of other car companies that had something like mopar, but I think the others named divisions all actually make cars
-
moparisthebest
SamWhited: GM is the analogy I always use
-
moparisthebest
General Motors
-
SamWhited
Do they have a named division or something like that?
-
SamWhited
(what do you even call that?)
-
moparisthebest
Like GM is to Chevrolet, GMC, Buick, Pontiac, Cadillac as Mopar is to Chrysler, Dodge, Jeep, Plymouth
-
SamWhited
GM is just the parent company of those brands though, isn't it? Mopar just sells parts for Fiat and Chryslers and builds the occasional rally car
-
SamWhited
GM is to Chevrolet as Fiat is to Jeep or something like that
-
moparisthebest
Maybe technically but those cars are just collectively called mopars
-
SamWhited
ah, okay
-
moparisthebest
And they share plants and engines and such
-
moparisthebest
The big yearly meet drag race and car show is called the Mopar Nationals etc
-
SamWhited
GM is to Chevrolet as Fiat is to Mopar then
-
SamWhited
This is an important classification to get correct in this chat room, obviously.
-
moparisthebest
Haha so abarth and Chrysler/jeep/Dodge are all seemed by Fiat now looks like
-
SamWhited
I think Fiat and Chrysler merged, and Chrysler owned Jeep and maybe Dodge? I can never keep it straight.
-
moparisthebest
Well again business wise maybe, but I'd just call them GM vehicles
-
moparisthebest
Well it changes yearly I think
-
SamWhited
Huh, apparently fiat owns Alfa Romeo too, I didn't realize that
-
SamWhited
And Lancia, weird. Wish they'd bring them back.
- SamWhited goes down the Wikipedia rabbit hole
-
moparisthebest
Let me know when it loops back around to XMPP, good luck
-
SamWhited
We were talking about this at work yesterday actually… wikipedia races where each person starts on a random topic and has to get to a different topic only by clicking links on the page. Shortest path wins.
-
SamWhited
Fiat to XMPP would be a good one
-
moparisthebest
That would be fun to program