-
Guus
If a server would like to be able to let its clients look up a semi-static, web-based resource, do we have a mechanism for that?
-
Guus
XEP-0215?
-
jonasw
I’m not sure
-
jonasw
HTTP over XMPP?
-
jonasw
what are you trying to achieve?
-
Seve
The MUC participants list?
-
Guus
I'm trying to let clients figure out the URL for a webrtc conference service that can be used
-
jonasw
ah
-
jonasw
hm
-
jonasw
no idea :-)
-
Ge0rG
put it into the server's disco#items
-
flow
I think the issue is that we have multiple mechanisms for that
-
flow
but basically a well-known location to lookup, if it's disco#info, xep215 or just a defined IQ
-
jonasw
Ge0rG, for it to be useful in disco#items it needs to reply to disco#info (to discover its identity and features)
-
Ge0rG
jonasw: right.
-
flow
is an external webrtc based conference really an identity of an XMPP entity?
-
flow
guess it depends on how tightly coupled they are
-
jonasw
flow, no
-
jonasw
but the issue is that the disco#items item has ~no information
-
flow
jonasw, you mean only crude hacks would allow the URL of the webrtc conference service to be included in disco#info?
-
jonasw
flow, I’m confused
-
flow
yeah, me too
-
flow
so you are actually takling about the item, hmm
-
flow
ok, sure you need a follow up disco#info on the item, as you already said, then you could possibly put the URL into a form field of the disco#info response
-
jonasw
the question is, what would be the JID+node of the item?
-
flow
well if you want MUCs to announce a related webrtc conference, then it would be simply the MUCs bare JID I'd say
-
flow
Guus, does that help?
-
Guus
Sorry, got dragged into a phone call
-
Guus
well, it's not always related to an existing MUC. I'd also like to use this for people to invite each-other into a new 1-on-1 call
-
Guus
Flow brought up the same alternatives as that I found
-
Guus
plain discovery doesn't feel quite right. I'd like to prevent running something custom, so that leaves 0215 - my concern there is that it's highly geared towards STUN/TURN - or at least, that's how I've used it.
-
Guus
I'll try to see where 0215 gets me, and work from there.
-
Guus
Thanks guys.
-
jonasw
\o/
-
jonasw
make sure to report back, so that we can maybe get that Un-Deferred
-
Guus
I've actually implemented it in Openfire
-
Guus
In some setups, Jitsi is also using it
-
Guus
so, yeah, maybe dusting that off isn't the worst idea
-
Guus
I think Prosody has two modules for it
-
Tobias
so what do people do against subscription spam?
-
Holger
One idea is requiring a CAPTCHA ...
-
Tobias
what clients support thatß✎ -
Tobias
what clients support that? ✏
-
Guus
I've actually not had spam in along time
-
Guus
I did blacklist some domains though
-
Tobias
i get 2-3 spam requests a week or so
-
Guus
I'm also reaching out to server admins from where I see spam, with mixed results.
-
Guus
I've added xep-0157 support in the last release of Openfire, which should gradually start to help with that, in the future
-
Zash
I usually check if source servers have in-band registration enabled and if there's any 157 addrs, then block.
-
Guus
and yeah, I want to do the captch thing too, server-sided, but haven't found the time yet.
-
Holger
Tobias: Well you'd include an HTTP(S) URL in the <body/> for those clients that don't support it. (But quite a few do I think.)
-
Zash
captcha-like thing that's just an user-set question with a predefined answer sounded promising, anyone looked into having that serverside?
-
Guus
Zash, there's a XEP for it that appear to cover it pretty well
-
Zash
Oh?
-
Guus
I don't know if I like it's suggestion of tying it in with privacy lists, but at least it's a definition that we can already use, today.
-
Guus
let me find it
-
Guus
-0159
-
Zash
-xep 159
-
Bunneh
Zash: Spim-Blocking Control (Standards Track, Deferred, 2006-07-11) See: https://xmpp.org/extensions/xep-0159.html
-
Guus
it doesn't explicitly tell you to do CAPTCHA, but it does explain how the server-sided blocking process should work, and when it should start spim recognition procedures
-
Seve
I like user-set questions, but the problem on the other hand maybe providing several questions, one for each language you speak, for instance.
-
Seve
I haven't check the XEP though
-
Zash
-xep pars
-
Bunneh
Zash: Pre-Authenticated Roster Subscription (Standards Track, Experimental, 2017-02-16) See: https://xmpp.org/extensions/xep-0379.html
-
Ge0rG
Zash: can we have automatically maintained JID whitelist for all JIDs that a local user ever sent messages to?
-
Ge0rG
Also I really dislike the word "spim".
-
Zash
seriosuly pointless instant messages
-
Guus
Ge0rG, 0159 refers to those lists as 'correspondents lists'
-
Zash
Ge0rG: Technically, with MAM, you do.
-
Zash
`SELECT DISTINCT "with"` pretty much
-
Ge0rG
Zash: are we talking `SELECT DISTINCT with`?
-
Ge0rG
Eww.
-
Ge0rG
That has O(fail) complexity
-
Zash
Ge0rG: My point is, it can be derived from MAM data already.
-
Ge0rG
Zash: except for the "ever" part
-
Holger
Ge0rG: Privacy people won't like you keeping such metadata forever!
-
Zash
Ge0rG: Why tho?
-
Ge0rG
Holger: bloom filters everywhere!
-
Ge0rG
Zash: as a whitelist against incoming spam
-
Holger
Isn't the MAM data is good enough in practice for whitelisting people from anti-spam mechanisms? In case that was the idea.
-
Ge0rG
Holger: maybe, except if you don't use mam
-
Holger
Then you're an unhappy person anyway.
-
Guus
if you haven't talked to someone long enough for them to still be in your mam archive... yeah.
-
Holger
Ge0rG: I'm still bit undecided on whether to like how we can offer an IM solution with server-side storage being optional vs. hating this fact because we need to solve everything twice, for the MAM and for the non-MAM case.
-
Zash
Can't we be happy with rosters (and directed presence) as whitelist?
-
Holger
If I bug you with a Prosody question despite you not being on my roster, I'd prefer you not also having to cope with a CAPTCHA because you're probably annoyed by my question anyway.
-
Zash
We have a chatroom for that :)
-
Holger
But I'm a user, I prefer bugging you in private.
-
Zash
Not that I really believe in CAPTCHAs anyways
-
Holger
Yes they're not the proper solution. But a hack that works better than other hacks, in my book.
-
Holger
I still think the proper solution is SpamAssassin. Auto-classifying traffic based on as many factors as we can get hold of.
-
Holger
Well the proper solution is ditching capitalism.
-
Guus
does SpamAssassin work for non-email environments?
-
Holger
Guus: No I just meant the concept.
-
Guus
kk
-
MattJ
Holger, I'm less convinced that will work with IM, since messages are shorter
-
MattJ
All it takes is spammers to adapt to sending 'Hi' messages, although what they currently send is pretty email-like (whole advert in a self-contained message)
-
Holger
MattJ: But then again we have things email doesn't have, such as the roster, and proper s2s authentication.
-
Guus
There's no one silver bullet here. We'll likely need multiple, partial solutions.
-
Holger
MattJ: The email body is just one of *many* things SpamAssassin looks at.
-
MattJ
That is true, but in any "learning" anti-spam system, it's just going to learn that not being on the roster is a very high indicator of spam
-
MattJ
which is just what we knew already :)
-
MattJ
I can count the number of times I get legitimate out-of-roster messages in a year on the fingers of a single hand
-
Holger
Exactly? I'm just proposing to take all such indicators into account, add them up and divide by 42, look at the resulting score and decide.
-
MattJ
and for a normal user, I'd expect that to be even lower
-
Holger
So you'd rather not look at other indicators and just block strangers or what?
-
Holger
Single hand per year sounds realistic to me (actually it's a bit more for me I think), and I'd rather not kill that communication off.
-
MattJ
No, I'm just saying I don't think the added complexity is worth it compared to a human figuring out the same factors (and there aren't many)
-
Holger
I think there are actually quite a few factors a server can look at but a user can't.
-
Holger
Traffic frequency, blacklists, I don't know.
-
Holger
And I believe we could get a good classification rate without having to bother the user. Like we can for email. I might be wrong of course.
-
Zash
Stick all the classifiers we know into a tag on the message?
-
Zash
Wasn't one of the spam XEPs something like that?
-
Zash
-xep spim markers
-
Bunneh
Zash: Multiple matches: Spim Markers and Reports https://xmpp.org/extensions/inbox/spim.html Spim Markers and Reports https://xmpp.org/extensions/xep-0287.html
-
Zash
Bunneh: how about you skip the inbox one if it's published?
-
Ge0rG
Holger: the problem with a server-side classifier is that it needs to delay messages
-
Holger
Ge0rG: Because?
-
Ge0rG
Holger: to gain sufficient context to identify spam patterns
-
Ge0rG
Holger: like "(presence followed by message with a link) sent to ten users"
-
Holger
Well this sounds like just one of many things you could check, to me. If it seems too undesirable, don't do it.
-
Holger
I heard of someone getting good results with simpler mod_firewall rules.
-
Ge0rG
Holger: mod_firewall can't block presence that comes right before the spam message.
-
Zash
Holger, Ge0rG: It stops being Instant Messaging if you gotta hold on to stuff for checks before delivering.
-
Ge0rG
Zash: let me tell you about the irony of your response taking over three hours.
-
Tobias
:)
-
Zash
I was out
-
Ge0rG
Zash: with CSI, that presence subscription will be delayed anyway.
-
Holger
Subscription request should not be delayed.
-
Ge0rG
Still, I'm sure we could delay spammy looking things for like 10 seconds
-
Ge0rG
And that would give us a window of opportunity to detect spammy patterns
-
Holger
But imagine someone says something WRONG and you can't respond IMMEDIATELY.
-
Zash
THE HORROR
-
Zash
That would just violate the entire purpose of the Internet !
-
Ge0rG
I'll violate the purpose of the internet now and go offline.
-
Guus
Don't overreact guys. There will still be images of cats.
-
moparisthebest
well then spammers would just wait 11 seconds Ge0rG
-
moparisthebest
it's *always* going to be an arms race
-
moparisthebest
there is no solution, only 'good enough for now'
-
Zash
as long as the incentives and the roi are there
-
Holger
https://www.eveonline.com/article/p4g5k3/preparing-for-the-future-retirement-of-eve-voice
-
Kev
OK, this was not a channel I expected to see linking to Eve.
-
Kev
That ejabberd?
-
Holger
No idea.
-
Holger
Ah so I learnt from Neustradamus that this is old stuff. Wasn't aware and the article's date says 2018-02-20 ...
-
SaltyBones
not convinced
-
SaltyBones
the forum thread it links to is also recent
-
Kev
Holger: It's not old stuff, it's newly announced today.
-
Kev
And yes, it's a fork of ejabberd.
-
Kev
Or, at least, CCP have a fork of ejabberd on github.
-
Neustradamus
Kev: Yes but an upgrade of ejabberd, not a new service, XMPP is used since a long time :)
-
Kev
Why would CCP lie?
-
Kev
I think some sort of reference is in order here.
-
Ge0rG
That's something we need to put on our marketing banners either way!
-
Ge0rG
"listen, KDE dudes and dudettes! Eve Online is using xmpp, and you can too!"
-
Guus
as are riot games, right?
-
Guus
League of Legends (or what's it called)?
-
Ge0rG
Guus: yes and yes.
-
Ge0rG
Is there an online gaming imperium running in the matrix?
-
SamWhited
I suspect the KDE peoples use case is significantly different from an online game's chat system, unfortunately
-
SamWhited
Although it's probably still good marketing
-
daniel
Some other game engine (maybe unreal?) also has an xmpp client build in for team chat
-
Ge0rG
I think the strength is rather in match making, where you need to have a real time connection to many thousands users, and not so much for chats in a small team that's exchanging data all the time anyway
-
daniel
Oh yeah that might by right. Just stumbled over the api docs one days. Never really questioned what exactly they are using it for
-
Guus
daniel, game-wise, I know that Quake-live used it.
-
Guus
I'm actually considering parsing the user-input provided in our setup field named 'database URL' to drop [ and ]
-
Guus
The template that we provide is: jdbc:postgresql://[host-name]:5432/[database-name]
-
Guus
we just had someone with problems, connecting to [localhost]
-
moparisthebest
are those valid characters for the database-name part though?
-
moparisthebest
but you could also just change that to HOST-NAME-HERE
-
Guus
I'm guessing that we save more people from their own stupidity than bother those machosists that actually use [ or ] in a database name.
-
moparisthebest
you can change some stuff, but in the end, you can't fix stupid :)
-
Guus
maybe don't ask for the URL, but use explicit fields for hostname and databasename
-
moparisthebest
in my experience that's a bad time, unless you only ever support postgresql or something
-
moparisthebest
because different jdbc drivers take different crazy arguments you can only supply via URL
-
Guus
nah, a couple different ones. but all basically require a host, port and some kind of database identifier. We can change the input field label where needed.
-
moparisthebest
I have to do this for example jdbc:mysql://localhost:3306/rcrdit?user=rcrdit&password=rcrdit&serverTimezone=America/New_York
-
Guus
and the people that want to use a URL, are savvy enough to simply use our XML config instead.
-
Guus
databasename=username=password, nice :)
-
moparisthebest
oracle has a whole thing about using a host:port:instance-or-something vs host:port/service-name
-
moparisthebest
and you can't set those seperately without tying your code exclusively to oracle at compile-time, if you don't just use the URL
-
moparisthebest
yea as long as you keep a URL an option it should be fine
-
moparisthebest
also on everything matching this is example config :)
-
moparisthebest
my point being had to set the serverTimezone in the URL which is obnoxious
-
Guus
(on a side-note: can't you configure that server-side in mysql - something like: 'these are the default client connection params')
-
moparisthebest
you'd think, the jdbc driver still crashed though, didn't look into it much
-
Neustradamus
https://oldforums.eveonline.com/?a=topic&threadID=665867 :)
-
moparisthebest
it's probably like charset in mysql where you have to set it all 16 places
-
Guus
yeah, mysql is fun :)
-
moparisthebest
migrating to postgres has been on my todo list awhile now
-
moparisthebest
hard to fix what ain't broke though when other stuff needs fixing :)
-
Guus
I know the feeling all to well
-
Kev
Neustradamus: What's the relevance of that link?
-
Kev
That Eve corps commonly use XMPP servers for pings is common knowledge, and unrelated to Eve chat.
-
moparisthebest
it says "It's an Instant Messaging server for EVE players, with some EVE API integration."
-
Kev
Some player ran an XMPP server and sold access to Eve players.
-
Kev
I'm still missing the relevance.
-
moparisthebest
ah I see
-
Neustradamus
https://engineering.riotgames.com/news/chat-service-architecture-servers 2015 here
-
pep.
"and thanking opponents for a good game." haha
-
pep.
I'd be interested to have stats for that, I believe insults are more frequent
-
Holger
Neustradamus: Than one I'm aware of, but Riotgames is unrelated to CPP/Eve, no?
-
Kev
Yes.
-
Neustradamus
Kev: http://uu.diva-portal.org/smash/get/diva2:408940/FULLTEXT01.pdf maybe better here?
-
jjrh
If i'm making a online game why on earth would I roll my own chat system when something like XMPP already exists?
-
jjrh
with a long list of deployments serving huge numbers of users :)
-
jjrh
Did RIOT employees ever write or contribute any XEPs?
-
Kev
Is that important? If every user of XMPP needs to write a bunch of XEPs, we're probably not doing a great job.
-
jjrh
no certainly not - just interesting
-
stefandxm
riotgames .. same as riot entertainment? :D
-
stefandxm
"I survived riot entertainment" :o