-
Yagiza
Hello!
-
Yagiza
Is there author of XEP-0363 around?
-
Guus
it'd be helpful if you tell us who that is :)
-
Guus
oh, HTTP File Upload
-
Guus
that's Daniel Gultsch
-
Guus
(His JID is in the XEP, in case you're having trouble reaching him)
-
Guus
he's usually very responsive.
-
daniel
Yes
-
Yagiza
daniel, I'd like to discuss it
-
Yagiza
Guus, I guess, discussing XEPs in the MUC is better than privately
-
Yagiza
daniel, I don't know if this was already discussed, but I believe the XEP is missing file hash support.
-
Yagiza
daniel, how do you feel about adding it?
-
daniel
Yagiza: who should add and who should check the hash?
-
Yagiza
daniel, client should add and server should check
-
Yagiza
The idea is providing file hash in <request/> element instead of or along with file name.
-
Yagiza
A server must check the hash. If it already has file with provided hash, it must reply with <slot/> without <put/> element. Instead, it must contain <exist/> element.
-
Yagiza
Once client received such reply it must consider that file was already uploaded to the server before and should use URL provided in <get/> element to access the file.
-
daniel
So this is about dedup and not integrity?
-
Yagiza
daniel, we may neglect this possibility, like we do it with Avatars, Entity Caps and so on.
-
Yagiza
daniel, even bitcoin neglects possibility of duplicated wallet address. It just generates random hash. Probability of uploading two different files with the same SHA-1 (or SHA-256) on the server is about zero. So, I don't see any problem here.
-
Yagiza
daniel, but we get rid of unnecessary uploads, which is very useful.
-
daniel
Yagiza: I'm gonna keep this in mind in case I'm going to work on the XEP again
-
Yagiza
daniel, ok
-
Yagiza
daniel, if you have no time for that, I can try to make a PR or some other way send updates for the XEP if you like.
-
marc
Keep in mind that this extension may leak "sensitive" information
-
SaltyBones
Yagiza, if you dedup across users make sure to consider the privacy implications.
-
marc
SaltyBones: what I said :)
-
Holger
Ah I thought this was only about your own uploads. And didn't get the point.
-
Holger
Yes you don't want to dedup across users.
-
SaltyBones
marc, I know, just wanted to be explicit. ;)
-
Kev
It looks like a nice way to check if a service has certain files uploaded, yes.
-
Yagiza
SaltyBones, marc, what do you mean? Someone knowing file hash and knowing a server where it is may get access to the file?
-
marc
Yagiza: One would be able to automatically check if a file was shared on the server
-
Holger
Yagiza: What's your use case in practice? You and me uploading the same cat pic?
-
Yagiza
Holger, not only.
-
daniel
Also dog pics
-
Holger
Ah.
-
Yagiza
Holger, 1st use case: I've uploaded a pic, to embed it into my message with XHTML-IM.
-
Yagiza
Holger, then I try to send a message with the same pic to another contact.
-
Kev
In that case you already know the URI and can re-use it?
-
Yagiza
Kev, I must cache those URLs somewhere.
-
goffi
Kev: only if you are on the same device.
-
Yagiza
Kev, but why client must do such stupid things, if a server can?
-
goffi
(and client)
-
Yagiza
goffi, yes
-
Yagiza
Holger, another use case:
-
marc
Yagiza: you could restrict it for own file uploads but it would not work with OMEMO without leaking information I think
-
Holger
So the first use case doesn't cross user boundaries. Sounds like a corner case to me though. Not sure you want a protocol extension for optimizing a corner case.
-
Yagiza
marc, which leaks are you talking about?
-
daniel
marc: well the hash would be on the encrypted file
-
daniel
Which breaks the dedup of course
-
Yagiza
Holger, why not?
-
marc
daniel: indeed
-
goffi
do we have a XEP for storing encrypted files?
-
Holger
Yagiza: Because keep it simple. If you start optimizing corner cases you end up with an unnecessarily bloated extension nobody wants to implement. 0363 is widely adopted because of its simplicity.
-
marc
daniel: you could use the plain file hash but then you have to store the corresponding key on the device which leaks info and has the same issue as without this extension
-
flow
What Holger said
-
Yagiza
Holger, what do you mean by "corner cases" now? What are use cases for this XEP, if not uploading files for sharing (and) reusing links to them?
-
Holger
Yagiza: By my definition, a corner case is one that applies to no more than 7.846 percent of the uploads in practice. According to my crystal ball, your case is way below that threshold.
-
Yagiza
Holger, so, please tell me your vision of use cases of XEP-0363
-
SaltyBones
This is not super interesting in practice because http upload is restricted to small files anyway so reuploading and storing copies is cheap.
-
marc
Yagiza: sharing files is the main goal
-
marc
Asynchronous and across multiple devices
-
marc
And in group chats of course
-
Holger
Yagiza: Sharing cat pics.
-
Holger
Or maybe even dog pics. Daniel seems to support those as well.
-
Holger
So don't tell me I have no great visions!
-
Yagiza
Holger, ok. And when you share cat pics, it's not supposed to share the same pic with different contacts?
-
Holger
Yagiza: 0363 supports that. You just re-upload.
-
SaltyBones
Yagiza, with small files adding dedup is just not worth the effort...
-
jonasw
Yagiza, either re-upload, or keep a cache of the last N links shared in your client
-
jonasw
you can even do that across devices, because you’ll download them for display anyways
-
SaltyBones
Yagiza, if you want to share larger files maybe http_upload is not the right tool for the job?
-
goffi
Yagiza: Jingle-FT is more adapted for bigger file, and it already supports hashes
-
jonasw
if Http upload implementations were using SIMS, you’d even get the hash carbon-copied for free
-
jonasw
so you can easily dedup locally without privacy implications :)
-
Yagiza
Holger, well. The idea is avoiding unnecessary reuploading. And now you're telling that you have to reupload the file. So, why do you call that a corner case, if you admit that the problem is common?
-
Holger
Yagiza: I admitted that? Didn't I already quote my crystal ball?
-
SaltyBones
Yagiza, he is not saying that at all. He said it is uncommon and if it happens you should reupload.
-
Yagiza
SaltyBones, I just want to add optimization where it may be easily implemented. Why do we have such optimizations for avatars, entity caps, BOB and other cases where amounts of data we share is also small?
-
SaltyBones
Yagiza, why do you want to add that optimization?
-
Holger
Yagiza: Your optimization is simple, and so are the next 10 enhancements people might suggest for special use cases. The end result is no longer simple.
-
jonasw
Yagiza, those are vastly different use-cases
-
Yagiza
Holger, so, you don't agree with your crystal ball ;-)
-
jonasw
Yagiza, avatars optimize having to re-download the same avatar of the same entity on each presence update. This is a way more massive optimization than optimizing the upload of a link shared twice which can easily be done by the client itself.
-
Kev
I don't buy that the optimisation is simple, FWIW.
-
Yagiza
SaltyBones, 'cause I like optimizations of course! Optimizations (if they are easy to implement) are always good.
-
Holger
Yagiza: You lost me. Whatever. You didn't convince me it's worth it, and I'd only repeat myself at this point.
-
SaltyBones
Yagiza, that reason is not good enough to justify the work and complexity that it generates.
-
Kev
Clients remembering URIs is a pretty simple optimisation. Server doing hash checking changes the model for how it needs to be implemented on the server.
-
Yagiza
jonasw, IIRC making clients as simple as it possible, leaving all the job to server always was a good idea, wasn't it?
-
Holger
Right, it's not simple on the server side.
-
jonasw
Yagiza, true, but I don’t think that the use-case is even worth the trouble on either
-
Yagiza
SaltyBones, which complexity are you talking about?
-
Holger
Yagiza: The idea wasn't making servers unnecessary complex though.
-
Yagiza
jonasw, which troubles?
-
jonasw
Holger, actually, a very trivial implementation could be: (a) use hash as file name, (b) handle uploads atomically (like rsync does, it’s not too bad), (c) hash check is trivial now
-
jonasw
Yagiza, having to think the privacy implications especially for single-user servers through
-
Holger
jonasw: Sure it could be done.
-
jonasw
that’s not much more complex than what implementations are doing already tbh.
-
jonasw
but I’d be worried about the privacy implications. ideally, the URLs would still be unique and random per user, and that’s where things get complicated
-
Holger
jonasw: But changing an existing model is not trivial no matter how simple the new solution is.
-
jonasw
that can probably not be done without a database anymore (for the reverse lookup (hash, user) -> user_file_url)
-
Yagiza
Holger, server's job become much more complex, if it will check hashes of files it store? Seriously?
-
jonasw
Yagiza, at least it will require a namespace bump
-
jonasw
we don’t want those
-
Holger
jonasw: There's existing code to handle quotas and whatnot.
-
Holger
Yagiza: Yes.
-
jonasw
Holger, on *some* implementations :>
-
Holger
jonasw: So?
-
Yagiza
jonasw, namespace bump? Why?
-
jonasw
Yagiza, you’re going to require the client to send a hash, IIUC
-
Yagiza
jonasw, yes. But all modern clients already have code to calculate SHA-1, 'cause most of XEPs implemented nowadays require it.
-
jonasw
Yagiza, but you still need to change the protocol
-
jonasw
-> namespace bump
-
Kev
jonasw: I don't think that's true.
-
Yagiza
jonasw, but the protocol is still EXPERIMENTAL, so what's the problem?
-
Holger
It *should* be true. 🙂
-
jonasw
Yagiza, it has massive deployment, that’s the problem
-
Holger
(We keep having that discussion.)
-
jonasw
the last namespace bump caused quite a bit of disruption already
-
Kev
Holger: Why should it be true?
-
Kev
You're adding an attribute that it's easy to have backwards compat for being missing.
-
jonasw
Holger, Kev, yeah okay, a namespace bump *or* a discoverable feature; but then the servers are going to complain that they can’t rely on the hash and so on.
-
Kev
No attribute, no de-dup.
-
Kev
I don't see why that should need a bump.
-
SaltyBones
jonasw, isn't the point of the namespaces that bumps shouldn't cause disruption? :)
-
jonasw
SaltyBones, they cause disruption if part of the network stops supporting one specific version
-
jonasw
they don’t cause *erratic* disruption, just well-defined disruption, kinda
-
Kev
SaltyBones: No, the opposite. The point of a bump is to cause disruption.
-
SaltyBones
:)
-
Yagiza
jonasw, anyone, who implement and deploy EXPERIMENTAL XEP's do know that everything may change dramatically from version to version. SO, once again: what's the problem?
-
SaltyBones
In that case I agree.
-
Holger
Kev: I know the idea is ignoring unknown attributes, I just don't like it.
-
SaltyBones
Yagiza, the problem is that you are trying very hard to ignore what people here are saying..
-
jonasw
Yagiza, that users don’t care about EXPERIMENTAL vs. DRAFT. they care that they can’t share their catpics anymore.
-
Yagiza
jonasw, so, why do we need to develop XEP's? Let's just make every XEP FINAL from the beginning to avoid such problems for users.
-
jonasw
Yagiza, I see your point, and I often concur. I’m just not sure your use-case is impactful enough to warrant a breakage. and also the feature creep mentioned by Holger.
-
SaltyBones
Indeed, maybe this XEP shouldn't be experimental anymore if it is practically not experimental anymore.
-
jonasw
if we could batch this up with another breaking change (should another one happen with 0363 before it goes to draft), I think that’d be okay.
-
Yagiza
SaltyBones, I didn't ignore anything, replying to almost every statement. I just want to understand your point of view.
-
jonasw
or making it entirely optional, as Kev suggested.
-
jonasw
might be the case that nobody implements it. which will lead to clients not supporting it and when a server does eventually implement it, they’ll notice that no client can do it and *bam* they drop support of it
-
SaltyBones
jonasw, that's a lot of wasted effort ;)
-
jonasw
yeah
-
jonasw
I try to recall where that kind of thing happened to me… I think with vcard-avatar vs. pep-avatar. or pep-bookmarks vs. private-xml-bookmarks.
-
Yagiza
jonasw, yes. Making it optional is a good idea. But this solution will work even with a DRAFT XEP.
-
jonasw
lots of effort only to realize that nobody supports it.
-
jonasw
anyways, lunch
-
SaltyBones
Yagiza, the problem is that it will always be too much work to do anything if people don't believe that it is necessary. And at least the people in here apparently don't.
-
Yagiza
SaltyBones, I'm not sure. You and Holger. Who else?
-
SaltyBones
You don't have to be sure you can keep discussing but I'm out. ;)
-
Yagiza
Yes. I guess, discussion is over. Everyone, who was interested shared their opinion. Now it's up to daniel, what to do next.
-
SaltyBones
Maybe this is a silly question but what is "Jingle"?
-
goffi
SaltyBones: XEP-0166, or in short a way to establish P2P session
-
Tobias
It's an abstract peer-to-peer signaling protocol based on XMPP
-
Zash
If you are familiar with SIP, it's like that
-
Tobias
just not encoding things in HTTP like headers but in XML
-
SaltyBones
thanks
-
SaltyBones
goffi, and you want to use that to build file sharing?
-
goffi
SaltyBones: yes, it's already working actually
-
SaltyBones
but you have some sort of dedicated, always-on end-point so it's not really p2p, right?
-
goffi
SaltyBones: it can work between 2 devices
-
moparisthebest
if they are on the same LAN and, in practice, in virtually no other case
-
goffi
(but I have also a component to store files, in this case it's not P2P)
-
moparisthebest
otherwise you have to go through a TURN server which seems far worse than http upload
-
moparisthebest
especially if you need such a component to store files, why re-invent http ?
-
Kev
Jingle isn't P2P.
-
Kev
It's a signalling protocol, nothing about it implies it must be P2P (indeed, it's how you negotiate IBB)
-
SaltyBones
goffi, what is this for?
-
moparisthebest
goffi, why is a custom component to store files in any way preferred over an http server?
-
goffi
in my experience the connection is direct most of time. jingle tries to establish P2P, but if it can't it will fall back to other mechanisms (proxy, IBB, ...)
-
goffi
SaltyBones: many things. Keeping file for yourself, sharing with other, transmitting files between devices, etc.
-
SaltyBones
goffi, just install nextcloud?
-
goffi
moparisthebest: I don't want/need the HTTP overhead, jingle FT is good, and there are already XEPs for file sharing
-
goffi
SaltyBones: why installing and maintaining an other software?
-
moparisthebest
what http overhead ?
-
moparisthebest
surely it's far less than anything you'll come up with in jingle/xmpp ?
-
moparisthebest
just the negotiation probably takes far more time than an entire http download
-
Tobias
moparisthebest, additional code to maintain, all the HTTP corner cases. If you don't have HTTP in your project yet it's a reasonable question to ask whether you really need to add the full HTTP support.
-
moparisthebest
in my opinion you should use the right tool for the job without reinventing the wheel if possible, if that job is putting files on a server for multiple clients to download, that tool is http
-
moparisthebest
chances are you already have http in your project, but if not, adding it is surely less code to maintain than a custom xmpp component to store files?
-
goffi
there is already a right tool for that with XMPP, and I'm building a XMPP client
-
SaltyBones
I didn't mean to criticize just curious.
-
goffi
it's OK to criticize, as long as it's not aggressive :)
-
moparisthebest
there is the saying that if all you have is a hammer everything looks like a nail, it's still not always the right tool for the job
-
SaltyBones
So you are building synchronizing on top of jingle ft?
-
Kev
moparisthebest: And that's a significant problem with people thinking everything needs to happen over HTTP, right? :)
-
goffi
SaltyBones: no synchronizing (at least not for now), just sharing files.
-
goffi
and also everything is linked to my XMPP account, so permission is trivial to handle.
-
SaltyBones
goffi, how is file sharing different from file transfer then?
-
Tobias
goffi, +1...getting permissions right with different user groups that fetch stuff via HTTP server gets tricky
-
Holger
The right tool for the job is FTP.
-
moparisthebest
Kev, the reverse is true also, matrix was the opposite mistake :P
-
Kev
Holger: SFTP, I think.
-
Tobias
Holger, right...which is for files, not just for Hypertext
-
goffi
SaltyBones: you can have a list of files, hierarchy, check XEP-0329 it's the one I'm using
-
moparisthebest
FTP is the right tool for no job :P
-
Zash
Nothing wrong with FTP
-
moparisthebest
nothing wrong with SFTP, loads wrong with FTP
-
Tobias
Zash, as long as you tunnel it over HTTPS, right? :)
-
Zash
Hrr
-
SamWhited
Which one is SFTP? Is that file transfer over SSH or FTP over TLS?
-
moparisthebest
over ssh, the other is ftps
-
SamWhited
One day I will remember which one is SFTP and which one is FTPS
-
goffi
(jingle can use HTTP by the way)
-
Zash
sftp isn't related to ftp afaik, other than in purpose
-
moparisthebest
yep completely different
-
moparisthebest
there was a really good rundown of all the reasons FTP is terrible written by the author of a really popular FTP server, but I can't seem to find it now...
-
Zash
Everything is terrible
-
Zash
If you think something isn't terrible, you aren't looking close enough
-
SamWhited
Not everything is equally terrible though. Some things are less terrible than others.
-
moparisthebest
https://mywiki.wooledge.org/FtpMustDie ah there it is
-
SaltyBones
magic wormhole is kind of cute
-
Zash
"It's old, therefore obsolete"
-
Holger
Bashing FTP is so boring.
-
Holger
Yeah.
-
daniel
Complains about FTP being obsolete. Does so on a website that is impossible to read on a mobile phone...
-
moparisthebest
not being usable behind NAT or knowing whether uploads/downloads completed etc is also a thing not great for a file transfer mechanism
-
moparisthebest
it's not just the 'old' part
-
Zash
NAT is the evil here, not FTP
-
Holger
moparisthebest: It's usable behind NAT if your firewall admin isn't stupid, or if you use passive FTP.
-
moparisthebest
not disagreeing with you, but can't change the world
-
SamWhited
It doesn't matter which thing is broken and wrong if the thing I want to use doesn't work. I don't really care whose fault it is or who did or did not work around NATs.
-
Holger
moparisthebest: It's unencrypted if you don't use TLS, just like HTTP.
-
moparisthebest
it also allows data to be unencrypted even if you do use TLS, unless you do special things
-
SamWhited
I am tempted to say that there is no situation in which FTP is the correct tool for the job when rsync exists, except that as far as I can tell the rsync protocol is completely undocumented.
-
SaltyBones
The universal law of users: Whatever changed last is responsible for all problems. :)
-
Holger
moparisthebest: What? I don't know of an FTPS client that requests unencrypted transfer by default.
-
Holger
SamWhited: rsync is *very* expensive.
-
moparisthebest
hopefully not
-
SamWhited
Holger: that's fair
-
SaltyBones
goffi, does the jingle ft understand when your devices are both on lan and then send the file locally?
-
SamWhited
although it's not a problem I run into most of the time, I can see that being an issue if you have older or very limited hardware
-
jjrh
Zash, amen.
-
moparisthebest
anyway this is what I have against jingle for file transfer for, you end up doing complicated negotiation, and then 99.9% of the time uploading to a TURN server anyway
-
moparisthebest
except unlike HTTP, you have to do it multiple times for each resource that wants the file
-
Maranda
FTP? Who uses FTP nowadays anyways...
-
moparisthebest
and if you don't have access to a TURN server it just fails, most xmpp servers support http upload nowadays, many more than have turn servers...
-
jjrh
Maranda, a surprisingly large amount of people.
-
SamWhited
Unencrypted anonymous FTP is still the only decent way I've found of transferring files between my phone and my computer, although I desperately wish there were another way
-
moparisthebest
that's my 2 cents anyway goffi , you are going to put all this work into this amazing software that just won't work on the majority of servers for the majority of users...
-
jjrh
adb push / pull?
-
daniel
SamWhited: locally or over the network?
-
moparisthebest
SamWhited, android phone?
- Maranda thinks he presses that SCP button in SSH clients from quite a while.
-
SamWhited
moparisthebest: yes
-
SamWhited
daniel: either, I normally do it over lan
-
daniel
mtp works fine for me
-
jjrh
mtp is kinda slow
-
SamWhited
yah, mtp always takes forever for me; not sure why.
-
Zash
I use scp/rsync on my phone.
-
daniel
Probably depends on the implementation?
-
daniel
I don't transfer large files though
-
jonasw
mtp doesn’t work for me :(
-
moparisthebest
nextcloud/syncthing or also I had an sftp server on my phone looking now...
-
SamWhited
I tend to be backing up lots of little-to-medium sized files. Pictures and music mostly.
-
jjrh
just do it with ADB
-
moparisthebest
SamWhited, https://arachnoid.com/android/SSHelper/
-
SamWhited
I really should figure out how to do ssh/rsync, that would be nicer.
-
SamWhited
oh hey, that looks promising, thanks.
-
jonasw
jjrh, so the only way to sensibly transfer files from a commodity device to another one is with a CLI command? seriously? :D
-
moparisthebest
that supports ssh/rsync, I recall having permissions issues though...
-
Zash
tarpipes!
-
jonasw
SamWhited, I use KDE Connect and MTP, and if neither works (which happens, annoyingly) I eject the SD card.
-
moparisthebest
haha Zash yes that's actually how I ended up transferring a whole internal sdcard once
-
jjrh
jonasw, of course not. But adb is pretty easy to script, plug in your phone and have a udev rule pull everything.
-
moparisthebest
something like tar [stuff] | adb shell su tar [stuff]
-
moparisthebest
adb over wifi
-
Maranda
and usb file transfers on my phone aren't that slow anyways.
-
Maranda
brb
-
SaltyBones
I have nextcloud. Works fine for small files or if you have time. :)
-
daniel
> SamWhited, https://arachnoid.com/android/SSHelper/ Oh that looks cool. Thx
-
Holger
You guys are all too bored (like me). A useless comment mentioning FTP is enough to spawn a 30 minute discussion on random file transfer issues.
-
Yagiza
Well... is there any XEP, which describes using TURN servers for Jingle FT?
-
SamWhited
This is great, I've already got it working better than the last SSH thing I tried…
-
SamWhited
thanks for the recommendation.
-
moparisthebest
Holger, clearly file transfer is one of the great unsolved problems of computing
-
daniel
Yagiza: the jingle ft xep is agnostic of transport. So it should just work(tm)
-
daniel
I don't know if many people do implement it though
-
Holger
moparisthebest: True. But I think this works with more or less arbitrary IT questions.
-
daniel
Most people use socks
-
moparisthebest
this morning a co-worker was trying to send me a 3kb PDF over skype for business and it wouldn't work, ended up emailing it :'(
-
moparisthebest
also companies pay a lot for that software
-
MattJ
I tried emailing a tarball of .lua files to someone this morning, Gmail rejected it for security reasons and I ended up scp'ing to my server and sending them a URL
-
Yagiza
daniel, I thought Jingle FT uses the same transport types, which SI FT uses: IBB, SOCKS5 and OOB.
-
moparisthebest
so, http upload is the only thing that worked? :P
-
Zash
Yay only the popular thing works because it's popular.
-
Zash
Ya'll know how much I hate things that are popular because of their popularity?
-
moparisthebest
I still agree that sucks, but your choice is just never transfer the file on principle, or, use the way that works
-
SamWhited
It's not popular because of its popularity, it's popular because it's simple and HTTP is a better tool for the job. It was literally made for downloading small files. Sucks for larger files, but most users want to send cat gifs so I don't really care.
-
moparisthebest
you could also use sneakernet with a flash drive, but http is easier
-
goffi
SaltyBones: yes, that's one of the interest of the thing
-
Zash
But it's suffocating everything else :(
-
Zash
We can't have innovation at the lower layers anymore, and that makes me sad
-
moparisthebest
that's true, udp/tcp is all we can ever have
-
moparisthebest
and even then tcp is just getting re-invented over udp with things like QUIC
-
Zash
And soon only TCP/TLS/HTTP
-
goffi
moparisthebest: it's not only with the server, it's also between users (ex. transferring files from your phone to your desktop machine)
-
Maranda
cat gifs 😻 💙
-
Maranda
But didn't someone just want to use BoB for those things :P?
-
Zash
goffi?
-
goffi
Zash: yes?
-
Zash
Wait, wanted to not use bob because of size restrictions
-
goffi
no
-
Yagiza
Maranda, I'm using BOB for small pics. For large pics I need to implement using something like HTTP File Upload.
-
goffi
it's not because of one thumbnail, it's if I want to transfer large amount of pictures/videos
-
goffi
and also to avoid sending them to the server
-
Yagiza
BTW, I don't see a way to use HTTP File Upload for file transfer without using Jingle FT or SI FT as session negotiation protocol.
-
SaltyBones
goffi, I wonder how the fuck that works... :D
-
Maranda
You do..?
-
SamWhited
I don't understand what innovating at the lower layers has to do with this; if you want to innovate and make something better than HTTP, do that. Using a bad thing that's complicated and not the right tool for the job isn't going to make it more likely that you displace HTTP.
-
goffi
SaltyBones: many candidate are tested, with priorities. The direct connection on local network is tried first.
-
Maranda
To me it looked like XEP 363 used PUTs... But maybe I'm just having hallucinations as usual.
-
Maranda
I'm not sure where the Jingleing is required in there 🤔🤔
-
moparisthebest
goffi, it's just highly unlikely p2p will work ever except in the case of LANs, seems odd to optimize for that, but even if you do go that way for p2p transfers, an http server would still be a better place to put uploads than a custom jingle component
-
goffi
the LAN case is one major use case for me.
-
goffi
and in my experience P2P is working quite often
-
goffi
and I have already all jingle implemented, so why should I implement something else ? Specially when there are already XEPs doing what I need
-
goffi
I really don't see the point of the whole discussion, I've implemented something which is working, based on current XEPs and I'm happy with it (except the point I'm trying to solve on standard@).
-
jonasw
goffi, how do you solve broadcast/multicast (MUCs) and retrievability while the user is offline?
-
jonasw
is that the Jingle Component you’re talking about? if so, that’s amazing
-
goffi
MUC is no my use can for now, but anyway I have a component so offline retrieving is not a problem at all.
-
jonasw
I can’t parse that sentence, sorry.
-
goffi
my use case*. Sorry to disturb your parser.
-
moparisthebest
goffi, what transfer method is used if both clients are on different LANs behind NAT ?
-
goffi
moparisthebest: check XEP-0234. Socks5 direct, w/ proxy, IBB in that order.
-
moparisthebest
goffi, and how does this work with multiple clients?
-
moparisthebest
same account logged in on different resources that is
-
goffi
I don't get your question, this always works with different clients.
-
moparisthebest
just super wasteful bandwidth-wise?
-
moparisthebest
you end up uploading it once for each client?
-
goffi
what are you talking about?
-
jonasw
moparisthebest, IIUC, the jingle transfer is handled by a component. the sender uploads once, everyone downloads from component.
-
jonasw
it’s kinda like HTTP Upload, but with Jingle instead of HTTP.
-
moparisthebest
if I want to share a picture from my mobile phone to a contact connected from 5 clients, my phone ends up uploading that once for each client no?
-
Yagiza
moparisthebest, FT XEPs usually used to transfer file from one client to another. Not to share a file.
-
Yagiza
moparisthebest, for file sharing something like HTTP Upload is better.
-
moparisthebest
but this is about file sharing no?
-
Yagiza
moparisthebest, Jingle FT? No.
-
Yagiza
moparisthebest, it's just a modern way to do the same as SI FT does.
-
goffi
I think I'll publish a blog post with schematics to make things clear.
-
jonasw
goffi, sounds like a good plan
-
moparisthebest
Yagiza, I meant goffi's thing, but yea that'd be nice goffi
-
Yagiza
moparisthebest, ah, ok
-
jonasw
what do you folks think about Trust-On-First-Use pinning for certificate public keys for XMPP servers?
-
Zash
It's fine until you change the key for whatever reason.
-
Maranda
Uhhh that annoying iChat disco# bug.
- Maranda pfts.
-
moparisthebest
jonasw, hpkp-type system would be better, there is even a not-yet-submitted xep
-
moparisthebest
I would love that
-
moparisthebest
jonasw, xnyhps is the one who wrote it but I cannot seem to find a copy...
-
jonasw
moparisthebest, NOOOO
-
jonasw
we have TLSA for a reason!
-
moparisthebest
well obviously that's best I agree, but when entire domains never implement DNSSEC...
-
moparisthebest
sorry entire TLDs is what I meant to say
-
Ge0rG
jonasw: I've written a TOFU kind of library for Android back then for yaxim...
-
moparisthebest
TOFU is better than nothing but not as good as HPKP
-
moparisthebest
because you end up asking the user 'SHOULD THE KEY HAVE CHANGED TO THIS CHUNK OF HEX/BASE64: XXXXX'
-
moparisthebest
and they have absolutely no way to tell
-
moparisthebest
as an admin *I* know, and can just set my pins correctly
-
Ge0rG
moparisthebest: yes, server admins are the ones to know that best.
-
Ge0rG
moparisthebest: except for the ones who don't give a yota and have self signed certificates in the first place.
-
Zash
Isn't that being deprecated because people shoot themselves in their foots too often?
-
moparisthebest
they don't go the extra mile and set up pinned keys either, generally
-
moparisthebest
well iirc chrome is dropping support sometime, I still think that's dumb though
-
moparisthebest
you can bet they'll leave it enabled for google owned domains
-
Zash
Isn't that hardcoded in the binary?
-
Zash
As in, not protocol
-
moparisthebest
google ones are iirc
-
Ge0rG
You can get your domain onto the preload list with Google and Mozilla. No idea how that scales.
-
moparisthebest
Ge0rG, only for HSTS, not for HPKP
-
Ge0rG
moparisthebest: oh, I thought you can get both.
-
moparisthebest
HSTS == only ever visit this site via HTTPS and enforce valid CA-issued certs, do not allow click-through bypass
-
moparisthebest
not unless they changed it
-
Ge0rG
You still can bypass HSTS with the hot key formerly known as "badidea"
-
Ge0rG
HSTS is probably easier to scale with a bloom filter, as opposed to having a gazillion of server fingerprints shipped in your binary
-
moparisthebest
mere mortals can't bypass it though, my mom couldn't
-
Ge0rG
Before I learned that trick I couldn't either, and it was bothering me much.
-
moparisthebest
very rarely do you want to bypass it
-
moparisthebest
the whole point is because given the choice, people always click through, and if the site says not to, you shouldn't give people the choice
-
Ge0rG
But *I* do know what I'm doing, sometimes even better than the admin of the site I want to visit.
-
Kev
Actually, it's something I'd like to do quite often.
-
Kev
Because hotels and capture portals.
-
moparisthebest
yea but you nor I are what anyone would consider average computer users
-
moparisthebest
Kev, so you allow the MITM to proceed? or you just mean to get to their terrible agreement page?
-
Kev
I mean to get to the agreement page.
-
Kev
I typically browse to 8.8.8.8 these days.
-
moparisthebest
I usually type in like bob.com for that
-
moparisthebest
but yea bad systems
-
Zash
example.com!
-
daniel
neverssl.com
-
moparisthebest
daniel, nice!
- Ge0rG used to use a large German news portal, but then they switched to https... 😒
-
Guus
someone, invite me to a muc please?
-
daniel
Ge0rG: me too 😁
-
daniel
Would probably be a good business model not to offer ssl on your news site. Then people would use it to get around captive portals and spend time on your website while they're at it
-
jonasw
Ge0rG, heise has SSL by now? :-O
-
moparisthebest
out of curiosity, how many captive portals do you deal with on a weekly basis?
-
moparisthebest
I see 1 or 2 a year :P
-
daniel
moparisthebest: our high speed trains have them
-
moparisthebest
ah, makes sense
-
SamWhited
Lucky you; I see a captive portal basically every time I'm on the bus, train, or in most coffee shops.
-
SamWhited
Not that I take the train much (there is a small one, but it doesn't really go anywhere here) and only some of the busses have wifi, so mostly just coffee shops.
-
moparisthebest
I see them at hotels, but then there are no trains or buses around here and I don't go to coffee shops so...
-
daniel
And yes what Sam says. A lot of coffee shops have them
-
SamWhited
Oh yah, and hotels. Every time I travel.
-
daniel
There is probably a Firefox plugin that can auto accept the standard ones
-
daniel
Or if there isn't there should be
-
daniel
Or just put it in Systemd 😆
-
SamWhited
I have strict revocation checking on in Firefox, which is unfortunate since they all block their own OCSP servers and CRLs.
-
SamWhited
So I generally have to curl to login
-
moparisthebest
the first thing I do on strange networks is connect to my VPN though, not open up firefox
-
Kev
I'm not sure how that would help. You won't be able to VPN until you've clicked through the page.
-
moparisthebest
openconnect/ocserv is great for speed and firewalls
-
moparisthebest
yea it doesn't work, then I know I need firefox...
-
SamWhited
At least one place I go sometimes works by stealing DNS, so if you use a VPN and know your IP (or hardcode 8.8.8.8 or something) then you don't need to sign in…
-
SamWhited
That same place also has "admin:password" for the credentials on the router though, so now I don't have a portal at all and if anyone is eating the coffee shop bandwidth with Bittorrent they get mysteriously QoSed.
-
jonasw
:D
-
moparisthebest
sounds like a case of nephew bob the IT guy setting it up for them
-
Ge0rG
When I'm desperate enough I fire up iodine and tunnel through the captive portal dns
-
moparisthebest
Been meaning to set that up
-
moparisthebest
Sounds awful but as a last resort...