XSF Discussion - 2018-02-27


  1. edhelas

    I'm reading the Standards ML, before putting Bookmark to Final would it maybe be wise to update it, like to clarify which method is prefered for storing them ?

  2. flow

    edhelas, isn't that done in xep48 § 3. ?

  3. marc

    hm, if matrix requires an additional push protocol (GCM for Android), is it not possible to use riot without Google services installed?

  4. Ge0rG

    marc: AFAIU it falls back to polling the server.

  5. jonasw

    marc, I think it is, but that ^

  6. marc

    yes, okay :D

  7. Ge0rG

    Life is great, isn't it?

  8. marc

    Ge0rG, it just means to me that it sucks and has a big disadvantage in comparison to XMPP :D

  9. Ge0rG

    marc: what did you expect from HTTP? WebSockets?

  10. daniel

    Well that's what signal does

  11. daniel

    And rocket.chat

  12. marc

    daniel, signal requires GCM and if not available falls back to polling?

  13. daniel

    marc: no. It falls back to websockets

  14. daniel

    The well that was signal does was a response to what Ge0rG said

  15. SaltyBones

    should it be obvious why websockets works?

  16. marc

    websockets allow permanent connections, right?

  17. daniel

    Yeah using websockets is reasonable

  18. Zash

    I wouldn't count on "permanent"

  19. daniel

    Compared to polling http that is

  20. SaltyBones

    oh weird..so the os does the connection part for you and just gives you some magical permanent socket?

  21. Zash

    If that worked, everyone would be doing it

  22. Zash

    I imagine it has the same restrictions on mobile OSes as plain TCP

  23. Ge0rG

    Zash: but better firewall piercing capabilities

  24. moparisthebest

    but only over HTTPS, at which point, you can also just use TLS on 443

  25. Tobias

    https://twitter.com/ivucica/status/968538897604075521

  26. jonasw

    Seve, ^ might be of interest to you

  27. SaltyBones

    I like vvoip

  28. SaltyBones

    had not seend that before

  29. SaltyBones

    unfortunately the distinction is lost in pronounciation

  30. Alex

    will start our Q1 member meeting in 3 minutes

  31. jonasw

    uh

  32. jonasw

    today’s the day

  33. moparisthebest

    slipped my votes in just now, right under the buzzer

  34. Alex

    ;-)

  35. Alex

    okay

  36. Alex bangs the gavel

  37. Alex

    here is our agenda for today: https://wiki.xmpp.org/web/Membership_Applications_Q1_2018

  38. Alex

    sorry here: https://wiki.xmpp.org/web/Meeting-Minutes-2018-02-27

  39. Alex

    let me update the first section and add the vote which just came in

  40. moparisthebest

    (sorry)

  41. Alex

    not a problem

  42. Alex

    1) Call for Quorum

  43. Alex

    as you can see 32 members voted via memberbot

  44. Alex

    so we have a quorum

  45. Alex

    2) Items Subject to a Vote

  46. Alex

    new and returning members, you can see all the applicantions here: https://wiki.xmpp.org/web/Membership_Applications_Q1_2018

  47. Alex

    3) Opportunity for XSF Members to Vote in the Meeting

  48. jonasw

    Alex, did pep. reach out to you?

  49. jonasw

    or did you receive his attempts to reach out?

  50. Alex

    anybody here who has not voted yet, and want to vote in teh meeting?

  51. jonasw

    did the MUC just die or is it just me?

  52. Alex

    jonasw: I don't think so. At least I do not remember

  53. jonasw

    Alex, he tried to reach you sevearl times since memberbot didn’t talk to him :(

  54. jonasw

    he also said that he probably wouldn’t be able to make this meeting though :(

  55. Alex

    my client blocks all messaged from unsubscribed users silently, becuase I get tons of spam

  56. jonasw

    ah I see

  57. Alex

    I he is around we can fix now and get his vote in

  58. jonasw

    I told him to try email though

  59. Alex

    otherwise we fix for the next voting period

  60. Ge0rG

    Alex [20:07]: > my client blocks all messaged from unsubscribed users silently, becuase I get tons of spam This policy fails to work for people with public roles.

  61. jonasw

    Ge0rG, he accepts subscriptions though

  62. jonasw

    also probably not the right time to discuss this

  63. Alex starts counting now, for working on the results

  64. Ge0rG

    Right, sorry.

  65. Alex

    looks like nobody wants to vote

  66. Alex

    Ge0rG: lets put it under otehr business and discuss at the end of our meeting

  67. Alex

    4) Announcement of Voting Results

  68. Alex

    when you reload the page at: https://wiki.xmpp.org/web/Meeting-Minutes-2018-02-27#Announcement_of_Voting_Results you can see the results

  69. Alex

    all new and returning members are accepted

  70. Alex

    congrats to everyone

  71. jonasw

    \o/

  72. Alex

    5) Any Other Business?

  73. jonasw

    Ge0rG, that’s your cue

  74. Alex

    Ge0rG: I use XMPP since the very early days when Jers first server came out. my jabber.org Jid is probably on every spammer list, and its a huge pain for me these days

  75. moparisthebest

    wouldn't a better system than bugging Alex just be to automatically import all member JIDs into memberbot ?

  76. Alex

    sometimes I log in and have 100 spams in the morning

  77. jonasw

    Alex, ugh

  78. moparisthebest

    and, while we have a database of member JIDs, tie that into the wiki and use xmpp for auth, slightly different topic though :)

  79. jonasw

    I fell your pain, even though probably 1.5 orders of magnitude less worse

  80. Ge0rG

    Alex: I'm blocking 99% of spam messages with some simple heuristics, and I had to implement "reject all requests" against presence spam

  81. Alex

    because of the server crash we had last year I lost the whitellist

  82. Guus

    Can we give someone else privs to add people to memberbot?

  83. Guus

    So that we don't depend solely on Alex ?

  84. Alex

    but usually I add all new members to the list, and when people contact me by email or xmpp it takes only some seconds to add them to teh whitelist

  85. Ge0rG

    https://yaxim.org/blog/2017/12/22/spam-reduction-on-yax-dot-im/

  86. moparisthebest

    we have a list of all XSF members surely right?

  87. Alex

    memberbot is pretty smart and support xdata commands for administration

  88. moparisthebest

    can't memberbot just always use that list?

  89. Alex

    Guus: memberbot also has a list of admins IIRC

  90. Alex

    Happy to add someone else who can execute the commands and add peopel to teh whitelist

  91. Ge0rG

    Jabber.org being de facto unmaintained doesn't help much, I suppose

  92. Alex

    its just executing 2 coommands 1) submit the Jid 2) reload the whitelist

  93. Guus

    Alex: add me if you want

  94. Alex

    Guus: done

  95. Alex

    restarting the bot, you can check if commands are working for you

  96. Guus

    Alex: later. Kid just got sock

  97. Guus

    Sick

  98. Guus

    Thanks though

  99. Guus

    Afk

  100. SaltyBones

    Ah, I thought he was a house elf

  101. Alex

    moparisthebest: jave seen this post, and its on my todo list to add this to my personal prosody server, but my main Jid is still on jabber.org

  102. Alex

    I mean Ge0rG ;-)

  103. Alex

    but we have to solve this SPAM problem in general, it could kill our technology when its getting worse

  104. jonasw

    yeah

  105. SaltyBones never gets any spam and feels left out.

  106. jonasw

    SaltyBones, you can have mine

  107. jonasw

    Alex, sent you a subscription request

  108. moparisthebest

    I didn't until I became XSF member and XEP author

  109. moparisthebest

    but that happened around the same time, so I don't know which or both

  110. Alex

    jonasw: accepted, becuase teh Jid did not conatain 3 numbers ;-)

  111. Alex

    6) Formal Adjournment

  112. Alex

    I motion that we adjourn

  113. jonasw

    seems reasonable :)

  114. Kev

    Seconded.

  115. Alex bangs the gavel

  116. Alex

    thanks guys

  117. Kev

    Thanks Alex.

  118. jonasw

    thanks for doing the work and again congrats to all (re-)accepted folks

  119. Alex

    we send out mail to memberslist tomorrow in the AM, and create the applications page for Q2 ASAP

  120. SamWhited

    I was getting a lot of spam for a while, but it was all from 3 or 4 domains that had IBR enabled so I blocked those and now I don't get any. ¯\_(ツ)_/¯

  121. SamWhited

    I don't think I ever got the presence spam that some people get though, so maybe I'm just not on the right lists.

  122. jonasw

    contextswitch: how does XEP-0401 interoperate with the European GDPR thingy? if an offering server provides MAM etc. it would have to acquire explicit consent. Or maybe we need to change clients to make consent to MAM explicit and show the privacy policy of the server beforehands? That would probably require some protocol.

  123. j.r

    I haven't had spam on any of my accounts

  124. Zash

    I got one the other day

  125. Kev

    I know it's not a popular viewpoint, but I still think that signing up for services through web interfaces makes sense, rather than doing it inband.

  126. Zash

    Why not both?

  127. Zash

    We have protocol to register inband, or to redirect to a website from inband.

  128. Alex

    the spam I get since the last ~4 weeks is always from different domains. Some of those domains look very weird and like they just get automatically created only for this purpose

  129. Alex

    sometimes its from "well known" domains which still have IBR open, this is a very low percentage

  130. moparisthebest

    do you have strict s2s requiring encryption and valid certs turned on?

  131. moparisthebest

    I think I'd get a lot more spam judging by my failed s2s logs

  132. Alex

    moparisthebest: its on my jabber.org Jid

  133. moparisthebest

    today for instance: Establishing a secure connection from rosolina.estate to burtrum.org failed

  134. moparisthebest

    what are the chances that's a legit xmpp server? (I haven't checked hehe)

  135. moparisthebest

    well does jabber.org require valid s2s certs and TLS ?

  136. Kev

    No. Requires TLS, but allows dialback.

  137. moparisthebest

    how many legitimate servers don't have valid TLS certs nowadays with letsencrypt?

  138. jonasw

    I run one

  139. jonasw

    because I couldn’t be bothered to set up letsencrypt for that thing

  140. moparisthebest

    I mean illegitimate ones can easly get valid TLS certs from letsencrypt too

  141. jonasw

    it’s still CACert

  142. moparisthebest

    but, I'd say turn it on, force bad admins to stop being lazy

  143. jonasw

    I actually keep it renewed

  144. moparisthebest

    :P

  145. jonasw

    *shrugh*

  146. jonasw

    I’d simply turn off that service instead.

  147. moparisthebest

    it has to be harder for you to renew CACert once than set up letsencrypt

  148. jonasw

    moparisthebest, no

  149. jonasw

    in fact it’s not

  150. jonasw

    letsencrypt is tedious for XMPP

  151. moparisthebest

    besides CACert has always been useless, just self-sign

  152. jonasw

    the only way to do it right is with DNS Challenge

  153. jonasw

    and that’s it’s own ratsnest

  154. jonasw

    *shrug*

  155. Alex

    jonasw: agree

  156. Guus

    jonasw: indees

  157. jonasw

    CACert takes the load of managing signatures off of my head :)

  158. moparisthebest

    it's not, you can use DNS, but I also find it rare that you can't just listen on HTTP

  159. jonasw

    something something CA signature serial I have no idea what I’m even talking about

  160. SaltyBones

    jonasw, switch to letsencrypt

  161. jonasw

    moparisthebest, it’s just wrong to listen on HTTP for chat.domain.example

  162. jonasw

    simple as that.

  163. SaltyBones

    it is easier to maintain and they have certificates that don't use md5...

  164. jonasw

    it’s not an HTTP service.

  165. Alex

    on my personal server I renew the lets sncrypt cert every 3 month and it sucks

  166. jonasw

    I’m not even going to set A/AAAA records up for that.

  167. Alex

    on my k8s clusters with kube lego its awesome

  168. SaltyBones

    Alex, really? I just did it three days ago. "certbot renew" and restarting/reloading a few services...that's it

  169. Alex

    maybe we need to invest a bit more in letsencrypt modules for all mayor servers

  170. jonasw

    yeah

  171. jonasw

    with DNS challenge please.

  172. jonasw

    I’d really love to have a thing which just implements a very trivial DNS server

  173. moparisthebest

    Alex, you manually renew them every 3 months?

  174. jonasw

    and then just delegate to it

  175. Alex

    SaltyBones: I host HTTP on a different server, my DNS provider cannot be automated, so I always have to add TXT records manual for validation which sucks

  176. moparisthebest

    jonasw, why is it wrong to listen on chat.domain.example and only serve 1 thing? :/

  177. SaltyBones

    ah...yeah that's a pain :D

  178. SaltyBones

    I just have apache vhosts for imap and jabber

  179. jonasw

    moparisthebest, because it is not a friggin HTTP service.

  180. Kev

    And then you move the certs from the http server to the xmpp one? :)

  181. jonasw

    Alex, lovely :<

  182. jonasw

    Alex, consider hosting a tiny pdns instance with RFCsoandso support (that DNS update thin>)

  183. SaltyBones

    Kev, that's why it's a pain if the servers are different. Although, given http_upload I suppose a letsencrypt module for servers would not be absurd...

  184. jonasw

    and delegating the _acme-challenge subdomains to it

  185. jonasw

    I do that, it works

  186. moparisthebest

    no Kev , I just have this nginx config on all my servers:

  187. moparisthebest

    server { listen 0.0.0.0:80; listen [::]:80; location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" { default_type text/plain; return 200 "$1.YOUR_LETSENCRYPT_ACCOUNT_KEY_HASH"; } }

  188. moparisthebest

    and all letsencrypt challenges pass without any communication between servers

  189. moparisthebest

    easy and done

  190. Alex

    moparisthebest: it would be easy when I would have a subdomain for my XMPP server, or a domain which I don't use on other servers

  191. SaltyBones

    wait..isn't there something wrong with this? that allows me to get certs for your machine, no?

  192. moparisthebest

    SaltyBones, only if you have my letsencrypt account key

  193. Kev

    moparisthebest: So that on the HTTP server is enough to be able to generate a cert on the XMPP server?

  194. moparisthebest

    which is the same on all servers

  195. SaltyBones

    Oh, is that included in the cert?

  196. moparisthebest

    yes Kev

  197. SaltyBones

    Because I can just say "letsencrypt gimme cert for $yourdomain" and it will go to your domain and check if the file is there, think that it is, give me the cert...no?

  198. moparisthebest

    SaltyBones, this part return 200 "$1.YOUR_LETSENCRYPT_ACCOUNT_KEY_HASH";

  199. moparisthebest

    letsencrypt expects it to return the hash of the requesting key in there

  200. SaltyBones

    kk

  201. moparisthebest

    you'd have to have that key for the challenge to pass

  202. SaltyBones

    so I actually need to prove that I have a key with that hash?

  203. moparisthebest

    so if you hack into my server and steal that key you can get certs for my domains, but, if you hack into a server that's true anyway

  204. moparisthebest

    yep

  205. SaltyBones

    okay

  206. Alex

    this is exactly how all the big web providers handle it in their apache or nginx configurations

  207. Alex

    and part of my problem, because I use PAAS for my HTTP servers, they don't allow me to control the ./sell-known/ route :( The automatcially handly it with their key always

  208. moparisthebest

    ah yea then you have to use the DNS challenge

  209. moparisthebest

    this works perfect in my setup because I have 2 http servers, one for burtrum.org and one for moparisthebest.com, and 1 xmpp server that serves both, so it's nice they don't need to communicate and each can get the proper certs automatically

  210. Kev

    Which only works if you're prepared to set up 'bad' A records for your things like pubsub, MUC etc. pointing to the HTTP server.

  211. moparisthebest

    I guess, all mine just redirect you to the right domain anyway, don't see the harm

  212. moparisthebest

    but if you don't want to mess with it, DNS challenge

  213. daniel

    what clients do support micro blogging?

  214. vanitasvitae

    daniel: afaik the mangosta android app does

  215. SaltyBones

    doesn't movim also support it?