XSF Discussion - 2018-02-27

I'm reading the Standards ML, before putting Bookmark to Final would it maybe be wise to update it, like to clarify which method is prefered for storing them ?

edhelas, isn't that done in xep48 § 3. ?

hm, if matrix requires an additional push protocol (GCM for Android), is it not possible to use riot without Google services installed?

marc: AFAIU it falls back to polling the server.

marc, I think it is, but that ^

yes, okay :D

Life is great, isn't it?

Ge0rG, it just means to me that it sucks and has a big disadvantage in comparison to XMPP :D

marc: what did you expect from HTTP? WebSockets?

Well that's what signal does

And rocket.chat

daniel, signal requires GCM and if not available falls back to polling?

marc: no. It falls back to websockets

The well that was signal does was a response to what Ge0rG said

should it be obvious why websockets works?

websockets allow permanent connections, right?

Yeah using websockets is reasonable

I wouldn't count on "permanent"

Compared to polling http that is

oh weird..so the os does the connection part for you and just gives you some magical permanent socket?

If that worked, everyone would be doing it

I imagine it has the same restrictions on mobile OSes as plain TCP

Zash: but better firewall piercing capabilities

but only over HTTPS, at which point, you can also just use TLS on 443

https://twitter.com/ivucica/status/968538897604075521

Seve, ^ might be of interest to you

I like vvoip

had not seend that before

unfortunately the distinction is lost in pronounciation

will start our Q1 member meeting in 3 minutes

uh

today’s the day

slipped my votes in just now, right under the buzzer

;-)

okay

here is our agenda for today: https://wiki.xmpp.org/web/Membership_Applications_Q1_2018

sorry here: https://wiki.xmpp.org/web/Meeting-Minutes-2018-02-27

let me update the first section and add the vote which just came in

(sorry)

not a problem

1) Call for Quorum

as you can see 32 members voted via memberbot

so we have a quorum

2) Items Subject to a Vote

new and returning members, you can see all the applicantions here: https://wiki.xmpp.org/web/Membership_Applications_Q1_2018

3) Opportunity for XSF Members to Vote in the Meeting

Alex, did pep. reach out to you?

or did you receive his attempts to reach out?

anybody here who has not voted yet, and want to vote in teh meeting?

did the MUC just die or is it just me?

jonasw: I don't think so. At least I do not remember

Alex, he tried to reach you sevearl times since memberbot didn’t talk to him :(

he also said that he probably wouldn’t be able to make this meeting though :(

my client blocks all messaged from unsubscribed users silently, becuase I get tons of spam

ah I see

I he is around we can fix now and get his vote in

I told him to try email though

otherwise we fix for the next voting period

Alex [20:07]: > my client blocks all messaged from unsubscribed users silently, becuase I get tons of spam This policy fails to work for people with public roles.

Ge0rG, he accepts subscriptions though

also probably not the right time to discuss this

Right, sorry.

looks like nobody wants to vote

Ge0rG: lets put it under otehr business and discuss at the end of our meeting

4) Announcement of Voting Results

when you reload the page at: https://wiki.xmpp.org/web/Meeting-Minutes-2018-02-27#Announcement_of_Voting_Results you can see the results

all new and returning members are accepted

congrats to everyone

\o/

5) Any Other Business?

Ge0rG, that’s your cue

Ge0rG: I use XMPP since the very early days when Jers first server came out. my jabber.org Jid is probably on every spammer list, and its a huge pain for me these days

wouldn't a better system than bugging Alex just be to automatically import all member JIDs into memberbot ?

sometimes I log in and have 100 spams in the morning

Alex, ugh

and, while we have a database of member JIDs, tie that into the wiki and use xmpp for auth, slightly different topic though :)

I fell your pain, even though probably 1.5 orders of magnitude less worse

Alex: I'm blocking 99% of spam messages with some simple heuristics, and I had to implement "reject all requests" against presence spam

because of the server crash we had last year I lost the whitellist

Can we give someone else privs to add people to memberbot?

So that we don't depend solely on Alex ?

but usually I add all new members to the list, and when people contact me by email or xmpp it takes only some seconds to add them to teh whitelist

https://yaxim.org/blog/2017/12/22/spam-reduction-on-yax-dot-im/

we have a list of all XSF members surely right?

memberbot is pretty smart and support xdata commands for administration

can't memberbot just always use that list?

Guus: memberbot also has a list of admins IIRC

Happy to add someone else who can execute the commands and add peopel to teh whitelist

Jabber.org being de facto unmaintained doesn't help much, I suppose

its just executing 2 coommands 1) submit the Jid 2) reload the whitelist

Alex: add me if you want

Guus: done

restarting the bot, you can check if commands are working for you

Alex: later. Kid just got sock

Sick

Thanks though

Afk

Ah, I thought he was a house elf

moparisthebest: jave seen this post, and its on my todo list to add this to my personal prosody server, but my main Jid is still on jabber.org

I mean Ge0rG ;-)

but we have to solve this SPAM problem in general, it could kill our technology when its getting worse

yeah

SaltyBones, you can have mine

Alex, sent you a subscription request

I didn't until I became XSF member and XEP author

but that happened around the same time, so I don't know which or both

jonasw: accepted, becuase teh Jid did not conatain 3 numbers ;-)

6) Formal Adjournment

I motion that we adjourn

seems reasonable :)

Seconded.

thanks guys

Thanks Alex.

thanks for doing the work and again congrats to all (re-)accepted folks

we send out mail to memberslist tomorrow in the AM, and create the applications page for Q2 ASAP

I was getting a lot of spam for a while, but it was all from 3 or 4 domains that had IBR enabled so I blocked those and now I don't get any. ¯\_(ツ)_/¯

I don't think I ever got the presence spam that some people get though, so maybe I'm just not on the right lists.

contextswitch: how does XEP-0401 interoperate with the European GDPR thingy? if an offering server provides MAM etc. it would have to acquire explicit consent. Or maybe we need to change clients to make consent to MAM explicit and show the privacy policy of the server beforehands? That would probably require some protocol.

I haven't had spam on any of my accounts

I got one the other day

I know it's not a popular viewpoint, but I still think that signing up for services through web interfaces makes sense, rather than doing it inband.

Why not both?

We have protocol to register inband, or to redirect to a website from inband.

the spam I get since the last ~4 weeks is always from different domains. Some of those domains look very weird and like they just get automatically created only for this purpose

sometimes its from "well known" domains which still have IBR open, this is a very low percentage

do you have strict s2s requiring encryption and valid certs turned on?

I think I'd get a lot more spam judging by my failed s2s logs

moparisthebest: its on my jabber.org Jid

today for instance: Establishing a secure connection from rosolina.estate to burtrum.org failed

what are the chances that's a legit xmpp server? (I haven't checked hehe)

well does jabber.org require valid s2s certs and TLS ?

No. Requires TLS, but allows dialback.

how many legitimate servers don't have valid TLS certs nowadays with letsencrypt?

I run one

because I couldn’t be bothered to set up letsencrypt for that thing

I mean illegitimate ones can easly get valid TLS certs from letsencrypt too

it’s still CACert

but, I'd say turn it on, force bad admins to stop being lazy

I actually keep it renewed

:P

*shrugh*

I’d simply turn off that service instead.

it has to be harder for you to renew CACert once than set up letsencrypt

moparisthebest, no

in fact it’s not

letsencrypt is tedious for XMPP

besides CACert has always been useless, just self-sign

the only way to do it right is with DNS Challenge

and that’s it’s own ratsnest

*shrug*

jonasw: agree

jonasw: indees

CACert takes the load of managing signatures off of my head :)

it's not, you can use DNS, but I also find it rare that you can't just listen on HTTP

something something CA signature serial I have no idea what I’m even talking about

jonasw, switch to letsencrypt

moparisthebest, it’s just wrong to listen on HTTP for chat.domain.example

simple as that.

it is easier to maintain and they have certificates that don't use md5...

it’s not an HTTP service.

on my personal server I renew the lets sncrypt cert every 3 month and it sucks

I’m not even going to set A/AAAA records up for that.

on my k8s clusters with kube lego its awesome

Alex, really? I just did it three days ago. "certbot renew" and restarting/reloading a few services...that's it

maybe we need to invest a bit more in letsencrypt modules for all mayor servers

yeah

with DNS challenge please.

I’d really love to have a thing which just implements a very trivial DNS server

Alex, you manually renew them every 3 months?

and then just delegate to it

SaltyBones: I host HTTP on a different server, my DNS provider cannot be automated, so I always have to add TXT records manual for validation which sucks

jonasw, why is it wrong to listen on chat.domain.example and only serve 1 thing? :/

ah...yeah that's a pain :D

I just have apache vhosts for imap and jabber

moparisthebest, because it is not a friggin HTTP service.

And then you move the certs from the http server to the xmpp one? :)

Alex, lovely :<

Alex, consider hosting a tiny pdns instance with RFCsoandso support (that DNS update thin>)

Kev, that's why it's a pain if the servers are different. Although, given http_upload I suppose a letsencrypt module for servers would not be absurd...

and delegating the _acme-challenge subdomains to it

I do that, it works

no Kev , I just have this nginx config on all my servers:

server { listen 0.0.0.0:80; listen [::]:80; location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" { default_type text/plain; return 200 "$1.YOUR_LETSENCRYPT_ACCOUNT_KEY_HASH"; } }

and all letsencrypt challenges pass without any communication between servers

easy and done

moparisthebest: it would be easy when I would have a subdomain for my XMPP server, or a domain which I don't use on other servers

wait..isn't there something wrong with this? that allows me to get certs for your machine, no?

SaltyBones, only if you have my letsencrypt account key

moparisthebest: So that on the HTTP server is enough to be able to generate a cert on the XMPP server?

which is the same on all servers

Oh, is that included in the cert?

yes Kev

Because I can just say "letsencrypt gimme cert for $yourdomain" and it will go to your domain and check if the file is there, think that it is, give me the cert...no?

SaltyBones, this part return 200 "$1.YOUR_LETSENCRYPT_ACCOUNT_KEY_HASH";

letsencrypt expects it to return the hash of the requesting key in there

kk

you'd have to have that key for the challenge to pass

so I actually need to prove that I have a key with that hash?

so if you hack into my server and steal that key you can get certs for my domains, but, if you hack into a server that's true anyway

yep

okay

this is exactly how all the big web providers handle it in their apache or nginx configurations

and part of my problem, because I use PAAS for my HTTP servers, they don't allow me to control the ./sell-known/ route :( The automatcially handly it with their key always

ah yea then you have to use the DNS challenge

this works perfect in my setup because I have 2 http servers, one for burtrum.org and one for moparisthebest.com, and 1 xmpp server that serves both, so it's nice they don't need to communicate and each can get the proper certs automatically

Which only works if you're prepared to set up 'bad' A records for your things like pubsub, MUC etc. pointing to the HTTP server.

I guess, all mine just redirect you to the right domain anyway, don't see the harm

but if you don't want to mess with it, DNS challenge

what clients do support micro blogging?

daniel: afaik the mangosta android app does

doesn't movim also support it?