XSF Discussion - 2018-03-11

https://pidgin.im/pipermail/announce/2018-March/000020.html The libpurple changes have some RCE galore > Properlly shell escape URI's when opening them.

https://security-tracker.debian.org/tracker/source-package/pidgin

Hot damn

Only one CVE from 2017, is that good or bad?

good argument for Moved XEP: could easily become a requirement with the EU-GDPR

-ping cridland.im

Dave Cridland: Ping failed (remote-server-not-found): Server-to-server connection failed: Connecting failed: closed

Bunneh, Thanks. Yes, I have broken *everything*.

"closed" is the most informative error message

Maranda: Ping failed (remote-server-not-found): Server-to-server connection failed: Connecting failed: connection refused 🤔

-ping cridland.im

Dave Cridland: Ping failed (remote-server-not-found): Server-to-server connection failed: connection-timeout

-ping cridland.im

Dave Cridland: Ping failed (remote-server-not-found): Server-to-server connection failed: dialback authentication failed

Dave Cridland: Having fun?

Zash, Well, maybe.

Zash, For various reasons, I replaced the autoconf build system of libunbound with cmake, and introduced some interesting errors.

-ping cridland.im

Dave Cridland: Ping failed (remote-server-not-found): Server-to-server connection failed: dialback authentication failed

I think this is actually working now - remaining errors are because I've not got TLS enabled.

lovely, replace all autotools with cmake <3

Zash [12:26]: > Only one CVE from 2017, is that good or bad? I think this is because libpurple lost popularity, not because it lost all its bugs.

hah

-ping cridland.im

Dave Cridland: Pong from cridland.im in 10.289 seconds

Ah, sweet smell of success.

jonasw, Metre and all its dependencies build with cmake, now, except for OpenSSL because that has the most terrifying build system ever.

lovely

are you handing that to upstream?

jonasw, For libunbound? Doubtful, it's nothing like done yet. Just enough to build on Linux for now. I'm gradually working on Windows.

jonasw, But git@github.com:dwd/unbound has it, anyway. "Patches welcome" - especially for the Windows support, actually.

hm ok

jonasw, Don't get me wrong - *eventually* I'd like to get it into upstream. But it's a long way to go yet - unbound's flexibility with autoconf is pretty high - although it does things like check for fork(), but fails dead at runtime if it doesn't have it.

:/

Good news Dave Cridland

jonasw, Oh, and that's not mentioning that unbound works with a wide variety of OpenSSL versions, *and* libsodium, *and* ...

Dave Cridland: sounds like a huge load of fun -- and good work

-ping dave.cridland.net

Dave Cridland: Pong from dave.cridland.net in 1.559 seconds

-ping dave.cridland.net

Dave Cridland: Pong from dave.cridland.net in 0.073 seconds

Better.

:)

even more fun for doing that on a live service, right?

jonasw, Yeah. cridland.im is a domain I use for running arbitrary servers on for testing. But since the very basic tests worked on Metre, I deployed it on prod a little optimistically...

jonasw, I wasn't expecting unbound to completely fail. :-)

:D

Weird, though, that so many of my contacts are still using a StartSSL certificate.

(Metre rejects all of them since the CRLDP is down now)

crldp?

Little question: A friend request me news about XEP Diff tool, any news about it?

Neustradamus: no

:/

jonasw, Certificate Revocation List Distribution Point. And amazingly, some of StartSSL's still seem to be up.

we either need an external service or a way to build the xeps incrementally

Zash, Do you have a working TLS1.3 server around?

https://www.theregister.co.uk/2018/03/09/slack_cuts_ties_to_irc_and_xmpp/

Gotta get that sweet sweet vendor lock-in

If only we had some alternative to offer.

Most accurate comment from there:

Hey, Facebook Messenger also used XMPP once... But when users are the product, you don't want anyone to access "your" users without paying your toll.

That's basically what it boils down to

moparisthebest: on slack you actually pay for using it, and it's very expensive

moparisthebest: maybe the issue was that you could create remote backups easily by parking a client in there, to circumvent the free account limit

Ge0rG: The "very expensive" part doesn't apply to actual companies. Slack is one of the cheaper services.

waqas: all the companies that I've seen using slack were on the free tier because it was too expensive

waqas: it's something like one third of an Office 365 subscription, and it only has chat

Here's from my company's slack account's billing page that I pay for: "Your workspace is on the Standard plan, paying Monthly. Your plan will renew on April 9, 2018 for $174.20. $160 for 20 users $14.20 sales tax"

And I think the average spend for a tech company is ~$10k/month/employee around these parts.

I simply can't see the slack bill as being expensive. See what I mean?

We probably subscribe to 10-20 services in that category (slack, github, jira, etc), and all that combined comes out to probably >1% of total company spend.

So I can absolutely understand that there are companies out there who'd consider Slack's expense burdensome, but most companies in the US tech sector probably would not.

agree with waqas

Same. There's ways to compete with Slack, but cost isn't it.

Ge0rG: we have all the XEPs to compete. but we do not have any good modern client ;-)

Desktop clients I refer to

That's what it really boils down to. Almost nobody cares about the underlying protocol. People like slack because of the client.

And there's an opportunity there: the memory usage and sluggishness of their client is almost universally complained about

waqas, Right. And they moan about all sorts in the client, too - but the overall expeience is really positive.

Yep

Which is why despite being a Prosody author it's hard for me to push XMPP, as there's no client that can compete in Slack's niche

I think a tough problem we have to deal with is the integrations, though. The general "hook" concept for services heavily assumes a single service to hook into, not a federation.

-ping cridland.im

lets take a JS lib, electron and start one ;-)

Dave Cridland: Pong from cridland.im in 14.527 seconds

Wow. Still works.

-ping cridland.im

waqas: Pong from cridland.im in 0.096 seconds

Also, https://github.com/surevine/web-chat

I mean, it's a start.

Dave Cridland: is there a hosted version available somewhere? d you have some screenshots?

I was going to ask about screenshots too

Slack's integrations aren't that difficult. Writing a bridge that let's an XMPP server expose Slack's webhook/API system isn't that hard, followed by evangelism to popular integration authors for support for custom API end-points.

Jonny, who wrote it, said that "in the absence of budget available for this project to perform detailed user interviews, we elected to take design cues from a well-known IM service".

In other words, he copied Slack, mostly.

That's compelling :)

thats a great start dave ;-)

But it's React+Redux+stanza.io, so it's a good base whatever.

But it *only* does MUC, for now (well, and FDP and a weird snippets thing I really need to document).

looks like a reference is missing: ./~/react-toastify/lib/ToastContainer.js Module not found: Can't resolve 'glamor' in 'C:\Users\Alex\Downloads\web-chat-master\node_modules\react-toastify\lib'

after npm install glamor it starts up

Oh. That's odd. I'll see if I can get it running locally, but I believe it works.

after installing this module it seems to work

have to figure out where to set the server

config.js

I assume this modile is missing in package.json

Alex: Screenshots and review please, when you can ;)

waqas: https://www.dropbox.com/s/pgluxp1gy28iynv/acreen1.png?dl=0 https://www.dropbox.com/s/59yibqys5ax2hee/screen2.png?dl=0

does not display messages for some reason

probably becuase no histor is there. But looks pretty good