XSF Discussion - 2018-03-19

For what it's worth, we copied the password text straight from the original, and the security considerations are really a first cut, but I think passwords are fine here, it's just that they're not real security.

Passwords are not real security? :)

Ge0rG’s implementing at-least-once semantics :)

SaltyBones: MUC passwords aren't

Ge0rG, why not? I have no clue how those work...

<password>foo</password>

seen by your server

I haven't really seen many password-protected MUCs

yeah, members-only feels more effective and useful anyways

A one-time-use password that grats membership would have been nice. Probably could hack it serverside, but are clients going to keep sending the password?

Zash, that’s the MUC invitation thing I asked for a few months ago when the whole PARS stuff was going on

How often are people changing their bookmarks from two clients at once?

I had the same question about MAM settings IIRC

As I said on the list, the same applies to just about every operation we have

-xep 0395

Zash: Atomically Compare-And-Publish PubSub Items (Standards Track, Experimental, 2017-11-29) See: https://xmpp.org/extensions/xep-0395.html

Oh dear publish-options

MattJ: Oh, you said that now? I was still reading the one before yours :)

xep395 was written with things like groupchat subject nodes in mind, FWIW

i.e. items that could be potentially modified by multiple entities

Fun fact, related to the groupchat terminology thread, https://docs.mattermost.com/help/getting-started/organizing-conversations.html, Mattermost has "private channels" _and_ "group messages", that are literally the same thing from what I understand, apart that group messages are limited to 7 members.

*puzzled*

"Group message channels are useful for fluid/ad-hoc conversations among users. Private channels are more useful when there's a concrete topic to discuss and you want to preserve the message history, or at least have an easy way to collect and refer to it later. You can also add more people to an existing private channel conversation and make it public later." From a mattermost person.

so for group messages there’s no history?

apparently.

hmm

I don't like this split personally

I want history, everywhere, all the time

that solves the "what about history in an ad-hoc group discussion?" issue clearly :D

pep., was discussed at summit, it’s not trivial

how so

for example, group conversation between Alice, Bob and Carol. At some point, Bob and Carol talk about Dianne, maybe planning an Intervention for her weird behaviour regarding hats. Then the discussion evolves and they need to invite Dianne to discuss some plans next week.

if Dianne has access to the history, that’s bad

if Alice, Bob and Carol need to do UI dances to prevent her from doing so, that’s also bad.

they create another channel and move on?

I like Slack's approach here, personally.

Kev, how does slack handle this?

"Would you like to preserve history? If you do, Dianne will be able to see it. If you don't, it will be removed for everyone"

(also, I have no idea how I came up with the hats thing and now I kinda want to know what Dianne does with hats.)

Kev, when inviting a new person or when first creating the channel?

It's not perfect, obviously, but it's functional enough and not surprising.

When inviting a new person to a private channel.

that’s neat

It's possible to restrict history to only those present to see it

Zash, with MUC, that’s not great either, because you drop out temporarily during connectivity issues.

jonasw: Well, you can base it on affiliation, not presence.

Zash, right

Most people have no affiliation

But yes.

Depends on the room

Kev, in private channels, you’d typically need member affiliation

because you want them to be members-only

If it's for private team chat then they probably do

so that makes sense.

I usually set affiliations on my channels

It's not hugely straightforward to limit per-message history based on affilation at that time, though.

But that could be automated anyway

Possible, obviously, but not hugely straightforward.

Kev, implementation-wise?

Yeah.

jonasw> if Dianne has access to the history, that’s bad jonasw> if Alice, Bob and Carol need to do UI dances to prevent her from doing so, that’s also bad. pep.> they create another channel and move on? jonasw ^, probably what's happening internally in mattermost already

When inviting a new person

I imagine it gets complicated if you want newly invited persons to see some history from before they were invited, but not all

Where on the metaphorical scale from 'actual private room' to 'written notes on a public board' scale do you wanna be?

"bulletin board" was the term

Everybody's got different use cases, so trying to please everyone is hard

I think we should just give up already

rm -rf xmpp.org

git push

The life of a potato-farming hermit is the ultimate solution

Is there any "goal" defined by the XSF as to what they're trying to achieve. What public they're targetting

ln -s xmpp.org matrix.org

edhelas, :(

pep., no

pep.: XEP-hearding

If not I thought that should be on the list

yeah, that

herd-ing?

how2engrish

I think.

the XSF isn’t targeting any public. the folks authoring XEPs and developing software are.

Yeah, that's a bit too broad

the subgroup of that which is interested in making a good IM system should probably come up with something though.

I do think it'd be nice if Council or Board wrote some kind of vision statement.

the issue is that lots of app are also using XMPP for non-IM stuff

Then I can just read the statement and say "Ok I want in", or "It's not for me", and not try hard to move it my way when it's never going to go where I want

I fully understand that it's the core thing but sometime it's a bit too focused

https://mail.jabber.org/pipermail/standards/2018-March/034655.html

also with the Markdown/XHTML-IM thing

I wish we had a way to link to/show in the XEP list different versions of the same XEP easily.

in the context of the compliance suites

that would be great indeed

it would be great to have a current version which is shown by default when accessing the link

and a staging version where development of the new release takes place

Its frustrating to find out what changed from one version to another without using git

also the attic is often missing versions which complicates the situation even more

yeah, I’m sorry

attic is a manual process

gotta run, see you later

it shouldn't be though

🙂

"historical reasons"

We used to have the difftool, but history wasn't kind to it.

I do have a half-working markdown based comparison tool

Just needs motivation and time

There's no standard place for a server to advertise privacy policy, EULA, etc., from what I understand. It would be good to have one

yes.

Would it make sense to incorporate that in an existing XEP? A New one?

pep., cp xep-template.xml inbox/eula.xml && $EDITOR inbox/eula.xml

:P

Something à la {xep contact}?

pep.: Multiple matches: Contact Addresses for XMPP Services https://xmpp.org/extensions/xep-0157.html Metacontacts https://xmpp.org/extensions/xep-0209.html

0157

Something in IBR(2?) probably

Would make sense. I guess you can already do that with forms? Or just redirect to a web page for the whole thing, but I do prefer the "in-band" part of IBR.

Though admittedly, EULA would most likely be an http link

it would be good to hvae the common things as structured data so that clients can display a summary

like: [ ] encrypted storage data automatically deleted after [ ] days …

It would be good if this could be negotiated

As in, that the client can say "I understand these things"

Or you end up like if you try to use extended registration forms now, with nothing working and no way to indicate why

Zash, yeah sure

yeah, having data forms support for IBR in clients would help

"XEP-XXXX Standardized list of things server admins can lie about" ?

keeps logs, encrypted storage, we promise to try SUPER HARD not to look at your data

moparisthebest, better than non standardized list of things that server admins can lie about? :)

moparisthebest, sure, they can lie about, but if they make false statements they’re liable for that

Can't just go on the internet and tell lies

but statements are required as per EU-GDPR

just seems super useless

so better have some standardised way to make it easy for everyone

oh who would have guessed govt regulation would turn out to be useless :)

Um

moparisthebest, you trust or you don't trust statements of your server admin, that's your issue

But let them tell their lies

pep., I'd rather avoid the false sense of security and foster a healthy distrust of server admins

Civilized society needs its privacy statements and agreements.

moparisthebest, I want my users to be aware of how I operate

Otherwise they don't get to use my service

meh I don't think it does Zash , I'd prefer to just solve the problem with technology

otherwise why even bother with things like TLS ? just ask intermediaries to promise not to look at your traffic?

You know what they say about technical solutions to social problems?

Why bother with locks. It's pretty easy to pick them anyways.

Locks aren't entirely a techical thing. It's part social signal, part technical.

And then things like the legaly system to deal with people who break it. And insurance to reduce the damages.

Main reason why TLS needs to basically be perfect is that those civilization things don't scale to Internet-sized groups

I guess the scaling thing is the concern, if I run a server for friends/family, we don't need any statements/agreements, and if I run a server for the public, statements/agreements are useless because they are unenforceable anyway, and they don't trust me

I do wonder how GDPR relates to self-/small-group-of-friends hosting

Zash, tricky, I’m not sure if third parties can hold you liable.

moparisthebest: Myeah, we haven't completely figured out how society works with Internet-scale communications yet.

moparisthebest, let’s talk about unenforceable again when the privacy regulator comes knocking on your door because there’s evidence that your public service stored my messages without my consent :)

(of course, you can point at your records and say "but you enabled MAM" and then I’m like "wtf are you talking about" and then we figure out that my client did that behind my back and now nobody knows who the f* is actually liable for that)

We can't have 100% perfect enforcement. But most people are mostly honest most of the time, so usually things work out fine.

(alternatively, you figure out that prosody has been enabling MAM without explicit consent since forever and you’re screwed because you didn’t properly vet the software you’re using)

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, etc...

pep., speaking of things, one probably also needs versioning for the privacy policy when we’re doing that

Zash, that’s why I said "you’re screwed" and not "the prosody folks are screwed" :)

pep., so that servers can keep track of the version of the policy accepted by the user and re-ask them when things ch ange

The balancing act between consent of the user, intent of the admin, UX ...

also how do they expect to enforce this over the 90% of internet they have 0 control over?

I'm not even sure if, being a US citizen, this applies to me if my server is in germany...

Yeah, how do these things work with federation?

moparisthebest, it obviously only affects entities offering services in the EU.

moparisthebest, doesn’t matter, it applies to you if you have EU customers.

(or users)

jonasw, citizens of EU, servers of EU, or users in EU

ok, so users in EU, and if I don't comply, how do they expect to force me to?

I have no idea

but users may prefer EU services over US services for this reason.

if I visit the EU one day they arrest me? :P

Extradition agreements are fun.

I'll just never come to EU then I guess

just like I’ll never come to the US :-)

or russia for that matter.

Zash, I can't imagine those would apply, that'd be kind of crazy

oops an EU user accessed the server you run in your house in USA, we are gonna send you to EU prison now...

moparisthebest, EU is taking data protection rather seriously nowadays, I’m not sure what the punishments are though.

moparisthebest: Uh, I'd rather imagine that the EU isn't insane like that.

Glob help you if you share some copyrighted files tho

having the GDPR stuff pre-IBR via stream feature magic would be great, it could be incorporated into xmpp.net

if anybody dares to touch the code that is.

so speaking of what Zash said, bob.com promises no logs, but bob@bob.com messages tom@tom.com and tom.com logs *everything*

how does this work?

moparisthebest, no idea.

did the administrator of bob.com just break a law

probably not

moparisthebest: As I said, clarity on how these things relate to non-commercial self-hosting would be good.

ah that gives you a warm and fuzzy feeling

can the XSF sponsor a lawyer to figure out those use-cases?

I'm probably not going to jail for running a public xmpp server :)

jonasw: and/or the IETF?

Zash, maybe

should put that on boards agenda

everyone run their own xmpp server! you might not even go to jail for it in the EU! :)

Operators of email and other federated things are probably interested as well

yea the answer would probably be identical for email

moparisthebest: It depends!

Email is store-and-forward.

IM is ... not?

Wasn't.

Is now, with MAM :/

Data at rest is considered differently from data in flight.

Sometimes? IANAL.

well smacks is kinda store and forward, so is offline messaging, muc backlog thing

I think it's safe to say 99% of xmpp messages today are store and forward, or at least you can't tell when sending them so you have to treat them as such?

Technically, it's all store and forward

Down to the packet routing

yea...

seems odd to treat them differently

Legally ... hrrrr

I mean, this is what happens when you get politicians dictating technology, nothing but bad things

> A series of tubes

jonasw, re versioning, yes that'd be cool

Also keep track of acks?

Re that, you could check how it's done in ACME

IIRC you reply with a hash of the legalstuff.pdf

Zash, I'll have a look thanks

gonna send board@ an email

done

http://logs.xmpp.org/xsf/ not available on https?

I guess the disconnect makes sense, I'm a programmer, I like technical solutions, politicians are lawyers, they like legal solutions :P

domain not in SANs

and of course only 1 is the correct way... :)

Who do I need to ping to add it?

at least Romeo Montague and Juliet Capulet are actually useful examples in this case (regarding Article 9, "Processing of […] data concerning a natural person’s sex life […] shall be prohibited.")

pep., probably someone from iteam. intosi maybe.

jonasw: I'm probably half in jail already for running a public xmpp server in the EU

Ge0rG, \o/

you’ll be interested in next board meeting then ;-)

I'll watch closely as well

Regarding that Sex life thing, now I'm supposed to check all http upload files and immediately delete dick pics?

Ge0rG, no, you just need consent.

Article 9 (2) is a long list of exceptions to teh general "shall be prohibited", one of which is "the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;"

jonasw: I've asked a GDPR specialist recently, and he ran away crying after seeing my server deployment

haha

I bet.

:D

explicit consent like "By continuing to use this service, you explicitly consent to..." ?

dunno

I'm going to https://www.cambridgenetwork.co.uk/events/gdpr-itgovernance-march2018/ this week. Let's see if I gather anything interesting

I need to convince my boss that writing a policy for yax.im will be a nice exercise for our younger colleagues

pep., neat.

I’ll dump the things I threw at board here so you can mention it there, pep.: There was some discussion in xsf@ today (actually, is right now). Some of the points which were mentioned: General question: Are IM messages to be considered "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation" in general (article 9)? (I suspect so, IANAL.) If not, I think most of the following points are moot-ish. Situation A: romeo@montague.lit talks to juliet@capulet.lit. While romeo is aware of the privacy policy of montague.lit (he acknowledged it when registering), he is not aware of the privacy policy of capulet.lit. capulet.lit decided to store all IM messages forever, which is probably(? IANAL) something they need explicit consent for even from other domains. Situation B: capulet.lit has a MAM service, but it is opt-in to ensure consent from the users. (Suppose here that we have protocol to actually show a privacy policy when users opt-in to MAM.) juliet uses a client which turns on MAM by default. Who is liable when juliet complains that capulet.lit is storing messages? And how to avoid this? Situation C: coven@chat.shakespeare.lit is a private MUC with MUC MAM enabled. Is this covered by Article 9 (2) (e) ("processing relates to personal data which are manifestly made public by the data subject;")? I suspect not, and then we’d need ways to convey the terms of archival and to express consent when joining such a MUC. Is this situation different if the MUC is public? I suspect that this will have to do a lot with how the UI presents it.

moparisthebest: like with the EU cookie warning...

I've been working on GDPR compliance stuff for weeks now… I'm starting to get chills whenever someone mentions it. Opened this room and thought I'd accidentally started work chat instead.

SamWhited, :)

SamWhited, :D

Does anyone actually have the answers to these questions?

MattJ: do you consider "pay a €100k compliance violation fee and stop the offending behavior" a valid answer?

it seems to me the law was specifically crafted to target walled gardens, not federated systems, and it basically makes it impossible to run federated systems...

MattJ, you’ll find out thursday! (board@xmpp.org is the right adress to dump board agenda at, isn’t it?)

jonasw, I don't know... I haven't received any email, so I don't know where it went to

which, politicians ignoring xmpp, fair, but they ignored email too? surely they know about email

moparisthebest, they might not know how email works

true, if they think of email as gmail...

jonasw, their technical team *might*

MattJ, I can’t add an agendum to the board trello, can you do that for me when I forward you my email?

jonasw, shall do

Ge0rG, I mean, I understand a lot of people are making money from GDPR consulting, but has anyone to date received a €100k compliance violation fee?

what if everyone just pulls what I pull on my IRC server, put a statement like "Due to GDPR, citizens of EU are forbidden from using this server" up

and then just not enforce it in practice?

MattJ: no, because the GDPR isn't in effect yet

Exactly

MattJ, enforcement afaik only starts on may 25th

So nobody knows how the legislation will be interpreted by the courts

I find it unlikely that they would conclude that a non-commercial XMPP service that does not make any money would be forced to pay a €100k fine because they stored someone's groupchat message in an archive

MattJ: the first step will be for the data protection offices to ask companies for their policy documents

MattJ: unlikely isn't impossible

MattJ, and what about a commercial xmpp service that charges $2 per month or something

No, nothing is impossible

moparisthebest, fines are usually proportional to company revenue

MattJ: I'm not sure if you would bet your private possessions on that low probability

IANAL, I'm not telling anyone they shouldn't worry about GDPR, I'm just questioning how much you can take a lawyers word today about whether e.g. storing chatroom messages in an archive is legal or not

MattJ: the lawyers don't know either, so they predict the worst case

of course

but we already know the worst case, without paying the lawyers anything

If you have to ask, you probably shouldn't be storing it if you want to be 100% safe

I tried to ask very fundamental questions though. questions to which we should already have an answer before the first xmpp service is sued.

like the federation thing

and with answer I mean a technical way to achieve what’s needed to comply.

like what we were discussing earlier with the potential privacy policy XEP

There was a nice court ruling in Germany recently, regarding WhatsApp. A WhatsApp User requires written consent from all contacts to put their phone number into the cloud.

That sounds like we need consent from each MUC participant

oddly, people haven’t stopped using whatsapp :(

jonasw: yes, probably out of ignorance.

Ge0rG, for public MUCs probably not due to Article 9 (2) (e), I guess.

Ge0rG, no, probably because nobody sues their friends and relatives or people with whom they do business over a phone number upload.

I wish $unlovedRelative was using whatsapp. that’s a perfect way to break off contact *and* get some money out ouf it :> ✏

jonasw, but only if the relative is unloved by the whole family :-)

tim@boese-ban.de, true :)

jonasw: you will have a hard time getting money out. The best thing you can hope for is a fine, and you need to tell the relative in advance that you don't consent with sharing of your information with third parties

Ge0rG, do I? isn’t it default that I don’t consent?

jonasw: maybe, but you need a willful violation to provoke a fine

fine.

jonasw: I see what you did here.

fine :)

Ge0rG, "willful violation"?

🤔

pep.: knowing that your behavior is illegal and still continuing. IANAL

I see

"But but, I didn't know"

wait, are you saying ignorance of the law IS an excuse?

moparisthebest: only regarding the level of fines you expose yourself to.

moparisthebest: if you are not a commercial entity, you are not required to understand and implement all of the GDPR requirements.

Maybe.

At least it is rather improbable that you will be sued for uploading your grandma's cookie receipt to AWS

how about your grandmas erotic friend fictions?

jonasw: it depends whether those are real or imaginary friends. With fiction you are subject to copyright, where the civil liability depends on the number of potential readers, with non fiction you are subject to GDPR, and you know the fines there.

well your grandma would be a real person and thus at least one subject in that fiction story would be real.

(at least that’s the limited understanding I got on erotic friend fictions)

jonasw: I would argue that fiction doesn't count as sensitive PII, but probably only if it's clearly labeled as fiction.

also a possibly upcoming EU law would require disabling e2e and scanning/filtering all stanzas sent https://blog.github.com/2018-03-14-eu-proposal-upload-filters-code/ :'(

I'd be the first one to deploy an OMEMO block filter...

*sigh* I can never decide which I hate more, how much we under-regulate the tech industry, or how much Europe overregulates it.

("we" being the U.S.)

Depends on the regulations?

I'm in a different camp, I think all the regulations are bad

jonasw, you mentioned "encryption" when talking about server policies. Disk encryption? Protecting against the hosting provider? They have do have full control over the equipment, I guess paranoïa can go pretty far, how would you deploy that?

pep., I have no idea. I was desperately trying to think of a second thing :)

hehe

moparisthebest‎, I'm wondering, how the world would look, if not only artificial regulations but also the natural one "only the fittest will survive" would disappear...

hah

andrey.g, not really sure what you mean, but I'm fine with natural regulations, the artificial ones are the problem

also wouldn't call them 'natural regulations' but meh :)

moparisthebest‎, so we have different meanings of "all" regulations.

like I said I wouldn't call like natural laws regulations

jonasw, a bit more thinking tells me I can't be technically sure the hosting provider doesn't have access to my system. Best is to be the provider.. I guess that works for small deployments but that's about it

jonasw, https://trello.com/c/t79C3Yds/307-gdpr-advice added

pep.: Intel SGX attempts to work around that, with limited success

I thought intel SGX was completely broken

Ge0rG, if it was my hardware in the DC that would be a bit easier to do encryption I guess?. That still doesn't prevent DC people from fiddling with it. Is that what SGX is for?

If it's just a question of liability then I guess I don't need encryption at all, if a leak was caused by a hardware issues, or software issues at the virtualization level, I was told I could probably take it to the hosting provider.

Otherwise, if it's mistrust towards the provider, first I'm in a bad position, second, if I still want to do something about it, I guess LUKS on my rootfs with dropbear-in-initramfs would prevent "casual snooping". But protects in no way against a bit more elaborated "attacks"

(They have access to the virtualization software after all)

pep., yea that's how my dedicated server in germany is set up, but it's really just to protect against the 'hard drives re-used without wiping' attack

MattJ, thank you very much

moparisthebest, did you get around to set up your XEP-0368 test setup?

nope, also need to revive that thread and try to get some type of consensus

dino is still doing it wrong (imho), gajim just released 368 support but not sure if it's right or wrong :)

what is "wrong"?

trying first xep-368 record, failing to connect, not trying any subsequent record

mmm

Does it work?

in my specific case, the error it encountered was not-valid-xml, it gets HTTP back

we have a PR for ALPN for aioxmpp, but I’m hesitant to merge it without testing.

'It compiles, ship it'.

Kev, that’s a very very very bad idea for python code ;-)

Or in the case of Python, 'It commits, ship it'.

jonasw, I can give you an account on my server, which requires alpn for ipv4 as the first SRV record, for informal testing

moparisthebest, that would already be a good start.

'It turns into .pyc, ship it'

send credentials to xmpp:jonas@wielicki.name. but don’t forget your privacy policy, I’m in the EU! ;-)

oh right, well just tell me you aren't in the EU and I'll send you one :)

I may or may not be in the EU.

good enough for me, will send you one in a few :)

google talk's xmpp support doesn't support message carbons does it?

jjrh, I thought google completely turned off xmpp a couple months ago?

but it never supported carbons anyway I think

Nah you can still connect with username @ gmail.com

(I just tested it today)

Federation is gone tho

oh, so they just killed federation

zash: they closed port 5269?

fippo: Yup

Connection refused on all SRV targets

IIRC they gave out not-authorized errors just before that

so how long will it take them to remove the dns records...

ENOENT

moparisthebest, > oh, so they just killed federation Curse their sudden but inevitable betrayal!

well it hasn't worked acceptably for years so, meh

Andrew Nenakhov, it's not sudden, they announced it at the beginning of 2017, for late June 2017 iirc

Hasn't it basically been outdated since 2006?

zash: well, someone said "the future is jingle" in 2011

but these days the future is stun2, turn2 and rtp3

pep., > Andrew Nenakhov, it's not sudden, they announced it at the beginning of 2017, for late June 2017 iirc It's actually dates much earlier. After Google announced Hangouts, they began gradually chopping off parts of xmpp functionality one by one in a period of over 2 years.

Andrew Nenakhov: yeah but they officially announced it then

Not really. They announced that 'nothing changes for current users', but it did, gradually. I'd even call it death by 1000 cuts, because it was clearly done so not to have another uproar like when they killed RSS Reader

Maybe the responsible project lead was just promoted to greener pastures and the project fell victim to bit rot?

that's the less cynical view

I think what really happened is they wanted to lock users into their walled garden :P

Probably a bit of both.

moparisthebest: yes, Google Management stated to lock in users some time around 2005. But I think there is still a large portion of CADT involved.

you like that acronym, don’t you?

ge0rg: pah, getting rid of xmpp was clearly a technical decision because xmpp is based on http!

jonasw: it perfectly fits how Google does IM.

Ge0rG, to me, it feels more like what I’m hearing peripherially (I don’t follow sports, at all) about german football. Team didn’t perform for three weeks? Replace all training personnel and start over! ✏

jonasw: CADT as well.

Except maybe for the higher age of the involved functionaries

define CADT?

zash: https://www.jwz.org/doc/cadt.html

zash: you might also want to read up on the kevlar-shitting spiders

Ah, yes

wat

ah hadn't seen CADT before but I like it

I don't think what google turning off federation was to lock their users in - google doesn't have any issue with that.

I think they mostly just didn't want to support XMPP. Probably turning off federation made sense since they didn't need to deal with that UI aspect.

I'm guessing the majority of users didn't really use any of the federation stuff either.

I never understood the google news reader thing though - ALOT of people used it, there were tons of apps that took advantage of the fact all your RSS subscriptions were on a account just about every android user has.

Google Reader was good, but current Feedly is better. Though RSS seems to be on decline too, so many websites opt for this stupid telegram channels thing, locking themselves into yet another proprietary service

The thing that was nice about google reader was you had a dozen or so apps that connected to google reader so you had a good amount of choice.

ooh, I haven't seen that one I don't think. I looked desperately for another feed reader that I actually liked after Google Reader shut down, but never found one and eventually gave up.

tt-rss

good web ui, and good android client

That would require that I do work.

on the other hand, no one else can turn it off on a whim SamWhited :)

Don't care since I can export an OPML bundle

I used liferea back in the day

Also, even if I wanted to self host I'm not running PHP on my server.

good choice.

Yeah there are a few other 'self hosted' choices https://github.com/Kickball/awesome-selfhosted#feed-readers

Now I just randomly go to sites when I remember them. Or I hear about stuff because people link to things.

Can liferea sync to some sort of backend and stay in sync with a mobile version? That's basically my only requirement (that and I don't want to host whatever that backend is)

Never got why it had to be a fkn web service

SamWhited: I have no idea that was even a thing people did

Feedly is probably what you want - it has a web reader and a android app

Oh yes; I don't care if it's a desktop app or a webapp as long as I can read stuff on the bus and not have to figure out what I'd already read later.

Feedly does look like waht I was looking for at the time; I might give it a shot.

What drives me nuts is so many sites don't actually post the whole article in the RSS feed.

Ooh yah, that always annoyed me

Reading on a bus seems like a recipie for feeling sick

it's like a 2 line sentence with a link to the website - and I mean the whole point is I want to read the article in the rss reader optionally offline.

Doesn't bother me unless it's one of the big commuter busses

tt-rss lets you write plugins to go to the website and grab the whole article anyway jjrh

because yes, that's obnoxious

That's nice.

It's probably all just fake news anyways!

Liferea looks nice, but doesn't appear to sync to anything, sadly :(

Fake news is still news because people believe it's news and that's relevant

That's why I only subscribe to The Onion.

I mostly read about Canadian politics and no cares about Canada enough about us to create a fake news conspiracy

> it's like a 2 line sentence with a link to the website - and I mean the whole point is I want to read the article in the rss reader optionally offline. Websites need eyeballs to show ads. So it's understandable, but is still a nuisance

In some cases - in many others I think they just don't have a clue.

but unfortunately for them, google doesn't care about their ad dollars and scrapes their site with their 'newsstand' app or whatever it's called.

some newspaper sites that have the 'you can read 2 articles for free then you gotta pay' thing are totally defeated by this.

Some of the paywall sites also allow you to read stuff if you come from a social network referrer

dafuq xmpp? somebody just sent a message without a username to a muc ..by accident!