For what it's worth, we copied the password text straight from the original, and the security considerations are really a first cut, but I think passwords are fine here, it's just that they're not real security.
SaltyBones
Passwords are not real security? :)
jonasw
Ge0rG’s implementing at-least-once semantics :)
Ge0rG
SaltyBones: MUC passwords aren't
SaltyBones
Ge0rG, why not? I have no clue how those work...
jonasw
<password>foo</password>
jonasw
seen by your server
Zash
I haven't really seen many password-protected MUCs
jonasw
yeah, members-only feels more effective and useful anyways
Zash
A one-time-use password that grants membership would have been nice. Probably could hack it serverside, but are clients going to keep sending the password?
jonasw
Zash, that’s the MUC invitation thing I asked for a few months ago when the whole PARS stuff was going on
Zash
How often are people changing their bookmarks from two clients at once?
Zash
I had the same question about MAM settings IIRC
MattJ
As I said on the list, the same applies to just about every operation we have
MattJ: Oh, you said that now? I was still reading the one before yours :)
flow
xep395 was written with things like groupchat subject nodes in mind, FWIW
flow
i.e. items that could be potentially modified by multiple entities
pep.
Fun fact, related to the groupchat terminology thread, https://docs.mattermost.com/help/getting-started/organizing-conversations.html, Mattermost has "private channels" _and_ "group messages", that are literally the same thing from what I understand, except that group messages are limited to 7 members.
pep.
*puzzled*
pep.
"Group message channels are useful for fluid/ad-hoc conversations among users.
Private channels are more useful when there's a concrete topic to discuss and you want to preserve the message history, or at least have an easy way to collect and refer to it later. You can also add more people to an existing private channel conversation and make it public later."
From a mattermost person.
jonasw
so for group messages there’s no history?
pep.
apparently.
jonasw
hmm
pep.
I don't like this split personally
pep.
I want history, everywhere, all the time
jonasw
that solves the "what about history in an ad-hoc group discussion?" issue clearly :D
jonasw
pep., was discussed at summit, it’s not trivial
pep.
how so
jonasw
for example, group conversation between Alice, Bob and Carol. At some point, Bob and Carol talk about Dianne, maybe planning an Intervention for her weird behaviour regarding hats. Then the discussion evolves and they need to invite Dianne to discuss some plans next week.
jonasw
if Dianne has access to the history, that’s bad
jonasw
if Alice, Bob and Carol need to do UI dances to prevent her from doing so, that’s also bad.
pep.
they create another channel and move on?
Kev
I like Slack's approach here, personally.
jonasw
Kev, how does slack handle this?
Kev
"Would you like to preserve history? If you do, Dianne will be able to see it. If you don't, it will be removed for everyone"
jonasw
(also, I have no idea how I came up with the hats thing and now I kinda want to know what Dianne does with hats.)
jonasw
Kev, when inviting a new person or when first creating the channel?
Kev
It's not perfect, obviously, but it's functional enough and not surprising.
Kev
When inviting a new person to a private channel.
jonasw
that’s neat
Zash
It's possible to restrict history to only those present to see it
jonasw
Zash, with MUC, that’s not great either, because you drop out temporarily during connectivity issues.
Zash
jonasw: Well, you can base it on affiliation, not presence.
jonasw
Zash, right
Kev
Most people have no affiliation
Kev
But yes.
Zash
Depends on the room
jonasw
Kev, in private channels, you’d typically need member affiliation
jonasw
because you want them to be members-only
Zash
If it's for private team chat then they probably do
jonasw
so that makes sense.
pep.
I usually set affiliations on my channels
Kev
It's not hugely straightforward to limit per-message history based on affiliation at that time, though.
pep.
But that could be automated anyway
Kev
Possible, obviously, but not hugely straightforward.
jonasw
Kev, implementation-wise?
Kev
Yeah.
pep.
jonasw> if Dianne has access to the history, that’s bad
jonasw> if Alice, Bob and Carol need to do UI dances to prevent her from doing so, that’s also bad.
pep.> they create another channel and move on?
jonasw ^, probably what's happening internally in mattermost already
pep.
When inviting a new person
Zash
I imagine it gets complicated if you want newly invited persons to see some history from before they were invited, but not all
Zash
Where on the metaphorical scale from 'actual private room' to 'written notes on a public board' do you wanna be?
Zash
"bulletin board" was the term
pep.
Everybody's got different use cases, so trying to please everyone is hard
pep.
I think we should just give up already
jonasw
rm -rf xmpp.org
pep.
git push
Zash
The life of a potato-farming hermit is the ultimate solution
pep.
Is there any "goal" defined by the XSF as to what they're trying to achieve? What public they're targeting?
edhelas
ln -s xmpp.org matrix.org
jonasw
edhelas, :(
jonasw
pep., no
Zash
pep.: XEP-hearding
pep.
If not I thought that should be on the list
jonasw
yeah, that
Zash
herd-ing?
Zash
how2engrish
pep.
I think.
jonasw
the XSF isn’t targeting any public. the folks authoring XEPs and developing software are.
pep.
Yeah, that's a bit too broad
jonasw
the subgroup of that which is interested in making a good IM system should probably come up with something though.
Zash
I do think it'd be nice if Council or Board wrote some kind of vision statement.
edhelas
the issue is that lots of apps are also using XMPP for non-IM stuff
pep.
Then I can just read the statement and say "Ok I want in", or "It's not for me", and not try hard to move it my way when it's never going to go where I want
edhelas
I fully understand that it's the core thing but sometimes it's a bit too focused
Would make sense. I guess you can already do that with forms? Or just redirect to a web page for the whole thing, but I do prefer the "in-band" part of IBR.
pep.
Though admittedly, EULA would most likely be an http link
jonasw
it would be good to have the common things as structured data so that clients can display a summary
jonasw
like:
[ ] encrypted storage
data automatically deleted after [ ] days
…
Zash
It would be good if this could be negotiated
Zash
As in, that the client can say "I understand these things"
Zash
Or you end up like if you try to use extended registration forms now, with nothing working and no way to indicate why
jonasw
Zash, yeah sure
pep.
yeah, having data forms support for IBR in clients would help
moparisthebest
"XEP-XXXX Standardized list of things server admins can lie about" ?
moparisthebest
keeps logs, encrypted storage, we promise to try SUPER HARD not to look at your data
pep.
moparisthebest, better than non standardized list of things that server admins can lie about? :)
jonasw
moparisthebest, sure, they can lie about, but if they make false statements they’re liable for that
Zash
Can't just go on the internet and tell lies
jonasw
but statements are required as per EU-GDPR
moparisthebest
just seems super useless
jonasw
so better have some standardised way to make it easy for everyone
moparisthebest
oh who would have guessed govt regulation would turn out to be useless :)
Zash
Um
pep.
moparisthebest, you trust or you don't trust statements of your server admin, that's your issue
pep.
But let them tell their lies
moparisthebest
pep., I'd rather avoid the false sense of security and foster a healthy distrust of server admins
Zash
Civilized society needs its privacy statements and agreements.
pep.
moparisthebest, I want my users to be aware of how I operate
pep.
Otherwise they don't get to use my service
moparisthebest
meh I don't think it does Zash , I'd prefer to just solve the problem with technology
moparisthebest
otherwise why even bother with things like TLS ? just ask intermediaries to promise not to look at your traffic?
Zash
You know what they say about technical solutions to social problems?
Zash
Why bother with locks. It's pretty easy to pick them anyways.
Zash
Locks aren't entirely a technical thing. It's part social signal, part technical.
Zash
And then things like the legal system to deal with people who break it. And insurance to reduce the damages.
Zash
Main reason why TLS needs to basically be perfect is that those civilization things don't scale to Internet-sized groups
moparisthebest
I guess the scaling thing is the concern, if I run a server for friends/family, we don't need any statements/agreements, and if I run a server for the public, statements/agreements are useless because they are unenforceable anyway, and they don't trust me
Zash
I do wonder how GDPR relates to self-/small-group-of-friends hosting
jonasw
Zash, tricky, I’m not sure if third parties can hold you liable.
Zash
moparisthebest: Myeah, we haven't completely figured out how society works with Internet-scale communications yet.
jonasw
moparisthebest, let’s talk about unenforceable again when the privacy regulator comes knocking on your door because there’s evidence that your public service stored my messages without my consent :)
jonasw
(of course, you can point at your records and say "but you enabled MAM" and then I’m like "wtf are you talking about" and then we figure out that my client did that behind my back and now nobody knows who the f* is actually liable for that)
Zash
We can't have 100% perfect enforcement. But most people are mostly honest most of the time, so usually things work out fine.
jonasw
(alternatively, you figure out that prosody has been enabling MAM without explicit consent since forever and you’re screwed because you didn’t properly vet the software you’re using)
Zash
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
etc...
jonasw
pep., speaking of things, one probably also needs versioning for the privacy policy when we’re doing that
jonasw
Zash, that’s why I said "you’re screwed" and not "the prosody folks are screwed" :)
jonasw
pep., so that servers can keep track of the version of the policy accepted by the user and re-ask them when things change
Zash
The balancing act between consent of the user, intent of the admin, UX ...
moparisthebest
also how do they expect to enforce this over the 90% of internet they have 0 control over?
moparisthebest
I'm not even sure if, being a US citizen, this applies to me if my server is in germany...
Zash
Yeah, how do these things work with federation?
jonasw
moparisthebest, it obviously only affects entities offering services in the EU.
jonasw
moparisthebest, doesn’t matter, it applies to you if you have EU customers.
jonasw
(or users)
moparisthebest
jonasw, citizens of EU, servers of EU, or users in EU
moparisthebest
ok, so users in EU, and if I don't comply, how do they expect to force me to?
jonasw
I have no idea
jonasw
but users may prefer EU services over US services for this reason.
moparisthebest
if I visit the EU one day they arrest me? :P
Zash
Extradition agreements are fun.
moparisthebest
I'll just never come to EU then I guess
jonasw
just like I’ll never come to the US :-)
jonasw
or russia for that matter.
moparisthebest
Zash, I can't imagine those would apply, that'd be kind of crazy
moparisthebest
oops an EU user accessed the server you run in your house in USA, we are gonna send you to EU prison now...
jonasw
moparisthebest, EU is taking data protection rather seriously nowadays, I’m not sure what the punishments are though.
Zash
moparisthebest: Uh, I'd rather imagine that the EU isn't insane like that.
Zash
Glob help you if you share some copyrighted files tho
jonasw
having the GDPR stuff pre-IBR via stream feature magic would be great, it could be incorporated into xmpp.net
jonasw
if anybody dares to touch the code that is.
moparisthebest
so speaking of what Zash said, bob.com promises no logs, but bob@bob.com messages tom@tom.com and tom.com logs *everything*
moparisthebest
how does this work?
jonasw
moparisthebest, no idea.
moparisthebest
did the administrator of bob.com just break a law
jonasw
probably not
Zash
moparisthebest: As I said, clarity on how these things relate to non-commercial self-hosting would be good.
moparisthebest
ah that gives you a warm and fuzzy feeling
jonasw
can the XSF sponsor a lawyer to figure out those use-cases?
moparisthebest
I'm probably not going to jail for running a public xmpp server :)
Zash
jonasw: and/or the IETF?
jonasw
Zash, maybe
jonasw
should put that on boards agenda
moparisthebest
everyone run their own xmpp server! you might not even go to jail for it in the EU! :)
Zash
Operators of email and other federated things are probably interested as well
moparisthebest
yea the answer would probably be identical for email
Zash
moparisthebest: It depends!
Zash
Email is store-and-forward.
Zash
IM is ... not?
Zash
Wasn't.
Zash
Is now, with MAM :/
Zash
Data at rest is considered differently from data in flight.
Zash
Sometimes? IANAL.
moparisthebest
well smacks is kinda store and forward, so is offline messaging, muc backlog thing
moparisthebest
I think it's safe to say 99% of xmpp messages today are store and forward, or at least you can't tell when sending them so you have to treat them as such?
Zash
Technically, it's all store and forward
Zash
Down to the packet routing
moparisthebest
yea...
moparisthebest
seems odd to treat them differently
Zash
Legally ... hrrrr
moparisthebest
I mean, this is what happens when you get politicians dictating technology, nothing but bad things
Zash
> A series of tubes
pep.
jonasw, re versioning, yes that'd be cool
pep.
Also keep track of acks?
Zash
Re that, you could check how it's done in ACME
Zash
IIRC you reply with a hash of the legalstuff.pdf
pep.
Zash, I'll have a look thanks
jonasw
gonna send board@ an email
jonasw
done
pep.
http://logs.xmpp.org/xsf/ not available on https?
moparisthebest
I guess the disconnect makes sense, I'm a programmer, I like technical solutions, politicians are lawyers, they like legal solutions :P
pep.
domain not in SANs
moparisthebest
and of course only 1 is the correct way... :)
pep.
Who do I need to ping to add it?
jonasw
at least Romeo Montague and Juliet Capulet are actually useful examples in this case (regarding Article 9, "Processing of […] data concerning a natural person’s sex life […] shall be prohibited.")
jonasw
pep., probably someone from iteam. intosi maybe.
Ge0rG
jonasw: I'm probably half in jail already for running a public xmpp server in the EU
jonasw
Ge0rG, \o/
jonasw
you’ll be interested in next board meeting then ;-)
pep.
I'll watch closely as well
Ge0rG
Regarding that Sex life thing, now I'm supposed to check all http upload files and immediately delete dick pics?
jonasw
Ge0rG, no, you just need consent.
jonasw
Article 9 (2) is a long list of exceptions to the general "shall be prohibited", one of which is "the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;"
Ge0rG
jonasw: I've asked a GDPR specialist recently, and he ran away crying after seeing my server deployment
jonasw
haha
jonasw
I bet.
pep.
:D
moparisthebest
explicit consent like "By continuing to use this service, you explicitly consent to..." ?
jonasw
dunno
pep.
I'm going to https://www.cambridgenetwork.co.uk/events/gdpr-itgovernance-march2018/ this week. Let's see if I gather anything interesting
Ge0rG
I need to convince my boss that writing a policy for yax.im will be a nice exercise for our younger colleagues
jonasw
pep., neat.
jonasw
I’ll dump the things I threw at board here so you can mention it there, pep.:
There was some discussion in xsf@ today (actually, is right now). Some of the
points which were mentioned:
General question: Are IM messages to be considered "personal data revealing
racial or ethnic origin, political opinions, religious or philosophical
beliefs, or trade union membership, and the processing of genetic data,
biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person’s sex life or sexual
orientation" in general (article 9)? (I suspect so, IANAL.) If not, I think
most of the following points are moot-ish.
Situation A:
romeo@montague.lit talks to juliet@capulet.lit. While romeo is aware of the
privacy policy of montague.lit (he acknowledged it when registering), he is
not aware of the privacy policy of capulet.lit. capulet.lit decided to store
all IM messages forever, which is probably(? IANAL) something they need
explicit consent for even from other domains.
Situation B:
capulet.lit has a MAM service, but it is opt-in to ensure consent from the
users. (Suppose here that we have protocol to actually show a privacy policy
when users opt-in to MAM.) juliet uses a client which turns on MAM by default.
Who is liable when juliet complains that capulet.lit is storing messages? And
how to avoid this?
Situation C:
coven@chat.shakespeare.lit is a private MUC with MUC MAM enabled. Is this
covered by Article 9 (2) (e) ("processing relates to personal data which are
manifestly made public by the data subject;")? I suspect not, and then we’d
need ways to convey the terms of archival and to express consent when joining
such a MUC. Is this situation different if the MUC is public? I suspect that
this will have to do a lot with how the UI presents it.
Ge0rG
moparisthebest: like with the EU cookie warning...
SamWhited
I've been working on GDPR compliance stuff for weeks now… I'm starting to get chills whenever someone mentions it. Opened this room and thought I'd accidentally started work chat instead.
jonasw
SamWhited, :)
pep.
SamWhited, :D
MattJ
Does anyone actually have the answers to these questions?
Ge0rG
MattJ: do you consider "pay a €100k compliance violation fee and stop the offending behavior" a valid answer?
moparisthebest
it seems to me the law was specifically crafted to target walled gardens, not federated systems, and it basically makes it impossible to run federated systems...
jonasw
MattJ, you’ll find out thursday! (board@xmpp.org is the right address to dump board agenda at, isn’t it?)
MattJ
jonasw, I don't know... I haven't received any email, so I don't know where it went to
moparisthebest
which, politicians ignoring xmpp, fair, but they ignored email too? surely they know about email
jonasw
moparisthebest, they might not know how email works
moparisthebest
true, if they think of email as gmail...
pep.
jonasw, their technical team *might*
jonasw
MattJ, I can’t add an agendum to the board trello, can you do that for me when I forward you my email?
MattJ
jonasw, shall do
MattJ
Ge0rG, I mean, I understand a lot of people are making money from GDPR consulting, but has anyone to date received a €100k compliance violation fee?
moparisthebest
what if everyone just pulls what I pull on my IRC server, put a statement like "Due to GDPR, citizens of EU are forbidden from using this server" up
moparisthebest
and then just not enforce it in practice?
Ge0rG
MattJ: no, because the GDPR isn't in effect yet
MattJ
Exactly
jonasw
MattJ, enforcement afaik only starts on may 25th
MattJ
So nobody knows how the legislation will be interpreted by the courts
MattJ
I find it unlikely that they would conclude that a non-commercial XMPP service that does not make any money would be forced to pay a €100k fine because they stored someone's groupchat message in an archive
Ge0rG
MattJ: the first step will be for the data protection offices to ask companies for their policy documents
Ge0rG
MattJ: unlikely isn't impossible
moparisthebest
MattJ, and what about a commercial xmpp service that charges $2 per month or something
MattJ
No, nothing is impossible
MattJ
moparisthebest, fines are usually proportional to company revenue
Ge0rG
MattJ: I'm not sure if you would bet your private possessions on that low probability
MattJ
IANAL, I'm not telling anyone they shouldn't worry about GDPR, I'm just questioning how much you can take a lawyer's word today about whether e.g. storing chatroom messages in an archive is legal or not
Ge0rG
MattJ: the lawyers don't know either, so they predict the worst case
MattJ
of course
MattJ
but we already know the worst case, without paying the lawyers anything
MattJ
If you have to ask, you probably shouldn't be storing it if you want to be 100% safe
jonasw
I tried to ask very fundamental questions though. questions to which we should already have an answer before the first xmpp service is sued.
jonasw
like the federation thing
jonasw
and with answer I mean a technical way to achieve what’s needed to comply.
jonasw
like what we were discussing earlier with the potential privacy policy XEP
Ge0rG
There was a nice court ruling in Germany recently, regarding WhatsApp. A WhatsApp User requires written consent from all contacts to put their phone number into the cloud.
Ge0rG
That sounds like we need consent from each MUC participant
jonasw
oddly, people haven’t stopped using whatsapp :(
Ge0rG
jonasw: yes, probably out of ignorance.
jonasw
Ge0rG, for public MUCs probably not due to Article 9 (2) (e), I guess.
jonasw
Ge0rG, no, probably because nobody sues their friends and relatives or people with whom they do business over a phone number upload.
jonasw
I wish $unlovedRelative was using whatsapp. that’s a perfect way to break off contact ✎
jonasw
I wish $unlovedRelative was using whatsapp. that’s a perfect way to break off contact *and* get some money out of it :> ✏
tim@boese-ban.de
jonasw, but only if the relative is unloved by the whole family :-)
jonasw
tim@boese-ban.de, true :)
Ge0rG
jonasw: you will have a hard time getting money out. The best thing you can hope for is a fine, and you need to tell the relative in advance that you don't consent with sharing of your information with third parties
jonasw
Ge0rG, do I? isn’t it default that I don’t consent?
Ge0rG
jonasw: maybe, but you need a willful violation to provoke a fine
jonasw
fine.
Ge0rG
jonasw: I see what you did here.
jonasw
fine :)
pep.
Ge0rG, "willful violation"?
Ge0rG
🤔
Ge0rG
pep.: knowing that your behavior is illegal and still continuing. IANAL
pep.
I see
pep.
"But but, I didn't know"
moparisthebest
wait, are you saying ignorance of the law IS an excuse?
Ge0rG
moparisthebest: only regarding the level of fines you expose yourself to.
Ge0rG
moparisthebest: if you are not a commercial entity, you are not required to understand and implement all of the GDPR requirements.
Ge0rG
Maybe.
Ge0rG
At least it is rather improbable that you will be sued for uploading your grandma's cookie receipt to AWS
jonasw
how about your grandmas erotic friend fictions?
Ge0rG
jonasw: it depends whether those are real or imaginary friends. With fiction you are subject to copyright, where the civil liability depends on the number of potential readers, with non fiction you are subject to GDPR, and you know the fines there.
jonasw
well your grandma would be a real person and thus at least one subject in that fiction story would be real.
jonasw
(at least that’s the limited understanding I got on erotic friend fictions)
Ge0rG
jonasw: I would argue that fiction doesn't count as sensitive PII, but probably only if it's clearly labeled as fiction.
moparisthebest
also a possibly upcoming EU law would require disabling e2e and scanning/filtering all stanzas sent https://blog.github.com/2018-03-14-eu-proposal-upload-filters-code/ :'(
Ge0rG
I'd be the first one to deploy an OMEMO block filter...
SamWhited
*sigh* I can never decide which I hate more, how much we under-regulate the tech industry, or how much Europe overregulates it.
SamWhited
("we" being the U.S.)
pep.
Depends on the regulations?
moparisthebest
I'm in a different camp, I think all the regulations are bad
pep.
jonasw, you mentioned "encryption" when talking about server policies. Disk encryption? Protecting against the hosting provider? They do have full control over the equipment, I guess paranoia can go pretty far, how would you deploy that?
jonasw
pep., I have no idea. I was desperately trying to think of a second thing :)
pep.
hehe
andrey.g
moparisthebest, I'm wondering, how the world would look, if not only artificial regulations but also the natural one "only the fittest will survive" would disappear...
jonasw
hah
moparisthebest
andrey.g, not really sure what you mean, but I'm fine with natural regulations, the artificial ones are the problem
moparisthebest
also wouldn't call them 'natural regulations' but meh :)
andrey.g
moparisthebest, so we have different meanings of "all" regulations.
moparisthebest
like I said I wouldn't call like natural laws regulations
pep.
jonasw, a bit more thinking tells me I can't be technically sure the hosting provider doesn't have access to my system. Best is to be the provider.. I guess that works for small deployments but that's about it
pep.: Intel SGX attempts to work around that, with limited success
moparisthebest
I thought intel SGX was completely broken
pep.
Ge0rG, if it was my hardware in the DC that would be a bit easier to do encryption I guess?. That still doesn't prevent DC people from fiddling with it. Is that what SGX is for?
pep.
If it's just a question of liability then I guess I don't need encryption at all, if a leak was caused by hardware issues, or software issues at the virtualization level, I was told I could probably take it to the hosting provider.
pep.
Otherwise, if it's mistrust towards the provider, first I'm in a bad position, second, if I still want to do something about it, I guess LUKS on my rootfs with dropbear-in-initramfs would prevent "casual snooping". But protects in no way against a bit more elaborate "attacks"
pep.
(They have access to the virtualization software after all)
moparisthebest
pep., yea that's how my dedicated server in germany is set up, but it's really just to protect against the 'hard drives re-used without wiping' attack
jonasw
MattJ, thank you very much
jonasw
moparisthebest, did you get around to setting up your XEP-0368 test setup?
moparisthebest
nope, also need to revive that thread and try to get some type of consensus
moparisthebest
dino is still doing it wrong (imho), gajim just released 368 support but not sure if it's right or wrong :)
jonasw
what is "wrong"?
moparisthebest
trying first xep-368 record, failing to connect, not trying any subsequent record
jonasw
mmm
Zash
Does it work?
moparisthebest
in my specific case, the error it encountered was not-valid-xml, it gets HTTP back
jonasw
we have a PR for ALPN for aioxmpp, but I’m hesitant to merge it without testing.
Kev
'It compiles, ship it'.
jonasw
Kev, that’s a very very very bad idea for python code ;-)
Kev
Or in the case of Python, 'It commits, ship it'.
moparisthebest
jonasw, I can give you an account on my server, which requires alpn for ipv4 as the first SRV record, for informal testing
jonasw
moparisthebest, that would already be a good start.
Zash
'It turns into .pyc, ship it'
jonasw
send credentials to xmpp:jonas@wielicki.name. but don’t forget your privacy policy, I’m in the EU! ;-)
moparisthebest
oh right, well just tell me you aren't in the EU and I'll send you one :)
jonasw
I may or may not be in the EU.
moparisthebest
good enough for me, will send you one in a few :)
jjrh
google talk's xmpp support doesn't support message carbons does it?
moparisthebest
jjrh, I thought google completely turned off xmpp a couple months ago?
moparisthebest
but it never supported carbons anyway I think
jjrh
Nah you can still connect with username @ gmail.com
jjrh
(I just tested it today)
Zash
Federation is gone tho
moparisthebest
oh, so they just killed federation
fippo
zash: they closed port 5269?
Zash
fippo: Yup
Zash
Connection refused on all SRV targets
Zash
IIRC they gave out not-authorized errors just before that
fippo
so how long will it take them to remove the dns records...
Zash
ENOENT
Andrew Nenakhov
moparisthebest,
> oh, so they just killed federation
Curse their sudden but inevitable betrayal!
moparisthebest
well it hasn't worked acceptably for years so, meh
pep.
Andrew Nenakhov, it's not sudden, they announced it at the beginning of 2017, for late June 2017 iirc
Zash
Hasn't it basically been outdated since 2006?
fippo
zash: well, someone said "the future is jingle" in 2011
fippo
but these days the future is stun2, turn2 and rtp3
Andrew Nenakhov
pep.,
> Andrew Nenakhov, it's not sudden, they announced it at the beginning of 2017, for late June 2017 iirc
It actually dates much earlier. After Google announced Hangouts, they began gradually chopping off parts of xmpp functionality one by one over a period of more than 2 years.
pep.
Andrew Nenakhov: yeah but they officially announced it then
Andrew Nenakhov
Not really. They announced that 'nothing changes for current users', but it did, gradually.
I'd even call it death by 1000 cuts, because it was clearly done so as not to have another uproar like when they killed RSS Reader
Ge0rG
Maybe the responsible project lead was just promoted to greener pastures and the project fell victim to bit rot?
moparisthebest
that's the less cynical view
moparisthebest
I think what really happened is they wanted to lock users into their walled garden :P
Zash
Probably a bit of both.
Ge0rG
moparisthebest: yes, Google Management stated to lock in users some time around 2005. But I think there is still a large portion of CADT involved.
jonasw
you like that acronym, don’t you?
fippo
ge0rg: pah, getting rid of xmpp was clearly a technical decision because xmpp is based on http!
Ge0rG
jonasw: it perfectly fits how Google does IM.
jonasw
Ge0rG, to me, it feels more like what I’m hearing peripherally (I don’t follow sports, at all) about german football. Team didn’t perform for three weeks? Replace all training personnel and start over!
Ge0rG
jonasw: CADT as well.
Ge0rG
Except maybe for the higher age of the involved functionaries
Zash
define CADT?
fippo
zash: https://www.jwz.org/doc/cadt.html
fippo
zash: you might also want to read up on the kevlar-shitting spiders
Zash
Ah, yes
Zash
wat
moparisthebest
ah hadn't seen CADT before but I like it
jjrh
I don't think google turning off federation was to lock their users in - google doesn't have any issue with that.
jjrh
I think they mostly just didn't want to support XMPP. Probably turning off federation made sense since they didn't need to deal with that UI aspect.
jjrh
I'm guessing the majority of users didn't really use any of the federation stuff either.
jjrh
I never understood the google news reader thing though - A LOT of people used it, there were tons of apps that took advantage of the fact all your RSS subscriptions were on an account just about every android user has.
Andrew Nenakhov
Google Reader was good, but current Feedly is better. Though RSS seems to be on decline too, so many websites opt for this stupid telegram channels thing, locking themselves into yet another proprietary service
jjrh
The thing that was nice about google reader was you had a dozen or so apps that connected to google reader so you had a good amount of choice.
SamWhited
ooh, I haven't seen that one I don't think. I looked desperately for another feed reader that I actually liked after Google Reader shut down, but never found one and eventually gave up.
moparisthebest
tt-rss
moparisthebest
good web ui, and good android client
SamWhited
That would require that I do work.
moparisthebest
on the other hand, no one else can turn it off on a whim SamWhited :)
SamWhited
Don't care since I can export an OPML bundle
Zash
I used liferea back in the day
SamWhited
Also, even if I wanted to self host I'm not running PHP on my server.
jonasw
good choice.
jjrh
Yeah there are a few other 'self hosted' choices https://github.com/Kickball/awesome-selfhosted#feed-readers
Zash
Now I just randomly go to sites when I remember them. Or I hear about stuff because people link to things.
SamWhited
Can liferea sync to some sort of backend and stay in sync with a mobile version? That's basically my only requirement (that and I don't want to host whatever that backend is)
Zash
Never got why it had to be a fkn web service
Zash
SamWhited: I have no idea that was even a thing people did
* waqas mumbles something about webscale
jjrh
Feedly is probably what you want - it has a web reader and an android app
SamWhited
Oh yes; I don't care if it's a desktop app or a webapp as long as I can read stuff on the bus and not have to figure out what I'd already read later.
SamWhited
Feedly does look like what I was looking for at the time; I might give it a shot.
jjrh
What drives me nuts is so many sites don't actually post the whole article in the RSS feed.
SamWhited
Ooh yah, that always annoyed me
Zash
Reading on a bus seems like a recipe for feeling sick
jjrh
it's like a 2 line sentence with a link to the website - and I mean the whole point is I want to read the article in the rss reader optionally offline.
SamWhited
Doesn't bother me unless it's one of the big commuter busses
moparisthebest
tt-rss lets you write plugins to go to the website and grab the whole article anyway jjrh
moparisthebest
because yes, that's obnoxious
jjrh
That's nice.
Zash
It's probably all just fake news anyways!
SamWhited
Liferea looks nice, but doesn't appear to sync to anything, sadly :(
jjrh
Fake news is still news because people believe it's news and that's relevant
SamWhited
That's why I only subscribe to The Onion.
jjrh
I mostly read about Canadian politics and no one cares about Canada enough to create a fake news conspiracy about us
Andrew Nenakhov
> it's like a 2 line sentence with a link to the website - and I mean the whole point is I want to read the article in the rss reader optionally offline.
Websites need eyeballs to show ads. So it's understandable, but is still a nuisance
jjrh
In some cases - in many others I think they just don't have a clue.
jjrh
but unfortunately for them, google doesn't care about their ad dollars and scrapes their site with their 'newsstand' app or whatever it's called.
jjrh
some newspaper sites that have the 'you can read 2 articles for free then you gotta pay' thing are totally defeated by this.
Ge0rG
Some of the paywall sites also allow you to read stuff if you come from a social network referrer
SaltyBones
dafuq xmpp? somebody just sent a message without a username to a muc ..by accident!