-
edhelas
https://techcrunch.com/2018/04/07/rss-is-undead/
-
edhelas
> I think the solution is a set of improvements. RSS as a protocol needs to be expanded so that it can offer more data around prioritization as well as other signals critical to making the technology more effective at the reader layer. This isn’t just about updating the protocol, but also about updating all of the content management systems that publish an RSS feed to take advantage of those features.
-
edhelas
Pubsub :-° ?
-
Andrew Nenakhov
I've read that article in my RSS reader. To me, RSS is pretty much alive.
-
edhelas
Andrew Nenakhov don't wanna use Pubsub :D Movim is my news reader B-)
-
edhelas
https://nl.movim.eu/?node/news.movim.eu/TechCrunch
-
jonasw
GDPR meeting in 5
-
jonasw
according to my clock and calendar at least
-
winfried
jonasw: according to mine too ;-)
-
jonasw
neat.
-
jonasw
pep., Ge0rG, you there?
-
Ge0rG
jonasw: kind of
-
Ge0rG
I fixed my poezio, but this is still the worst monday I've had this year
-
jonasw
yet.
-
Ge0rG
right.
-
jonasw
Ge0rG, set up a disk quota for your borg things so that they can’t eat all the disk space.
-
jonasw
disk quotas aren’t deep magic
-
Ge0rG
jonasw: good point. But then I couldn't prune the old backups any more because pruning would exceed the quota
-
jonasw
also allows you to disable/unset the quota while pruning when you need that
-
jonasw
it’s all a matter of invoking edquota and increasing the limit temporarily :)
-
Ge0rG
I didn't even anticipate the backups to grow that large.
-
jonasw
or maybe use that cuteborg alpha software which schedules prunes automatically. (shameless plug)
-
pep.
My computer has decided to be angry at me this morning, should be here soon
-
jonasw
okay, now I’m getting wary, why hasn’t any of my stuff failed today.
-
winfried
bad digital karma today, what did we do to our computers to make them so upset?
-
pep.
made it!
-
jonasw
\o/
-
jonasw
I’m not up for chairing or anything, having mild headache.
- winfried bangs a gavel and looks around in mild bewilderment, what to do now?
-
pep.
!
-
winfried
Would it be ok, to slowly progress through the list at the wiki?
-
jonasw
seems good
-
pep.
Ah I haven't updated with last week's
-
Ge0rG
Yes please
-
winfried
Ge0rG: you mentioned there are discussions about ip-addresses being pii or not, maybe we should settle that one first
-
Ge0rG
winfried: I don't think we should.
-
jonasw
I don’t think that’s useful.
-
pep.
Can _we_ settle anything?
-
winfried
ok, we don't settle it ;-)
-
Ge0rG
winfried: in our context it's best to consider them as PII
-
jonasw
first, what pep. says, lots of lawyers have been fighting over that already before the GDPR, and second I think that would let us lose ourselves in details.
-
Ge0rG
winfried: my point was just to show the ambiguity of the legal framework
-
winfried
Ge0rG: clear and good course of action
-
winfried
Q1.1d, do we dig into that one further?
-
Ge0rG
For the logs and newcomers: https://wiki.xmpp.org/web/GDPR
-
Ge0rG
winfried: I think we weren't done with 1.1c for s2s
-
winfried
ok, 1,1c it will be
-
pep.
I want s/Archiving/user content/ on the notes to make it just like the others✎ -
pep.
I would s/Archiving/user content/ on the notes to make it just like the others ✏
-
Ge0rG
Yes please
-
winfried
+1
-
Ge0rG
We are also lacking logs of 1.1b s2s in the wiki
-
pep.
yes, let me put last week's in there
-
Ge0rG
Maybe somebody could paste from the minutes
-
Ge0rG
So that we can proceed from there
-
winfried
maybe it is good to make clear: transfer itself is a processing, but needs explicitation about what data is transferred, what processing is done on the other side and with what purpose...
-
jonasw
can we know the processing on the other side, really?
-
jonasw
since there’s no contract or something which would be binding for the other side.
-
pep.
I don't think we can
-
jonasw
they could store the message forever even without advertising MAM
-
pep.
I think we'd best assume the worst once the messages are gone over s2s
-
jonasw
yes. the question is: how do we tell the users?
-
pep.
Just as I did? :/
-
winfried
maybe we can define a xep & service discovery that just says: this server keeps to these rules....
-
jonasw
and how do we tell the users in a way that they can give consent properly, and don’t wander off to silo services?
-
jonasw
winfried, hmm, you mean the GDPR-policy-XEP pep. wanted to write for c2s could be used for s2s too?
-
jonasw
interesting.
-
jonasw
question is, would a user still have to consent for each remote domain?
-
pep.
Also, I trust my own server, I'm not sure I trust many others
-
Ge0rG
jonasw: I tend to slightly disagree
-
winfried
jonasw: think that in many cases it doesn't, but it is our task to find out
-
jonasw
Ge0rG, with what exactly? I think I mostly asked questions at this point :D
-
Ge0rG
as winfried said last time, this is handing off of data to another controller. The other controller is also bound by GDPR rules, so they can't just do anything they want with the data. In theory
-
winfried
pep.: yeah, we move to the delicate field legal trust...
-
jonasw
Ge0rG, sooo... if one federates with servers which have users which are inside the EU you’re under GDPR?✎ -
jonasw
Ge0rG, sooo... if you federate with servers which have users which are inside the EU you’re under GDPR? ✏
-
Ge0rG
What I'd like to know more about is whether we need some explicit legal framework for handing off data, or if this is covered by the user's implicit consent of wanting the message delivered
-
Ge0rG
jonasw: basically, yes.
-
jonasw
neat
-
jonasw
so everything is under GDPR now.
-
Ge0rG
jonasw: as if it wasn't before
-
jonasw
yeah, with "now" I mean "when it takes effect"
-
Ge0rG
winfried: I suggest we have a look at the "incoming s2s" situation first, and then try to reverse the approach for "outgoing"
-
winfried
Ge0rG: smart!
-
Ge0rG
obviously, with incoming s2s we are already required to be GDPR compliant.
-
winfried
Ge0rG: if you are situated in the EU or if you are targeting EU users
-
Ge0rG
We receive data via s2s (s2s meta-data, user content, user meta-data), and we are kindly asked to process that data in some way that was implied by the user
-
Ge0rG
winfried: s/targeting/not explicitly blocking/ ;)
-
winfried
Ge0rG: hmmm... my reading up to now was targeting, but that maybe the old legal framework....
-
jonasw
you can’t block EU users s2s-wise
-
jonasw
but also you can’t really target EU users s2s-wise
-
jonasw
so I’m like 😕
-
pep.
jonasw, not like it's impossible
-
Ge0rG
winfried: targeting is implied if you don't exclude them explicitly, AFAIU
-
Ge0rG
winfried: but back to the topic.
- winfried is diving in his bible
-
pep.
When does a service become "accepting EU users" exactly? Say as an EU citizen I go to a Japanese website, with their server located in Japan, there's no GDPR applying, is there?
-
pep.
(I'm here to ask the dumb questions)
-
Ge0rG
I'd say that processing of received data is covered by Art6 1.f "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party" - the legitimate interest is to deliver the message to the appropriate user
-
jonasw
if LQ1 evaluates to "yes", it’s more tricky than that though
-
winfried
We are moving a bit forward and backward through the topics...
-
Ge0rG
This means two things basically: a) we are allowed to do everything appropriate to deliver the content; b) we are not allowed to do anything that's not directly required for that
-
jonasw
winfried, okay, where were we?
- Maranda processing hints mandatory *coughs*
-
Ge0rG
GDPR hints.
-
pep.
Maranda, we can see for technical details later
-
winfried
1.1c s2s wasn't it?
-
Ge0rG
winfried: yes please
-
winfried
incoming and outgoing
-
winfried
incoming
-
winfried
- store in roster of peer
-
Ge0rG
We should cover each one of these:
  s2s meta-data (IPs, hostnames, sessions, server logs?) - GDPR probably doesn't apply
  user meta-data (presence, subscriptions, message routing)
  user content (messages, pubsub, etc.)
  MUC history, MUC MAM
  Remote components (e.g., roster management)
-
winfried
Ge0rG: yes that was what I was looking for
-
Ge0rG
s2s meta-data: R49 if at all
-
jonasw
user metadata:
  minimal: forwarded to receiving users connections
  typical: stored while receiving user is online (to avoid having to send out probes for new resources)
-
Ge0rG
jonasw: subscription requests and roster info is stored
-
jonasw
Ge0rG, that’s content though?
-
jonasw
from the categories in Q1.1b
-
pep.
(update the wiki I added 1.1c from the minutes)
-
Ge0rG
jonasw: ah, right
-
jonasw
user content:
  minimal: forwarded to receiving users connections if online; storage of roster-related things with account.
  typical: minimal + offline-storage if offline or even MAM for undefined period of time for messages
-
Ge0rG
I'm not sure if A in user B's roster is subject to user B's privacy laws, user A's or both'.
-
jonasw
probably mostly B
-
winfried
yes
-
jonasw
I can have you in my phone book and you can’t force me to erase that, I think, due to private use.
-
winfried
but the transfer to jurisdiction B is a processing
-
Ge0rG
jonasw: but I can get you fined if you upload my phone number to whatsapp.
-
jonasw
Ge0rG, yes.
-
pep.
Which is what's happening here
-
jonasw
Ge0rG, but the roster is my phone book in this case.
-
pep.
Well not whatsapp
-
Ge0rG
jonasw: so maybe I can also get you fined if you store my JID and name on your server?
-
jonasw
mmm
-
pep.
Ge0rG, so what do you propose? When a user calls for their right to erasure, that's propagated to every other server? And they magically disappear from everybody's roster at the same time?
-
winfried
no, when I am uploading pii of somebody else to a server without consent from that somebody I can be fined. Not because of that server but because of the uploading
-
jonasw
sooo..... spammers are in violation of the GDPR?
-
winfried
s/consent/ground for processing/
-
jonasw
because they upload my email address to some server?
-
winfried
jonasw: yes
-
pep.
That wouldn't really surprise me
-
pep.
It's not like they weren't already in violation of any other laws
-
Ge0rG
we have two s2s data specials not yet covered in 1.1c:
  - MUC (is that different from plain s2s?)
  - remote roster management
-
jonasw
hm, delivering a message is probably "ground for processing"
-
winfried
jonasw: it is needed for delivering a service you have agreed to (or not, in the case of spam)
-
jonasw
I think for (semi-)anonymous MUCs, we really need to show users a message that the MUC is anonymous and they have to assume that all messages are public?✎ -
jonasw
For (semi-)anonymous MUCs, do we need to show users a message that the MUC is anonymous and they have to assume that all messages are public? ✏
-
pep.
What about adding 170 when MAM MUC is enabled
-
jonasw
because we can’t have any type of s2s-consent in that case because we don’t know to which domains the messages may go
-
jonasw
pep., mandatory, IMO
-
pep.
worksforme
-
pep.
I asked something similar on jdev@ not so long ago
-
pep.
And I think maranda also did talk about that
-
Maranda
👌🧝♂️
-
jonasw
the exact definition is:> Inform occupants that room logging is now enabled✎ -
jonasw
the exact definition is:
> Inform occupants that room logging is now enabled
which fits this use-case exactly. ✏
-
jonasw
(note that it does not include "public")
-
jonasw
(we might want to have a different status code for *public* logging)
-
jonasw
(as opposed to members-only MUC MAM access)
-
Ge0rG
jonasw: MAM is subject to the same rules as room access
-
Ge0rG
in theory.
-
jonasw
Ge0rG, yes.
-
Maranda
Gajim does exactly that for status 170/171 without making dumb distinctions
-
Ge0rG
I wouldn't be surprised if some implementations make MAM access public ;)
-
winfried
so a possible processing may be "publicising the MUC logs on different channels or to non-members"? (bringing it back to 1.1c)
-
jonasw
winfried, yes.
-
Maranda
Aka just "room logging" enabled/disabled
-
pep.
Nothing prevents a muc owner from changing the member-only policy though, and suddenly everything that's been said before is public
-
Ge0rG
pep.: nothing prevents a muc owner to publish their local log of the MUC in the New York Times
-
winfried
maybe some laws prevent that?
-
Ge0rG
I would consider that all these deliberate actions by a MUC participant to leak data fall under their respective responsibility
-
jonasw
winfried, one processing is at least "store the whole conversation on the MUC service"
-
Ge0rG
and not under "s2s data processing"
-
jonasw
+1 Ge0rG
-
winfried
+1
-
pep.
k
-
Ge0rG
so it's "store on the service and make it available to room members"
-
winfried
and it /may/ be also publishing it
-
jonasw
I’d like to have a status code for that, btw
-
jonasw
because that could save us from 9.1 trouble (there’s something about "manifestly made public" in there, and if we can get clients to show "THIS ROOM IS PUBLICLY LOGGED", we’re out of trouble there I think)
-
jonasw
do we have a technical ToDo list?
-
winfried
jonasw: not yet ;-)
-
pep.
Can make one
-
jonasw
pep., that’d be great
-
pep.
I can add EULA XEP in there :x
-
jonasw
I wouldn’t act on this right away, but instead keep it a WIP until we figure that we really need it.✎ -
jonasw
I wouldn’t act on the ToDo list right away, but instead keep it a WIP until we figure that we really need it. ✏
-
winfried
(BTW one of my cats is hunting my physical mouse, the other one the cursor on the screen, am a bit distracted)
-
winfried
jonasw: +1
-
pep.
jonasw, the status code you're talking about is 170 or similar right
-
jonasw
pep., yes
-
jonasw
winfried, pics or it didn’t happen ;-)
-
winfried
jonasw: my cats have their privacy, I am not publishing them on the internet!
-
pep.
So.. what do we have atm, 1.1c S2S is split in two,
-
Maranda
And attach those to the Meeting Minutes.
-
Maranda
(cat pictures)
-
Ge0rG
Don't forget remote roster management. It's technically well designed, so no problems there, but we need to mention it
-
winfried
Ge0rG: +1
-
pep.
Ge0rG, what about it
-
winfried
it is a nice example of privacy by design, but it is a possible processing of the s2s case
-
winfried
thinking about it, it is also a processing of the c2s case...
-
winfried
we need to list it and mention it is covered by explicit consent
-
jonasw
RRM is really good, taking a look at it for the first time now
-
pep.
I'm not sure I get all these comments. How is it privacy by design
-
pep.
What changes from normal roster management
-
jonasw
except that it has XMPP-technical flaws
-
jonasw
pep., the roster is managed by an entity which may be outside the domain of the user
-
jonasw
read-write
-
pep.
jonasw, yeah I get that, so it's worse possibly
-
pep.
I mean GDPR-speaking
-
pep.
Than normal c2s
-
jonasw
pep., but the entity has to ask permission and it gets only the roster entries related to their own domain, so that’s neat
-
winfried
it is privacy by design because the spec demands explicit consent
-
winfried
I lost my overview over 1.1c
-
winfried
have we covered the s2s cases there?
-
pep.
jonasw, I see
-
pep.
just inbound?
-
pep.
And even then I'm not sure
-
Ge0rG
winfried: I think so
-
Ge0rG
the difference to c2s is probably that there are different retention times for data, and no explicit consent from the user
-
Ge0rG
oh, there is also the "transport component" use case
-
jonasw
mmm, a whatsapp transport <3
-
jonasw
for super fubar
-
Ge0rG
If I register with icq.evildomain.com, it will store/process my ICQ credentials
-
winfried
Ge0rG: that is an interesting one
-
pep.
Isn't that another normal s2s case?
-
jonasw
credentials, right
-
pep.
"We don't know what can happen on the other side"
-
winfried
pep.: that one is
-
pep.
And they won't get more than what we give them
-
winfried
but whatsapptransport.trusteddomain.com is different
-
jonasw
I wonder if we want a way to give consent to the processing done by an s2s domain. then there could be something pubsubby where clients can query which s2s domains the user consented with and show that in the UI. warn the user when sending a message to a non-consented domain with "review the privacy policy" and offer doing the in-band consent thing as per the EULA XEP.
-
winfried
because trusteddomain is transferring it to a third server
-
jonasw
fwiw, I’m going to head out in four minutes.
-
pep.
How long do you want to go btw?
-
pep.
jonasw, I see value in that, I'm not sure it's not going to be an annoying process though
-
pep.
It's the annoying "yes I agree" that everybody is going to overlook in the end
-
jonasw
could be simplified in the UX of course, but technically we might need something like that
-
jonasw
and the server could even block stanzas to non-trusted s2s domains in strict deployments.
-
winfried
maybe set a next session? Maybe we should wrap up this one and move on to the interesting stuff....
-
pep.
yep
-
pep.
Date of next?
-
jonasw
following weeks this time won’t work for me
-
jonasw
(I know I’m special with scheduling and I’m sorry)
-
pep.
I can do any
-
Ge0rG
winfried: actually I'd argue that a remote transport is subject to a direct relationship with the user as a data controller
-
Maranda
Can I make an addition to s2s message processing? If hints are made mandatory that could pose a disclaimer caveat, in which if a user doesn't give explicit consent to treatment by a remote entity and I flagged all messages with "no-store" or "no-permanent-storage" it could be argued the responsibility falls directly on the 3rd uncompliant party
-
pep.
Tomorrow? Wed 12:30 or 13:30CEST? (like before)
-
Maranda
Because that'll be an impeding problem for sure
-
jonasw
pep., tomorrow is Tue in my calendar
-
jonasw
Wed won’t work for me
-
pep.
jonasw, yes it was two questions :p
-
jonasw
I’d prefer the time we did today actually, I can arrange that any day except mondays.
-
winfried
both work for me
-
pep.
If same time, I can't do Tue/Thu
-
jonasw
(and wednesdays, sorry)
-
jonasw
but 12:30 CEST also works, except on wednesdays
-
pep.
Tue 12:30CEST then?
-
jonasw
wfm
-
winfried
wfm
-
Ge0rG
wfm
-
jonasw
\o/
-
pep.
*bang*
-
jonasw
okay, gotta head out, see you folks
-
winfried
cu!
-
winfried
thanks
-
pep.
I need my coffee now
-
pep.
You guys caught me early
-
winfried
pep.: :-D
-
winfried
pep.: are you taking notes/logs again? maybe coordinate who puts them in the Wiki
-
pep.
I'll try to come up with the minutes before noon
-
pep.
If you can put that on the wiki that'd be great :p
-
winfried
I'll try, won't be home from work meetings till 0:30 today, but I will have some time in trains...
-
Ge0rG
trains. The place where you can work on the really important things, while telling your employer that you were too tired to do the after-meeting reports.
-
winfried
Ge0rG: watch out, this MUC has a public log :-D
-
daniel
> trains. The place where you can work on the really important things, while telling your employer that you were too tired to do the after-meeting reports.
Trains. Those things that don't run if there is a signal failure. Whatever that means. A rat bit through a cable maybe? Because apparently something as important as signals doesn't have redundancy
-
Ge0rG
winfried: my employer isn't paying overtime. Sometimes I have days when I need to get out of bed at 4AM, have some 12hrs of train time with a business meeting in the middle. They can't expect me to work 16hrs ;)
-
Ge0rG
daniel: the most frequent cause of delay at Deutsche Bahn is copper theft, I've heard.
-
Ge0rG
https://www.n-tv.de/panorama/Kupferdiebe-kosten-Zeit-und-Geld-article10436256.html
-
winfried
daniel Ge0rG here in the Netherlands it is / was a major cause for delays too. They do have more theft-proof infrastructure nowadays
-
Ge0rG
winfried: do you have any news regarding the 112 app?
-
Maranda
And from my point of view, after glancing at it, GDPR is made to "make it impossible" for complex decentralised environments to exist, so whatever will be done here will be for naught beside that when a user registers he'll get a message stating "do you give consent to treatment of your data by third parties", "I give consent" == s2s enabled, else s2s disabled.
-
Maranda
Fin.
-
Ge0rG
Maranda: your point of view is cynically pessimistic.
-
Ge0rG
Like with the cookie directive. The intention was to inform users and to allow them to opt out. Then it was perverted by the "content providers" to blame the EU
-
Maranda
Ge0rG: too bad that it looks to me that for what we could ever attempt to do to be compliant, due to the nature of xmpp we could never fully be.
-
Maranda
But we will see as usual
-
winfried
Ge0rG: yes, I have the interview done and a concept-blog, still working on the whitepaper. They have to check with their security persons I don't publicise any confidential information before I can show you the results
-
Ge0rG
winfried: I'm a security person. I can do a closed-group review ;)
-
winfried
Ge0rG: :-D
-
winfried
Ge0rG: I got a fascinating insight in the world of Belgian organisation and security. I can already reveal the organisation operating *all* of the telecom infrastructure in Belgium has more firewalls than employees ;-)
-
winfried
(all of the governmental telecom infrastructure)
-
Ge0rG
winfried: that sounds like much better data hygiene than T-Mobile Austria
-
jonasw
> winfried: my employer isn't paying overtime.✎ -
jonasw
> winfried: my employer isn't paying overtime. […] have some 12hrs of train time with a business meeting in the middle.
Ge0rG, you’re not good at advertising. ✏
-
Ge0rG
jonasw: my employer will gladly pay for the hotel room so you can arrive on the day before and have a pleasant day on site. I just prefer to sleep in my own bed.
-
jonasw
I hate hotels, exactly.
-
Kev
I often take my own pillow with me when I go to the office, if I'm driving (not so much with carrying it on the train).
-
Ge0rG
I don't hate them. I just love to sleep at home
-
jonasw
Ge0rG, yeah, that’s what I meant.
-
jonasw
also see what I wrote in the other muc.
-
Ge0rG
I'm still catching up with last night.
- jonasw imagines Ge0rG MAM-syncing into his head
-
winfried
Ge0rG: I was pretty impressed with the data infrastructure they are using, they even build a (rudimentary) application firewall for XMPP!
-
jonasw
does conversations get consent from the user for using google cloud push? :)
-
jonasw
okay, so since I have merge powers, I need advice on what to do with this: https://github.com/xsf/xmpp.org/pull/425
-
jonasw
I was actually happy that pidgin dropped off the list and was silently hoping that it wouldn’t re-appear.
-
jonasw
but apparently that didn’t happen
-
jonasw
so what to do now?
-
jonasw
possibly a question for board
-
Ge0rG
jonasw: the right way would be for the Board or some other Official Entity to say "no" to this request. The loophole workaround would be to reject the PR until it's vouched for by an identified pidgin developer
-
jonasw
Ge0rG, maybe you should add your "ceterum pidgin delendam esse" to board agenda instead of council ;)
-
Ge0rG
jonasw: I don't have the power to add things to Board's agenda
-
Ge0rG
jonasw: and I don't have the karma either. Whatever I wanted from Board so far was vetoed.
-
jonasw
Ge0rG, ask Guus or MattJ to add "Vote for elimination of all pidgin references from xmpp.org" to it :)
-
jonasw
Ge0rG, the laws of probability say that this time it’ll work!!k✎ -
jonasw
Ge0rG, the laws of probability say that this time it’ll work!!1 ✏
-
flow
Ge0rG, I note that there is a carbons plugin for libpurple: https://github.com/gkdr/carbons
-
jonasw
plugins for libpurple are always good.
-
jonasw
they rarely break anything or introduce security issues or something like that.
-
Ge0rG
flow: do you want to explain to my aunt how to install it?
-
Kev
BTW, I think the easiest way to (potentially) resolve the Pidgin thing is to ask the project if they mind not being listed.
-
Kev
If they say "Yeah, that's fine, it's not very current", there's no need to make difficult decisions.
-
jonasw
Kev, they made a release a few weeks ago
-
Kev
Does that contradict anything I said? :)
-
jonasw
dunno
-
jonasw
I’m not awake.
-
Ge0rG
Kev: the easiest way is to require somebody from the project to raise their voice in that PR.
-
Ge0rG
Kev: which is even less work than asking them, and which is what I implied in my PR comment and described above as a "loophole"
-
Maranda
So, dead-end for GDPR is.. 25th May again?
-
jonasw
yeah
-
jonasw
towel day
-
Maranda
And I see Ge0rG with an avatar feels strange compared to the usual "G"
-
Maranda
jonasw, ok I suppose I'll go with my cynical, pessimistic idea, until I see more definite developments.
-
Maranda
(which I do not)
-
Ge0rG
Maranda: I suppose I need to restart prosody to get rid of it.
-
Maranda
Ge0rG: oh?
-
Ge0rG
Dave Cridland: I'd like to put up "kill GC1.0" onto the Council agenda for this week. I've collected some numbers, and I'll write a mail if I manage somehow.
-
Ge0rG
I'm also sure there was some other thing I promised / intended to PR.
-
Ge0rG
https://arstechnica.com/tech-policy/2018/04/hours-after-zuck-deletion-scandal-facebook-announces-new-unsend-feature/ - this totally triggers the GDPR
-
Ge0rG
"You can't delete sent or received messages from someone else's device." -- unless you are Mark Zuckerberg.
-
Andrew Nenakhov
What's next, unsend email? 😂
-
Andrew Nenakhov
I always thought that features like last message correction are just silly
-
Ge0rG
Andrew Nenakhov: that's old. https://support.office.com/en-us/article/recall-or-replace-an-email-message-that-you-sent-35027f88-d655-4554-b4f8-6c0729a723a0
-
Ge0rG
LMC is utter shit.✎ -
Ge0rG
LMC is actually useful in most cases. ✏
-
MattJ
/load display_corrections
-
Andrew Nenakhov
Ge0rG,
> Message recall is available after you click Send and is available only if the recipient has an Exchange account within the same organization.
Not really working in federated environment
-
Ge0rG
Andrew Nenakhov: tough luck.
-
Zash
I motion that we all get ice cream! (everyone says +1) /correct I motion that we do evil things!
-
Maranda
Ge0rG sucks.✎ -
Maranda
toads. ✏
-
Maranda
🤔
-
Ge0rG
so.... everyone licking ice cream, except for Maranda who's licking toads?
-
Maranda
Ge0rG, who knows maybe they'll turn into something else, or kill me, or both.
-
waqas
I haven't had ice cream in days…
-
Andrew Nenakhov
I get a feeling that xsf has entered a steep decline
-
Ge0rG
I have a fridge full of ice cream at my old home, and no sensible logistic way to get it into the new home.
-
Ge0rG
Andrew Nenakhov: the xsf MUC is not representative of the XSF.
-
waqas
Ge0rG: "sensible"
-
Maranda
Ge0rG, it's not?
-
Maranda
:O
-
Ge0rG
Andrew Nenakhov: the only decline the XSF is facing is that of available time of its members.
-
Maranda
Disclaimer 😚 ™
-
Maranda
:P
-
jonasw
I just came back from having ice cream.
-
jonasw
that’s relevant, r ight?✎ -
Zash
/topic Ice Cream
-
jonasw
that’s relevant, right? ✏
-
Ge0rG
Luckily there is no XMPP off-topic MUC.
-
jonasw
/topic Chips
-
Ge0rG
Damn, I'm hungry. Only had some waffles for breakfast and no lunch. Time to make a break
- Maranda poked out a "pessimistical" mod_gdpr.
- Maranda commits.
-
moparisthebest
what does it do?
-
moparisthebest
guess I could just peruse code...
-
Maranda
for now just disables s2s if you don't agree to conditions and 3rd party treatment of your data.
-
lovetox
if a XEP says stuff like : Given the foregoing discussion, it is evident that an entity could receive any combination of iq:register, x:data, and x:oob namespaces
-
lovetox
then I know I'm in for a lot of fun
-
moparisthebest
what are email providers doing with their identical S2S problem?
-
Maranda
https://github.com/maranda/metronome/blob/6044add55d8acfef86f4210ceae27cd6ca178a3f/plugins/mod_gdpr.lua --> completely untested, though it should be portable to Prosody easily enough.
-
jonasw
moparisthebest, nobody knows
-
jonasw
moparisthebest, but the expectations might be different for email which might be relevant for law stuff
-
moparisthebest
why would expectations matter? they are 100% identical as far as I can tell
-
jonasw
moparisthebest, I’m not sure. people might not expect their IM to be stored indefinitely on some server. for mail, this might be different.
-
moparisthebest
why? maybe they think everyone uses pop3 and has the 'delete from server' box ticked?
-
Zash
moparisthebest: wasn't the box for "don't delete from server"?
-
moparisthebest
depends on the client I guess :)
-
moparisthebest
I'm just saying from a technical perspective, with regard to s2s issue, email and xmpp are identical, and since email is far more widely used by much bigger companies, I feel like we should just see what they are doing
-
Maranda
Identical me... thinks not.
-
Maranda
Comparing mail data with a xmpp s2s stream is weird at best.
-
Maranda
One it's just a single envelope the other... is... a stream? With potentially much more data passing by.
- Maranda mutters says the word.
-
moparisthebest
Maranda, sorry, how is it not identical?
-
Maranda
I just said.
-
moparisthebest
you send individual messages to a federated server
-
moparisthebest
they may or may not keep them
-
moparisthebest
the 'potentially more data' seems totally wrong too
-
Maranda
You just send individual messages? Oh rly?
-
moparisthebest
how often do you send/receive xmpp messages with 25mb attachments sent with bob or whatever :P
-
jonasw
I tend to agree that they’re pretty much identical regarding the data which passes.
-
moparisthebest
that happens regularly with email
-
Maranda
I repeat "You just send individual messages? Oh rly?"
-
moparisthebest
yes, both email and xmpp just send individual messages, right?
-
Maranda
Hmmm nay, but okay.
-
moparisthebest
Maranda, how do you think they are different? because xmpp often sends multiple messages over a single connection?
-
moparisthebest
because smtp does that too, and so does imap, pop3, etc
-
Maranda
<incoming-routed presence="2078391" message="644568" iq="1050302"/> <outgoing-routed presence="428397" message="152432" iq="985607"/>
- Maranda coughs.
-
moparisthebest
that's 2 messages I guess, still not getting the point
-
Maranda
.
-
SamWhited
Please try to explain with words and not just examples, because I don't understand what you mean either.
-
Maranda
I don't think I have to explain XMPP (says even just XMPP) isn't just about messages, and you don't send exactly just messages actually you send much more of the other two.
-
Maranda
And there's a lot of data in *those two*
-
moparisthebest
when you boil it all down though, it's just message passing
-
Maranda
if you say so.
-
moparisthebest
are you saying you also send presence and things?
-
moparisthebest
how is that different than an email like 'hey, I started work today' or whatever
-
Maranda
Maybe I don't operate the sending directly which poses *much* of a difference compared to e-mail since those are completely (or almost) abstracted from users UI wise
-
Kev
I think when you're potentially talking about clients broadcasting your current location to all of your contacts, or whether you're WFH or in the office, that *is* a different use case than email.
-
Maranda
and still for GDPR we have to take that data/meta-data in account
-
Maranda
so if you keep saying xmpp is like e-mail okay.
-
moparisthebest
ok, so you are saying extra types of data get sent with xmpp without user intervention than email?
-
moparisthebest
*that's* an argument I can follow
-
moparisthebest
still, I believe normal message sending should be the same as email, so we could copy email providers for that, and maybe your mod_gdpr could just filter everything but normal messages or something?
-
jonasw
... except that lots of stuff doesn’t work with only normal messages.
-
jonasw
like OMEMO.
-
Maranda
mod_gdpr blocks everything going s2s, before user consented to the agreement and mainly 3rd parties treatment of his data passing by s2s.
-
jonasw
how does the user consent, and which agreement?
-
moparisthebest
yep, but perhaps you can sort some things out to what leaks (meta)data or not
-
Maranda
https://github.com/maranda/metronome/blob/master/plugins/mod_gdpr.lua#L19
-
Maranda
jonasw, ^
-
Ge0rG
Maranda: you need to gain consent for each individual s2s domain, and link to their respective data privacy policy.
-
moparisthebest
that seems utterly impossible Ge0rG
-
Maranda
Ge0rG, do I? Me thinks that the above is legally valid.
-
Ge0rG
Also, I don't understand how email and xmpp are different either, from a data protection / data retention point of view
-
jonasw
.oO(plot twist: user is currently negotiating for a power exchange relationship and replies with "I consent" to the wrong message.)
-
jonasw
Maranda, I don’t think that works either. you need to make the user aware of the specific data and metadata which may be sent to the remote domain.
-
jonasw
users might not be aware that the timestamp of their last online presence would be shared for example
-
Maranda
Ge0rG, it's implicit that if a from capuleti.is user chooses to have a contact to romeo.is then whatever data gets shared with romeo.is is *his/her sole* responsibility and that the data going to romeo.is will be treated by romeo.is
-
Maranda
jonasw, that is already done by the ToS
-
jonasw
Maranda, which ToS?
-
Maranda
The one which I'll add options to add you can't cover everything In-Band, else I need to send a never ending wall of text.
-
jonasw
that’s why we were discussing the EULA XEP
-
Maranda
jonasw, which brings to the problem good luck getting every implementation and especially every server federating to be compliant by the 25th.
-
moparisthebest
yea that's really insane
-
moparisthebest
shouldn't it, at most, be an explanation of federation?
-
moparisthebest
(if you send something to bob@example.org refer to example.org for how they manage your data)
-
moparisthebest
again, what are email providers doing? they won't be doing 'federated eulas' I can almost guarantee
-
jonasw
moparisthebest, true, but they may be gambling on the fact that nobody is going to risk to burn down all of email with a lawsuit.
-
Maranda
Problem is that the deadline is too near now we should have moved as soon as GDPR got out in 2016 imho
-
jonasw
yeah
-
moparisthebest
that's a fine bet for my personal email, but gmail/hotmail surely would just have to pay Germany a few trillion dollars or something
- Maranda didn't even know about it before just recently.
-
moparisthebest
and they've surely had lawyers on this for years?
-
moparisthebest
federated EULAs sound like a friggin nightmare too
-
moparisthebest
"XMPP sucks so bad, I need a lawyer every time I have to add a new contact"
-
Zash
What about plain ol' IP routing?
-
Maranda
but still as soon as there's a draft of "EULA" xep I'll link to that jonasw (obviously)
-
moparisthebest
that's true Zash , every IP/port combo needs another EULA, also from every switch/router along the way, right?
-
Zash
Yes
-
jonasw
Zash, yeah
-
moparisthebest
I think even the concept of a EULA xep is a terrible idea for the above reason
-
moparisthebest
if widely implemented, it'd kill xmpp
-
jonasw
I was thinking about that too during the last meeting. I wonder if we’re colossally missing something here.
-
jonasw
moparisthebest, fundamentally, the EULA XEP was meant not for federation but for in-band registration
-
moparisthebest
does anyone know anyone that works at gmail or hotmail or something?
-
jonasw
unfortunately not
-
moparisthebest
jonasw, ah well for in-band registration it's a good idea, it's just a terrible idea for federation
-
Maranda
an EULA xep could not need implementation
-
Maranda
if it's just a descriptive xep
-
Maranda
like what data types are there, how to act in case of data transiting from a to b, who to contact in that case, who is responsible of what when etc.
-
Maranda
there's a fair amount of documents like that XEP wise
-
jonasw
Maranda, the idea was to have an additional IQ exchange before/during registration, where the key points of a GDPR-EULA (e.g. retention times, data which is persisted/not persisted ,…) is presented as structured data (XML). this allows clients to format the key points neatly. in addition, the full terms can be provided via one or more URLs.
-
moparisthebest
and then you've made the protocol user-hostile for what some non-lawyers think some lawyers wrote in a jurisdiction that controls a small fraction of the internet
-
moparisthebest
sounds like a terrible plan
-
Maranda
Which is good if the deadend wasn't in a month and a half
-
jonasw
moparisthebest, how is that user-hostile?
-
Maranda
Or less
-
jonasw
I think being aware of what the service does with your data is very user-friendly.
-
moparisthebest
jonasw, "XMPP sucks so bad, I need a lawyer every time I have to add a new contact"
-
jonasw
I am not talking about federation, moparisthebest.
-
moparisthebest
"with whatscrap I just type in a contact and start chatting"
-
Maranda
So at the very least we should have a document to link at, me thinks
-
moparisthebest
well again, for user registration I totally agree
-
SamWhited
FWIW, XEP-0389 was designed with EULAs in mind. You could probably implement it already with that.
-
jonasw
moparisthebest, I am not talking about federation.
-
Maranda
No time for xep-0389
-
moparisthebest
ok, then I think it's a good idea
-
Maranda
I feel
-
moparisthebest
I just really don't want federation crippled due to some legislators with a superiority complex, and a likely wrong reading of the law by non-lawyers
-
Maranda
Well I don't have 200k
-
Maranda
😎
-
moparisthebest
try voting for better people, or move :)
-
moparisthebest
I mean we aren't writing code to cripple XMPP to China or Russian standards
-
jonasw
moparisthebest, I like the legislation actually.
-
Maranda
All I want as a server operator is at least a blanket covering most of my ass
-
moparisthebest
why write code to cripple XMPP to EU standards
-
Maranda
That's all we need in the immediate time anyways
-
Maranda
Because as I redundantly said: there's not much time left
-
Maranda
moparisthebest, we need to get informative documentation done first, the most problematic bits are the data types descriptions, behaviour and garden-to-garden transits
-
moparisthebest
not sure exactly what you mean, but are you still just talking about registration?
-
moparisthebest
in general when I've had to present lawyer-stuff to users, they like to lay stuff out themselves, and I always end up providing text as written
-
moparisthebest
just a giant wall of text...
-
Maranda
No, I said it anything protocol dependent won't see the light by the 25th
-
moparisthebest
just turn off IBR and make them sign up with a web page?
-
moparisthebest
the free world can continue to support IBR
-
Maranda
Because beside the servers, there's clients and the "Pidgin" effect
-
pep.
moparisthebest: make them sign up what with a web pave
-
pep.
Page*
-
pep.
Please do provide input during the meetings if you have insight
-
Maranda
The registration method is irrelevant we need documentation, and stuff to add to single service agreements
-
Maranda
In the mean time
-
pep.
moparisthebest: and it's not just to new users
-
moparisthebest
well, web page registration lets you display a proper terms of service, and record them agreeing to it?
-
pep.
Yeah but what goes into the EULA
-
Maranda
moparisthebest, yes
-
pep.
That's the whole poiny
-
moparisthebest
pep., ask your lawyer
-
pep.
Point
-
Maranda
But we need to know what to add to the service agreements...
-
moparisthebest
hopefully just explaining how it works would be good enough, but who knows, IANAL
-
Maranda
And if there's a descriptive EULA xep at least we can link that
-
pep.
Well we're trying to see if we can figure parts of it by ourselves. Ultimately yes, we'll ask lawyers
-
pep.
And then try to provide templates for operators out there, with the usual disclaimers
-
moparisthebest
if you are in the 'writing code to solve it' phase then you are too far, should have already asked a lawyer
-
pep.
We're not
-
moparisthebest
some people are :) https://github.com/maranda/metronome/blob/master/plugins/mod_gdpr.lua
-
Maranda
That's a draft
-
Zash
> The software is provided "as is", without warranty of any kind etc...
-
Maranda
And it's very "user friendly" as it's not protocol dependent
-
Maranda
(problem is the relevant bits to add there)
-
Maranda
Zash, if it was that easy
-
Maranda
Apparently it's not
-
Maranda
moparisthebest, but yes essentially that module should cover the edgy cases, in where if users stay in your garden it's "easy". When they get outside it's troubles they wrote the regulation specifically that way
-
Maranda
(And they'll get prompted the first time they try to cross the wall)
-
pep.
What really annoys/confuses me, is that everybody talks about companies when this is going to reach a lot more than that
-
moparisthebest
that's the problem, they seem to have written the legislation to specifically target walled gardens like facebook/whatsapp etc
-
moparisthebest
and it does a good job at that
-
moparisthebest
but they totally ignored federated systems, and it seems to almost outright ban federated systems
-
moparisthebest
which, ignoring xmpp is something I could see legislators doing, ignoring email is not
-
moparisthebest
except they probably think 'email' and 'gmail' are the same thing...
-
Zash
Has anyone reached out to those involved in drafting this and asked "how does this relate to email?"
-
Zash
IIRC they used Outlook (with web thing)
-
Zash
OWA?
-
Zash
The FOSS-friendly people I stayed with were developing something to make it usable with Thunderbird
-
moparisthebest
davmail is what I used to use for that
-
Ge0rG
The new CLOUD Act allows US agencies to obtain data hosted in Europe. I wonder how many days it will take for Russia to create a comparable legal framework.
-
lovetox
but i read EU wanted to do this first
-
lovetox
get data stored in US
-
lovetox
so everybody gets all the data :)
-
moparisthebest
the solution is for everyone to run their own server in their house lovetox :P
-
Zash
\o/
-
lovetox
im already using no smartphone, facebook, i just have to get rid of gmail somehow
-
lovetox
then im underground
-
moparisthebest
lovetox, I cut the gmail cord in 2013, just setup postfix/dovecot on your house-server
-
moparisthebest
you can still have gmail forward mails to your new address, and you can have postfix send outgoing mails from your gmail through gmail's servers until you have everything fully migrated
-
lovetox
I have my own domain, but i fear spam a bit
-
lovetox
nothing goes over google spam filter
-
moparisthebest
it's not that bad, SpamAssassin+amavis
-
moparisthebest
thunderbird pretty much always gets whatever leaks through those
-
lovetox
how nice would it be if we had all pgp encryption on email
-
lovetox
google announced some kind of plugin for gmail years ago
-
moparisthebest
it's not as easy as setting up an xmpp server, there are more parts, and they tend to be crustier
-
moparisthebest
but you only have to do it once
-
Maranda
well it's tricky to be spam proof, but not impossible.
-
Maranda
(for e-mail)
-
lovetox
but with email is like, even if you host yourself, 40% of all your mails are sent to gmail addresses anyway
-
lovetox
so they still get all emails
-
Maranda
hmmm lovetox
-
pep.
lovetox: that's true, though if we say that we might as well give up already
-
pep.
Even for xmpp
-
lovetox
why google dropped xmpp support :D
-
lovetox
we are safe here
-
Zash
Extensible Mango and Potato Planters
-
pep.
I mean it's not just true for email but for lots of things.. If I thought it wasn't worth setting up my own mail service because "40% goes through Google anyway", I think giving up on life wouldn't be really far ahead :x
-
pep.
Lots of things go through Google, Facebook and whatnots
-
pep.
Zash: I'm going to signup for this giant meteor party I think
-
Zash
I'm not running my own email to keep Google from seeing my emails. I'm doing it so that I don't have to care about some provider shutting down.
-
lovetox
i would run my own server if it was just my email
-
Zash
To have control over my own infrastructure. To not have to wait for someone else to fix my problems.
-
lovetox
but whole family uses the same domain
-
pep.
Zash: sure I'm not saying that's why I do it, or the only reason
-
lovetox
they will not understand if it doesnt work because i fucked it up again ^^
-
Zash
My mom uses my email server. Most recent issue she had was some unexplained issue that I'm going to write off as "Android weirdness"
-
Zash
"It doesn't work" - I try, it works fine.
-
Maranda
Zash, that's not Android Weirdness, it's called "Mom Weirdness"
-
Maranda
It's common to every mom (mine too), with the exact same symptoms: "It doesn't work" - I arrive, try it works fine.
-
Maranda
:P
-
pep.
Not sure a CC from members to operators is great, they can't all reply otherwise
-
pep.
Well they can break remove members@ ~
-
pep.
I'll just go to sleep..