XSF Discussion - 2018-05-01

xnyhps: Y U h4xed my car? https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking/

Yay perhaps "Watchdogs 2" style

Your loss

I'm playing sokoban today. The old house is full of boxes, and the transporter guys will arrive in T-22h

And I still have to put most of the things I own into boxes.

Hmm on a different topic does yax.im fetches a static public servers list from somewhere? If it does at all

Sounds fun

Maranda: you mean yaxim, the client, not yax.im the server?

And s/Yax.im/Yaxim/

No the client obviously

Maranda: https://github.com/pfleidi/yaxim/blob/master/res/values/servers.xml

That URL doesn't work any more

The original source is lost.

Ge0rG I re enabled IBR (I implemented account locking and e-mail verification for it, so it's rather safe) now I need to scour all clients who singled out my server and re-add it 🙄

PR incoming soon

Btw

Maranda: yaxim doesn't support entering the email address / data-forms

Maranda: feel free to PR that as well

Ge0rG damn you! 🤣

Almost no clients do.

Which is sad

Well Gajim does and that is sorted

I suppose that saves me sending PRs all around

As usual spent time implementing something that will be unused

Ah I thought not even Gajim supported this last time I checked.

Maranda: Does it support the email field or the form or both?

Holger it does support all custom fields

s/custom/additional registration/ rather

If you enable verification it'll make e-mail mandatory

And I guess "both"

Sounds good.

Gajim's user onboarding is so messed up, I don't even want to think about it

Ge0rG, I don't find it so messed and it supports dataforms element pretty well

https://upload.lightwitch.org/share/WMKL7jaY5eHb9786/ibr-forms.png

Maranda: what did you have to enter in the screen before?

just accounts, new account, and if you don't have any it'll bring you there automagically?

how did you chose the server?

register a new account > list of servers

how is that messed?

This is a vaguely interesting thread if you want to see how people that aren't in this room think about instant messaging: https://twitter.com/actuallyalice/status/990889721525161986

we need 90s messaging back, where you'd have msn, yahoo, jabber, ICQ all running from 1 app

huhu

Maranda, can't you do that using pidgin right now?

moparisthebest, sorry I'm quoting one of the tweets

I should have actually quoted it

oops, I should read previous posts sometimes :)

And I should stretch bbl

they could use just sms

did someone say https://jmp.chat/ ?

https://signal.org/blog/looking-back-on-the-front/ "Amazon threatens to suspend Signal's AWS account over censorship circumvention"

interesting.. Time to choose smthng else than a centralized solution like that..

maybe some type of federated standard might be a good choice

moparisthebest: in case you're interested in what would Signal guys respond to "federated would help" https://news.ycombinator.com/item?id=16870595

I'll summarize that:

"there are serveral other properties and trade-offs like then we couldn't lock people into our walled garden"

I think it's a valid point that if you have federated but only a handful of big servers, it's still easy to block, I think zinid mentioned this previously (but I may be wrong). The rest is of course marketing but that's obvious :)

sure I agree with that

but the point is to have a bunch of small ones

the bigger ones have more resources to resort to hacks like signal

(multiple servers, answer differently to different regions, etc)

> but the point is to have a bunch of small ones And I agree with that 👍

and if the govt starts blocking them, new ones can start up to replace those

One way or another it's interesting to see how Moxie resolves their problems, well, usually it's better to learn on someone else's problems

it becomes a game of whack-a-mole

Yes, but until your identity is tied to domain name you'd have to setup your roster each time you switch a server

well we could expand the protocol to make things like that easier

(or just save them locally on the client and share them across accounts, no protocol involved)

Like Briar?

Identify user by keys not domains... And we're back to OpenPGP!

hmm that is an interesting thought

the onion-like setup would in theory allow you to chat with 1 person on multiple JIDs, identified by key

and since there rosters are 100% client-side anyway, you could hop servers as much as you wanted

> @signalapp Time to move to the blockchain!:D https://twitter.com/pray4crypto/status/991390269798010880 nailed it!

Sign your subscription requests and clients can see you're the same person :)

But federation isn't about censorship resistance.

Zash: no? I'm out then!

Wiktor, yea but who wants to leak to the servers that you are the same person? :)

Did I forget "encrypted with OMEMO" ? Encryption here and there a little always help... :)

anyone know a server in the wild that implements this websocket discovery method? https://tools.ietf.org/html/rfc7395#section-4

moparisthebest: conversations.im

But they lack correct CORS headers for web clients for this file... Forgot to report that

thanks!

No problem, I tested one web client there, worked like a charm. Actually this is just a file and both ejabberd and Prosody have websocket support. So it's trivial to set up.

Oh, is my client desynchronized, or is the board meeting still ongoing?

I thought I fixed that

XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

I blame Conversations

yea Wiktor I just wanted to see an example of an actual file in the wild :)

Got it :)

ralphm: thanks!

Looks like I still have one too

Zash: but federation does address some issues caused by attempts to censorship. E.g. the blockage in Russia of AWS would not affect servers hosted in Russia.

ralphm, unless servers hosted in Russia will also be blocked from AWS. And they will be, eventually.

I think the point is just that Russia users could talk to their friends in Russia without problems (unaffected by AWS).

No. Russian servers would be asked to give up data or be shut down

Which is different threat.

Actually it's the same threat. Local servers can be blocked using same method as international ones. Authorities just have even more leverage over local services because they can not only block server but also physically access it.