XSF Discussion - 2018-05-15

MattJ, Ge0rG, to be fair, the "worst" I did XMPP-wise was on that plastic router with 64 MiB of RAM. I used libstrophe/libcouplet there (despite a lua runtime available; I didn’t want to get into building libexpat for that system; when I was going to crosscompile, I could also simply crosscompile my C application).

the SASL handshake still took considerable time on that system :)

(one really wants PLAIN on really constrained systems)

I'm not sure I can even fit TLS into the ESP

MattJ, GeOrg: regarding home automation and mqtt: once I was fed up with openhab I hacked something which connects mqtt, some scripts and rules and a xmpp "command line interface". Maybe someone is interested? I'd have to document and upload it...

ibikk: that's great but I want an Android app, so OpenHab is rather practical for that.

What I hate about it is that it consumes gigabytes of RAM and that there is no way to abstract multiple identical multi-item controllers as entities

the openhab app was OK, but I didn't want to expose openhab to the internet or use an VPN, therefore I did this xmpp command line, which in some aspects is far more powerful than openhab. also 'scripts' is misleading. it is a python app and provides scripts (have to be explicitly called by user) and (automatic) rules/controllers.

in my home network there also is a browser interface.

There is a subcommunity of people claiming that XMPP is awesome for IoT. I want to see that in practice.

I do not. mqtt seems fine.

ibikk: MQTT is okay for a small fleet of devices, but I want to have something where a device can bundle its API spec in a machine-readable way, like "I'm an RGBW controller and I support one HSV channel and one brightness channel and a global power switch"

Ge0rG, there is a bearssl implementation.

is there also a bearxmpp?

and a bearxmppiot?

I think hooking up libcouplet with that shouldn’t be too hard.

jonasw: and then we are still lacking all of the IoT infrastructure that purportedly puts XMPP above MQTT for IoT.

maybe

jonasw: feel free to prove me wrong.

Right now I'm convinced that XMPP-IoT is overhyped to a degree that's actually harmful for IoT over XMPP

I haven’t followed the work actual IoT people do

I just do my own stuff with some pubsub and IQs

that was easy enough to do with libcouplet and sleek and aioxmpp

Ge0rG: I think people have proposed how to do something like this using mqtt? It does not fit my needs however. My devices don't even talk mqtt themselves.

winfried: what was the scheduled appointment time again?

Ge0rG, 1230 CEST

Alright, thanks.

Ge0rG, have you looked at Home Assistant? OpenHAB was a bit too heavy for me

MattJ: that looks very interesting, thanks

And it's not running node.js, despite being hosted on .io

Indeed

"Learn how Hass.io can turn your Raspberry Pi into the ultimate home automation hub" - Hass is the German word for "hate". So appropriate.

They have an MQTT mode where the device posts its configuration

Ge0rG, https://www.home-assistant.io/docs/mqtt/discovery/

<node_id> (Optional): ID of the node providing the topic. <object_id>: The ID of the device. This is only to allow for separate topics for each device and is not used for the entity_id. node_id, object_id, entity_id... This looks like Designed by the XSF™

:)

I'm not sure why they need multiple topics for a single switch (set and state), if they could just have one that is read and written to and retained.

and embedding the full path of that into the config kind of defeats the purpose

The API has to handle many different kinds of devices, many APIs separate command and state, because in reality they are different

right. Devices that react to "ON" and then set the HSV state to "0,0,100" or somesuch.

It's awesome how fast you end up with a huge complexity overhead.

Indeed

also, sometimes setting might not work

for example if the device is offline

and you’d normally want to be able to detect that

(or if it is slow or something)

Yeah, the state essentially doubles as an ack for any command

it’s common in commanding systems actually

Also in Home Assistant it's generally optional anyway, if it's absent then the UI just assumes the state is whatever was requested, instantly (which obviously has downsides)

Right.

I see where this is going.

FWIW I consider XMPP suitable for higher-level IoT stuff, but not for device<->controller comms, unless the devices are powerful enough

MattJ: my devices are sufficiently powerful.

I consider most of the IoT XEPs to be over-engineered though

Then XEP-0060 them and enjoy

the hass discovery looks like a nice trade-off between complexity and comfort.

The Converse.js on http://www.xmpp-iot.org is great. You have to click it away after Every. Freaking. Click.

When was the last gdpr meeting again, the one with all of us

0504?

pep.: I could tell you, but I need to gain consent from all attendees first.

yeah that sounds about right

Ge0rG, shut up :p

pep.: do you want to make use of your right to Erasure?

let me gdpr the hell out of you. *goes and create a yax.im account*

Damn. You win this round.

hmm no there was nothing on 0504

last one with all of us seems to be 0430

Or my logs are lying to me

Ok I'm sending something for the minutes, 11 (& 12 that was cancelled)

Ge0rG, jonasw, winfried, meeting in ~10min

(Y)

I'm on the run right now, can't promise anything

k

!

t -2 ;-)

🙋‍

Okay, so I'm in the expected lunch break, but I'm alone so I can focus on the GDPR.

great

lets recapp

There's a question (quotes) I added in the minutes, that I think we didn't really focus on

I don't know if we can answer it by ourselves though

pep.: can you repeat the question(s) here?

Do we have to find all the data scattered across all different services, re export/deletion

"all different services", meaning not ours

We'd have to monitor all the services a user uses and how

pep.: from a legal perspective not: the data is transferred and not 'our' responsibility anymore

Ge0rG, I'm not saying it'd be easy or even fun, just asking from a legal standpoint

winfried, k

still thinking it would be fun ;-)

Ok, so what's left

winfried: that's too easy for an answer. If we are the controller, we are probably still responsible, aren't we?

What if Facebook "transfers" the data from Facebook EU Inc. to Facebook USA?

Ge0rG: IF we are controller yes, but there is no controller - processor situation but a transfer between two controllers

Ge0rG: FB EU -> FB US is transfer between two controllers, in the FB case that is not covered by 6.1b, so it has to be 6.1a

winfried: so we are controllers, but the other servers are controllers too?

Ge0rG: yes... that was one of the first premises we started with ;-)

winfried: I've always seen that as "controllers of our users' friends' data"

Which is not the same thing

what difference do you see (I am still digesting that one)

Ge0rG, that would make the s2s server a processor, but then how do you say you're not liable for what the contact does with MAM

I think with Ge0rGs interpretation we can argue that after the transfer the data is at the recipients control and the handling of the data is owned by the recipent, thus the recipient is responsible for all things GDPR and whether the senders privacy preferences are matched is a matter of trust between recipient and sender.

winfried: remote PubSub is data that a user's server transmits to a different server (controller?) on behalf of the user. Now does the remote server need to obtain consent from the user?

I'm explicitly not talking about data sent to other users.

Ge0rG: no, that is still 6.1b, so no consent. But the remote server, when it falls under the jurisdiction of the GDPR, needs to publish its privacy policy

winfried: and if it's in a third country?

then it's 49.1b, no consent required

pep.: thanks, you got the article number before me ;-)

Ah hmm, if that's not a controller that's different?

Ah nvm

winfried: great. Can we have that in the wiki, then?

yes pep. plz remind me ;-)

So wait, that means.. transfer between controllers? Or what Ge0rG said?

pep.: it is transfer between controllers

And what I said

> Ge0rG> winfried: I've always seen that as "controllers of our users' friends' data"

What did I say? And when?

pep.: two different use cases. Messages sent to other users vs things we store on other servers.

Ge0rG: yes, good to distinguish between them

pep.: if I send you a message, you become the owner on your server. If I publish a post on movim, I stay the owner

Ok, so what winfried said doesn'T apply to MAM?

pep.: what kind of MAM?

1:1

pep.: if it is my server archiving your messages in the conversation I had with you, then that MAM is my responsibility

pep.: and what did winfried say?

winfried, yes that's what I thought until now, but you're all confusing me with words :p

I propose I try to write it down in clear wording in the Wiki, plz correct if that is still confusing/incorrect. agreed?

Ge0rG, so "Ge0rG> winfried: I've always seen that as "controllers of our users' friends' data"" < this is wrong?

Well..

winfried: s/propose/volunteer/, right?

It's "not the interpretation we choose to think will be applied"

Ge0rG: yes

pep. [12:57]: > Ge0rG, so "Ge0rG> winfried: I've always seen that as "controllers of our users' friends' data"" < this is wrong? This is true as well, for the remote copy of the message I sent to my friend

pep.: correct, but we can only discuss/check an interpretation if it is worded complete and clear

We need to choose an interpretation anyway, and then hope we don't have to defend it in court

It's better to have an interpretation that we can reasonably agree on than not to have any

sure

and there is an interesting subtle issue here: when becomes my message the responsibility of the receiving person?

Once it gets over s2s?

I will try to word as precise as I can so we can decide ...

winfried: when the receiving person opted to use offline storage / MAM and the message arrives there?

:-D I see different opinions here

I tend to the pov of Ge0rG

as long as it is on the receivers server and not transferred to the receiver, the message is nobodies responsibility if we take s2s as border

but let me think about that one a bid and let me word it in the wiki

k

winfried: if the message is discarded, it doesn't matter. If it is stored, the recipient is the most logical person

Ge0rG: correct

I'd like to see setups where there is no offline storage / MAM at all

Have you seen the pdf I posted to the members list? Is that the way to go for the consequences for server operators? (Q1.2)

(oops it was odg)

(silence)

yes, digesting all this

still sick :(

I’m half-following

jonasw: :-( hope you get better soon!

thanks

I didn't see a PDF, but there was an .odg

:-D

The table?

So today is clarification day

How are we regarding things that can be sent to standards@ already

GDPR scheme.odg attached to a reply to minutes 10

hmm, should we plan for next, doesn't seem to be really active today

Waiting for reactions... ;-)

winfried: waiting for the mail server? Forget it.

why waiting for the email server?

winfried, you're talking about https://wiki.xmpp.org/web/GDPR/Table ?

winfried> GDPR scheme.odg attached to a reply to minutes 10

Ge0rG, it’s already been sent last week

https://sotecware.net/images/dont-puush-me/bOy6D9sQg3BxiP0GYdDkXcUBcdfc3o2_Pi4PW-5zUdQ.png

that’s a screen shot of it

oh, I misread that as "10 minutes ago" and was looking for new replies.

timestamp of the mail is 2018-05-08 11:56Z

oh

yeah, had that open already.

jonasw: that is the first page

there are more pages?

ugh

winfried, "on a large scale", is this even important?

I don’t know that tool

Oh, there is a second page!

I assumed when I scroll down and reach the end of a page there aren’t more pages :D

jonasw: yeah bad UI

pep.: not for the XSF context, but it helps asses server operators if they should to anything

hmm

I guess I should start working on that XEP quick

10days to write it and get it council approved(tm)!

:-D

And just after that, deployed everywhere!

noooot gonna happen

unless you manage to submit it today :)

hmm

nope

of you don't have your act together on the 25th in the Netherlands, you may get a warning and some more months to correct it :-P

cool

I guess they'll have to do that for a lot more people

any amendments to the scheme?

in Austria you get a warning. Full stop.

winfried, template looks ok to me. Maybe alongside MAM specify offline storage

How do you even set offline storage available but not active by default

winfried: step 5 might be "require consent for processing beyond the XSF template"

good points!

maybe split step 5 in two options: when using the XSF template (or equivalent) or when doing processing beyond that.

Zash, MattJ, is there a way to have offline storage stanby and do nothing atm?

Hmm?

Have offline storage opt-in

Next meeting: friday 13:30 CEST

winfried, ok

pep., not currently possible to configure per-user, if that's what you mean

ok, I guess that also need changing in the protocol

Totally possible, just not implemented

ah ok

Well, M-Link uses ad-hoc commands for that

Though a number of clients don't support them

Yeah so it's not specified

-xep offline

Bunneh! where are you when I need you

I always wanted a "user account configuration" XEP

There is IBR, in some ways

With data forms! And hookers!

pep.: do you summarize minutes again?

winfried, I'll try to do that yes :x

pep.: thanks!

then there is one thing left for me:

thanks once again guys!

Ge0rG, and jonasw ok with the date?

thanks folks

pep.: hope so

pep., yes, still OK

k

Updated the date on the wiki

pep.: thanks!

winfried I'm telling it you here, I don't have OMEMO on my device, so please desactivate it with my JID

Done, thank Daniel :-P

because I'm getting more and more like that I'm thinking of an automatic reply

edhelas: I could sell you <https://github.com/processone/ejabberd-contrib/tree/master/mod_deny_omemo> ...

no it's more a client side feature

Dave Cridland: was there an update to hacx to put it onto the agenda again? Cc jonasw

nope will get it out tonight if we don't have another unexpected area-wide power outage :)

Ge0rG, not that I knew

No