XSF Discussion - 2018-05-18

we have a list in gajim source with servers

its says that everyone that wants to be added should follow the instructions

on http://xmpp.org/services/register.shtml

this thing seems not to exist anymore, was there a list of servers somewhere on xmpp.org where people could add their server?

if yes, where is it now

I think that has moved to xmpp.net

oh lol right on the front page

pitty its not recorded if the server support IBR or not

indeed

you might wanna filter for features anyways

Is https://xmpp.net/register.php still the right method?

except that nobody maintains the list

I don’t have the permissions, and I think it’s possible that nobody knows how

stpeter does?

lovetox, 06:15:19 jonasw> fugata, didn‘t you start to compile a list of IBR-supporting servers with good XEP support? 08:11:04 fugata> I did 08:12:19 fugata> jonasw: I also created uptime accounts for them and sent the credentials to Daniel; they're all on status.conversations.im now IIRC 08:21:22 fugata> jonasw: http://paste.debian.net/1025196/

The compliance tester will also start checking for ibr but with the recommendation to just use ibr oob redirection

Is that a recommendation?

Zash: IMHO yes. Because it's easier to to spam protection

But at what cost!

Worse UX and you make Ge0rG sad.

The thing is with a 'powerful tool' you can't just test for ibr. That will force ops to blindly enable ibr and open the gates for spam. So the compliance tester will probably recommend oob. But if you want to diverge from that that's fine as well

daniel, maybe it’s better to then just not test for IBR

or make the data only available on request, but not on the overview

jonasw: but it's also important to have that information so people like lovetox can compile their list

like a JSON file

but not in the HTML table

to prevent "need to have it all green!!!" people from blindly enabling IBR

that.

So much that.

a JSON file would also be useful to automatically fetch on client installation/startup *cough*

Yeah that's why I'm not blindly enabling the test. Maybe we can just exclude it from the ranking or something

I’d prefer excluding it from the table and having a hidden-ish JSON file with that data included.

And no a json file is probably not a good idea. Because people who compile lists should take other factors into account as well

json would be nice

i would not fetch it, but would pull it into the source from time to time

Like uptime as provided by the status thing and do they have a privecy statement

ideally, we can soon-ish test for privacy statements automatedly (ping pep.)

Or 'is it run on a raspie in somebody's basement'

Ideally

hm maybe we could pull it automatically but only if the user starts account wizard

I'd rather not pull it automatically, but update the client every so often

pep.: what do you test for?

For the privacy statement

I assume jonasw is talking about EULA

pep., yes, I am

daniel, a server would expose a stream feature and a pre-auth way to query key parts of the privacy statement as well as an URL to the full text

so that clients can show that in-band when registering

pep., BTW, what is blocking the work on the XEP?

anything I can help with?

Time, and knowledge

what knowledge?

Definitely

Xmpp in general, what to use and how, why

okay, so, maybe we can split the work here

you could write up what the thing should do, and I fill in the protocol gaps

Ok

alternatively, I can advise you on how the protocol could look, whatever works for you

I'll try to come up with a list of requirements

that’d be great

I’d love it if we could make it til next council meeting

if we manage to get the text ready by monday, I could give a draft impl a shot in prosody

and aioxmpp

(since aioxmpp can’t do pre-auth IQs yet, that’ll be the more tricky part :))

For clients that don't support IBR data-forms / email, we obviously need a multi-state enum for what kind of IBR is supported!

what do you folks (especially Ge0rG) think of sending presence type="unavailable" or "error" when receiving groupchat messages from MUCs a client doesn’t know it is joined to?

Hello!

jonasw: what's wrong with message/error?

Ge0rG, does that kick one from a MUC reliably?

Are there clients, with XEP-0371( https://xmpp.org/extensions/xep-0371.html ) implemented?

Ge0rG, also, if we lost sync with the server, we *probably* were joined formerly, so leaving with an (potentially) confusing error shows intent more clearly...?

jonasw: I'm sure there are many painful corner cases we've not thought about ye

+t

okay, so just return a message error?

jonasw: we are talking about to=full, not to=bare, right?

wha?

which to?

that of the inbound groupchat message?

yes

sure, full jid

because there is spam with type=groupchat to=bare

and I don't want to leak presence to spammers

jonasw: so when does a client know it's not joined to a MUC but still receives groupchat messages from there?

right after a reconnect?

Ge0rG, I’d also listen for <x/> ...

but good point

it might leak presence :(

Ge0rG, I was thinking of a "leave the MUC operation" getting lost in an s2s hiccup

jonasw: how often do you leave MUCs?

does that matter?

jonasw: imagine the race condition between leaving a MUC and receiving messages, causing to leave the MUC again

uh

that race is a good point

but!

jonasw: and yes, it does matter.

don’t I receive a presence ACKing the leave?

jonasw: how does that change anything?

jonasw: are you going to put a timeout handler on the leave-presence?

OMG, leaving the MUC timed out! I need to ... ?

... </stream:stream>

ew

yeah

so closing that as wontfix

Btw, at https://xmpp.org/getting-started/ it might be useful to add a few notes about each server, just it being “popular” doesn’t mean people should use it blindly.

A few days ago someone started using xmpp.jp because it was the first one in this list, only to end up with 500ms of lag whenever they typed something in a MUC hosted in Europe.

Link Mauve: blasphemy!

Link Mauve: 230 here :p

The only solution I could give them was to create an account elsewhere, with the very nice porting ability we all know…

Our Holy Neutrality Rules forbid any kind of Provider Bias.

Ge0rG, ping goes two ways. :p

Why is the delay important?

This is why we recommend Pidgin.

daniel: in MUCs it is.

Who picked that list?

I'm sure it's approved by Board.

Actually it was even him (France) → xmpp.jp (Japan) → MUC (France) → xmpp.jp (Japan) → him (France).

Ge0rG: I got that we are talking about muc. But why is delay relevant?

daniel, some clients don’t display messages instantly.

daniel: because you see the delay between writing your message and its delivery

Link Mauve: some clients suck.

Ge0rG, indeed.

daniel: in this case I would argue it's not the delay. xmpp.jp is not really well know for its admin capabilities either (spam, not replying yo querier etc.)

Ge0rG, I’d even say most*. :p

Link Mauve: ^

queries*

I mean on mobile you can easily have those kinds of delays as well

pep., they replied once after I made the effort of writing in Japanese (and you helped me)!

Never bothered me

daniel: "Never bothered me" is not a very good way to handle user problems.

"Wontfix: Works for me"

Why is it a problem that other people read your messages 500ms after you typed them?

Patch (cables) welcome

daniel, anyway, that was only an option, being known for hosting and protecting spammers, having no real good policy privacy, being hosted in a country downright hostile to its citizens, etc. could be other reasons for not using a server.

daniel: It gets weird if you see your own messages that long after you sent them

Zash: that I can get on board with. Very weird indeed

But fix your client

I'm used to this latency from my own travel. And it sucks.

daniel: fixing the client slightly reduces the weirdness.

daniel: imagine mod_pastebin kicking in.

Having something to indicate 'in flight' is probably fine, then updating it with whatever the MUC sends back

And adding the little green tick

$ git blame ./content/pages/getting-started/_index.md|grep Pidgin 195fadcc content/pages/uses/getting-started.md (Guus der Kinderen 2017-01-17 12:36:13 +0100 23) * [Pidgin](http://pidgin.im/) (OS X, Windows & Linux)

there it is.

Or imagine participating in a fast-paced discussion and always getting your messages reordered.

Guus! What do you have to say for yourself?

Oh I should probably install mod_pastebin and find a nice solution for that

Zash: that's how yaxim does it.

But that's probably only a couple of weird servers using that

Zash: except for the well documented PITA of matching MUC reflections.

THAT WAS MY EVIL TWIN!

(I have no clue what that is, by the way)

Guus: Pidgin in https://xmpp.org/getting-started/

Guus: it's all your fault!

daniel, a possible other use is biboumi splitting messages if they would lead to IRC messages bigger than 512 bytes.

nono, my evil twin's fault, as I already explained.

Or containing newlines

Link Mauve: is biboumi honoring the message ID in that case already?

i really wish biboumi would hide the splitting from the user

Ge0rG, I don’t remember the resolution of that issue.

Guus: it's your fault to allowing your evil twin access to your githubs

daniel: please no.

He's not allowed, but does so anyway! that's the 'evil' in 'evil twin'.

Guus: From my perspective, the JID..i... is evil..

daniel: next thing would be to join incoming messages from the same sender?

is there any indication in irc that a message was split?

daniel, exposing a different view from the rest of the participants, and then wondering why they reacted some way (generally kicking you) to your huge paste or multi-lines message, is not really better.

daniel: no. it's just truncated

daniel, no, IRC doesn’t split messages, the client (here biboumi) is expected to.

Ge0rG, feel free to fix 🙂

Nice UX. Bridges. Pick one.

Guus: Board has approved Pidgin. I'm out of that game now.

Zash, exactly.

approve != need to be on getting started page

If you want to see the world (of XMPP) burn, you are free to do so.

I explicitly created that page with the intent that it would be made better by others.

anyway i usually don't buy the 'but it doesn't work on my transports' argument

transports suck. the end

maybe the irc transport should expose the limit and have the xmpp client split it

PLEASE NO!

There are errors for that, no?

MTU discovery!

I hope you are cynical now.

yeah i'm not really sure how to handle the irc situation besides dumbing xmpp down to the irc levels

daniel: that's basically what you need to do

otherwise the differences are going to hurt you

in which case you don't need xmpp in the first place but just use irc

What's wrong with how it is now?

Why are you trying to fix an imaginary problem?

And why write for OS/2 when you can write for Windows and it works on both!

Transports are tricky

gdpr meeting in 10

.

I'm available until 1400 CEST

.

GDPR meeting

start?

:)

.

I updated the wiki, though not to the extend I wish to.

most important addition, for everybody to take a look at: https://wiki.xmpp.org/web/GDPR#Roles_and_responsibilities

Thanks

I also checked in my bible the point I have been making about export only necessarily under 6.1a, not under 6.1b: I was incorrect, 6.1b is also included, so we have to provide an export facility

if technically feasible, right?(

winfried, "Data Processor: can be several, e.g. the internet hoster of the XMPP server operator", not sure I get this

Well,

I would have thought, for c2s, data processor is the controller, and for s2s, depends

Not sure what the ISP has to do here

Well, I host an XMPP server at my provider

then I am controller: I decide what and how

But I rent a rig at my ISP, so my ISP is responsible for a part of the processing

(doing it)

NB: this is the classical example of a controller-processor relation.

Right, can we also maybe add an example on this line that's more xmpp-related. alongside the ISP

do we have to disclose processors?

jonasw: yes

pep., using google/android push stuff would be a processor relationship.

(I think)

Roster management component?

Or is it a third-party?

first, it’s a piece of software

the question is under whose control it runs

if you run it on another machine you (as the server operator) control, it’s still under your control

Say it's not the same person as the xmpp server admin

and thus not a processor

in that case, processor would probably be appropriate?

Well, you can be both controller and processor

jonasw [13:38]: > do we have to disclose processors? Isn't the small business exception relevant here?

If you do everything yourself you'd be both

Ge0rG, I don’t know, is it and where is that exception defined?

art. 30

30.5

(I am still not convinced that we’re not under 9.1 by the way)

(at least with storage…)

Ge0rG: 30.5 is only for incidental processing, not structural

And if it is your core business, I guess it is structural

yeah

processing of personal data isn't core business for an xmpp server

then what is?

(considering that storage is subset of processing)

Back to the controller-processor story: roster management is third party, because a controller-processor relation always is a contractual one

Message delivery?

Ge0rG: Message delivery is also processing of personal data

winfried, so what about google cloud push?

is external roster management something the user requests or something the operators sets up?

would that, too, be third party? because there is no contract?

jonasw: yes

other point: does google use it only to provide a service or does it also analyze it for google's own purposes?

That we won't know, but I want to assume the latter

In the latter case the data subject must have given explicit consent

and that is a big problem with the current mobile ecosystem

so as the developer you accept Google's ToS and have to require consent from your users

Ge0rG: that is part of the ToS of Google? (never checked that)

winfried: dunno.

Hmm, I guess that's one of the reasons for https://gafam.laquadrature.net/ against Google. That everything that is done on your device is somewhat tracked via a unique id

TL;DR

and you can't opt-out

I guess the dev should warn their users

yes, I expect https://noyb.eu/ to take it on in the EU

And maybe allow for a way to opt-out of push?

pep. : and loose an important part of the functionality?

lose*, and yes

https://developers.google.com/terms/ §7a

but yes, from a legal point of view that is the only way

winfried, push isn’t *that* important. in many cases on android you can live without it.

I'm using the fdroid version of conversations, I survive :)

yah

Ge0rG, so by using google APIs, all your users agree to Google's privacy policy?

Or I guess you have to get consent for that

certainly

the latter probably

yeah.

From an XSF point of view I am afraid we must leave the app developers on their own here

yeah

there’s no potential protocol development involved in that

it’s between the app and the user

exactly

I'll put that in the minutes still, so it's not forgotten

not even the server side is much involved, it is just offering to act as a relay for the data to the google services. the app has to ensure that everything is in order for that. it sets that up explicitly.

good idea

We can still warn client devs

yes

+1 we have to

do we have a template for tos/data protection policy?

nafaik

Ge0rG: nope

I need to write ToS for yax.im, and I hoped we'd have a template in place.

guess it is time to write one ;-)

winfried: you volunteer?

Ge0rG: not on my own, but, ues

yes

So, as a mobile client dev wanting to allow for push, that would mean I would need to have the user opt-in really

I have taken notes to add to my GDPR in 5 steps scheme: contracts with processors mention push notifications

pep.: correct

Vhmm

jonasw: ?

is my location any type of sensitive data?

I'd say so

jonasw: not sensitive, but personal

because there’s this weather app of the german weather service which has push notifications and maybe we can look at their ToS regarding that

although we’d of course have to know what data is actually in the notifications to be sure that the personal data is in there

and thus needs to be covered by their ToS

jonasw: that is also an interesting issue: I know systems that only send pushes telling the app: log in, I have news for you, what is not very sensitive, except when the app is "the remember to take your HIV-medicine app"

I know daniel was working on push last weekend, maybe he has some info. I don't remember the details

okay, in case of the warnwetter app (which I was talking about) it’s probably irrelevant because they anonymize the location to patches of 35x50km, if I’m reading this correctly, before transmitting it to the server at all.

pep., for google push I think you can get away with a simple wakeup signal, but for iOS you have to actually send content IIRC

pep., winfried: github.com/inputmice/p2 has a very detailed write down of what gets send

daniel, thanks

On iOS that body is usually 'check you messages'

Your

daniel: thanks, nice comprehensive overview

indeed

so this only reveals to google when the same accounts receive messages

which is probably okay

That still means the user agrees to the privacy policies

That's still valuable metadata

jonasw: depending, in some case metadata analysis can reveal sensitive information

But you can't trace this back to an account

you?

If you give me the hash I wouldn't know what User this correlates to

Neither me nor Google

You the push server?

k

Well Google certainly not. But goggle couldn't ask me either because I don't know

Well google knows something has been sent to a particular device right

Yes

And what application triggered it

daniel: am I correct that this is your privacy friendly setup and that other implementations may be less privacy friendly?

yes

Ok, so maybe we should list this as a best practice!

> daniel: am I correct that this is your privacy friendly setup and that other implementations may be less privacy friendly? I don't know anything about other applications. But I guess you *could* design it in a way that reveals more information

winfried, agreed. There's still some metadata that gets passed to the push component and google that the user needs to be aware of

The data pushed to Google is "the app vendor is asking to wake the app", right?

I suppose yes

pep.: that is correct, but it makes the story far less critical, I can really think about only a few *very* sensitive applications where this really matters

The thing that bothers me here is https://developers.google.com/terms/#section_7_privacy_and_copyright_protection really

"By using our APIs, Google may use submitted information in accordance with our privacy policies."

So that means the user knows about this

pep.: correct

I assume it's similar for iOS

pep.: to be precise: here consent (6.1a) is needed, not only information

yes

daniel, I guess for this you can add that to the "first start guide"? (is there one in conversations I don't remember) "I want push stuff"

should we plan for next

yes

I can't do monday this time

Tuesday or friday are possible for me

same for me

Tue 12:30 CEST then?

wfm

We'll get input from Ge0rG when he's available

yes, nice

think we should try to move to the XSF policies next time

wfm

I'm going to try and tackle EULA with jonasw this weekend. jonasw I won't be available most of tomorrow, already :/

pep.: I can do some work this weekend too, plz ping me

I think we have most of the requirements on the wiki already, I'll try to gather all that, and then we can talk protocol bricks

pep., ah pity, I won’t be available most of sunday unfortunately. ✏

if that’s okay with you, I might just start a draft tomorrow

jonasw, ok, we'll see how tomorrow goes then

And tonight as well

Sure

;-) (y)

tonight isn’t an option for me either, unfortunately

k, we'll try to get in touch then

going for lunch nao

Minutes sent!

thanks!

Tue 1230CEST +1

in topic of GDPR: https://news.ycombinator.com/item?id=17099484

> in the otherwise rational tech sector. 🤔

if one believes these comments, the GDPR is going to clear the EU market and open up a lot of opportunities for startups ;) ✏

I was thinking the same

jonasw: for GDPR-compliant startups.

Ge0rG, yeah

from one resource linked there, in the context of Article 9.1: > It’s important to also consider a seemingly innocuous data field like “hobbies” and what that might indicate about a person.

(<https://blog.varonis.com/gdpr-requirements-list-in-plain-english/>)

Does it really depend on the type of field, or on the data. Because as a user I can put any kind of data I want in any field I want

interesting question

jonasw: yes, I am involved in some apps for people with mental disabilities and there we constantly consider: how sensitive is this datafield / processing.

pep.: it matters how structured the data is, the risks of a structured field are *much* bigger then the risks of a datafield that is used in an unforseen way...

Sorry I don't get this

Does that mean as an operator I can say "it's not my fault" if the user doesn't use my form correctly?

If you have a field "are you gay? " (Y/N) then that data is quite risky, it can be abused in a fully automated way. If somebody types in the field "other remarks" "I sometimes fall in love on people of the same sex" then it is hard to analyse, profile, and abuse, certainly without human intervention.

OK, and then we fall under the grey area just like for xmpp messages

pep.: exactly

I'd certainly like to know about email spam filters

and that is why fb is *way* out of line by selling advertisement on probably "gay", "diabetic" etc...

pep.: yes, that is still a fascinating one.... don't know for sure where the limits are there.

I like that guy's blog generally but https://jacquesmattheij.com/gdpr-hysteria sums up to what every GDPR proponent says about it

"Sure it's draconian the way it's written and easily abused by faceless bureaucrat's, but trust them, they are benevolent regulators!!!"

Is it just me or are the ones being hysteric over this mostly Americans?

I guess that's fine coming from the EU where half the countries still have monarchy's and are used to being subjects

which is why, yes, I'd expect most opposition comes from the USA

Zash, that’s also what I’ve seen, maybe because they’re more used than us with getting fucked by lawyers for anything and everything.

I saw some comment on HN stating that this is roughly a ^C^V of what Germany has had since the 70s-80s

Link Mauve, yes, americans have a strong and healthy distrust of govt

Zash, France too since 1978.

our entire system is based on the premise that govt is bad, and we should protect against an oppresive govt

Sweden has had pretty good privacy laws too

But you see, it’s inimaginable to expect companies to respect laws from forty years ago.

moparisthebest, yet your government is bad, and you don’t do anything about it. :(

moparisthebest, https://news.ycombinator.com/item?id=17100541 maybe that’s relevant

Seve/SouL: good idea, I might have some left from yesterday

moparisthebest, also, for certain definitions of "healthy"

You haven’t done anything in the past century even.

(given your health care systems, I doubt that anything is healthy there *scnr*)

Haha

Y'all should learn to extend your distrust to corporations too

Meh, of course there is no English version of this page on Wikipedia… https://fr.wikipedia.org/wiki/Loi_informatique_et_libert%C3%A9s

Nor of https://sv.wikipedia.org/wiki/Personuppgiftslagen

jonasw, yea I read that, and it makes sense, we have everything spelled out because we *don't* trust govt :P

The GDPR “just” increases the powers of our regulation entity (the CNIL), and uniformises that over the entire EU.

right, and it's easily abused by a bad regulator

tbh I'm not that trustful of my gvt either, maybe not for any good reason, just because trust is a big word

which I think is the entire problem anyone has with it

moparisthebest, yet they are so underfunded that they only go for big fishes and known problems, which is an issue on its own.

an issue I'd be afraid they'd solve with more fines :P

Yay, finally!

anyway that same guy has possibly my favorite blog post on the internet too so it was interesting to see him again https://jacquesmattheij.com/if-you-have-nothing-to-hide

nice article

moparisthebest, I fully agree with this article; now why would giving the exact same information to a bunch of companies be any less bad than to some government registry?

it's not, but the solution is to just, not give your data to a bunch of companies?

once you give it, you lost control, all the legislation in the world can't wrench it back

moparisthebest, except for most people, the choice isn’t between giving all of their data to Facebook or not, it’s between talking with their friends and family or not.

And it’s a pretty easy choice to make.

don’t talk to your friends & family and have more free time \o/

Exactly! \o/

See, easy!

except, wait, that only works for introverts

More time for hacking on code!

Introverts of the world, unite! Separately, alone, in our homes.

> Link Mauve> And it’s a pretty easy choice to make. I definitely don't agree with this. It's a conscious choice you have to make

facebook isn't the only way to talk to people

moparisthebest, you think?

tell that to my family

(fwiw, I actually made that choice)

pep., you don’t get this information, either before creating your account or during the time you’re using it, if you’re not looking for it.

okay, that’s only true because facebook==whatsapp in my mind

pep., the other day I went to some anime/game/cosplay convention, and every. single. person. asked me for my facebook account.

For them it’s a no brainer.

Link Mauve, I agree you have to be looking for an out. That's not always obvious, you first have to understand what's wrong about it

Everyone uses it, there is no price to pay to talk to those people, they don’t see any data being harvested, so it’s fine.

everyone still has email right? 99% of people have SMS ?

moparisthebest, yes, they have email

but they don’t use it

and SMS costs

so they chose not to use it

moparisthebest, I don’t have SMS for instance. :p

moparisthebest, yes, because facebook works

I would get a JMP account if it was available in Europe.

And SMS is plain text right :(

I mean, no tls

and no cat pics

email and SMS also works?

Yes, SMS is s/Facebook/your telco/ but the rest of the discussion is identical.

and both support cat pics usually (well MMS)

At least telcos are federated .. amongst themselves

Email is s/Facebook/Google/ so not much better either. :p

Link Mauve, FWIW I have a friend who is not just oblivious like most people, but actually supports Facebook (and others) behaviour

moparisthebest, you’re very often looking for technical solution to social problems, it’s not necessarily a good way to address those.

MattJ, yeah, those exist too.

I never expected to meet one :(

are legislative solutions to social problems a better way to address them Link Mauve ?

moparisthebest, isn’t that what legislation is all about?

addressing social problems?

isn't that what tech is all about? :P

(also, MMS are even more expensive than SMS)

(Depends on the country, in France both are free nowadays.)

lucky you

I pay 9ct per SMS, don’t wanna know what MMS would cost

Oh wow, I used to pay 15ct until 2012.

In addition to 15€ per month just to have this number.

at least the number is free

Afterwards I changed providers, and it became 0€ a month to have the number and unlimited SMS and MMS and two hours of calls and 50 MiB of data with cheap per-MiB overprice.

I used to pay $0.25 each way back in the day for SMS, but since probably 2005 they have been free

well up to 5000 for free or something, virtually unlimited, I have actual unlimited now though I try to just use jmp.chat

Link Mauve: at least here in the Netherlands telecom is *much* more regulated then the internet. My telco provider is not allowed to do with the data what facebook does

winfried, I think it’s the case in France too.

OTOH, telcos and ISPs are mandated to turn over data to the police if they ask.

winfried, but legislation won’t solve anything!!kk

But I’m really not sure, telecom is a domain I know almost nothing about.

Link Mauve, ahaha

Depending on how normalized that got after that EU directive

a paper related to graph analysis started with "or mobile call graphs which were sold as is common with telecommunictions providers"

but granted this might not have been france

Zash: in then Netherlands even for that the laws are more stringent then for server operators!

but it shows that it’s not as good as one might think

jonasw: Wasn't that in the news the other day? About US Telcos selling location data

I remember when it was insanely cheap to pay 9¢/min of 9k6 mobile internet over IrDA to a phone

And then I used to sit together with nerds, log into IRC to chat with other nerds and brag about being part of the future to both sides.