-
Andrew Nenakhov
Link Mauve, not quite MUC
-
Andrew Nenakhov
We call it simply group chat.
-
Andrew Nenakhov
Parts of it are already working.
-
Seve/SouL
Andrew Nenakhov, I think he is just asking for a MUC where people can join
-
Seve/SouL
Like him or me
-
Andrew Nenakhov
Well... We won't run 0045 MUCs.
-
Andrew Nenakhov
If you tell me your JIDs I can invite you to our prototype solution. It's backwards compatible with regular clients
-
jonasw
why?
-
jonasw
do we need Yet Another Groupchat Standard? aren’t three enough already?
-
jonasw
(or four if you count DMUC)
-
Andrew Nenakhov
jonasw, we are building the one that works.
-
Andrew Nenakhov
Holger, no.
-
jonasw
-xkcd 927
-
Bunneh
https://imgs.xkcd.com/comics/standards.png
-
jonasw
if it’s compatible to existing clients, how does it solve the fundamental '45 issue (resource === nickname)?
-
Andrew Nenakhov
Yes yes. We don't cover everyone's use cases though.
-
Steve Kille
It is of course easier to hack something to solve your own specific problems, than to produce a general solution
-
Andrew Nenakhov
Just ours.
-
Andrew Nenakhov
It is compatible in a different way. Existing clients will treat it like a standard contact in roster.
-
jonasw
that doesn’t sound at all like Group Chat 1.0
-
Andrew Nenakhov
Steve Kille, you see, once you try to do a universal standard for everyone's needs, people will flock immediately and start demanding to add this and that
-
Andrew Nenakhov
From what I understand it killed MIX before it was even born
-
jonasw
having 10 standards for a fundamental feature like chats between more than two people will kill XMPP though :)
-
Steve Kille
jonasw: that is a key point
-
jonasw
I think the MIX split is doing much good here
-
jonasw
uh, Steve Kille, a thought which just crossed my mind: It would be *excellent* if each sub-feature in each XEP would be marked with who is responsible to implement it. like in my email: "User Client", "User Server", "MIX Component"
-
jonasw
this would give a very quick overview of the complexity of a MIX part for a given project
-
Andrew Nenakhov
Xmpp is already mostly dead.
-
Steve Kille
Making good choices as to what is in a universal standard and what is mandatory/optional is key. If you make it too thin, it is a problem because it does not solve necessary problems.
-
jonasw
I’d like to know for example what a client needs to do in order to benefit from MIX-ANON (it doesn’t necessarily need to *know* this is an ANON room, just the basic question "can I join a MIX-ANON room without doing additional things on the client side?")
-
Steve Kille
Let's start with the table you suggested.
-
jonasw
sure, one step at a time :)
-
Steve Kille
The way MIX-ANON has come out, it does not impact end user client at all. I was pleased that the split enabled this.
-
jonasw
Steve Kille, regarding your question about the PR: you can always start working on top of your working tree, even if I haven’t merged things yet
-
Steve Kille
Table will make this clear
-
jonasw
it shouldn’t lead to conflicts (if you don’t do version blocks; which you don’t need to, in general), and if it does I can resolve them
-
Steve Kille
jonasw: we need to synchronize, which is why I checked.
-
jonasw
this is great (about MIX-ANON)
-
Steve Kille
I'll bash on and do this after my bike ride to work
-
jonasw
but it’s indeed trivial, will merge it right away
-
Steve Kille
OK - so shall I add a new version number for the table (0.11.2)?
-
jonasw
Steve Kille, you can, otherwise I will :)
-
jonasw
(merged and pushed your editorial fixes)
-
ralphm
set the topic to
XSF Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings
- ralphm bangs gavel
-
MattJ
May just be you and me though...
-
ralphm
Hmm
-
ralphm
No Martin?
-
Kev
I'd like to note that, with an iteam hat on, I'm assuming Board has done due diligence with GDPR on our infrastructure, and will tell us if anything needs to change.
-
Ge0rG
There is a hugely important agendum pending, regarding the Board competence wrt. the GDPR XEP
-
ralphm
Ge0rG: while I agree on the importance of making sure everyone is ready for the GDPR, I don't think we should rush the XEP, if that's what you're getting at
-
Kev
It's not.
-
Ge0rG
There is also a meta-agendum regarding the process for XEPs that are neither technical nor processual, but rather legal.
-
Kev
The XEP was presented to Council. I don't believe Council has competence to be the approving body for such a XEP.
-
MattJ
I don't think there should be any process for XEPs that are legal, because... we don't have legal XEPs
-
Kev
So the question is what to do about it that Board is happy with.
-
MattJ
We're not an organisation that gives law advice
-
Kev
If Board is happy to be the approving body, we make a change to XEP1 that allows an Informational XEP to be approved by Board.
-
ralphm
Kev: I understand that part, and I agree with MattJ
-
ralphm
I think stpeter's suggestion has some merit in that regard
-
Kev
If Board doesn't feel they have, or are able to acquire, competence here, then we probably communicate back that the XSF isn't the place for this XEP before any more work goes into it.
-
Kev
The central point being that I (strongly) feel that Council isn't the right place to approve a XEP giving advice on complying with the GDPR, whether that is "legal advice" or not.
-
MattJ
Agreed - but neither is the Board. And in that case, it means the XSF as an organisation is not
-
ralphm
I don't feel comfortable with the abstract on behalf of the XSF, either. It currently says: “This informational XEP provides information on deploying XMPP in way that is compliant with the General Data Protection Regulation (GDPR) of the European Union.”
-
Kev
(Other options are Board reviewing it and assuring Council that it is fine to publish from a legal perspective, and that Council should only review technical content, or changing the XEP such that it's not trying to give GDPR advice)
-
Kev
MattJ: I think the Board saying "No can do" is a reasonable outcome, if that's what Board feels. I'm just concerned that Council can't judge this (and, even if it's not legal advice, Council can't make the call on whether it's legal advice).
-
ralphm
I wouldn't be comfortable as Council either, I agree
-
ralphm
The thing with the GDPR is that, for example, you should not store more information than needed. This can vary quite a bit depending on the nature of a particular deployment.
-
Kev
Board have the option to get legal advice on it.
-
Kev
Council don't have that sort of authority :)
-
MattJ
I think there are a few options
-
MattJ
- Trim it down until it's not GDPR-specific, and we're comfortable that it's nowhere near being taken as legal advice
-
MattJ
- Consult a (presumably costly) third-party to make us comfortable with it (and possibly aid in the editorial process)
-
MattJ
- Don't publish it
-
MattJ
(under the XSF)
-
MattJ
The author(s) can still do what they like with it
-
MattJ
Winfried has stated that #1 is not feasible, because it contains some very GDPR-specific statements, and presumably removing those may undermine the purpose of the document
-
MattJ
#2 is not feasible because of our financial situation, in my opinion
-
winfried
Mind if I join in?
-
MattJ
Please do!
-
Kev
Please do.
-
ralphm
Having a list of what's a reasonable minimum to store to be able to provide a particular service would be useful. I'm curious myself about the ability to take notice of Privacy Policies.
-
winfried
Short, I am on the move
-
ralphm
(let alone explicit consent for certain processing)
-
winfried
The issue is liability
-
winfried
Don't know to what extent the XSF is liable for XEPs but we can limit it by presenting it as an opinion of the XSF instead of guidelines
-
ralphm
And things like advice on the proper protection of the data you store, but I believe that GDPR doesn't require certain types of encryption (e.g. Encryption at Rest), but you need to ensure it is protected adequately.
-
MattJ
If someone (small independent service operator, large commercial operator) gets fined for being in violation of the GDPR but followed everything in our XEP, I can see how they may try to turn to the XSF for recompense
-
ralphm
winfried: I personally wouldn't want to go anywhere near providing an opinion as the XSF. At most I'd record best practices and points of attention. For the rest defer to experts.
-
MattJ
Whether they would actually have a case or not, I have no idea
-
ralphm
Say you run a public server hosting MUC rooms only. Each of the rooms are created by the owner of the server, but everybody is free to join them. How can you provide a proper Privacy Policy, how do you collect and process what data, and why? What can you do if someone requests removal?
-
ralphm
There's so much there.
-
MattJ
I think there is room for an Informational "Privacy Considerations for XMPP Server Operators" XEP
-
ralphm
Agreed, and I think *that* would be in scope for the Council just fine.
-
Zash
How would that be different from a GDPR-less GDPR XEP?
-
ralphm
Note that the example above is not arbitrary. There's some work to be done here. (Nod to Kev).
-
MattJ
Zash, it wouldn't, really
-
MattJ
But the current document has headings like "Is the GDPR appliccable to you?" - that's not something we can answer for anyone, that they can't just as easily get answered somewhere else
-
ralphm
Exactly.
-
ralphm
E.g. it depends on where the server operator is located.
-
ralphm
E.g. if your server is within the EU, I think the GDPR still applies even if all your users are not.
-
ralphm
Well, I guess that's it then
-
ralphm
For the record, there was never really a meeting today.
-
MattJ
Indeed. A formal vote isn't possible with over half the Board absent
-
ralphm
set the topic to
XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings
- ralphm unbangs gavel
-
MattJ
But I think it's ok for the council to not accept in the meantime, and for discussion to continue on the list
-
ralphm
(yes I can do that)
-
ralphm
MattJ: agreed
-
winfried
ralphm MattJ thanks for discussing this, I will take this, I will think a bit about how to handle this. I personally don't mind putting my own head in the line of fire, so I may also publish parts of the GDPR work as a personal opinion, outside the structures of the XSF.
-
MattJ
Sounds great - and also identify things we do need protocol features to support, such as the ToS/privacy stuff that was discussed
-
jonasw
so, I am looking at muchopper (to index MUCs in XMPP) again. are MUC bare JIDs, Subjects and Descriptions in any way personal data under GDPR? I don’t think so from the definition of personal data in Art 4.1, but if someone disagrees, let me know.
-
Ge0rG
I know this is controversial, but I'd say that public MUCs are public.
-
Zash
> basically anything is this personal data?
-
jonasw
Ge0rG, indeed, I’m going to filter for MUCs which have the publicly listed flag enabled
-
Ge0rG
jonasw: you could index the other ones for stats, but hide JID and meta data.
-
jonasw
what type of stats?
-
Zash
occupant count?
-
Ge0rG
dunno. Average number of users in a MUC? Number of people who are not in every MUC that has "xmpp" in the name?
-
jonasw
Ge0rG, what would I use as key then in my database for those?
-
jonasw
HMAC(some-secret, mucjid)?
-
Zash
Better PBKDF2 with i>9000
-
jonasw
ELOAD
-
Ge0rG
jonasw: if some-secret isn't in the DB, that's ok.
-
jonasw
I need to store the JID to be able to re-join after a restart
-
Zash
Is a MUC JID personal data?
-
jonasw
I don’t feel like it is
-
jonasw
the domain part might be though
-
Ge0rG
I don't think either is.
-
Ge0rG
jonasw: you also need to store the JID to blacklist MUCs
-
jonasw
no
-
Ge0rG
Ah, right. HMAC is sufficient
-
jonasw
MUCs can blacklist muchopper by banning its JID
-
Ge0rG
That, too.
-
jonasw
if a join fails due to a ban, data is purged
-
Zash
How do you remember that someone does not want your cookies?!!!
-
jonasw
but for restoring state I’ll need the JID, so I’ll always have to store the JID
-
pep.
Hmm, tbh the board discussion above seemed like one of our gdpr meetings, like beheaded chickens not really understanding what's happening
-
MattJ
As I said before all this started, that's the best that anyone can do right now :)
-
Ge0rG
pep.: is it possible that you and me were in different GDPR meetings?
-
ralphm
jonasw: personal data is any data relating to a natural person on its own or in combination with other data. This includes all kinds of identifiers, including JIDs
-
ralphm
Ge0rG: for the purposes of the GDPR it doesn't matter if something is public or not
-
Kev
ralphm: "It includes all kinds of identifiers, including JIDs" - but doesn't include all JIDs, correct?
-
Zash
A place someone goes to can imply interests which is personal info.
-
ralphm
Kev: JIDs leading to individuals
-
Kev
Right.
-
ralphm
so that includes the participant JID in MUC or proxyJID in MIX
-
Ge0rG
ralphm: that's true. But I still wonder what kind of data processing can be made on data that was made public by its owners.
-
Kev
Hmm. But a proxy JID in MIX is something that is assigned by the service, and doesn't identify the user, kinda.
-
Kev
It is an identifier for the user, yet doesn't identify the user, if that makes any sense at all.
-
ralphm
Ge0rG: the XSF is forwarding your message to everyone in this room. That's processing. And for a specific, explicit and legitimate purpose.
-
ralphm
We are also storing logs.
-
Kev
I guess MIX proxy JIDs are actually quite similar to IPs.
-
Kev
So yeah, point withdrawn.
-
ralphm
Kev: it is a stable identifier for a natural person in the context of the MIX room. So yes, under the GDPR that is personal.
-
Ge0rG
ralphm: my question wasn't even about the xsf, but in that specific situation you could probably argue that the user gives consent by entering a public MUC and writing something
-
Kev
Yes, already talked myself around.
-
ralphm
Ge0rG: consent needs to be explicit and specific. In this case, you probably want a Privacy Policy to cover this use.
-
ralphm
We have voted on one in 2008. Can't find it right now.
-
Kev
Was probably lost in the Battle-Tested and Secure website update :)
-
ralphm
Kev: privacy.shtml
-
ralphm
there's a copy here: https://web.archive.org/web/20120808002100/https://www.jabber.org/service-policy/
-
Kev
You mean you've got it, or you'd like me to search on the server for it?
-
Kev
Ah, cool.
-
ralphm
And I have it in my gitorious clone of the xmpp repo
-
Kev
That's jabber.org's, though, not xmpp.org's?
-
Kev
Or is it so old it predates the split?
-
ralphm
well, haha: https://xmpp.org/2008/12/privacy-policy-approved/
-
Kev
Ah, no, loaded now. That's jabber.org's, not the XSF's.
-
Ge0rG
ralphm: I didn't see a consent dialog popup when joining this room for the first time.
-
ralphm
Kev: which seems to imply things I'm very curious about now.
-
ralphm
Ge0rG: yes, indeed
-
ralphm
but pizza
-
Zash
ARGH!
-
Zash
I didn't reload the mail config?
-
jonasw
:(
-
Zash
"and nothing of value was lost" :P
-
Zash
Why does the mailman archive not show dates?
-
Zash
Uh, does doing the member survey mean I agree to Google's privacy policy etc?
-
jonasw
probably
-
Ge0rG
Just in time. https://yaxim.org/blog/2018/05/24/updated-yax-dot-im-policies/
-
Seve/SouL
Congratulations, would be interesting if you get any message from one of your users regarding this, like requesting information, etc.
-
Wiktor
...or a nightmare letter: https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis
-
jonasw
meh, so apparently there’s no way to know whether a MUC wants to be listed publicly unless one has privileges over that MUC
-
jonasw
the #roominfo form distributed via disco#info doesn’t contain it, and the #roomconfig isn’t available to unprivileged users
-
Wiktor
isn't checking MUC server to see if the room is listed there sufficient?
-
jonasw
Wiktor, the list could be extremely long
-
Zash
Won't it *not* be in disco#items?
-
jonasw
Zash, I might have the MUC jid from another user or invite, and I need to know if the room wants to be publicly listed
-
Wiktor
jonasw: yep, but that's additional info for your bot :)
-
jonasw
so... the only way to do that is by iterating MUC directories .. :/
-
Zash
> :tag("feature", {var = get_hidden(event.room) and "muc_hidden" or "muc_public"}):up();
-
jonasw
ohh features
-
jonasw
right
-
Zash
Is this some magical thing only Prosody trunk's MUC does?
-
Zash
jonasw: Oh I thought this was what you already checked?
-
jonasw
ejabberd also does it
-
jonasw
Zash, no, I looked at the #roominfo form
-
Zash
Ah, ok
-
pep.
jonasw, Ge0rG, winfried, my presence may be spotty tomorrow, I just recalled I'm taking a train. At that time I should be waiting for it (queueing) so I should be able to attend from the phone
-
vanitasvitae
Is there an XMPP mastodon account? I was searching, but could not find one...