XSF Discussion - 2018-10-16


  1. dwd

    So odd question, but does anyone know what the state of xmpphp is?

  2. jonas’

    "awful"

  3. jonas’

    no wait

  4. jonas’

    I got confused

  5. jonas’

    I have no idea.

  6. dwd

    Well, yes, it's PHP.

  7. dwd

    What I'm looking for is a way of writing a component in PHP - I'm bound to a library written in PHP, in case you wonder. Has anyone tried this recently?

  8. jonas’

    dwd, maybe the movim folks?

  9. Zash

    I hear long-lived PHP processes are great!

  10. dwd

    No, edhelas seems to have a (quite reasonable) library, but it's C2S over websockets I think.

  11. Zash

    /s

  12. dwd

    Zash, It's not like I have much of a choice, unless I reverse engineer the PHP library, which is not much fun either.

  13. Link Mauve

    dwd, no, it’s normal c2s.

  14. Link Mauve

    The websocket part of Movim is for a custom protocol between its client-side (web) part and the PHP thing.

  15. dwd

    Oh, it talked of removing BOSH for WebSocket.

  16. Link Mauve

    It actually removed both.

  17. dwd

    Gasp.

  18. Link Mauve

    Just normal TLS nowadays.

  19. Link Mauve

    Just normal TCP nowadays.

  20. dwd

    OK, so I could take one of the three (!) XMPP libraries I've found in PHP and hack component support into it, I suppose.

  21. Zash

    Heh, didn't we discuss s2s over BOSH once?

  22. Ge0rG

    dwd: have a node.js web service in the backend spoken to by the PHP library :P

  23. dwd

    Zash, It has TCP/TLS support. Doesn't seem to need BOSH about.

  24. moparisthebest

    dwd, iirc the whole nextcloud chat thing has a full fledged xmpp server written in PHP, just without federation so far

  25. moparisthebest

    at least I know it was that way in the nearish past

  26. dwd

    That's a bizarre choice to make. Why on earth didn't they repackage an existing one?

  27. pep.

    dwd: edhelas actually merged his c2s lib into movim not so long ago. Maybe it's worth getting out again.

  28. Zash

    "This is your brain on PHP"

  29. pep.

    He was also looking into writing components for other things iirc, not sure what he's going to use

  30. dwd

    pep., You can get at it via the Composer, which is sort of PHP's package manager thing.

  31. pep.

    Maybe it's an older version then?

  32. dwd

    Not sure.

  33. Maranda

    Moxl does xmpp on xmpp

  34. Maranda

    Websocket in Movim is just for the frontend app to connect to the backend

  35. moparisthebest

    dwd, pretty sure because it has to run on webhosts that only offer PHP

  36. pep.

    What does that mean

  37. j.r

    Why are there still people using PHP? And this scary webspaces that only have a PHP Interpreter?

  38. Zash

    Gah, this anti-XML, pro-JSON discrimination everywhere!

  39. moparisthebest

    pep., j.r , you know in the not-too-distant past when a dedicated server or VPS was expensive but you could get FTP access to upload PHP files to run on some remote multi-user machine?

  40. moparisthebest

    guess they still want to support that kind of thing, I'm assuming that's the only reason anyone ever writes PHP

  41. moparisthebest

    https://www.moparisthebest.com/images/php_the_good_parts.png

  42. Zash

    continued popularity because popularity

  43. pep.

    I guess that's how it all started, I'm not sure what statred first though, the PHP hosting or the PHP devs :p

  44. Zash

    Doesn't >50% of the web still run wordpress?

  45. j.r

    moparisthebest: yes I also used them, but today PHP is not the best anymore

  46. moparisthebest

    neither is windows or mac or skype or signal or, well I could literally go on forever

  47. pep.

    j.r, has it ever been

  48. Zash

    It's easy to get started after learning HTML basics

  49. moparisthebest

    still it exists :'(

  50. j.r

    > j.r, has it ever been No not really in my opinon

  51. j.r

    > It's easy to get started after learning HTML basics Also work with NodeJS or also Java Enterprise or whatever

  52. SamWhited

    In case anyone is interested, on HN someone was complaining about this page being out of date, so I started updating it (added OMEMO, removed a bunch of old mechanisms that no one cares about, added clear recommendations):

  53. SamWhited

    https://conversations.im/omemo/audit.pdf

  54. SamWhited

    err, oops: https://wiki.xmpp.org/web/XMPP_E2E_Security

  55. Zash

    words of praise

  56. SamWhited

    Please feel free to jump in; the table also needs updating but I am struggling with this wiki format

  57. SamWhited

    And there is probably more important stuff I don't know about

  58. Zash

    pandoc, the best thing ever, can generate mediawiki format ;)

  59. pep.

    SamWhited, for OTR I would add the transport use-case in recommentations

  60. pep.

    As in, you don't need protocol knowledge to use it, shove that into <body/> (:() and you're done

  61. SamWhited

    Does anyone care about transports enough to make that useful information? (serious question, I have no idea; I know the Matrix people like to advertise them, but I'm not sure how widely they're developed or used)

  62. pep.

    I am not an e2ee user, but I know a few users still using OTR because of that

  63. SamWhited

    "a few users" probably doesn't mean we should keep recommending OTR though, personally I want it to die in a fire though, so maybe I'm just projecting that onto what I think the recommendations should be

  64. pep.

    We all have our own bubble right :)

  65. SamWhited

    Actually, SCIMP probably doesn't need to be on there either. Is there a single implementation that's not whatever their client is?

  66. pep.

    I never heard of SCIMP before

  67. SamWhited

    yah, me neither until I saw this page

  68. pep.

    Also what about MLS? Do we want to "pre-list" it in there?

  69. Zash

    Is that the RFC thing?

  70. pep.

    yeah

  71. Zash

    SCIMP

  72. dwd

    Internet Draft right now.

  73. SamWhited

    I wouldn't link an untried RFC with no implementations personally, seems like it's just muddying the waters.

  74. pep.

    Also OX

  75. pep.

    That should probably be listed alongside OMEMO

  76. SamWhited

    I guess we could put it on their as "future work, recommendation: watch" or something

  77. pep.

    Though I don't have actual knowledge on that either

  78. dwd

    SamWhited, I think MLS will take over everything, eventually. I was working on a XEP for it, but it's a little too much in flux right now.

  79. SamWhited

    I'll believe it when I see it

  80. SamWhited

    I'm worried about having yet another complicated protocol and generally don't trust the IETF with this sort of thing, but also it seems like something that should be done there and not by us so we'll see I guess

  81. SamWhited

    But I still haven't done anything but glance through it, so grain of salt I guess

  82. dwd

    You don't trust the IETF? In what way?

  83. dwd

    I mean, if you mean, "They're really slow and might never get it done" I can somewhat sympathise, but the crypto and protocol I'm willing to trust.

  84. SamWhited

    I just generally think they overengineer everything and pick use cases that are way too general

  85. Zash

    https://tools.ietf.org/html/rfc6121#section-13.2 hmmmm

  86. dwd

    Well, in this case, the use-case is handling groups of participants with e2ee. Seems OK to me.

  87. SamWhited

    But I'd also rather see them developing something than every random company going it solo

  88. dwd

    A lot of CPIM and so on was actually our fault. Or SIP's, depending on how you look at it. Either way, the industry was split and couldn't really pick a standard. The result has been no standard.

  89. SamWhited

    Right, now we have OMEMO which is starting to gain adoption and are developing another standard. Things haven't changed much.

  90. Zash

    Except OMEMO is in a weird state too

  91. SamWhited

    It's true.

  92. moparisthebest

    at the moment, whether anyone wants to accept it or not, it's whatever Conversations decides to implement will win

  93. Zash

    Conversations is the new Internet Explorer \o/

  94. pep.

    Zash, that's harsh, but I see where you want to go

  95. Zash

    or Chrome

  96. SamWhited

    or Netscape

  97. Zash

    I suppose Pidgin might be the IE

  98. SamWhited

    But I don't think that's entirely true; Conversations may drive a lot of development, but as long as they do it in the open with community involvement it's probably okay

  99. j.r

    > I suppose Pidgin might be the IE +1

  100. dwd

    Right. The current spec doesn't even reference the Signal spec needed to implement.

  101. SamWhited

    I agree OMEMO has problems, but they seem fixable. Seems like we're throwing the baby out with the bathwater if we start over.

  102. SamWhited

    Then again, maybe it's better enough to justify that, I just don't know.

  103. dwd

    Well, OMEMO really doesn't scale well for chatrooms, whereas MLS does.

  104. dwd

    So depends if you want >10K scaling in pubsub and chatrooms, I suppose.

  105. SamWhited

    Yah, maybe that's enough of a reason; I'm just scared of throwing out all the progress we've made again

  106. SamWhited

    But that is a pretty good one if it can really scale that well

  107. dwd

    I must make sure my sketch-design for offline/non-escrow encrypted archives still works after the last major changes, though. I think it does.

  108. pep.

    I guess that's only a corporate use-case, >10K people in a single chatroom, because I've never seen/heard of that in the wild

  109. pep.

    Or maybe we're planning for when XMPP becomes great again

  110. dwd

    pep., Sure, but OMEMO won't really scale well enough for, say, xsf@ or jdev@.

  111. SamWhited

    Back to the wiki: is OX XEP-0374? It doesn't appear to have been worked on in a while, is it worth including? Are there many implementations?

  112. dwd

    SamWhited, Smack does it I think. Not sure how many clients use it.

  113. dwd

    SamWhited, Most use the OMEMO/Signal plugin for that, even when they're not GPL clients, which is hella-awks.

  114. pep.

    SamWhited, that's the one

  115. SamWhited

    Thanks; doesn't seem worth including if nothing uses it

  116. pep.

    The good thing compared to OMEMO is that container

  117. SamWhited

    (nothing end user visible, I mean; it's neat that Smack does it)

  118. dwd

    SamWhited, I'd actually appreciate all the historic and aborted attempts being documented.

  119. pep.

    That includes more than just <body/>

  120. dwd

    pep., Right, but eSessions had that a decade ago.

  121. pep.

    dwd, sure

  122. pep.

    I was also wondering why OMEMO didn't use it

  123. dwd

    pep., And, I think, did it in such a way it was reusable.

  124. Zash

    (nice features, widely used) pick one

  125. dwd

    Zash, I'm not convinced OX is all about nice features, mind.

  126. pep.

    dwd, I'm not arguing for OX per se

  127. pep.

    (I'm not arguing at all)

  128. dwd

    Is this the right room for an argument?

  129. pep.

    No idea, but we don't have to figure this out if it isn't one :)

  130. Zash

    https://proxy.duckduckgo.com/iu/?u=http%3A%2F%2Fjpegy.com%2Fimages%2Fuploads%2F2015%2F07%2FNot-take-only-throw.jpg&f=1

  131. Zash

    no argument, only spec .. or something

  132. dwd

    Right, but actually, it's "No argument, only implementation in a popular client".

  133. Zash

    No agreement, only implement!

  134. SamWhited

    Partially filled in OMEMO in the table; didn't do the crypto properties because I couldn't remember off the top of my head

  135. SamWhited

    If someone else has the confidence to finish it I'd appreciate it

  136. SamWhited

    I guess I can remove the column "Online chats" from that able too… unless that means something that I don't understand? Isn't that just the same as 1:1 and groupchat columns? Obviously the e2e mechanisms all work with "chats"…

  137. SamWhited

    *that table

  138. SamWhited

    Or the "encryption" column too for that matter; I know it's a property that not all cryptosystems provide, but given that this is a page about e2e encryption…

  139. Zash

    Someone who thinks xep393 is markdown. Do we burn it with fire now?

  140. SamWhited

    I think everyone just calls everything that looks like Slack/Watsapp formatting "markdown" even if it's not

  141. SamWhited

    It's very confusing

  142. Zash

    I fear this confusion will eventually lead someone to use a generic markdown library (with html passthrough enabled by default) and then the sky falls.

  143. SamWhited

    If they did that it wouldn't be compatible at all and their formatting wouldn't be the same, so I suspect they'd nontice

  144. SamWhited

    I suppose it's possible they wouldn't notice, at least some of the styles are the same, but I suspect someone would want bold or italic or whichever isn't the same and notice

  145. Syndace

    Oh boy, positive and optimistic words towards OMEMOs future, hell yeah! In a few weeks I'll finally get my lib to a stable state, then I'll start pushing towards this "better future".