-
ralphm
Tobias: I was looking at XEP-0385 (Stateless Inline Media Sharing). Have you considered sending multiple media files at once? Would it be supported by adding additional <file/> elements?
-
dwd
Wouldn't that be multiple <media-sharing/> elements? Or maybe even references depending.
-
Tobias
Multiple messages, multiple media-sharing or multiple file
-
Tobias
That probably needs to be specified
-
Tobias
But inside a single message would probably be best. Multiple messages already works
-
ralphm
Sure, I'd prefer a single message in my use case
-
Ge0rG
I'd prefer a single message to carry multiple 0184 delivery receipts, but that's not what the XEP allows...
-
ralphm
I'm a bit surprised also by the use of XEP-0372 References here. In my thinking, References was meant to annotate a previous message. This seems to leave off the uri attribute to refer to the current one. I think that use case has not been properly defined.
-
ralphm
In fact, in my use case, there wouldn't necessarily be a part of the text to be reference.
-
ralphm
d
-
ralphm
More like the 'add attachment' button in many messengers.
-
ralphm
Ge0rG: maybe XEP-0333 is more appropriate for you?
-
Ge0rG
ralphm: I want per message receipts, but with a more efficient delivery
-
ralphm
I'm not sure if I can see the use case, but yeah, then that doesn't help
-
ralphm
Anyway, I was really looking at Tobias' spec only right now.
-
Ge0rG
The use case is after mam sync / fetching offline messages. You need to ack a bunch of incoming messages, and the respective payloads are just ids, wrapped into a bunch of boilerplate
-
dwd
ralphm, No, references were always meant to be capable of referring to the current message. For hyperlinky stuff.
-
daniel
> The use case is after mam sync / fetching offline messages. You need to ack a bunch of incoming messages, and the respective payloads are just ids, wrapped into a bunch of boilerplate
Ge0rG: I think we either talked about this before or I independently had the thought of just bundling multiple receipts in a single message
-
ralphm
Ge0rG: but XEP-0333 just marks the last one, so that covers the use case
-
jonas’
ralphm, no it doesn’t, because you can’t be sure that all messages between two markers actually arrived
-
daniel
However in reality at least the bandwidth overhead of multiple messages vs one would be negligible if we had proper compression
-
daniel
We should really revisit the compression xep
-
daniel
And make it secure ™
-
ralphm
dwd: ah, I guess the references XEP needs to point this out then. Nevertheless, it doesn't seem useful for when you don't have a particular part of the message to reference, when sending media.
-
Zash
Someone Should™
-
ralphm
jonas’: arrived at the user or at his server?
-
Zash
What happens if the receiving user's archive acks messages when they are saved into the archive?
-
jonas’
ralphm, both
-
ralphm
Zash: right
-
dedekin
> would be negligible if we had proper compression
You could start with https://github.com/mgp25/Chat-API/wiki/FunXMPP-Protocol :-)
-
Seve
And call it WhatshAPPening
-
jonas’
looks like they invented a stripped-down version of EXI
-
Zash
jonas’: almost
-
jonas’
I expect EXI to be more useful than generic compression in the general XMPP case actually
-
pep.
Without the negotiation bits? ("these are the namespaces I'll be using")
-
Zash
EXI is more involved tho
-
pep.
(Re almost exi)
-
jonas’
Zash, that’s true
-
daniel
> I expect EXI to be more useful than generic compression in the general XMPP case actually
But arguably a lot harder to implement
-
jonas’
probably
-
Zash
"FunXMPP" is closer to a fixed compression dictionary IIRC
-
daniel
Especially since the xep is apparently garbage
-
jonas’
if there are no ready-to-use libs
-
jonas’
Zash, yes, which is also what EXI does
-
fippo
hah. This one is much better than exi for chat! http://cvs.schmorp.de/Net-Knuddels/Net/Knuddels/Dictionary.pm?revision=1.5&view=markup
-
Zash
jonas’: EXI generates those from schemas tho
-
jonas’
Zash, true
-
fippo
why compress protocol when you can compress the chat message content
-
Zash
fippo: wut
-
jonas’
I sense sarcasm
-
daniel
But fwiw I'd love to play with exi if I can get a server dev on board
-
Zash
jonas’: sure hope so, since that's the opposite of what we want here
-
fippo
zash: this module is not a joke even. i think the knuddels stuff came up in the late 90s, mostly in germany. they were alive until a recent data breach
-
jonas’
is there a lua-exi?
-
Zash
jonas’: nope
-
jonas’
pity
-
Zash
And EXI seems complex enough that I'd rather use a library than NIH it
-
jonas’
yes please
-
jonas’
is there even any floss implementation of EXI?
-
pep.
Deprecate it! It's too complex you'll never get it right! /s
-
jonas’
that libexi is "status: planning" on sourceforge, whatever that means
-
Zash
Thanks Firefox, I really did mean to go to http://EXIstentialcomics.com/
-
daniel
jonas’: a Java one
-
daniel
But that's literally the only one I believe
-
Zash
http://exip.sourceforge.net/ ?
-
Kev
daniel: I'm interested in EXI, actually, but no clue where we'd start to get something sensible (and no cycles to do anything immediately).
-
daniel
Compression - be it exi or an improved compression xep - would make for a good summit topic
-
SamWhited
That's a good idea
-
Guus
wasn't Arc Riley working on EXI stuff?
-
daniel
Guus: yes. He was the one who told us that the xep is garbage
-
daniel
(probably not his exact words)
-
Guus
Where's he off to anyways? Haven't seen him in ages.
-
jonas’
vanished after last year’s board elections essentially
-
jonas’
hope they’re alright…
-
Zash
You could define a zlib-safe that requires flushing between every stanza (or when to/from changes in some way)
-
dwd
Zash, Am I right in thinking Prosody has built-in support for JWT authentication for BOSH/WebSocket connections?
-
Zash
dwd: What makes you think that?
-
Zash
What does that even mean?
-
dwd
Zash, I was under the impression that Jitsi used something like that.
-
dwd
Zash, Of course, I could so easily be wrong.
-
daniel
Sounds like a reasonable approach to 'fixing' that xep
-
Guus
dwd: Jitsi might have added custom code (it did so for a number of things, iirc)
-
dwd
Seems to have, indeed.
-
Guus
dwd: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md
-
Guus
that's likely it
-
dwd
Yeah, I just found that myself.
-
ralphm
Isn't the issue with compression and encryption that a MiM can inject bits of information in messages going to an entity that are sure to be returned, to learn about the dictionary?
-
Zash
ralphm: Yes, like iq id attributes.
-
dwd
ralphm, Sorta. Compression oracles work by inserting known plaintext into a compression stream. So in our case, the compression stream is the entire session, so an attacker just sends messages to see if they can guess what's been sent before.
-
Zash
ralphm: If you flush between stanzas, that goes away
-
dwd
ralphm, But an attacker has to be able to see the compressed/encrypted stream, to count octets. I've generally considered this quite a hard attack.
-
ralphm
like on a mobile device?
-
Zash
You usually need a *lot* of requests to get actual secrets out
-
ralphm
ok, I had no idea how practical an attack like this is
-
jonas’
https://blog.thijsalkema.de/blog/2014/08/07/https-attacks-and-xmpp-2-crime-and-breach/
-
ralphm
also, I'm particularly curious about server-to-server connections in this regard
-
Zash
ralphm: https://blog.thijsalkema.de/blog/2014/08/07/https-attacks-and-xmpp-2-crime-and-breach/
-
Zash
jonas’: ha
-
dwd
ralphm, By which I mean, if an attacker has got to the point that they've got full access to your network traffic *and* is willing to expose themselves by sending traffic over your XMPP session as well, they're getting pretty desperate.
-
jonas’
ninja’d
-
ralphm
I know that document, but sure
-
jonas’
dwd, sending traffic to one's XMPP session is not that hard using a botnet. I get a lot of unsolicited traffic all day.
-
jonas’
that’s not *that* suspicious anymore
-
dwd
jonas’, Sure, but the attacker *also* has to have visibility over your TCP sessions.
-
jonas’
that’s true
-
Zash
But are the amounts of traffic required to do an actual attack small enough to evade admins being annoyed by the bandwidth usage?
-
jonas’
I wouldn’t count on admins thwarting an attack
-
dwd
Zash, Maybe. Depends what they're trying to discover. It'd be relatively simple to find out, for example, if you were in this MUC by sending you traffic including the room's jid. But then, it's far easier to just join the MUC and look...
-
Zash
Another way to fix this is to have a fixed dictionary
-
dwd
Zash, That's not how zlib works.
-
Zash
dwd: There are other compression libraries
-
Zash
dwd: And you can sorta fake it by feeding it a dictionary before every ... chunk .. somehow.
-
dwd
Zash, Sure. But then you're only able to compress, say, the XML. So you'd be into EXI territory.
-
Zash
dwd: Picking say zstandard and training a dictionary on some XMPP data ought to be a lot easier to do than implementing all of EXI
-
dwd
Zash, Better solution of course is to use a constant-bandwidth transmission medium. :-)
-
SamWhited
Not necessarily, the spec could say that the dictionary must contain "@yourserver.com" or similar (assuming we want to target large rosters and assume that most people will be using the same server as their friends)
-
Kev
dwd: So padding all stanzas to the 1GB mark?
-
SamWhited
But I doubt a fixed dictionary is actually practical; interesting to think about though.
-
Zash
Kev: 10MB and you have a deal
-
dwd
Kev, No, just transmitting at a constant rate, and including padding.
-
dwd
Kev, It works quite well on radios. :-)
-
Zash
Whitespace flood instead of ping?
-
jonas’
like ssh does for keystrokes? :)
-
Zash
jonas’: REAL TIME TEXT?
-
jonas’
!!
-
Zash
SamWhited: Could do something where the client downloads and caches a dictionary on connect. Then it can be tuned to the server and stuff. More complexity tho and closer to EXI
-
Zash
(Can you tell that I just found `zstd --train ...` ?)
-
SamWhited
ooh, yah, that's interesting. It would be fun to think more about what sort of policies the server could create that way
-
jonas’
Zash, interesting
-
SamWhited
I say "policies", but I guess you don't have to target anything if you do that. Just train it on lots of streams and see what the most common stuff is.
-
Ge0rG
And you'll end up leaking private data in your dictionaries.
-
Zash
Trade-offs
-
SamWhited
So exclude bits of the stream you don't want it to see
-
SamWhited
Start training after stream negotiation, drop IDs, messages probably won't matter because if a phrase is reused enough it's probably not private, etc.
-
Zash
If we knew which bits that was, we could do nice compression.
-
Zash
... and that's basically what FunXMPP is
-
SamWhited
Fair
-
Zash
Pre-defined dictionary
-
Zash
With common things like "<message " and such
-
jonas’
Zash, except with zstd, there would be a standard-ish way to translate that dictionary
-
jonas’
and we wouldn’t be limited to keep XML metacharacters in place
-
jonas’
for example, 'from="' could be one token in the dict
-
Zash
all known xmlns="..." etc
-
jonas’
yupp
-
ralphm
Hate to interrupt, but…
-
ralphm
set the topic to
XSF Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings
- ralphm bangs gavel
-
jonas’
'<a xmlns="urn:xmpp:sm:2" h="' :-)
-
nyco
here
- jonas’ shuts up now
-
ralphm
0. Welcome and Agenda
-
nyco
quorum?
-
ralphm
MattJ sent regrets
-
ralphm
Guus?
-
Guus
I'm here
-
ralphm
Yay
-
Guus
(no agenda items from me)
-
ralphm
I have Elections and FOSDEM
-
nyco
and ED?
-
ralphm
nyco?
-
ralphm
Ok
-
ralphm
1. FOSDEM
-
nyco
FOSDEM/Summit is for SCAM?
-
ralphm
We've requested a stand again.
-
ralphm
(just informative)
-
nyco
oh great
-
nyco
thx a lot
-
Guus
(what nyco said)
-
ralphm
Also, we've secured the location for the Summit
-
Guus
I intend to make reservations for the annual dinner later this week
-
ralphm
We now need to start really inviting people to come and look at hotel deals
-
Guus
also, I'm assuming that last year's hotel arrangements were ok? I'll redo those too, then
- ralphm nods
-
ralphm
That's it for me on this.
-
Guus
one thing
-
Guus
now that you raised the topic
-
Guus
last year, we, as in the XSF, invited three people to summit and fosdem, sponsoring them. I dubbed them 'young potentials', I think.
-
Guus
do we want to do something like that again this year
-
Guus
and if so, who? Last year, we extended an invitation to gsoc students. We did not participate in gsoc this year.
-
nyco
what was the outcome of this?
-
Guus
We had two students attend, iirc
-
nyco
how much were we attractive?
-
Guus
both of them are still active in the ignite realtime community
-
Guus
at least one of them mentioned that he'll be going to FOSDEM again this year.
-
nyco
so we might wanna do it again, I'd go for it...
-
Guus
I kind of like the concept of doing such sponsoring, but I can't immediately identify candidates for this iteration.
-
Guus
Do you have suggestions for candidates?
-
ralphm
Let the records reflect that suggestions are welcome.
-
ralphm
Let's put it back on next week's agenda
-
Guus
k
-
ralphm
2. Elections
-
ralphm
With 3 days left, the list is wanting
-
Guus
we're at 4 candidates for board, 3 for council. All sitting candidates, I think
-
ralphm
Indeed
-
Kev
Sorry, lagging here, but from the peanut gallery, did any of the young hopefuls remain active in the standards community, or just for a particular project?
-
Kev
We've moved on, nevermind. As you were.
-
ralphm
Kev: Guus can still answer that one.
-
Guus
Kev: one is still active, afaik.
-
ralphm
Should we be worried about Council specifically? Three people is really meager
-
Guus
Paul / Vanitas
-
Kev
It's only two, actually, with one intending to apply but hasn't yet.
-
Kev
I was going to take a year off, but I'll throw my hat into the ring again now.
-
ralphm
Kev: well, if you mean: their page isn't actually there yet, we then also only have 2 for Board. *shame*
-
Guus
I wonder if there are people that are inclined to run, but are held back for some reason
-
ralphm
Shall I send another reminder?
-
nyco
yes, please, I think
-
ralphm
Ok.
-
Guus
Well, Alex just did one?
- Guus shrugs
-
ralphm
Last Friday, yes.
-
nyco
today is good, because it's Thu, and still a week day
-
ralphm
Right
-
ralphm
3. Executive Director
-
Kev
Another Council application in.
-
Guus
I think the relevant people now know that we have an election. I don't think it's a matter of pointing that out. Maybe we can persuade them to actually run, in some way though.
-
nyco
reminder at -48h, -24h, 12h, 6h, 1h, 30 min... 😉
-
ralphm
We haven't had one since Peter resigned this post. There's been question on needing one, and to be honest, maybe we don't.
-
Guus
Thanks Kev
-
Guus
Ralph, we briefly discussed this last week. I offered to take over from Martin, in doing an inventory of tasks/responsibilities.
-
Guus
which I wanted to do after we actually meet with Peter, for this and financials, which is another 'todo' that's been outstanding for too long..
-
ralphm
Ok
-
nyco
if we don't have an ED, then do we need to modify the bylaws? or we just elect a ghost ED?
-
Guus
I think Peter stated that he intended to resign as soon as we had a replacement.
-
Guus
as he's not actually doing anything in the role currently, I prefer having this status-quo over undertaking the massive operation that is rewriting the bylaws.
-
ralphm
What I've also seen done is that the Chair of the Board is appointed in such role in the absence of a candidate.
-
Guus
but, we should move on this. We should have, ages ago.
-
ralphm
(like in the company I currently work at)
-
nyco
ah I like that the chair is ED as well
-
nyco
*the idea*
-
Guus
ralphm, if that works with our bylaws (I doubt it, for reasons), we might want to wait until next board picks a new chair then.
-
ralphm
Right, I'm not sure myself, it is just something that popped up.
-
Guus
worth considering, nonetheless.
-
ralphm
I think the ED is appointed by the Board, so I don't think it conflicts, but I'm happy to hear thoughts from the floor on this, before actually suggesting we do this.
-
Kev
ED being on Board would seem inappropriate to me, even if it's allowed.
-
Kev
Given the ED is used to break deadlocks in the Board.
-
Guus
"If the Board consists of an even number of Directors, the Executive Director of the Corporation shall be empowered to cast a tie-breaking vote (...)" complicates matters.
-
Guus
(what he said)
-
ralphm
Kev: indeed.
-
ralphm
The issue is that a) I haven't seen this being used in this corporation, b) I have no real other suggestions.
-
ralphm
But I'm happy to discuss with Guus and Peter.
-
Guus
Let's move on for now
-
Guus
*tap*tap* is this thing still on?
-
Kev
Everyone moved on.
-
Guus
ralphm usually swings his mighty hammer before he does. 🙂
-
ralphm
4. EOB?
-
ralphm
AOB?
-
Guus
ennie, how nice and Dutch of you 😛
-
Guus
now.
-
Guus
no*
-
ralphm
5. Date of Next
-
ralphm
+1W
-
ralphm
6. Close
-
ralphm
Thanks all!
- ralphm bangs gavel
-
ralphm
set the topic to
XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings
-
Guus
thanks!
-
nyco
thx everyone!
- ralphm unmutes jonas’
-
j.r
ralphm: what was wrong with him/her?
-
Guus
Nothing, but jonas’ applied self-mute-ation earlier.
-
Guus
(which might or might not have been a ploy to get out and play)
-
ralphm
j.r: there was a discussion going just when I interrupted to have our Board meeting, so he said he would go silent
-
Seve
Still missing an applicant for Board?
-
guusdk
Seve: we can always use more
-
SamWhited
Seve: https://wiki.xmpp.org/web/Board_and_Council_Elections_2018
-
flow
"Zash> jonas’: EXI generates those from schemas tho" not necessarily. i was told that it would perform also well without schemas, although I wonder if it would suffer from the same side channel based attacks as zlib compression
-
flow
"Kev> Sorry, lagging here, but from the peanut gallery, did any of the young hopefuls remain active in the standards community," I'd say vanitasvitae is active, he wrote a mail to standards@ not too long ago, but got no reply/response back, so I'd say the standards community is the entity being inactive here ;)
-
jonas’
some numbers on the stream compression ratio (numbers are "bytes saved" in percent from the perspective of the client; i.e. tx == from client to server, rx == from server to client):
aioxmpp test suite, sync_flush only (XEP-0138 as written): 40% rx, 20% tx
aioxmpp test suite, full_flush after each stanza: 25% rx, 20% tx
JabberCat startup (lots of mucs, lots of avatars), full flush after each stanza: 25% rx, 12% tx
JabberCat startup (lots of mucs, lots of avatars), sync flush: 36% rx, 12% tx
sync vs. full is executed on both sides (client and server)
-
jonas’
these are to be taken with a grain of salt due to the rather narrow use-cases