XSF Discussion - 2018-12-13

Hm, memberbot doesn't tell me what I'm voting for

Huh, xhtmlim bug?

Worked fine for me (Conversations).

Not a client issue it seems

It's sending <b> and <i>. Those aren't allowed per https://xmpp.org/extensions/xep-0071.html#def-text

that should only lead to them not having any effect

I think?

unsupported tags should be replaced with their content

Yes

I can't do that.

Huh?

That's the most basic of HTML handling

Ignore what you don't know

Right

No, I'm saying that my sanitizing code can't do that.

although one could argue that disallowed tags ≠ unsupported tags and disallowed tags should be dropped altogether. however, I’d go with replace with content even for disallowed. ✏

It's not possible to replace tags with text.

It must replace tags with tags or nothing.

So you found two bugs

Now, the real question is: Where does the plain text <body> go?

Zash, it’s even worse, you need to be able to replace tags with mixed content

if you get sent <p>something <b>foo<i>bar</i>baz</b> something</p>, the result should be <p>something foobarbaz something</p> (assuming p is allowed)

If a client supports XHTML-IM, it will ignore the body

But there was no <body>

or a message at all

I only received the "Approve (yes/no)" messages and I don't see where the others went

I'd check out the bot and try out. I'd be surprised if it didn't send body

Lookl like Link Mauve already noticed this and https://github.com/linkmauve/memberbot/commit/4f539b8571c48f84129c284517f6bb692352247e

Also note the body

Sure, but I didn't receive those at all for some reason

So either my firewall ate them or my XHTML-IM filter ate them

tasty

Afternoon, all.

hi dwd

XSF Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

0. Welcome + Agenda

Welcome!

Who do we have?

Hey

hi

dwd asked us to discuss Compliance Suites, so there might be some Council members around to join for that item.

Hello :)

All things are possible.

MattJ?

You can summon MattJ by mentioning him...

Ge0rG and Link Mauve?

normally

Guus, You have to say MattJ three times in front of a mirror, I think.

My name has a similar, but different effect: the mirror breaks.

Mirror, mirror, who's the luast of all?

thanks

dwd, thank you very much

1. Appointment of officers

Alex has agreed to serve for another year as Secretary. I motion we reconfirm Alex Gnauck as our Secretary.

+1

(you're here for many purposes, Ge0rG )

+1

+1

Yay!

Peter has agreed to serve for another year as Treasurer. I motion we reconfirm Peter Saint-André as our Treasurer.

+1

+1

nyco?

Since we already have 3 votes, I'll say Yay again.

Thank you, Alex and Peter, for putting in the effort once again. Appreciated!

Missing votes to follow

On our Executive Director, Peter mentioned he didn't have time last week, but could this week. I haven't picked up on that, yet.

+1

(thanks nyco)

(do we need the missing votes to confirm them? We have quorum, don't we?)

sorry

Guus: we don't but I think it is nice if we have votes from all Directors.

I agree

And chiming in with Guus thanking Peter and Alex.

2. Compliance Suites

Hey

ho

Sorry, here now

(wow, sloooow mirror!)

Hi MattJ, feel free to put in your votes.

Meanwhile, dwd: go!

+1 to Alex for Secretary, +1 to Peter for Teasurer

dwd?

Oh, sorry - Ge0rG would be best to lead here.

I'll have to leave at 16:00

We had a discussion in Council regarding what form Compliance Suites should take, but I'm not even sure what we wanted to escalate to Board

naming?

TThe thing to escalate was in terms of using them as a marketing tool, perhaps filtering the software the XSF lists, etc.

"XMPP 2019"?

Ah, so compliant software. Yeah.

please define "marketing tool"

I don't think council needs board to approve naming (of XEPs)? ✏

agree with that, naming can be left to the Council

We had a discussion about badges some years ago. So that compliant software can be marked as such with nifty labels

Guus: some, most are Council's business

I think the current technical form of CS is appropriate, if we can have a prominent link on the top of the XEP list

nyco, Well, that's it, isn't it? The Council merely noted that we don'tt do much as an organisation with the compliance suites - what marketing could we do with them?

badges can be cool, very visual, understandable in one eye shot, impactful I like that idea

Badges comes up every time Compliance Suites are discussed

The problem is that someone needs to check, right?

nyco: that opens the question of whether badges will be issued by XSF after some formal/automatic verification, or if everybody can just assign them on their own

and what kind of abuse management mechanism we have then

This same conversation :)

There is no way we can verify who complies and who doesn't, so either the badges are free for everyone or we shouldn't have them

just like with trademarks, spot an infringement and sue them?

yep, qualification, certification, etc.

(of course, we can’t do that because manpower)

I'd be totally fine with prominent links to the compliance suites, and treating them purely as guidance for developers

I don't feel like being in the business of certifying

"business" is a rather correct analogy, I fear

Sure, but we can also let people self-certify and pull this from them if they are clearly taking the piss.

So what can we do, short of a certification business, to promote XMPP 2019?

I like this: https://www.coreinfrastructure.org/programs/badge-program/

If someone claims their software complies with the suite, and they don't, well, let the intarntubes' scorn be on them.

it's declarative, but promote good/best practices

dwd, "clearly" is still subjective, unfortunately

I think we, as the XSF should pace ourselves a bit here.

"intarntubes" 😉

Perhaps. But given that if people don't even claim a free thing, then that's a valuable signal in itself...

I'd not object to run some sort of compliance checker in our domain, akin to what we do with xmpp.net (of which the state is itself somehwat unclear)

xmpp.net is broken, not unclear ;)

although at the moment the only thing broken is the DNSSEC verification

which means that SRV records are not honoured for 99% of services

And also not an XSF effort

Ge0rG part of the reason why it remains broken is that we don't know who's responsible, I thik.

MattJ did a lot of good work on it.

Guus: I think it's because the intersection of people who have the knowledge, the time and the power to fix is is empty.

I have some time, I've put some work into it, fixed some stuff, but it still needs a little bit more - I'll get to it soon (but probably not before next week)

Isn't it mostly that it's abandoned upstream?

so the intersection of people who have the knowledge, the time and the power to do badges is empty as well?

I'd be ok with someone designing an official badge, and letting people use that when they feel like they should show it.

Kev, I've forked the repo and am fixing stuff, so happy to be the new upstream

I'd have to be convinced to have compliance testing itself be an XSF activity

ralphm, +1

let's ask lead devs: if they were badges, would you use them?

Yes, probably

I doubt it.

Ralph, I think that making the tools to do the checking available, could be an XSF activity

Ge0rG: sure

ralphm: it would probably make sense to have badges according to the compliance suite blocks, i.e. "core|advanced" "web|im|mobile" "client|server" *2019* ✏

My advice to the Board would be: Make the badges, and if they're useless, drop them.

Guus, no, the checking is next to impossible I'm afraid

But I'm not in favor of us doing the checking / publishing it, etc, other than to the extend what xmpp.net does for anyone that uses the tool.

I'd use badges, except my client doesn't qualify because I don't consider Avatars a must-have.

Guus: I think that building such tools is ambitious project

an

I stick to "impossible" :)

large parts of CS can't be usefully tested automatically.

ralphm , I"m not saying 'build it'

I'm suggesting: host one, if someone builds it.

MattJ: I'm a positive guy :-D

But it would be awesome to have a client/server test suite that I could run my code against.

we can "test"/"validate" appetite for badges, with only a small prototype

compliance.conversations.im is a good example. It's a great tool, but anyone could easily pass 100% by cheating

Guus: oh, I mistook 'making' for 'building', then.

nyco, Right. You don't even need a checker. Maybe people won't take the piss.

Let's do this, as dwd also mentioned, ask if someone would like to design such badges.

+1

I'd say developers should be allowed to use the badge on their own, with a way for users to complain and the XSF to revoke badges.

I'm not sure about this. Badges should be something you can trust. And nobody is going to endorse those, from what I understand.

but, to address dwd's suggestion: I don't see anything wrong with linking a set of badges to the compliance suite xeps

maybe we should not start with the design, which is costly

Then, if we have such a person, they can work with Council regarding what they should include.

nyco, it may be possible to find someone willing to donate time

nyco: we've already have had the Suites themselves. I don't see people putting the text around their clients, so a badge is then what we can do. If we don't start with design, what then?

for example, instead instead of an automated testing system, we can start with a crowdsourced testing system

yeah, we shouldn't start out with tasking a commercial designer, rather ask for volunteers

nyco: while I am not against that idea, I don't think it should be an XSF activity.

And I didn't mention paying for a design.

16:01

"costly" does not forcefully mean "money", can mean time, effort, delay...

If we don't have anyone in the community, there are people I'd be happy to reach out to

So far I've seen two +1 (me and MattJ) and one +0 (Guus).

What do we do?

for what: create a batch?

I think the Board should decide whether such implementation badges should be hosted on xmpp.org or if they can be hosted by the respective implementations.

Ge0rG: I'd be ok with hosting it themselves, and adding to our lists when they do

And then whether Badges are assigned explicitly by the XSF, or whether implementations can claim a badge and we have a way to retract that.

ralphm, "adding to our lists" <-- what do you mean, exactly, with that?

Ge0rG: I am not in favor of assigning them explicitly

I'd like them to still be within the control of the XSF, and enforce some basic constraints on their use... like linking them to a specific place

Guus: https://xmpp.org/software/

Something like: "Developers are allowed to display the respective badge if they are in good belief that their implementation complies with the respective part of CS. This can be disputed by users, upon which the XSF may retract this right from a developer"

if Compliances Suites are a responsibility/duty of the XSF, I see badges as the same

MattJ: like we had with Jabber Powered?

Yes

The list that contains Pidgin as an endorsed XMPP client.

Yes

I'm not in favor of adding badges to our lists of software. I am +1 of having badges created that can be used freely by others.

I like that

Guus: "freely" is too free for me, personally.

Ge0rG we won't be able to enforce anything anyway

I'm gone, sorry

Thanks nyco

Guus: my idea was that a project wants to, when they register their software, we could include a way to say if they want to carry the badge in their entry. It wouldn't be an endorsement.

Guus: we will be if badges are only shown on the XSF pages ;)

badges can very easily be copied.

Using a trademark on the badges will allow control over how they may be used.

Guus: we would if the XSF retains the rights on the badge and have a policy.

We don't need hundreds of pages of legalese for that.

But e.g. the Bluetooth logo is managed in that way.

ralphm I'm pretty sure that people we don't want to use the badge, won't care about our policy.

They'd simply use it in their software / download page, whatever.

I think the XSF being in a position to revoke would be a painful thing for us.

We /know/ that people tend to ... exaggerate compliance with things.

Kev: what's your alternative suggestion?

Guus: let scorn be on them

Guus: having the legal right to enforce doesn't mean making use of that right.

don’t you lose trademark rights if you don’t enforce them?

ralphm exactly - which is why I'm fine with _having badges_ to be used by others. I'm against us assigning specific badges to specific projects though (on our site)

It does unless you want it to be useless.

I don't see the point of the badges if we cannot make people trust the badges.

If you want badges (and I'm not convinced they're adding any value at all, but whatever), I think the best you can hope for is the same as claiming compliance at the moment. It's a claim.

I see the point, but there are really only three options here: 1. explicitly white-list badge-bearers (can be still worked around) 2. have a policy for self-assessment and retraction 3. allow everyone to claim everything and ignore violations

Unless the badges are just for guidance and we don't endorse it officially

https://web.archive.org/web/20060307012614/http://jabberpowered.org:80/

But it's not clear to me what problem the badges are solving, either.

if someone wants to fly a banner, claiming compliancy with a certain XEP, I'd be OK for us to provide a uniform design to that. I want to prevent us from listing things as 'compliant' though.

I suggest everybody here has a look at that, think about whether we want something like it for badges and continue this discussion next week.

Guus: I can see that

Guus: Which is exactly the state at the moment with saying you support CS2018, I think.

before we hammer off - @jonas' had an AOB.

Kev, exactly, but with a fancy colorful badge.

(which might add a uniform way of recognizing things, at best)

is this intended to have Approving Body Council? https://xmpp.org/extensions/xep-0381.html

it doesn’t make sense to me, but maybe that’s just me

3. AOB

> and will not alter the official Logo in any way, including its size 🤔

Ge0rG: we can modify all the terms, it just something we did before, and might be a good start for the rest of the discussion

jonas' at first glance, I think you're right. Council does not approve SIGs. ✏

jonas’: agreed, Board should be the approving body

suggestion: I change the approving body to board and re-issue the LC

Given this has been in the queue for two years, I'm not sure if it still makes sense

ralphm: I really like it

jonas’: ok

the LC might be a good way to figure it out -- and to move it to rejected if not needed.

indeed

jonas’ : agreed.

And whether its authors still want it

Anything else?

4. Date of Next

+1W

5. Close

Thanks all!

do we need a formal third +1 for Jonas' question?

Guus: I don't think so. Clearly a typo

Thank you very much everybody :)

And we just missed it on our radar. Also nobody asked about it.

XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

I don't think it works that way, even if it's a typo, but, fine. 🙂

Guus: well, Council cannot approve SIGs

so...

that's true

So the logical conclusion is that we are the approving body

It just popped up on the radar because Council has been listing all the open LCs

s/Council/Editor/, but yeah

I stand corrected

need to re-issue them for this term

aye

MattJ : thanks for taking over the upstream stuff for xmpp.net - would you mind putting it all in one place?

meaning: clone everything, even if you didn't modify it yet, in one account under either github or bitbucket (or whatever)?

It's somewhat confusing (to me) to figure out what part of the software lives where, and who's maintaining it. I'd love to have one account where this all is listed.

I'd not be against creating an xmpp.net github repo, just for this, outside of XSF control.

(my board hat was off, there)

Also, feel free to add me to any such org.

I've heard there is an org called JabberSPAM now.

Oh, I think that org would actually need an XSF seal of approval.

JabberSPAM?

certainly for TM use

We'll get you the T-Shirt, Ge0rG

when its approved, obviously.

Ge0rG: can you send an email to Board about this?

Because indeed, that might be a TM issue

jonas’: that, too, yes

trademark@jabber.org is the official address for TM issues AFAIK ✏

jonas’: I also wanted Board, because Peter isn't our ED anymore, and I'm unsure who's handling this now

I see

We need to fix https://xmpp.org/about/xsf/jabber-trademark/license-decision-process.html then

I'll include this in the chat with Peter

ralphm: AFAIR, board@ is moderators-only

Good point

eh, members-only

So there is no way to contact Board.

ralphm: also mention his comment on https://github.com/xsf/xmpp.org/pull/200

Just send it to that address and me. There's also info@xmpp.org, but that's probably also Peter, so we need to figure that out.

Since he's still an officer of the corporation, I'm sure it is fine

ralphm: sent to info@ and to you

Is here someone who could create me an account on the wiki?

lnj: yeah

Ge0rG, Could you create one for me or how does that work?

lnj: I need your email address and the desired CamelCase username.

lnj: via PM is alright

... wait a sec .. need to start gajim for pms

lnj: xmpp:georg@yax.im if that's better

assuming that your email address is the first thing that you'll post on the public wiki, maybe a PM isn't that important?

Kev, nudge nudge https://github.com/xsf/xeps/pull/718

I don't think I was aware of that, let me mail myself.

Jabberspam -> Safety Jabber, you can search on ML

https://safetyjabber.com/ https://android.safetyjabber.com https://sj.ms/ https://safetyapps.zone/sjim.html http://safetyjabbercom.blogspot.com/ https://sjsoftwaredev.com/sj-im/ ...

Neustradamus: I can't even...

Uhm https://safetyjabber.com/trademarks.php

Neustradamus: Skype usw PGP ? 🤣

ralphm: it's an interesting question whether you can enforce trademark on a substring.

I'm sure that Cisco has ways

Ge0rG, write a new RDBMS named SafetyOracleDatabase and let us know how it goes :)