XSF Discussion - 2019-04-23


  1. moparisthebest

    jabber.org certificate is expired if anyone knows how to ping admins

  2. Zash

    They know

  3. moparisthebest

    Cool

  4. Neustradamus

    moparisthebest: there are tickets on github :) https://github.com/stpeter/jabberdotorg/issues

  5. Ge0rG

    Are they new or from previous periods? 🤔

  6. Kev

    jonas’: One of my team just noticed the new XEP rendering and commented how neat it looks. JFYI.

  7. moparisthebest

    Ge0rG, looks like both! needs more cron

  8. moparisthebest

    or, systemd timers, whatever the latest hotness in scheduled jobs is

  9. Ge0rG

    you can't cron everything.

  10. Ge0rG

    Also privilege separation. I don't want certbot to have enough privileges to restart/reload my xmpp server.

  11. Ge0rG

    but devops today just install a docker that hooks into your other docker and then everything sinks and...

  12. moparisthebest

    I mean you can give it *just* enough privileges to tell it to reload the certificate

  13. Zash

    Sounded like there wasn't any way to only reload the cert.

  14. moparisthebest

    then 'just enough' is restarting the server ¯\_(ツ)_/¯

  15. moparisthebest

    is it better to have an admin remember to renew manually and restart the server manually? because you know where that gets you

  16. Ge0rG

    Zash: did I mention yet that the documented way of reloading certs in prosody doesn't work? Except when I do it twice.

  17. Zash

    Ge0rG: Not that I remember. Is there an issue for that?

  18. Ge0rG

    Zash: no. Maybe a pastebin on the prosody@ MUC. I've got a "complicated" setup, and I never had enough evidence to feel that pulling a number would be actually useful

  19. Zash

    I might have seen it too, or at least wondered why it only works when directly observed.

  20. Ge0rG

    Zash: https://issues.prosody.im/1346

  21. Zash

    Thanks

  22. moparisthebest

    > MASQUE (Multiplexed Application Substrate over QUIC Encryption) is a mechanism that allows co-locating and obfuscating networking applications behind an HTTPS web server.

  23. moparisthebest

    new IETF mailing list set up for it, expect a XEP soon >:)

  24. moparisthebest

    new ALPN I guess?

  25. Zash

    Saw the mail. I cried.

  26. moparisthebest pats Zash, it'll be ok

  27. moparisthebest

    hey you didn't want everything going over TLS on 443 right?

  28. moparisthebest

    now it'll just all go over UDP instead

  29. Zash

    Is that even going to work?

  30. moparisthebest

    only because all browsers and CDNs will add support at the same time yes

  31. moparisthebest

    ie, the same reason TLS on 443 worked

  32. Zash

    TLS on 443 works because nobody dare block it ... yet.

  33. moparisthebest

    can't have anything nice, unless you are 1 of the 2ish major browser vendors, and then you can have whatever you want

  34. Zash

    Browser vendors being the driving force behind anything, and everything becoming browser based is what depresses me.

  35. Ge0rG

    Browser vendors being the driving force behind MTA-STS...

  36. Zash

    DANE or DIE!

  37. Zash

    Wait how is MTA-STS different from POSH?

  38. Link Mauve

    Zash, it also requires DNS, and a subdomain.

  39. mathieui

    alsam

  40. mathieui

    oops