-
moparisthebest
jabber.org certificate is expired if anyone knows how to ping admins
-
Zash
They know
-
moparisthebest
Cool
-
Neustradamus
moparisthebest: there are tickets on github :) https://github.com/stpeter/jabberdotorg/issues
-
Ge0rG
Are they new or from previous periods? 🤔
-
Kev
jonas’: One of my team just noticed the new XEP rendering and commented how neat it looks. JFYI.
-
moparisthebest
Ge0rG, looks like both! needs more cron
-
moparisthebest
or, systemd timers, whatever the latest hotness in scheduled jobs is
-
Ge0rG
you can't cron everything.
-
Ge0rG
Also privilege separation. I don't want certbot to have enough privileges to restart/reload my xmpp server.
-
Ge0rG
but devops today just install a docker that hooks into your other docker and then everything sinks and...
-
moparisthebest
I mean you can give it *just* enough privileges to tell it to reload the certificate
-
Zash
Sounded like there wasn't any way to only reload the cert.
-
moparisthebest
then 'just enough' is restarting the server ¯\_(ツ)_/¯
-
moparisthebest
is it better to have an admin remember to renew manually and restart the server manually? because you know where that gets you
-
Ge0rG
Zash: did I mention yet that the documented way of reloading certs in prosody doesn't work? Except when I do it twice.
-
Zash
Ge0rG: Not that I remember. Is there an issue for that?
-
Ge0rG
Zash: no. Maybe a pastebin on the prosody@ MUC. I've got a "complicated" setup, and I never had enough evidence to feel that pulling a number would be actually useful
-
Zash
I might have seen it too, or at least wondered why it only works when directly observed.
-
Ge0rG
Zash: https://issues.prosody.im/1346
-
Zash
Thanks
-
moparisthebest
> MASQUE (Multiplexed Application Substrate over QUIC Encryption) is a mechanism that allows co-locating and obfuscating networking applications behind an HTTPS web server.
-
moparisthebest
new IETF mailing list set up for it, expect a XEP soon >:)
-
moparisthebest
new ALPN I guess?
-
Zash
Saw the mail. I cried.
- moparisthebest pats Zash, it'll be ok
-
moparisthebest
hey you didn't want everything going over TLS on 443 right?
-
moparisthebest
now it'll just all go over UDP instead
-
Zash
Is that even going to work?
-
moparisthebest
only because all browsers and CDNs will add support at the same time yes
-
moparisthebest
ie, the same reason TLS on 443 worked
-
Zash
TLS on 443 works because nobody dare block it ... yet.
-
moparisthebest
can't have anything nice, unless you are 1 of the 2ish major browser vendors, and then you can have whatever you want
-
Zash
Browser vendors being the driving force behind anything, and everything becoming browser based is what depresses me.
-
Ge0rG
Browser vendors being the driving force behind MTA-STS...
-
Zash
DANE or DIE!
-
Zash
Wait how is MTA-STS different from POSH?
-
Link Mauve
Zash, it also requires DNS, and a subdomain.
-
mathieui
alsam
-
mathieui
oops