XSF Discussion - 2019-08-27


  1. moparisthebest

    <ralphm> And indeed, maybe mod_block_strangers isn't the best approach. I can imagine various cases where you'd receive a message stanzas from a non-contact that you didn't direct presence to (bare or full). And didn't want it blocked.

  2. moparisthebest

    For example, jmp.chat

  3. moparisthebest

    Where you want messages from SMS non-contacts

  4. moparisthebest

    They have to constantly change their server and client recommendations because of this

  5. fds

    h

  6. jonas’

    moparisthebest, maybe talk to the server implementations about white-listing jmp.chat

  7. jonas’

    that’s a reasonable use-case

  8. jonas’

    and since you need to be registered with jmp.chat to receive messages from them (?) it is opt-in for each user fully and without extra config

  9. jonas’

    could be a config switch obviously for the admin to disable the whitelisting

  10. jonas’

    but I think by default it should be whitelisted

  11. Ge0rG

    What about > Also blocking messages from strangers, server-wide, is a very bad idea.

  12. jonas’

    true

  13. winfried

    Guus Ralphm maybe we should apply for this: https://www.forumstandaardisatie.nl/content/toetsen-van-standaarden

  14. Guus

    winfried: i quickly scanned: seems we're too late?

  15. winfried

    Guus: They have a continuous call and they accept twice a year. We missed the call for this autumn but can apply for the spring

  16. winfried

    And best prepare well for it...

  17. Guus

    kk

  18. MattJ

    Ge0rG + all: mailing list archives should be working again now

  19. Ge0rG

    MattJ: awesome, thanks!

  20. Ge0rG

    Are the numbers still the same?

  21. MattJ

    You mean did old URLs break? No, I sincerely hope not

  22. jonas’

    MattJ, https://mail.jabber.org/pipermail/members/2019-May/008986.html

  23. jonas’

    oh, that’s members

  24. jonas’

    but members should be public, no?

  25. jonas’

    (it was, at least)

  26. jonas’

    (I just grepped my xsf@ logs for a random mail.jabber.org link)

  27. jonas’

    (other links to standards@ seem to work)

  28. ralphm

    Yes, should be public

  29. ralphm

    In principle, mailman knows which lists should be

  30. Ge0rG

    jonas’: the evil thing about mailman silently renumbering is that all links still work, they just point to different mails

  31. ralphm

    Yes that's horrible

  32. ralphm

    At least for standards@ links archived by Google seem to match, with a quick sample

  33. Ge0rG

    ralphm: thanks for checking.

  34. Ge0rG

    I'm sure there are still broken links on the wiki, from our last silent renumbering.

  35. ralphm

    When was that? I have old links in my blog and haven't noticed issues

  36. ralphm

    2003-2005

  37. Ge0rG

    ralphm: I suppose around 2016, when the infra went belly up

  38. ralphm

    Ok

  39. Ge0rG

    ralphm: eg. https://wiki.xmpp.org/web/XEP-Remarks/XEP-0352:_Client_State_Indication leads into a 404

  40. Ge0rG

    https://wiki.xmpp.org/web/XEP-Remarks/XEP-0256:_Last_Activity_in_Presence has one 404 and one unrelated "XMPP or NodeJS" thread

  41. Ge0rG

    those two were the first hits of https://wiki.xmpp.org/web/index.php?search=mail.jabber.org&title=Special%3ASearch&go=Go

  42. ralphm

    Hmm

  43. Ge0rG

    I don't even dare going on

  44. ralphm

    Are you fixing them as you go?

  45. Guus

    Bear once provided me with server logs, that I grepped for frequent 404's

  46. Guus

    by no means a full fix, but I used it to fix the most high-impact ones.

  47. Guus

    maybe that can be repeated?

  48. ralphm

    Particularly in this case, there's context to find the new working URLs

  49. Ge0rG

    ralphm: nope. I have no idea where the links used to point to before

  50. Ge0rG

    and the 404s are kind of unexpected

  51. Ge0rG

    there used to be more wrong and less 404 links, IIRC

  52. ralphm

    Well, you have links with known months. Given the relatively low volume, you can choose suitable replacements.

  53. ralphm

    (just go up one level, scan for the XEP by number or name)

  54. ralphm

    E.g. the CSI one: https://mail.jabber.org/pipermail/standards/2014-August/029037.html

  55. Ge0rG

    Right.

  56. MattJ

    jonas’, oh, right

  57. MattJ

    I think that's part of my earlier attempts at a fix

  58. MattJ

    Apache was serving archives/private, and all the docs say to serve archive/public

  59. moparisthebest

    ralphm, Ge0rG, jonas’ : it's not just servers that block non-contacts either, also clients https://github.com/ChatSecure/ChatSecure-iOS/issues/844 pretty crappy situation

  60. moparisthebest

    and yea jmp.chat getting itself on a whitelist is probably doable, but kind of ruins the whole concept of an open federated system :/

  61. moparisthebest

    ditch whatsapp/telegram/$hotness_of_the_day and join XMPP and message anyone! (who doesn't happen to use a crippled client or server that they can't fix)

  62. ralphm

    Well, for what it is worth, once I disabled that module, I almost immediately got a bunch of spam. I understand it blocks certain users, but I am not affected by that, and that trumps not getting spam. YMMV

  63. moparisthebest

    and to be clear I think that's perfectly acceptable opt-in behavior, or even if it was on by default and you could opt-out

  64. moparisthebest

    just to have it hard-coded in clients, and server-wide in popular public servers where you can't disable it for your JID is bad bad

  65. ralphm

    Sure

  66. MattJ

    Agreed - a standard way to enable/disable it would be great

  67. Zash

    Magic blocking command-ish thing?

  68. MattJ

    Someone XEP it and we could implement it in Prosody in less than an hour

  69. Ge0rG

    Or, maybe, you know, a way to smartly block just the spam messages.

  70. Ge0rG

    Or, slightly less useful, a kind of captcha-on-first-contact

  71. ralphm

    Yeah, I don't believe in that.

  72. ralphm

    I'm tempted to say: my server will only ever forward anything (including presence subscription requests) to the client, if there is a matching outgoing presence request or approval.

  73. ralphm

    And then something to cover MUC/MIX.

  74. Holger

    ... invitations.

  75. ralphm

    for MUC?

  76. Holger

    Yeah.

  77. Holger

    That's one of those things that typically fail with mod_block_strangers.

  78. ralphm

    I don't remember how MUC invitations work, but in MIX there is the inviter - channel - invitee triangle and in that case it would indeed only work if both people have each other in their roster

  79. ralphm

    I'm not sure if that's a negative, depending on how hard you want to block spam

  80. jonas’

    ralphm, MUC has both ways

  81. jonas’

    with the MUC channel in between or without

  82. ralphm

    The big issue, of course, is needing some kind of out-of-band exchange of JIDs, or maybe phone number matching.

  83. jonas’

    with is required for rooms where members are not allowed to edit the member list, but are allowed to send invites.

  84. ralphm

    When we were implementing (only) MIX, I looked in detail at its mediated invites, and really like that model.

  85. jonas’

    mediated invites are not spoofable, which is nice, but the problem is with spam of those, yes

  86. ralphm

    Because it won't cause blockage of invites from 'unknown' entities like the room (the invite comes directly from the inviter to the invitee), so that blocking JIDs will also never cause you to be bothered by people via MIX channels.

  87. ralphm

    And then if you require a bidirectional relationship, that would block probably most spam.

  88. ralphm

    (at the expense of ease-of-use, probably)

  89. jonas’

    s/, probably//

  90. jonas’

    ralphm, what you describe does not sound like a mediated invite to me

  91. ralphm

    well, I suppose it is mediated in reverse. It requires the participation of the channel.

  92. ralphm

    I.e. someone can join the channel only if it got an invite that was approved by the channel, and it will only receive invites from non-blocked people.

  93. jonas’

    I don’t get this, do you have a link to the document for me to read?

  94. ralphm

    jonas’: https://xmpp.org/extensions/xep-0407.html#usecase-user-invite

  95. jonas’

    ralphm, ah, yes, that’s neat

  96. jonas’

    so there’s a token from the MIX involed

  97. jonas’

    so there’s a token from the MIX involved

  98. jonas’

    but I could still spoof that

  99. jonas’

    ah, but that doesn’t matter because you’d be filtering non-roster contacts

  100. ralphm

    If you wanted you could implement a step where the invitee checks the invite with the channel, before showing the invite to the user.

  101. Ge0rG

    With three parties involved, you can't trust any one to represent the other.

  102. Ge0rG

    I've never blocked messages from strangers, and strangely I hardly receive any spam

  103. ralphm

    Ge0rG: maybe you are a natural anti-spam measure 🤣

  104. Ge0rG

    It used to be different.

  105. jonas’

    ralphm, that requires a way for the channel to say "yes, that token is valid" without joining

  106. ralphm

    Indeed

  107. jonas’

    ralphm, this is simply one of the occasions where Ge0rG did (does) what he was (is) preaching

  108. Ge0rG

    jonas’: if you are going to join anyway, and that join depends on the token being valid, you can just skip the round trip

  109. Ge0rG

    Clients are auto joining for years now.

  110. jonas’

    Ge0rG, the point is to validate the token to rule out dumb invite spam

  111. ralphm

    The point is that you may want to validate the invite before bothering the user

  112. jonas’

    unless you’re collaborating with the MIX service, you don’t have valid tokens to invite people

  113. ralphm

    In this scenario, you'd minimize spam.

  114. ralphm

    Also, implicitly the inviter does trust the channel

  115. Ge0rG

    Spammers would never collaborate with a MIX service

  116. ralphm

    So that's why I think it works

  117. jonas’

    if the spammers collaborate with the MIX service, the obvious solution is to punish the MIX service.

  118. Ge0rG

    > ralphm: there is a disapproved SPAM WG for that, in which you can become a member after signing an NDA with the blood of your first-born. That offer is still open, BTW, in case you are interested in not blocking strangers.

  119. pep.

    How much is invite spam a thing? I've never experienced it (I mean from spammers. I do get invite spam otherwise but from "legit" users)

  120. Ge0rG

    pep.: never got that so far

  121. ralphm

    It's been a long time since I got a bona fide invite

  122. Ge0rG

    Most invites I'm getting from myself as a shortcut to join a MUC on my mobile

  123. ralphm

    But I get multiple invites per week

  124. Ge0rG

    ralphm: do you happen to have xml?

  125. ralphm

    Not at the moment, but can hold on to it

  126. ralphm

    Next time

  127. Ge0rG

    ralphm: that would be great.

  128. Ge0rG is collecting samples

  129. ralphm nods

  130. ralphm

    Got a few from default.rs

  131. wurstsalat

    any updates regarding DOAP? gajim does also provide one now

  132. pep.

    There's a PR awaiting, not sure what's blocking. I'd say editor's processing time

  133. pep.

    I'll have a look after we get together with jonas’

  134. Ge0rG

    Wiring a DOAP looks like a significant effort

  135. Zash

    copy an existing, edit the name, call it a day

  136. wurstsalat

    Just implement all the features, then you don't have to filter XEPs ;)

  137. Ge0rG

    wurstsalat: fewer features, less work.

  138. wurstsalat

    I see your point

  139. pep.

    Ge0rG: I'm sure somebody(tm) could PR a doap file for yaxim once it's deployed

  140. pep.

    Then you'd only have to update it

  141. Ge0rG

    pep.: I'd actually appreciate that

  142. wurstsalat

    Ge0rG, do you have a list of supported XEPs?

  143. Ge0rG

    wurstsalat: more or less, at https://yaxim.org/features/

  144. jonas’

    pep., the website is not editors' realm

  145. pep.

    Ah

  146. pep.

    Board?

  147. jonas’

    I just happen to know a bit about pelican so I did a few things back then

  148. jonas’

    I don’t think there’s a formal team

  149. jonas’

    actually

  150. jonas’

    I have merge powers there, not sure why :)

  151. jonas’

    Guus and I do most of the reviews

  152. pep.

    Then we should submit that PR to board probably

  153. wurstsalat

    Ge0rG, Feb 1st, 2017 4:06 pm is sufficiently recent?

  154. Ge0rG

    wurstsalat: probably not, but it's the most recent I have ready.

  155. wurstsalat

    If nobody else volunteers I would compile a doap with this

  156. Zash

    Didn't someone make a ???? to doap thingymajigger?

  157. wurstsalat

    Ge0rG, there you go, an approximation ;) https://paste.gajim.org/view/22c58cfb

  158. pep.

    wurstsalat, 0077 "complete" "no forms support", hmm.

  159. wurstsalat

    That was me not parsing ;)

  160. Ge0rG

    Is that rdf file now licensed under gpl3?

  161. Ge0rG

    Should I also add the version tags for the specific XEPs?

  162. pep.

    yeah that'd be nice, maybe not required though(?)

  163. Zash

    disco#info to doap? or was this the project that needed the registries to be in order?

  164. pep.

    disco#info to doap could help a bit I guess.

  165. Ge0rG

    wurstsalat: Is that rdf file now licensed under gpl3?

  166. lovetox

    hm the tombstone thing where we redirect to another address on destruction of a muc

  167. lovetox

    if i disco such a muc, it has the new address inside <gone>new address</gone> error condition

  168. lovetox

    is this somewhere specified? or is this something people just do

  169. Zash

    XMPP core RFC

  170. Zash

    https://xmpp.org/rfcs/rfc6120.html#rfc.section.8.3.3.5

  171. jonas’

    I would’ve pasted that if I hadn’t accidentally Ctrl+Q

  172. wurstsalat

    Ge0rG: however you like

  173. Zash

    WTFPL?

  174. wurstsalat

    Tell me if I have to be specific ;)

  175. lovetox

    ok nice although weird that they add xmpp: into it

  176. pep.

    lovetox, it makes sense to be a valid URI I think

  177. Zash

    lovetox, handy if you ever wanna redirect to a wobsite or email or whatever I suppose

  178. wurstsalat

    lovetox: I thought gajim did that (but didn't check)

  179. Ge0rG

    wurstsalat: I'm not yet sure whether to bundle it with the source or with the website.

  180. Ge0rG

    Zash: I don't want to design the UX for that

  181. Zash

    Yes, convention for where to put the doap xml plz 🙂

  182. pep.

    Zash, wherever you want? You have to give a url to xmpp.org anyway

  183. Zash

    Ge0rG: "This MUC has now become a mailing list. GL;HF"

  184. Ge0rG

    Channel you are in is tombstoned, suddenly a "new email" editor appears

  185. pep.

    Somewhere not everybody has access would be better I guess :)

  186. Zash

    Ge0rG, show a link maybe?

  187. jonas’

    wurstsalat, "public domain"?

  188. lovetox

    Zash still weird, this makes parsing this much more complicated

  189. jonas’

    lovetox, don’t you need a URI parser anyways?

  190. Zash

    Life is complicated.

  191. lovetox

    i have one yes

  192. pep.

    And it's most likely always going to be another MUC.. (or MIX, maybe? someday)

  193. Ge0rG

    Just drop it at the OS URI handler. If you are lucky, the xmpp URI will get bounced to your running instance.

  194. pep.

    Or maybe an http url to logs? :P

  195. Zash

    Note that it's a generic stanza error, applicable to anything and everything.

  196. Ge0rG

    If you are less lucky, you'll end up with a second client running, competing for your resource

  197. Zash

    Users, MUCs, pubsub nodes, entire servers etc

  198. Ge0rG

    Everything can be gone.

  199. Ge0rG

    Messages?

  200. Zash

    "The recipient or server can no longer be contacted at this address"

  201. jonas’

    https://http.cat/410

  202. Zash

    Hm, maybe that excludes pubsub nodes then

  203. Ge0rG

    Makes me think of the Moved XEP mess...

  204. Zash

    Are pubsub nodes recipients?

  205. Zash

    Moving is a mess

  206. Zash

    Cool URL^W JIDs don't change!

  207. Ge0rG

    I moved to the web. Feel free to subscribe to my blog rss

  208. Ge0rG

    Now imagine we had a URI scheme for individual messages.

  209. Zash

    Linking to a static website where you detail your shutdown seems like a thing you could do

  210. Zash

    Imagine if we had URIs in to/from for everything

  211. Ge0rG

    You could link to your last message, like a will

  212. Ge0rG

    Zash: heresy!

  213. Zash

    `<message to="mailto:jdoe@example.com" from="xmpp:me@example.net" type="normal"><subject>Buy!</subject><body>Lorem ipsum</body></message>`

  214. Zash

    Sure would have simplified some bridging scenarios

  215. wurstsalat

    Ge0rG: poezio, dino, and gajim host the doap in their git repos (easiest I think)

  216. wurstsalat

    pep: the doap from poezio follows a different scheme though (I think Link Mauve updated it)

  217. Ge0rG

    wurstsalat: so I'd link to a raw file on github? Hmmm...

  218. pep.

    blame Link Mauve

  219. pep.

    (he knows better)

  220. pep.

    Ge0rG, yeah

  221. Ge0rG

    So be it, then!

  222. linkmauve

    wurstsalat, I think I updated all DOAP files I knew about when I improved the schema to have more consistent semantics.

  223. linkmauve

    I’ll have a look at some point, currently in Berlin and enjoying it too much to be too much on the computer. :D

  224. linkmauve

    debacle btw, I’m in Berlin atm.

  225. Ge0rG

    linkmauve: did you tell Holger?