-
ralphm
Daniel: your tweet to upgrade Dino is a bit, let's say, sparse on detail :-D
-
Daniel
which is probably a good thing?
-
ralphm
I don't know?
-
ralphm
Does it have shiny new features, or was there a horrible security issue?
-
Daniel
it had all the CVEs. roster injection. carbon injection. mam injection. https://github.com/dino/dino/commits/master
-
lovetox_
Does it get a Combo Bonus
-
jonas’
:D
-
ralphm
Nice.
-
Daniel
i mean they fixed it pretty quick.
-
ralphm
Daniel: but you didn't want to rub it in?
-
Daniel
now someone should probably notify the debian maintainers
-
Daniel
ralphm, it's extremely easy to exploit. and someone has exploited the roster one in this muc yesterday
-
Daniel
so i don’t want to give details
-
ralphm
Well, if someone is updating the CVEs, isn't that automatic?
-
ralphm
Also, is there a changelog somewhere?
-
Daniel
dino hasn't had a release yet
-
Daniel
so no there is no changelog
-
Daniel
aside from git
-
jonas’
they should definitely allocate CVEs
-
Ge0rG
they, or the researcher who found it?
-
jonas’
"someone", actually
-
jonas’
I don’t think you need to be affiliated with a project to allocate CVEs
-
Ge0rG
yeah, when I find something, I typically allocate the CVEs myself
-
Daniel
i'll probably write something down for the three bugs together
-
Daniel
i mean it's the same general mistake
-
Ge0rG
Nobody reads the Security Considerations
-
Daniel
yes
-
Ge0rG
is there a bold-red-blinking markup we can use at the top of https://xmpp.org/extensions/xep-0280.html#inbound ?
-
Daniel
maybe. if people only read the examples; we should have bad examples
-
jonas’
Ge0rG, having a thing in xep.dtd / xep.xsl which allows to mark up Important boxes would be neat
-
Daniel
i mean explicitly examples showing you what kind of messages to reject
-
jonas’
stuff like sphinx generates with .. warning::
-
jonas’
Ge0rG, can you file a thing against xeps/XEP-0001?
-
jonas’
that won’t help with RFC 6121, but it’s something
-
Ge0rG
jonas’: an issue thing or a PR thing?
-
Ge0rG
Daniel: that's actually an excellent idea
-
Ge0rG
jonas’: https://github.com/xsf/xeps/issues/821
-
Ge0rG
Daniel: how about https://op-co.de/tmp/xep-0280.html#example-11
-
Daniel
The paragraph above that is also new?
-
Daniel
Looks fine
-
Daniel
Yeah that's probably a good improvement
-
Ge0rG
Daniel: yeah
-
Ge0rG
Daniel: but you can't link to paragraphs
-
Ge0rG
and I didn't want to link to example 10
-
Daniel
Makes you question why that wasn't in there before
-
Ge0rG
Daniel: because XEP authors aren't security consultants
-
Daniel
Maybe we want to go so far and in the security section say in <strong> *This has been exploited several times*
-
Daniel
And link to the CVE
-
Daniel
Probably a separate PR
-
Ge0rG
it would mark my third PR for 0280 today.
-
Daniel
I mean it is absolutely ridiculous that this has struck so many times in three different iterations
-
Ge0rG
I suppose it is enough to have a negative example for "received", without one for "sent".
-
Daniel
Yes
-
Daniel
Hopefully...
-
Ge0rG
Daniel: do you have the link to the initial incarnation?
-
Daniel
This predates my involvement in xmpp
-
Daniel
So no
-
jonas’
Ge0rG, a PR thing would be even better than an issue thing
-
Ge0rG
jonas’: yeah, but my work.
-
Licaon_Kter [cnvrs]
MattJ Any reason this room does not _warn the user that the discussions are logged_ ?
-
ralphm
As for RFCs, I suppose it could be in errata, but then again, who reads those.
-
Ge0rG
nobody :(
-
Daniel
up until recently i didn’t even know they existed
-
Zash
Licaon_Kter [cnvrs] looks like it only sends the signal when archiving is enabled or disabled.
-
Zash
And also the semantic difference between archiving and logging.
-
pep.
Maybe you should have two messages? :P
-
Zash
Link is in the subject and I /think/ also in some room metadata.
-
pep.
Some clients don't really show subjects in a prominent place anymore :(
-
Licaon_Kter [cnvrs]
Zash Subject/Title aside, Converse.js shows them, but will also show _"groupchat logging is now enabled"_ as per https://xmpp.org/extensions/xep-0045.html#enter-logging so, is Prosody not honouring that? Umm https://hg.prosody.im/trunk/file/tip/plugins/mod_muc_mam.lua#l99 maybe
-
pep.
he just answered you
-
Licaon_Kter [cnvrs]
I, obviously, did not understand a thing
-
pep.
"when [it] is enabled or disabled."
-
Zash
It is missing a thing for when you join
-
Licaon_Kter [cnvrs]
Ok, right...
-
Zash
Report issue. Patches especially appreciated
-
Licaon_Kter [cnvrs]
True
-
Zash
But the public logs are provided by a separate module. Should that one add the tag?
-
Zash
IIRC both of them should only let you get logs/archives if you could join the room and get them yourself
-
lovetox_
If the user is entering a room in which the discussions are logged to a public archive (often accessible via HTTP), the service SHOULD allow the user to enter the room but MUST also warn the user that the discussions are logged.
-
lovetox_
So Zash this explicitly mentions http based logs
-
lovetox_
i would argue it does not matter how the server logs, what counts is that is publicly available, and the user should be warned about it
-
Licaon_Kter [cnvrs]
FYI, I only noticed this because ejabberd is announcing it every time Converse.js mysteriously dis/reconnects https://github.com/conversejs/converse.js/issues/1697
-
Ge0rG
lovetox_: so it's also true for MAM
-
Daniel
btw i've requested a CVE. i was a bit unsure on the how given that dino technically had no releases yet; but let's see if it gets accepted
-
balu_der_baer
Daniel, Requested a CVE for which issue exactly?
-
pep.
It speaks!
-
Daniel
balu_der_baer, I put roster, carbons, and mam in one
-
Ge0rG
...in Dino
-
Daniel
probably not worth creating different ones
-
Ge0rG
It would make sense to ask for one for Converse, though.
-
Daniel
balu_der_baer, i can credit you on the carbon one
-
pep.
Right. JC also just fixed an issue in converse
-
Ge0rG
Or is it just the 2017 one revamped?
-
pep.
It looks like it
-
Ge0rG
pep.: but it was fixed back then
-
pep.
In these clients
-
Daniel
for converse?
-
Daniel
was converse hit back then?
-
Ge0rG
pep.: converse was one of the clients, yes
-
pep.
heh, ok
-
balu_der_baer
I think the converse is the relevant one, given it is actually released software and not some "I compiled code from the internetz and it has bugz"
-
pep.
Isn't that the case for all software
-
Daniel
balu_der_baer, yes probably. dino is in debian and some other distros tho
-
Kev
I think dino has been released hasn't it? It's in Debian and stuff.
-
Daniel
and in fairly wide use
-
Ge0rG
pep.: I've heard that there is software that you need to type from a book
-
pep.
Kev, nope
-
pep.
no release
-
Kev
pep.: https://packages.debian.org/search?keywords=dino-im - different project?
-
pep.
No
-
pep.
But no release
-
Kev
Then it's been released.
-
pep.
No
-
Daniel
and that, kids, is why you don't make packages for git
-
pep.
Kev, https://tracker.debian.org/pkg/dino-im
-
pep.
look at the version string
-
Zash
Hey kids wanna get into a semantics discussion? What is a release?
-
Kev
I'm not saying that upstream say it's stable.
-
Kev
I'm saying that it has been released. I.e. it is available to users.
-
pep.
"It's in Debian so it's released!"
-
pep.
Ok let's leave the semantic discussions for later
-
Kev
Pretty much the definition of released is that it's available, yes.
-
pep.
Upstream hasn't cut a release yet, is all I'm saying.
-
pep.
Distributions do whatever they want with it
-
Daniel
it is probably worthwhile to get a CVE for. and it has already been requested
-
Daniel
so we don’t need to argue about it :-)
-
Kev
I understand that upstream may not have yet tagged a stable release. Just that that's largely irrelevant to users if they can apt install it.
-
pep.
So is it fine if I package it myself for my own use? Can I also say the software has been released? :)
-
Kev
I also understand that if someone uploaded it to Debian before upstream said it was ready for use, that sucks for upstream.
-
pep.
Or as long as it's published
-
Ge0rG
Kev: that sucks for debian
-
Kev
That too.
-
Daniel
it sucks for everyone
-
pep.
Ge0rG, you mean for Debian's users
-
Kev
That three.
-
Daniel
upstream. debian. the users
-
Ge0rG
Software releases are hard. Let's go shopping!
- Ge0rG almost wrote "shipping"
-
Daniel
am i seeing this correctly that converse has different mam/carbon parsing code for muc vs 1:1
-
Daniel
wtf
-
Daniel
and it hit only muc because of that
-
balu_der_baer
I know that Dino developers tell people to not use the debians "release" build but always use the latest nightly instead. And my guess is that those patches are caused by them preparing for a first real release
-
balu_der_baer
Daniel assessing Dino to be vulnerable to the MAM issue predates the commit time of the fix to Dino master by 5 minutes. Either they were super fast, Daniel told them before writing here or they actually knew before 🤔
-
Ge0rG
A conspiracy within a conspiracy?
-
Daniel
balu_der_baer, we were in here talking about how it is most likely vuln
-
Daniel
but i was out for a midnight snack before i could be bothered to actually verify
-
pep.
They also have access to this muc :)
-
Daniel
and also if you have just before that fixed the roster and carbon issue the mam fix could easily be done in 5 min
-
Daniel
it's the exact same lines of code copy pasted
-
balu_der_baer
Is anyone filing a CVE for the stanza id bug in Prosody I discovered yesterday?
-
Daniel
is it prosody not filtering out?
-
Daniel
i didn’t catch you mentioning that
-
Daniel
so i'm guessing
-
balu_der_baer
yes
-
Daniel
obvious bugs are obvious
-
Daniel
just get one yourself i guess?
-
balu_der_baer
I didn't mention any of the bugs, I left this task to you guys.
-
Daniel
did it not filter in general? or just under certain conditions
-
Daniel
well how would the stanza-id thing manifest itself?
-
Daniel
aside from MAM catchup being fucked
-
balu_der_baer
I guess as long as nobody tries to use them for anything, it won't...
-
Daniel
also there is code to do it…
-
balu_der_baer
I leave it to you or any other dev to find out when and why it doesn't work, I am not into Lua
-
Daniel
well i'm not yet sure the bug exists
-
balu_der_baer
How would one find out?
-
pep.
balu_der_baer, hint? around what time?
-
pep.
I could go through the logs..
-
balu_der_baer
This one maybe?
-
Daniel
this room doesnāt claim to do the cleaning
-
Daniel
as a client you are supposed to parse the sid only if the server announces that
-
pep.
I'm somewhat happy poezio didn't display the second message, "Or this one"
-
pep.
<body xmlns="broken">Or this one</body>
-
balu_der_baer
Daniel, Technically correct.
-
pep.
<message xml:lang="en" type="groupchat" to="pep@bouah.net/poezio-C7iY" from="xsf@muc.xmpp.org/balu_der_baer" id="c090def67ff04d4dae5cfc260bf71522"><body>This one maybe?</body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-185b3f943380209c" /><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-a55228b004fa960d" /><origin-id xmlns="urn:xmpp:sid:0" id="c090def67ff04d4dae5cfc260bf71522" /></message> <message xml:lang="en" type="groupchat" to="pep@bouah.net/poezio-C7iY" from="xsf@muc.xmpp.org/balu_der_baer" id="e11708f4ba544d3e8ceee73bf579544d"><body xmlns="broken">Or this one</body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-185b3f943380209c" /><origin-id xmlns="urn:xmpp:sid:0" id="e11708f4ba544d3e8ceee73bf579544d" /></message>
-
pep.
For reference
-
Daniel
so if you find a client that uses this for catchup (or anything) then you have your bug
-
balu_der_baer
When a message is archived, the server MUST add an stanza-id element as defined in Unique and Stable Stanza IDs (XEP-0359) [2] to the message, which informs the recipient of where and under what ID the message is stored. When doing this the server MUST follow the business rules defined in XEP-0359.
-
pep.
hmm.
-
pep.
That first message was cut in poezio.
-
pep.
Because of the <stanza-id /> :/
-
pep.
<message xml:lang="en" type="groupchat" to="pep@bouah.net/poezio-C7iY" from="xsf@muc.xmpp.org/balu_der_baer" id="b23f6efec2cf4ac2ad23d7da18fb7367"><body>When a message is archived, the server MUST add an <stanza-id /> element as defined in Unique and Stable Stanza IDs (XEP-0359) [2] to the message, which informs the recipient of where and under what ID the message is stored. When doing this the server MUST follow the business rules defined in XEP-0359.</body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-e360996b290c9aae" /><origin-id xmlns="urn:xmpp:sid:0" id="b23f6efec2cf4ac2ad23d7da18fb7367" /></message>
-
balu_der_baer
I admit, it's funny to see how different clients screw up different things. None of them seems to be really solid about anything so far.
-
pep.
indeed
-
jonas’
le fuck wat
-
jonas’
balu_der_baer, which client is that?
-
pep.
version string says Movim 0.15
-
jonas’
nice
-
jonas’
report an issue against movim
-
Zash
There's the @by. This server needs some upgrades, but that part looks correct?
-
balu_der_baer
jonas, openssl s_client
-
pep.
heh
-
balu_der_baer
Was using Gajim before, but its XML console does too many sanity checks for doing such evil things
-
pep.
Maybe poezio's /rawxml doesn't :-°
-
jonas’
I’ll just leave now
-
Daniel
how is <body>foo <bar/> something</body> supposed to render?
-
Kev
It's not, because that's illegal.
-
Daniel
not render the entire message?
-
Kev
The server is allowed to bounce it, even. But if it gets through to a client, anything's fair game, I think.
-
flow
that's what I would do, and as server close the client session (of course configurable, so that if you really want to support broken clients)
-
balu_der_baer
The body element MUST NOT contain mixed content (as defined in Section 3.2.2 of [XML]).
-
flow
balu_der_baer, IIRC this is not even mixed content
-
Kev
flow: It's not?
-
flow
maybe it is
-
Kev
If it's not then my understanding of mixed content is off.
-
flow
I just thought that mixed content is text content + element
-
flow
and not text content + element + text content
-
balu_der_baer
An element type has mixed content when elements of that type may contain character data, optionally interspersed with child elements.
-
flow
luckily there is a reference where I can lookup this and refresh my memory
-
flow
or I let balu_der_baer do the work ;)
-
MattJ
afaik mixed just means multiple types are used (both element and text nodes), it doesn't mean a specific order or number of nodes
-
Kev
That's certainly how the XMPP specs have used the term, yes.
-
flow
yep, convinced, and we don't do that in xmpp
-
Daniel
i mean cutting your own c2s when your server sends you this is probably not ideal
-
flow
nobody suggested this
-
Daniel
no. i was just thinking out loud if i need to do something different in Conversations
-
Kev
Daniel: No, especially as servers are allowed to send you crap. But I don't think we're suggesting that.
-
balu_der_baer
Daniel, You need to fix the <body xmlns="broken"> thing
-
Daniel
balu_der_baer, already made a note
-
pep.
I also opened issues in poezio.
-
pep.
Though that's probably in slixmpp
-
flow
background? implementations do not consider the namespace of body elements?
-
larma
I have the feeling it's super productive if random people just push random stanzas in xsf@
-
pep.
let's do that more often
-
Ge0rG
> None of them seems to be really solid about anything so far.
Nobody has complained about yaxim so far. But don't even try to put different xml:langs into the game ;)
-
MattJ
An ancient one is simply putting in multiple <body> (same namespace and xml:lang)
-
MattJ
Some clients would render the first, some the last
-
Ge0rG
yeah, having multiple elements with the same name in any kind of hashmap is a well known security issue
-
balu_der_baer
Your client renders a first body when it shouldn't
-
MattJ
What should it render?
-
balu_der_baer
Nothing, it's an invalid message
-
mathieui
I think a few clients have a history of trying to fix received namespaces to work around very old bugs
-
pep.
Why do we try to keep compat with broken stuff? :(
-
pep.
Then we in turn we end up broken
-
flow
pep., some do, some avoid workarounds for broken implementations
-
Kev
You don't have a lot of choice dealing with broken stuff.
-
pep.
I wish we'd do that as a collective effort to push broken stuff away
-
Kev
At least not in an open ecosystem.
-
flow
I am in the latter camp FWIW
-
pep.
I also am
-
Kev
You might not try to 'fix up' the broken content, but you have to deal with it.
-
flow
Kev, I don't think this is true.
-
pep.
Kev, you do, you can just ignore them
-
Kev
pep.: Which is dealing with it.
-
pep.
Yes, while some others try to keep compat
-
MattJ
When we began Prosody, many of the other servers were "broken" in various ways... nobody would have used Prosody if we hadn't added workarounds for them
-
flow
Kev, sounded more like you meant that we don't have a choice besides adding workarounds into our code
-
Kev
flow: Yes, that's right.
-
MattJ
Not being able to s2s to 99% of the existing network was not an option :)
-
pep.
MattJ, now that you're a bit more notorious, here's your time :)
-
Kev
Like when ejabberd's PEP module sent tonnes of spurious messages, and if you wanted to avoid annoying your users you had to do something about them.
-
MattJ
Right, I'm just pointing out that you can't just make that your blanket stance towards issues like this
-
Kev
(ignore them, in fact, but it took code to ignore them)
-
Ge0rG
Is there consensus that a client MUST NOT render any bodies from a message that contains multiple bodies?
-
Ge0rG
(assuming equal xml:lang)
-
Kev
Ge0rG: You mean multiple bodies in the stream namespace, without distinguishing xml:lang, which might itself come from the stream?
-
flow
MattJ, true, it is always a per case decision, but too often that decision is "just add a workaround"
-
MattJ
In Prosody our policy is to avoid workarounds, and if that's not feasible then we add the workaround with a 'COMPAT' comment that explains when it was added and why (referencing bug reports, etc.)
-
Zash
pep.: Right when we're a bit behind on compliance features in core? Are you working for P1? ;)
-
Ge0rG
Kev: yes
-
Kev
In which case, no, I don't think there's anything in 612[01] that suggests a client would have to do that.
-
MattJ
and then we periodically review these and remove old ones that are no longer needed (as much?)
-
pep.
Zash, :P
-
Ge0rG
Kev: I'm pretty sure it's illegal, and the question arises which of the bodies will end up rendered
-
flow
Ge0rG, what would make it illegal?
-
Kev
flow: 612[01] rules do.
-
flow
Kev, multiple bodies with the same xml:lang?
-
Kev
Yes.
-
flow
ahh right, it's in rfc6121 5.2.3
-
Ge0rG
https://xmpp.org/rfcs/rfc6121.html#message-syntax-body
-
flow
couldn't find a rule in rfc6120 though
-
Kev
6120 just says to use the rules in 6121.
-
Ge0rG
but §5.2.3 doesn't contain a statement on how to handle violations
-
flow
most things do not contain a statement on how to handle violations
-
flow
but yes, not showing a body at all appears sensible, probably even if there is a unique body-xmllang for your xmllang
-
Ge0rG
This is the opposite of "make everything you can to show the message content"
-
MattJ
https://tools.ietf.org/html/draft-iab-protocol-maintenance-03
-
flow
MattJ, \o/
-
pep.
this
-
flow
yep, this
-
Ge0rG
I hate this document.
- MattJ rejects Ge0rG's message
-
Ge0rG
It only makes sense in a closed system.
-
Ge0rG
With a dozen of actively used XMPP implementations, and a tail distribution of less widely used ones, how am I supposed to know that blocking "invalid" messages won't break the interop with some of them?
-
MattJ
It probably will
-
MattJ
But if everyone agreed to be strict, that tail would soon be fixed (or rightly let die)
-
flow
The question is if the outcome is better than being liberal in what to accept
-
MattJ
And not everyone has to agree to be strict, just the dominant players
-
pep.
Just like when people went TLS
-
MattJ
Prosody fixed many client bugs by being more strict in what it accepted than any of the existing servers
-
pep.
Except dominant players didn't.. at the time
-
pep.
(gmail)
-
MattJ
and we don't even go very far
-
Ge0rG
MattJ: but I don't have any leverage on those implementations. And people will blame me for the bugs
-
MattJ
I feel your pain, many of us have experienced that
-
MattJ
and as I said, we have put in (clearly marked) workarounds for things like that
-
lovetox_
what is the problem about body with different namespace? so what, i don't check the namespace of body if i don't have to, this is certainly no security issue
-
pep.
Ge0rG, or on deployments..
-
MattJ
while simultaneously trying to get it fixed
-
pep.
lovetox_, I can include a message that only gajim users will see and not others
-
lovetox_
yeah and? it's a feature i would say
-
pep.
Is it?
-
flow
lovetox_, I am not sure if it can't be exploited somehow. The main problem is that implementations treat an element as body when it is not
-
MattJ
lovetox_, it's a potential human security issue - if people disagree on what to render for a message, the logs will be showing one thing, clients will be showing another
-
flow
But I can only come up with very constructed scenarios how this could cause a security issue
-
MattJ
despite it being a pretty poor messaging application that can't agree on how to render a text message :)
-
flow
Like a bot which accepts commands via <body/> and a screening service checking that the commands in <body/> are safe
-
MattJ
XSF board meeting logs could all be faked by board members, and someone will put <body>+1</body><body>-1</body> to make people think they voted one way on a contentious issue, but the chair would see them voting a different way
-
MattJ
Consistency is good, inconsistency is bad
-
flow
word
-
MattJ
Consistency in a distributed open network isn't always easy
-
MattJ
But if we at least specify the right way to do things, that's a great start
-
MattJ
Right now nobody can even claim any particular client is buggy, because there is no correct decision about what to render (which may include nothing)
-
MattJ
(or an error)
-
MattJ
I'll note that even excluding potentially-illegal <body> constructs, this issue will still exist for multiple <body> with different xml:lang (I can show different versions of the same message to different languages, they don't have to say the same thing)
-
MattJ
But at least in that case a client could indicate to the user that other versions of the message exist, and allow them to view them
-
Daniel
Mhh I now have uncommitted code that skips messages with body of the same language. Not really sure if I should commit that. I mean it's definitely illegal. And it probably won't happen on accident
-
Ge0rG
flow: do I need to pull a CVE number for Smack delivering the first of multiple equally xml-langed bodies?
-
Daniel
Ge0rG: is that a security issue?
-
Ge0rG
Daniel: what MattJ wrote. <body>+1</body><body>-1</body>
-
Ge0rG
https://logs.xmpp.org/xsf/2019-09-11#2019-09-11-869b4f1282d0a054
-
Ge0rG
Daniel: if there is only one implementation rendering the _last_ body from that list, it is a security issue
-
jonas’
Ge0rG, what else are you supposed to do?
-
Kev
That's a user confusion/unreliability issue. I'm not convinced it's a security issue.
-
jonas’
aioxmpp will take one, which one is officially undefined (but it will be the lastmost in the stanza)
-
Ge0rG
jonas’: tear down s2s!
-
Daniel
for ever!
-
jonas’
Ge0rG, seriously though. what should I do as a client library?
-
jonas’
send back an error?
-
jonas’
I see how this is a problem, I just don’t know the correct course of action
-
Ge0rG
jonas’: me neither
-
Daniel
that will get you kicked from the muc lol
-
flow
and presence leak
-
flow
(potential)
-
MattJ
Kev, I'm surprised that in the environments you're involved in, you don't see user confusion as a security (or safety) issue
-
Daniel
jonas’, i just opted for ignoring it
-
Daniel
will happen infrequently enough to not be a real issue
-
MattJ
Especially if you add enforcement or auditing tools to the mix, which might disagree about which <body> to use/allow
-
Ge0rG
MattJ: maybe because it's scoped to the sending user.
-
jonas’
flow, uh--- that’s an interesting one, I think you can make aioxmpp auto-reply to a message if you violate the schema hard enough
-
Ge0rG
If somebody wants to play mind tricks with you, the impact is limited to what you'd believe them
-
flow
jonas’, take the stanzas out of the stream, send an error back if the sending entity is subscribed to your presence and log an error
-
pep.
Why has it been specified that a MUC should kick us on message @type=error btw?
-
Ge0rG
pep.: yes.
-
jonas’
Daniel, so you drop the entire stanza if there is more than one <body/> with same-language?
-
Daniel
because if your session dies?
-
Daniel
jonas’, yes
-
jonas’
flow, yeah, no, the part which sends errors back wouldn’t know about that type of stuff
-
pep.
Ge0rG, am I onto something?
-
flow
jonas’, I never said it is easy ;)
-
Daniel
jonas’, i mean no; i return the body as null. it might run through other paths
-
jonas’
Daniel, right
-
Ge0rG
pep.: I was going to elaborate, but Daniel came first
-
jonas’
for all languages or only for the buggy one, Daniel?
-
pep.
if my session dies?
-
Daniel
good question. no, for all messages
-
flow
jonas’, remember when we talked about providing a callback to the user which informs him what exactly went where wrong in the incoming processing chain?
-
Ge0rG
pep.: yes, the MUC needs to kick you out if your client silently disconnected
-
jonas’
flow, exists, but that is not an error condition yet
-
pep.
But what if my client doesn't silently disconnect and I'm just trying to point out errors to others
-
jonas’
and I’m not sure what type of error condition it should be
-
Ge0rG
pep.: send a PM
-
pep.
@type=error?
-
Ge0rG
pep.: yes, those won't get you kicked IIRC
-
pep.
I see
-
Ge0rG
I have no idea how clients will behave ;)
-
jonas’
Ge0rG, so auto-reply from the library wouldn’t get me kicked either since that would go to the full JID
-
pep.
I guess this + ignoring a message should be good
-
Ge0rG
pep.: presence leak
-
pep.
rrr
-
pep.
Can you stop finding issues
-
Ge0rG
So can we now decide whether it's a security issue or not?
-
Ge0rG
pep.: no
-
Ge0rG
life would be boring otherwise. Also, blame balu_der_baer
-
pep.
But that's probably going in the logs anyway and not actually visible by the user.
-
Daniel
I'll "fix it" in that i will ignore it in the future but i wont rush out another release
-
pep.
I would like if a client would tell me "There is an error" (and aggregate them) "please report that to the dev"
-
Ge0rG
Daniel: can you rush out releases again? Or is Play store still imposing multi-day delays?
-
Daniel
yes i could
-
Daniel
was meaning to tweet that
-
Daniel
i fixed the PS issue
-
Daniel
but i was doing so much tweeting lately
-
Ge0rG
My other app is broken on Android 10 because Google finally removed the deprecated Apache HttpClient library which is used by... the Google Maps v1 library.
-
Ge0rG
Daniel: as much as @xmpp?
-
Daniel
not as annoying as @xmpp
-
Daniel
my tweets are super high quality
-
Ge0rG
I've been struggling to convey this message to the person responsible, for some days now.
-
jonas’
doesn’t someone else have access to that account and can single-handedly change the password?
-
pep.
I think we'd rather fix this socially
-
Ge0rG
jonas’: nobody knows who that "someone else" is
-
Daniel
access yes. can’t change the pw though
-
pep.
Not technically
-
Ge0rG
pep.: full agreement here.
-
Kev
Which account what where?
-
Daniel
i mean sometimes i do tweet on @xmpp. but when i do it's only the best tweets
-
Ge0rG
Maybe I should just stop trying though, I'm probably the least empathetic person to attempt it
-
Ge0rG
Kev: twitter.com/xmpp
-
pep.
Daniel, of course
-
jonas’
Ge0rG, Daniel, actually I think we just need to agree on *which* of the multiple bodies to show and it’s a non-issue, right?
-
Ge0rG
jonas’: right
-
Kev
Is that the XSF's one? I thought I had credentials for the XSF Twitter (although 1password is failing me)
-
Daniel
well rfc says it's illegal. so just dropping it is easier?
-
Ge0rG
Kev: yes
-
Kev
I wonder why I don't currently have it.
-
Ge0rG
Daniel: I'm sure some clients/bots will end up sending a default body and one in an explicit language, and the explicit language accidentally being the default one
-
flow
jonas’, coming up with a selection algorithm could be hard
-
Daniel
so we know it's not Kev who's doing the annoying tweets…
-
jonas’
flow, "first"
-
flow
jonas’, first in XML?
-
Ge0rG
LinkedHashMap to the rescue!
-
jonas’
flow, yes
-
flow
jonas’, what if "first" is different per recipient
-
jonas’
flow, how is that supposed to happen?
-
flow
nothing guarantees that the order of the elements is stable when a stanza passes a hop
-
jonas’
flow, the order of elements with the same namespace-uri/local-name pair?
-
jonas’
I think we’d be in trouble already if that was violated.
-
flow
especially the order of those elements yes
-
Kev
Hmm. Looks like my tweetdeck doesn't have it either. I'm finding this very confusing.
-
pep.
> Ge0rG> Daniel: I'm sure some clients/bots will end up sending a default body and one in an explicit language, and the explicit language accidentally being the default one
Let's agree to fix these bots?
-
flow
jonas’, like where?
-
jonas’
flow, [thinking ...]
-
jonas’
flow, forms?
-
Ge0rG
Kev: escalate to the A-team?
-
jonas’
it’s not strictly required there, but would be a major UX pain if the elements were reordered there
-
flow
are child elements of <x/>
-
flow
I am talking just about first level child elements of stanzas
-
jonas’
flow, oh, you’re only talking direct children of the stanza?
-
jonas’
huh
-
jonas’
why would that follow different rules?
-
flow
well mostly, for forms the order is actually important
-
flow
for first level stanza children it is usually not
-
Kev
Right. I have control of @xmpp.
-
Kev
Awaiting further orders :)
-
jonas’
change the password until someone has found the person spamming newsletter ads on it ;)
-
flow
I believe it to be at least unspecified that it has to be stable when processing a stanza, and while most implementations may keep the order, we should not depend on unspecified behavior
-
Kev
Changing the password won't help, people are granted access via tweetdeck.
-
Kev
I mean, unless it's genuinely compromised.
-
pep.
Kev, you can probably access analytics though? I think that came up yesterday in commteam@
-
jonas’
looks more like "well meant but went too far"
-
Ge0rG
jonas’: I know who that person is
-
pep.
And they're not hiding it either
-
Kev
If someone from Board tells me to, I'll strip access down in tweetdeck.
-
Daniel
i think it has stopped anyway
-
pep.
Daniel, no it hasn't, it won't, read commteam@ :)
-
Ge0rG
Kev: yeah, can you check analytics for the number of new followers vs. gone followers since September 3rd?
-
Kev
No clue, can I?
-
Ge0rG
regarding the twitter activity, there was some wiki activity: https://wiki.xmpp.org/web/index.php?title=Special:RecentChanges&days=1&from=
-
Ge0rG
Kev: it was said to be on https://analytics.twitter.com
-
jonas’
https://wiki.xmpp.org/web/CommTeam/Newsletter_Twitter_campaign
-
Daniel
i'm confused
-
Kev
I do not believe I can get past stats on follower counts.
-
Ge0rG
Bummer.
-
Kev
28 day summary sees tweet count up, impressions up, mentions up, profile visits down 17%, followers I think stable, unless I'm misreading, or unless it's not giving the info.
-
Ge0rG
Kev: thanks
-
Ge0rG
In that case, it looks like the spam strategy is working out
-
Daniel
assuming these are good metrics…
-
Kev
I can only report what's in front of me.
-
ralphm
For clarity, as discussed in commteam@, those newsletter tweets were sent by nyco. Some of the conversation might have been a bit harsh on him, as he is just trying to help.
-
Ge0rG
I'm very sorry that I hit the wrong notes in trying to talk to him :(
-
ralphm
To be honest, I was the one raising the issue in that room, and here before that, but I think we can take a lesson in seeing things from other perspectives, as well as trying out things.
-
ralphm
In the meanwhile, should you have interesting stuff that could be (re-)tweeted from @xmpp, do let them know.
-
Kev
I don't think I've (deliberately, at least) passed any judgement other than offering to do what I'm told.
-
ralphm
Scheduled tweets interspersed with other stuff would already be a lot better.
-
ralphm
Kev: not calling anyone out specifically. And not even just on this topic.
-
Kev
Ah, my stats were September.
-
Daniel
yes. we actually have a lot of things going on in the community to increase # of tweets w/o repeating ourselves
-
ralphm
I assume everyone tries their best.
-
Kev
So for August we lost followers, and for July we gained (more) followers.
-
Kev
In fact, as far back as we've got stats, August is the only time we've lost followers rather than gaining.
-
Daniel
also 'we' probably react more sensitively to obvious advertisement than a regular person would
-
Ge0rG
Daniel: or without uttering things that look like cheap SEO
-
Ge0rG
Or that.
-
Kev
I'm back in 2017, and we've gained double-digits of followers each month, other than losing them in August.
-
Kev
I'm going to stop looking at stats now.
-
jonas’
how about re-tweeting https://twitter.com/iNPUTmice/status/1171678611897835520 ?
-
Ge0rG
jonas’: it lacks hashtags
-
Daniel
:-)
-
Daniel
i literally loled
-
Ge0rG
speaking of high-quality content
-
jonas’
#thatshouldhaveacve?
-
Daniel
jonas’, fwiw i usually RT my own tweets with xmpp if i consider them neutral and quality enough
-
Ge0rG
cheap self-promotion!
-
Ge0rG
:D
-
Daniel
"good morning you should update dino" did not make my own quality standards
-
jonas’
I like it actually
-
ralphm
Had Daniel mentioned that you should because of security issues, I would have retweeted it right away.
-
jonas’
that’s not to diminish dino, but it’s the kind of near-sarcastic security black humor I’m into ✎
-
Daniel
in my defense I did write that before i had coffee
-
jonas’
that’s not to diminish dino, but it’s the kind of near-sarcastic security black humor I’m into w.r.t. announcements ✏
-
ralphm
Noted. Daniel: don't 🐦 before ☕
-
pep.
Well on that note, you should also update converse. Maybe we can have a tweet with all of them.
-
pep.
And then retweet! When we get CVEs assigned
-
pep.
All PR is good PR right
-
jonas’
FTR, Docker Hub is an awful thing
-
jonas’
> Created 44 minutes ago
> Queue time 1 minute
> Duration 0 min
-
jonas’
> Logs are not available yet
-
jonas’
what kind of infrastructure is this?
-
Kev
A free one?
-
mathieui
A terrible one
-
pep.
Ge0rG, re MUC & errors / presence leak, a client could theoretically (not saying I'm going to do it) buffer these error messages going out, and only send them when the user sends chatstates or messages in the MUC.
-
pep.
What about chat markers btw, are they also used in MUC? receipts are, this I know. Isn't that a good enough presence leak already?
-
ralphm
Why would you send errors after a while? A server is likely not going to have anything it wants to do at that point?
-
pep.
Sending an error to the participant jid, in the hope that that gets logged by the clients and there's some kind of hint displayed to the user to actually contact devs. (Yes I'm pretty hopeful)
-
pep.
By that time the user could be gone for sure
-
pep.
Surelike they could be gone when I connect and fetch messages ✎
-
pep.
Just like they could be gone when I connect and fetch messages ✏
-
ralphm
Correlation is not fun with random long delays, maybe.
-
pep.
hmm
-
pep.
True
-
pep.
But then people shout "presence leak"
-
Daniel
what is a presence leak?
-
Daniel
i previously thought of it as a resource leak
-
pep.
Daniel, you connect, your client fetches archive from MUC, finds an error and attempts to send that to the participant jid responsible for it. You're then effectively telling them you just came online
-
pep.
(or that you're somehow available)
-
Daniel
in a group chat?
-
ralphm
Is presence leak really a thing for MUC (as opposed to MIX)?
-
Daniel
didn’t you just do the same by joining?
-
ralphm
This
-
pep.
I wasn't the one to shout "presence leak"!
-
pep.
:)
-
pep.
But yeah, I actually agree. let me dismiss that issue then
-
pep.
Maybe combined with MSN? One of your clients didn't notice, the other connects and you send these errors. But then oh well
-
ralphm
Now, in theory, for MIX this is a bit different. There, sending presence can be optional.
-
ralphm
But then you might have markers or somesuch.
-
pep.
It's fine I'm not concerned about MIX for now, poezio doesn't have an implementation :)
-
ralphm
This is the XSF channel though, and not jdev 🤣
-
pep.
heh
-
pep.
So you can do MIX PR just fine? :P
-
jonas’
Kev, (moving this from council@), but what stops me from sending you a random type=error (think spam)?
-
jonas’
if you make swift show a popup and interrupt the user, that’s bad design IMO
-
flow
> Daniel> i previously thought of it as a resource leak
It is the same, but "presence leak" is the term rfc6120 uses
-
ralphm
I guess that also dismisses most of the recent discussions on Unicode and security issues in implementations.
-
Daniel
yes. but by that definition sending chat markers does not leak your resource
-
Daniel
chat markers leak that you are present
-
Daniel
but that's not what the term means
-
Daniel
(at least that's what i've thought)
-
Kev
jonas’: I never said anything about popups (Swift policy is to never trigger popups from protocol).
-
Kev
But if you start receiving errors from someone, it'll tell you in the chat log with that person.
-
jonas’
Kev, that, I think, is fine
-
jonas’
even with CC-all-the-errors
-
jonas’
it shows that something you did on your phone went wrong and that you might want to pay attention (essentially)
-
Kev
But not if it's bare-JID errors.
-
flow
> Daniel> chat markers leak that you are present
Depends on the situation i'd say. Clients should usually not send stanzas to other clients that are otherwise unable to determine if you are online; that's what I'd call a "presence leak".
-
lovetox
i don't understand the benefit of the token XEP
-
lovetox
it says something about that the password can be stolen
-
jonas’
lovetox, maybe on-list?
-
lovetox
but a token is the same, if it's stolen, i can change the account password
-
jonas’
I haven’t read it yet and I have to go AFK now
-
lovetox
at least it's nice that the xep gives the user some knowledge about what devices have access to the account
-
Daniel
You could simply not allow that
-
lovetox
you mean the server?
-
lovetox
so how would someone then change his password
-
Daniel
Login properly
-
Ge0rG
tokens are opaque and properly randomized; also they are not often stored on a sticky note ;)
-
Ge0rG
there is also very much value in one-time tokens to on-board a new device to your account
-
Ge0rG
without having a password in a URL or QR code
-
lovetox
but this is not about one-time tokens, so why are you mentioning it?
-
lovetox
because its also a "token"?
-
lovetox
it's basically a password replacement that has absolutely the same properties, full access to the account
-
lovetox
so as i said, i think it adds value because you know what devices are in use, but it does not really provide any additional security
-
Zash
Hm? Per-device passwords?
-
Daniel
Per device passwords
-
lovetox
and it was always weird for me that the register xep does not have an option where the server can demand your current password
-
Zash
You somehow logged into the account
-
lovetox
yeah ..
-
Daniel
I mean per device passwords is not necessarily a bad thing. I don't know if the xep is a good implementation of that
-
Daniel
I haven't read it yet
-
Daniel
But I wouldn't dismiss per device passwords on principle
-
Zash
I wonder if you can hijack the authzid for something like that
-
lovetox
i didnt dismiss it Daniel if you got that from what i said
-
lovetox
the XEP talks a bit about security
-
lovetox
so thats what i questioned
-
lovetox
it's definitely nice to know what devices are connected and being able to remotely log them off and revoke them
-
Daniel
> it's definitely nice to know what devices are connected and being able to remotely log them off and revoke them
Yes
-
Ge0rG
I wouldn't be opposed to tokens that have limited permissions behind, like not being allowed to change the password or to issue further tokens; also a limit to one connection per token
-
Daniel
All that
-
Link Mauve
lovetox, in SASL EXTERNAL with client certs (XEP-0257 IIRC), it is said that if the user tries to change their password, they should get an error and then be asked for the previous password first.
-
Ge0rG
Yes, with a data form
-
Link Mauve
In the non-error part of an error iq. ;_;
-
Daniel
> Yes, with a data form
Data forms are definitely in the top five of my favorite forms
-
larma
I think auth tokens could be reusing RFC7628 and in general be more OAuth compatible
-
larma
Oh, and XEP-0235
-
pep.
oh, TIL
-
Daniel
oh they gave me three CVEs
-
Kev
Maybe it's a special offer on Wednesdays.
-
flow
can't get enough of those wonderful CVEs
-
Zash
Gotta catch them all!
-
Ge0rG
They need to motivate the six digit numbers!
-
pep.
Do you win something if you get there first?