XSF Discussion - 2019-09-11


  1. mukt2 has left

  2. zach has left

  3. zach has joined

  4. stpeter has joined

  5. Dele (Mobile) has left

  6. stpeter has left

  7. mukt2 has joined

  8. pdurbin has joined

  9. debacle has left

  10. mukt2 has left

  11. pdurbin has left

  12. karoshi has left

  13. remko has joined

  14. mukt2 has joined

  15. sonny has left

  16. aj has joined

  17. zach has left

  18. zach has joined

  19. stpeter has joined

  20. peter has joined

  21. mukt2 has left

  22. kokonoe has left

  23. kokonoe has joined

  24. neshtaxmpp has joined

  25. mukt2 has joined

  26. remko has left

  27. UsL has left

  28. sonny has joined

  29. UsL has joined

  30. zach has left

  31. zach has joined

  32. mukt2 has left

  33. Steve Kille has left

  34. Steve Kille has joined

  35. zach has left

  36. zach has joined

  37. sonny has left

  38. neshtaxmpp has left

  39. neshtaxmpp has joined

  40. lskdjf has left

  41. kokonoe has left

  42. kokonoe has joined

  43. mukt2 has joined

  44. mukt2 has left

  45. mukt2 has joined

  46. peter has left

  47. pdurbin has joined

  48. mukt2 has left

  49. mukt2 has joined

  50. UsL has left

  51. kokonoe has left

  52. ths has left

  53. kokonoe has joined

  54. remko has joined

  55. stpeter has left

  56. ths has joined

  57. UsL has joined

  58. kokonoe has left

  59. kokonoe has joined

  60. zach has left

  61. zach has joined

  62. pdurbin has left

  63. kokonoe has left

  64. kokonoe has joined

  65. kokonoe has left

  66. mukt2 has left

  67. mukt2 has joined

  68. sonny has joined

  69. zach has left

  70. zach has joined

  71. mukt2 has left

  72. andy has joined

  73. remko has left

  74. mukt2 has joined

  75. matkor has left

  76. matkor has joined

  77. Yagiza has joined

  78. zach has left

  79. zach has joined

  80. sonny has left

  81. Tobias has joined

  82. Daniel has left

  83. Daniel has joined

  84. pdurbin has joined

  85. Nekit has joined

  86. j.r has joined

  87. andy has left

  88. andy has joined

  89. j.r has left

  90. zach has left

  91. zach has joined

  92. adiaholic has joined

  93. j.r has joined

  94. mukt2 has left

  95. pdurbin has left

  96. LNJ has joined

  97. kokonoe has joined

  98. mukt2 has joined

  99. zach has left

  100. zach has joined

  101. remko has joined

  102. mukt2 has left

  103. mukt2 has joined

  104. remko has left

  105. sonny has joined

  106. goffi has joined

  107. neshtaxmpp has left

  108. j.r has left

  109. j.r has joined

  110. zach has left

  111. zach has joined

  112. goffi has left

  113. goffi has joined

  114. pdurbin has joined

  115. mukt2 has left

  116. mukt2 has joined

  117. Alex has left

  118. Alex has joined

  119. winfried has left

  120. winfried has joined

  121. Maranda has left

  122. Maranda has joined

  123. winfried has left

  124. winfried has joined

  125. kokonoe has left

  126. kokonoe has joined

  127. ths has left

  128. ths has joined

  129. zach has left

  130. zach has joined

  131. UsL has left

  132. jabberjocke has joined

  133. rion has left

  134. zach has left

  135. zach has joined

  136. karoshi has joined

  137. lovetox_ has joined

  138. mukt2 has left

  139. arc has joined

  140. lovetox_ has left

  141. winfried has left

  142. winfried has joined

  143. mukt2 has joined

  144. lovetox_ has joined

  145. Nekit has left

  146. Nekit has joined

  147. kokonoe has left

  148. kokonoe has joined

  149. ralphm

    Daniel: your tweet to upgrade Dino is a bit, let's say, sparse on detail :-D

  150. zach has left

  151. zach has joined

  152. Daniel

    which is probably a good thing?

  153. ralphm

    I don't know?

  154. ralphm

    Does it have shiny new features, or was there a horrible security issue?

  155. Daniel

    it had all the CVEs. roster injection. carbon injection. mam injection. https://github.com/dino/dino/commits/master

  156. lovetox_

    Does it get a Combo Bonus 😃

  157. jonas’

    :D

  158. ralphm

    Nice.

  159. Daniel

    i mean they fixed it pretty quick.

  160. ralphm

    Daniel: but you didn't want to rub it in?

  161. Daniel

    now someone should probably notify the debian maintainers

  162. Mikaela has joined

  163. Daniel

    ralphm, it's extremely easy to exploit. and someone has exploited the roster one in this muc yesterday

  164. Daniel

    so i don’t want to give details

  165. ralphm

    Well, if someone is updating the CVEs, isn't that automatic?

  166. ralphm

    Also, is there a changelog somewhere?

  167. Daniel

    dino hasn't had a release yet

  168. Daniel

    so no there is no changelog

  169. Daniel

    aside from git

  170. jonas’

    they should definitely allocate CVEs

  171. wurstsalat has joined

  172. j.r has left

  173. winfried has left

  174. Ge0rG

    they, or the researcher who found it?

  175. winfried has joined

  176. j.r has joined

  177. Douglas Terabyte has left

  178. Douglas Terabyte has joined

  179. mimi89999 has left

  180. jonas’

    "someone", actually

  181. zach has left

  182. zach has joined

  183. jonas’

    I don’t think you need to be affiliated with a project to allocate CVEs

  184. Steve Kille has left

  185. marc_ has joined

  186. mimi89999 has joined

  187. Ge0rG

    yeah, when I find something, I typically allocate the CVEs myself

  188. Daniel

    i'll probably write something down for the three bugs together

  189. Daniel

    i mean it's the same general mistake

  190. Ge0rG

    Nobody reads the Security Considerations

  191. Daniel

    yes

  192. Ge0rG

    is there a bold-red-blinking markup we can use at the top of https://xmpp.org/extensions/xep-0280.html#inbound ?

  193. Dele (Mobile) has joined

  194. Daniel

    maybe. if people only read the examples, we should have bad examples

  195. jonas’

    Ge0rG, having a thing in xep.dtd / xep.xsl which allows to mark up Important boxes would be neat

  196. j.r has left

  197. Daniel

    i mean explicitly examples showing you what kind of messages to reject

  198. jonas’

    stuff like sphinx generates with .. warning::

  199. jonas’

    Ge0rG, can you file a thing against xeps/XEP-0001?

  200. jonas’

    that won’t help with RFC 6121, but it’s something

  201. Steve Kille has joined

  202. Ge0rG

    jonas’: an issue thing or a PR thing?

  203. Ge0rG

    Daniel: that's actually an excellent idea

  204. Ge0rG

    jonas’: https://github.com/xsf/xeps/issues/821

  205. zach has left

  206. zach has joined

  207. aj has left

  208. mimi89999 has left

  209. ths has left

  210. ths has joined

  211. j.r has joined

  212. Ge0rG

    Daniel: how about https://op-co.de/tmp/xep-0280.html#example-11

  213. mimi89999 has joined

  214. jcbrand has joined

  215. j.r has left

  216. Daniel

    The paragraph above that is also new?

  217. Daniel

    Looks fine

  218. alameyo has left

  219. alameyo has joined

  220. Daniel

    Yeah that's probably a good improvement

  221. Ge0rG

    Daniel: yeah

  222. Ge0rG

    Daniel: but you can't link to paragraphs

  223. Ge0rG

    and I didn't want to link to example 10

  224. Daniel

    Makes you question why that wasn't in there before

  225. remko has joined

  226. Ge0rG

    Daniel: because XEP authors aren't security consultants

  227. Daniel

    Maybe we want to go so far and in the security section say in <strong> *This has been exploited several times*

  228. Daniel

    And link to the CVE

  229. Daniel

    Probably a separate PR

  230. Ge0rG

    it would mark my third PR for 0280 today.

  231. Daniel

    I mean it is absolutely ridiculous that this has struck so many times in three different iterations

  232. Ge0rG

    I suppose it is enough to have a negative example for "received", without one for "sent".

  233. Daniel

    Yes

  234. Daniel

    Hopefully...

  235. Ge0rG

    Daniel: do you have the link to the initial incarnation?

  236. Daniel

    This predates my involvement in xmpp

  237. Daniel

    So no

  238. adiaholic has left

  239. adiaholic has joined

  240. nyco has joined

  241. nyco has left

  242. mukt2 has left

  243. Neustradamus has left

  244. jabberjocke has left

  245. jabberjocke has joined

  246. mukt2 has joined

  247. Neustradamus has joined

  248. nyco has joined

  249. nyco has left

  250. Neustradamus has left

  251. Neustradamus has joined

  252. larma has left

  253. Link Mauve has left

  254. mr.fister has joined

  255. larma has joined

  256. sonny has left

  257. sonny has joined

  258. mr.fister has left

  259. zach has left

  260. zach has joined

  261. mr.fister has joined

  262. Licaon_Kter [cnvrs] has joined

  263. Reventlov has joined

  264. jonas’

    Ge0rG, a PR thing would be even better than an issue thing

  265. intosi has left

  266. Mikaela has left

  267. Douglas Terabyte has left

  268. Mikaela has joined

  269. Douglas Terabyte has joined

  270. Ge0rG

    jonas’: yeah, but my work.

  271. Licaon_Kter [cnvrs]

    MattJ Any reason this room does not _warn the user that the discussions are logged_ ?

  272. Alex has left

  273. debacle has joined

  274. Alex has joined

  275. Alex has left

  276. mukt2 has left

  277. Alex has joined

  278. mr.fister has left

  279. jonas’ has left

  280. jonas’ has joined

  281. zach has left

  282. zach has joined

  283. Maranda has left

  284. Maranda has joined

  285. mukt2 has joined

  286. pdurbin has left

  287. nyco has joined

  288. mukt2 has left

  289. nyco has left

  290. kokonoe has left

  291. kokonoe has joined

  292. nyco has joined

  293. nyco has left

  294. aj has joined

  295. ths has left

  296. ths has joined

  297. mukt2 has joined

  298. ralphm

    As for RFCs, I suppose it could be in errata, but then again, who reads those.

  299. Mikaela has left

  300. Ge0rG

    nobody :(

  301. Mikaela has joined

  302. j.r has joined

  303. zach has left

  304. zach has joined

  305. Daniel

    up until recently i didn’t even know they existed

  306. mukt2 has left

  307. Zash

    Licaon_Kter [cnvrs] looks like it only sends the signal when archiving is enabled or disabled.

  308. Zash

    And also the semantic difference between archiving and logging.

  309. pep.

    Maybe you should have two messages? :P

  310. Zash

    Link is in the subject and I /think/ also in some room metadata.

  311. pep.

    Some clients don't really show subjects in a prominent place anymore :(

  312. j.r has left

  313. kokonoe has left

  314. j.r has joined

  315. Licaon_Kter [cnvrs]

    Zash Subject/Title aside, Converse.js shows them, but will also show _"groupchat logging is now enabled"_ as per https://xmpp.org/extensions/xep-0045.html#enter-logging so, is Prosody not honouring that? Umm https://hg.prosody.im/trunk/file/tip/plugins/mod_muc_mam.lua#l99 maybe

  316. pep.

    he just answered you

  317. Licaon_Kter [cnvrs]

    I, obviously, did not understand a thing 🙂

  318. pep.

    "when [it] is enabled or disabled."

  319. Zash

    It is missing a thing for when you join

  320. Licaon_Kter [cnvrs]

    Ok, right...

  321. Zash

    Report issue. Patches especially appreciated 🙂

  322. Licaon_Kter [cnvrs]

    True

  323. Zash

    But the public logs are provided by a separate module. Should that one add the tag?

  324. Zash

    IIRC both of them should only let you get logs/archives if you could join the room and get them yourself

  325. aj has left

  326. Douglas Terabyte has left

  327. Douglas Terabyte has joined

  328. lovetox_

    If the user is entering a room in which the discussions are logged to a public archive (often accessible via HTTP), the service SHOULD allow the user to enter the room but MUST also warn the user that the discussions are logged.

  329. kokonoe has joined

  330. lovetox_

    So Zash this explicitly mentions http based logs

  331. lovetox_

    i would argue it does not matter how the server logs, what counts is that it is publicly available, and the user should be warned about it

  332. Licaon_Kter [cnvrs]

    FYI, I only noticed this because ejabberd is announcing it every time Converse.js mysteriously dis/reconnects https://github.com/conversejs/converse.js/issues/1697

  333. marc_ has left

  334. marc_ has joined

  335. madhur.garg has joined

  336. madhur.garg has left

  337. madhur.garg has joined

  338. madhur.garg has left

  339. madhur.garg has joined

  340. Licaon_Kter [cnvrs] has left

  341. zach has left

  342. zach has joined

  343. pdurbin has joined

  344. rion has joined

  345. Licaon_Kter [cnvrs] has joined

  346. jubalh has joined

  347. pdurbin has left

  348. remko has left

  349. Reventlov has left

  350. Reventlov has joined

  351. Reventlov has left

  352. Reventlov has joined

  353. kokonoe has left

  354. lovetox_ has left

  355. lumi has joined

  356. lovetox_ has joined

  357. lskdjf has joined

  358. zach has left

  359. zach has joined

  360. Reventlov has left

  361. Reventlov has joined

  362. Reventlov has left

  363. Reventlov has joined

  364. Reventlov has left

  365. ths has left

  366. Reventlov has joined

  367. Reventlov has left

  368. Reventlov has joined

  369. madhur.garg has left

  370. rion has left

  371. rion has joined

  372. Maranda has left

  373. Maranda has joined

  374. remko has joined

  375. j.r has left

  376. j.r has joined

  377. jabberjocke has left

  378. jabberjocke has joined

  379. lumi has left

  380. Ge0rG

    lovetox_: so it's also true for MAM

  381. zach has left

  382. zach has joined

  383. mukt2 has joined

  384. UsL has joined

  385. Daniel

    btw i've requested a CVE. i was a bit unsure on the how given that dino technically had no releases yet; but let's see if it gets accepted

  386. Maranda has left

  387. Maranda has joined

  388. balu_der_baer

    Daniel, Requested a CVE for which issue exactly?

  389. pep.

    It speaks!

  390. Daniel

    balu_der_baer, I put roster, carbons, and mam in one

  391. Ge0rG

    ...in Dino

  392. Daniel

    probably not worth creating different ones

  393. Ge0rG

    It would make sense to ask for one for Converse, though.

  394. Daniel

    balu_der_baer, i can credit you on the carbon one

  395. pep.

    Right. JC also just fixed an issue in converse

  396. Ge0rG

    Or is it just the 2017 one revamped?

  397. pep.

    It looks like it

  398. Ge0rG

    pep.: but it was fixed back then

  399. pep.

    In these clients

  400. Daniel

    for converse?

  401. Daniel

    was converse hit back then?

  402. Ge0rG

    pep.: converse was one of the clients, yes

  403. pep.

    heh, ok

  404. balu_der_baer

    I think the converse is the relevant one, given it is actually released software and not some "I compiled code from the internetz and it has bugz"

  405. pep.

    Isn't that the case for all software

  406. Daniel

    balu_der_baer, yes probably. dino is in debian and some other distros tho

  407. Kev

    I think dino has been released hasn't it? It's in Debian and stuff.

  408. Daniel

    and in fairly wide use

  409. Ge0rG

    pep.: I've heard that there is software that you need to type from a book

  410. pep.

    Kev, nope

  411. pep.

    no release

  412. Kev

    pep.: https://packages.debian.org/search?keywords=dino-im - different project?

  413. pep.

    No

  414. pep.

    But no release

  415. Kev

    Then it's been released.

  416. pep.

    No

  417. Daniel

    and that kids is why you dont make packages for git

  418. pep.

    Kev, https://tracker.debian.org/pkg/dino-im

  419. pep.

    look at the version string

  420. Zash

    Hey kids wanna get into a semantics discussion? What is a release?

  421. Kev

    I'm not saying that upstream say it's stable.

  422. Kev

    I'm saying that it has been released. I.e. it is available to users.

  423. pep.

    "It's in Debian so it's released!"

  424. pep.

    Ok let's leave the semantic discussions for later

  425. Kev

    Pretty much the definition of released is that it's available, yes.

  426. zach has left

  427. zach has joined

  428. pep.

    Upstream hasn't cut a release yet, is all I'm saying.

  429. pep.

    Distributions do whatever they want with it

  430. Daniel

    it is probably worthwhile to get a CVE for. and it has already been requested

  431. Daniel

    so we don’t need to argue about it :-)

  432. Kev

    I understand that upstream may not have yet tagged a stable release. Just that that's largely irrelevant to users if they can apt install it.

  433. pep.

    So is it fine if I package it myself for my own use? Can I also say the software has been released? :)

  434. Kev

    I also understand that if someone uploaded it to Debian before upstream said it was ready for use, that sucks for upstream.

  435. pep.

    Or as long as it's published

  436. Ge0rG

    Kev: that sucks for debian

  437. Kev

    That too.

  438. Daniel

    it sucks for everyone

  439. pep.

    Ge0rG, you mean for Debian's users

  440. Kev

    That three.

  441. Daniel

    upstream. debian. the users

  442. Ge0rG

    Software releases are hard. Let's go shopping!

  443. Ge0rG almost wrote "shipping"

  444. Nameless RTL person has left

  445. stpeter has joined

  446. jubalh has left

  447. jubalh has joined

  448. Daniel

    am i seeing this correctly that converse has different mam/carbon parsing code for muc vs 1:1

  449. Daniel

    wtf

  450. Daniel

    and it hit only muc because of that

  451. balu_der_baer

    I know that Dino developers tell people to not use the Debian "release" build but always use the latest nightly instead. And my guess is that those patches are caused by them preparing for a first real release

  452. mukt2 has left

  453. stpeter has left

  454. zach has left

  455. mr.fister has joined

  456. zach has joined

  457. Reventlov has left

  458. Reventlov has joined

  459. mukt2 has joined

  460. balu_der_baer

    Daniel assessing Dino to be vulnerable to the MAM issue predates the commit time of the fix to Dino master by 5 minutes. Either they were super fast, Daniel told them before writing here or they actually knew before 🤔️

  461. Ge0rG

    A conspiracy within a conspiracy?

  462. Daniel

    balu_der_baer, we were in here talking about how it is most likely vuln

  463. Daniel

    but i was out for a midnight snack before i could be bothered to actually verify

  464. pep.

    They also have access to this muc :)

  465. Daniel

    and also if you have just before that fixed the roster and carbon issue the mam fix could easily be done in 5 min

  466. Daniel

    it's the exact same lines of code copy pasted

  467. jubalh has left

  468. balu_der_baer

    Is anyone filing a CVE for the stanza id bug in Prosody I discovered yesterday?

  469. Daniel

    is it prosody not filtering out?

  470. Daniel

    i didn’t catch you mentioning that

  471. Daniel

    so i'm guessing

  472. balu_der_baer

    yes

  473. Daniel

    obvious bugs are obvious

  474. Daniel

    just get one yourself i guess?

  475. balu_der_baer

    I didn't mention any of the bugs, I left this task to you guys.

  476. Daniel

    did it not filter in general? or just under certain conditions

  477. Daniel

    well how would the stanza-id thing manifest itself?

  478. Daniel

    aside from MAM catchup being fucked

  479. balu_der_baer

    I guess as long as nobody tries to use them for anything, it won't...

  480. Daniel

    also there is code to do it…

  481. balu_der_baer

    I leave it to you or any other dev to find out when and why it doesn't work, I am not into Lua

  482. Daniel

    well i'm not yet sure the bug exists

  483. balu_der_baer

    How would one find out?

  484. derdaniel has joined

  485. pep.

    balu_der_baer, hint? around what time?

  486. pep.

    I could go through the logs..

  487. stpeter has joined

  488. balu_der_baer

    This one maybe?

  489. mr.fister has left

  490. peter has joined

  491. Daniel

    this room doesn’t claim to do the cleaning

  492. Daniel

    as a client you are supposed to parse the sid only if the server announces that

  493. peter has left

  494. pep.

    I'm somewhat happy poezio didn't display the second message, "Or this one"

  495. pep.

    <body xmlns="broken">Or this one</body>

  496. balu_der_baer

    Daniel, Technically correct.

  497. zach has left

  498. zach has joined

  499. pep.

    <message xml:lang="en" type="groupchat" to="pep@bouah.net/poezio-C7iY" from="xsf@muc.xmpp.org/balu_der_baer" id="c090def67ff04d4dae5cfc260bf71522"><body>This one maybe?</body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-185b3f943380209c" /><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-a55228b004fa960d" /><origin-id xmlns="urn:xmpp:sid:0" id="c090def67ff04d4dae5cfc260bf71522" /></message> <message xml:lang="en" type="groupchat" to="pep@bouah.net/poezio-C7iY" from="xsf@muc.xmpp.org/balu_der_baer" id="e11708f4ba544d3e8ceee73bf579544d"><body xmlns="broken">Or this one</body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-185b3f943380209c" /><origin-id xmlns="urn:xmpp:sid:0" id="e11708f4ba544d3e8ceee73bf579544d" /></message>

  500. pep.

    For reference

  501. Daniel

    so if you find a client that uses this for catchup (or anything) then you have your bug

  502. balu_der_baer

    When a message is archived, the server MUST add an stanza-id element as defined in Unique and Stable Stanza IDs (XEP-0359) [2] to the message, which informs the recipient of where and under what ID the message is stored. When doing this the server MUST follow the business rules defined in XEP-0359.

  503. pep.

    hmm.

  504. pep.

    That first message was cut in poezio.

  505. pep.

    Because of the <stanza-id /> :/

  506. pep.

    <message xml:lang="en" type="groupchat" to="pep@bouah.net/poezio-C7iY" from="xsf@muc.xmpp.org/balu_der_baer" id="b23f6efec2cf4ac2ad23d7da18fb7367"><body>When a message is archived, the server MUST add an <stanza-id /> element as defined in Unique and Stable Stanza IDs (XEP-0359) [2] to the message, which informs the recipient of where and under what ID the message is stored. When doing this the server MUST follow the business rules defined in XEP-0359.</body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-e360996b290c9aae" /><origin-id xmlns="urn:xmpp:sid:0" id="b23f6efec2cf4ac2ad23d7da18fb7367" /></message>

  507. balu_der_baer

    I admit, it's funny to see how different clients screw up different things. None of them seems to be really solid about anything so far.

  508. pep.

    indeed

  509. jonas’

    le fuck wat

  510. jonas’

    balu_der_baer, which client is that?

  511. pep.

    version string says Movim 0.15

  512. jonas’

    nice

  513. jonas’

    report an issue against movibm

  514. Zash

    There's the @by. This server needs some upgrades, but that part looks correct?

  515. balu_der_baer

    jonas, openssl s_client

  516. jonas’

    report an issue against movim

  517. pep.

    heh

  518. balu_der_baer

    Was using Gajim before, but its XML console does too many sanity checks for doing such evil things

  519. pep.

    Maybe poezio's /rawxml doesn't :-°

  520. jonas’

    I’ll just leave now

  521. Daniel

    how is <body>foo <bar/> something</body> supposed to render?

  522. Kev

    It's not, because that's illegal.

  523. Daniel

    not render the entire message?

  524. Kev

    The server is allowed to bounce it, even. But if it gets through to a client, anything's fair game, I think.

  525. flow

    that's what I would do, and as server close the client session (of course configurable, so that if you really want to support broken clients)

  526. balu_der_baer

    The body element MUST NOT contain mixed content (as defined in Section 3.2.2 of [XML]).

  527. flow

    balu_der_baer, IIRC this is not even mixed content

  528. Kev

    flow: It's not?

  529. flow

    maybe it is

  530. Kev

    If it's not then my understanding of mixed content is off.

  531. flow

    I just thought that mixed content is text content + element

  532. flow

    and not text content + element + text content

  533. balu_der_baer

    An element type has mixed content when elements of that type may contain character data, optionally interspersed with child elements.

  534. flow

    luckily there is a reference where I can lookup this and refresh my memory

  535. flow

    or I let balu_der_baer do the work ;)

  536. MattJ

    afaik mixed just means multiple types are used (both element and text nodes), it doesn't mean a specific order or number of nodes

  537. Kev

    That's certainly how the XMPP specs have used the term, yes.

  538. flow

    yep, convinced, and we don't do that in xmpp

  539. Daniel

    i mean cutting your own c2s when your server sends you this is probably not ideal

  540. flow

    nobody suggested this

  541. Alex has left

  542. Daniel

    no. i was just thinking out loud if i need to do something different in Conversations

  543. Kev

    Daniel: No, especially as servers are allowed to send you crap. But I don't think we're suggesting that.

  544. stpeter has left

  545. balu_der_baer

    Daniel, You need to fix the <body xmlns="broken"> thing

  546. adiaholic has left

  547. adiaholic has joined

  548. Daniel

    balu_der_baer, already made a note

  549. pdurbin has joined

  550. pep.

    I also opened issues in poezio.

  551. stpeter has joined

  552. zach has left

  553. zach has joined

  554. pep.

    Though that's probably in slixmpp

  555. peter has joined

  556. flow

    background? implementations do not consider the namespace of body elements?

  557. larma

    I have the feeling it's super productive if random people just push random stanzas in xsf@ 😉

  558. pep.

    let's do that more often

  559. Ge0rG

    > None of them seems to be really solid about anything so far.
    Nobody has complained about yaxim so far. But don't even try to put different xml:langs into the game ;)

  560. MattJ

    An ancient one is simply putting in multiple <body> (same namespace and xml:lang)

  561. MattJ

    Some clients would render the first, some the last

  562. Ge0rG

    yeah, having multiple elements with the same name in any kind of hashmap is a well known security issue

  563. balu_der_baer

    ⚠ Your client renders a first body when it shouldn't

  564. MattJ

    What should it render?

  565. pdurbin has left

  566. balu_der_baer

    Nothing, it's an invalid message

  567. mathieui

    I think a few clients have a history of trying to fix received namespaces to work around very old bugs

  568. peter has left

  569. pep.

    Why do we try to keep compat with broken stuff? :(

  570. pep.

    Then we in turn end up broken

  571. flow

    pep., some do, some avoid workarounds for broken implementations

  572. Kev

    You don't have a lot of choice dealing with broken stuff.

  573. pep.

    I wish we'd do that as a collective effort to push broken stuff away

  574. Kev

    At least not in an open ecosystem.

  575. flow

    I am in the latter camp FWIW

  576. pep.

    I also am

  577. Kev

    You might not try to 'fix up' the broken content, but you have to deal with it.

  578. flow

    Kev, I don't think this is true.

  579. pep.

    Kev, you do, you can just ignore them

  580. Kev

    pep.: Which is dealing with it.

  581. pep.

    Yes, while some others try to keep compat

  582. MattJ

    When we began Prosody, many of the other servers were "broken" in various ways... nobody would have used Prosody if we hadn't added workarounds for them

  583. flow

    Kev, sounded more like you meant that we don't have a choice besides adding workarounds into our code

  584. Kev

    flow: Yes, that's right.

  585. MattJ

    Not being able to s2s to 99% of the existing network was not an option :)

  586. pep.

    MattJ, now that you're a bit more notorious, here's your time :)

  587. Kev

    Like when ejabberd's PEP module sent tonnes of spurious messages, and if you wanted to avoid annoying your users you had to do something about them.

  588. MattJ

    Right, I'm just pointing out that you can't just make that your blanket stance towards issues like this

  589. Kev

    (ignore them, in fact, but it took code to ignore them)

  590. Ge0rG

    Is there consensus that a client MUST NOT render any bodies from a message that contains multiple bodies?

  591. Ge0rG

    (assuming equal xml:lang)

  592. Kev

    Ge0rG: You mean multiple bodies in the stream namespace, without distinguishing xml:lang, which might itself come from the stream?

  593. flow

    MattJ, true, it is always a per case decision, but too often that decision is "just add a workaround"

  594. MattJ

    In Prosody our policy is to avoid workarounds, and if that's not feasible then we add the workaround with a 'COMPAT' comment that explains when it was added and why (referencing bug reports, etc.)

  595. Zash

    pep.: Right when we're a bit behind on compliance features in core? Are you working for P1? ;)

  596. Ge0rG

    Kev: yes

  597. Kev

    In which case, no, I don't think there's anything in 612[01] that suggests a client would have to do that.

  598. MattJ

    and then we periodically review these and remove old ones that are no longer needed (as much?)

  599. pep.

    Zash, :P

  600. jubalh has joined

  601. Ge0rG

    Kev: I'm pretty sure it's illegal, and the question arises which of the bodies will end up rendered

  602. flow

    Ge0rG, what would make it illegal?

  603. Kev

    flow: 612[01] rules do.

  604. flow

    Kev, multiple bodies with the same xml:lang?

  605. Kev

    Yes.

  606. flow

    ahh right, it's in rfc6121 5.2.3

  607. Ge0rG

    https://xmpp.org/rfcs/rfc6121.html#message-syntax-body

  608. flow

    couldn't find a rule in rfc6120 though

  609. Kev

    6120 just says to use the rules in 6121.

  610. Ge0rG

    but §5.2.3 doesn't contain a statement on how to handle violations

  611. flow

    most things do not contain a statement on how to handle violations

  612. flow

    but yes, not showing a body at all appears sensible, probably even if there is a unique body-xmllang for your xmllang

  613. Ge0rG

    This is the opposite of "make everything you can to show the message content"

  614. jabberjocke has left

  615. jabberjocke has joined

  616. MattJ

    https://tools.ietf.org/html/draft-iab-protocol-maintenance-03

  617. zach has left

  618. zach has joined

  619. flow

    MattJ, \o/

  620. pep.

    this

  621. flow

    yep, this

  622. Ge0rG

    I hate this document.

  623. MattJ rejects Ge0rG's message

  624. Ge0rG

    It only makes sense in a closed system.

  625. Ge0rG

    With a dozen actively used XMPP implementations, and a tail distribution of less widely used ones, how am I supposed to know that blocking "invalid" messages won't break the interop with some of them?

  626. MattJ

    It probably will

  627. MattJ

    But if everyone agreed to be strict, that tail would soon be fixed (or rightly let die)

  628. stpeter has left

  629. flow

    The question is if the outcome is better than being liberal in what to accept

  630. MattJ

    And not everyone has to agree to be strict, just the dominant players

  631. pep.

    Just like when people went TLS

  632. MattJ

    Prosody fixed many client bugs by being more strict in what it accepted than any of the existing servers

  633. pep.

    Except dominant players didn't.. at the time

  634. pep.

    (gmail)

  635. MattJ

    and we don't even go very far

  636. Ge0rG

    MattJ: but I don't have any leverage on those implementations. And people will blame me for the bugs

  637. MattJ

    I feel your pain, many of us have experienced that

  638. MattJ

    and as I said, we have put in (clearly marked) workarounds for things like that

  639. lovetox_

    what is the problem about body with different namespace? so what, I don't check the namespace of body if I don't have to, this is certainly no security issue

  640. pep.

    Ge0rG, or on deployments..

  641. MattJ

    while simultaneously trying to get it fixed

  642. Licaon_Kter [cnvrs] has left

  643. pep.

    lovetox_, I can include a message that only gajim users will see and not others

  644. lovetox_

    yeah and? it's a feature I would say

  645. pep.

    Is it?

  646. flow

    lovetox_, I am not sure if it can't be exploited somehow. The main problem is that implementations treat an element as body when it is not

  647. MattJ

    lovetox_, it's a potential human security issue - if people disagree on what to render for a message, the logs will be showing one thing, clients will be showing another

  648. flow

    But I can only come up with very constructed scenarios of how this could cause a security issue

  649. MattJ

    despite it being a pretty poor messaging application that can't agree on how to render a text message :)

  650. aj has joined

  651. flow

    Like a bot which accepts commands via <body/> and a screening service checking that the commands in <body/> are safe

  652. lovetox_ has left

  653. MattJ

    XSF board meeting logs could all be faked by board members, and someone will put <body>+1</body><body>-1</body> to make people think they voted one way on a contentious issue, but the chair would see them voting a different way

  654. MattJ

    Consistency is good, inconsistency is bad

  655. flow

    word

  656. MattJ

    Consistency in a distributed open network isn't always easy

  657. MattJ

    But if we at least specify the right way to do things, that's a great start

  658. wurstsalat has left

  659. MattJ

    Right now nobody can even claim any particular client is buggy, because there is no correct decision about what to render (which may include nothing)

  660. MattJ

    (or an error)

  661. MattJ

    I'll note that even excluding potentially-illegal <body> constructs, this issue will still exist for multiple <body> with different xml:lang (I can show different versions of the same message to different languages, they don't have to say the same thing)

  662. MattJ

    But at least in that case a client could indicate to the user that other versions of the message exist, and allow them to view them

  663. wurstsalat has joined

  664. zach has left

  665. zach has joined

  666. zach has left

  667. zach has joined

  668. mukt2 has left

  669. mukt2 has joined

  670. Reventlov has left

  671. Daniel

    Mhh I now have uncommitted code that skips messages with body of the same language. Not really sure if I should commit that. I mean it's definitely illegal. And it probably won't happen on accident

  672. Ge0rG

    flow: do I need to pull a CVE number for Smack delivering the first of multiple equally xml-langed bodies?

  673. Daniel

    Ge0rG: is that a security issue?

  674. Ge0rG

    Daniel: what MattJ wrote. <body>+1</body><body>-1</body>

  675. Ge0rG

    https://logs.xmpp.org/xsf/2019-09-11#2019-09-11-869b4f1282d0a054

  676. Ge0rG

    Daniel: if there is only one implementation rendering the _last_ body from that list, it is a security issue

  677. jonas’

    Ge0rG, what else are you supposed to do?

  678. Alex has joined

  679. Kev

    That's a user confusion/unreliability issue. I'm not convinced it's a security issue.

  680. jonas’

    aioxmpp will take one, which one is officially undefined (but it will be the lastmost in the stanza)

  681. Ge0rG

    jonas’: tear down s2s!

  682. Daniel

    for ever!

  683. jonas’

    Ge0rG, seriously though. what should I do as a client library?

  684. jonas’

    send back an error?

  685. jonas’

    I see how this is a problem, I just don’t know the correct course of action

  686. Ge0rG

    jonas’: me neither

  687. Daniel

    that will get you kicked from the muc lol

  688. flow

    and presence leak

  689. flow

    (potential)

  690. MattJ

    Kev, I'm surprised that in the environments you're involved in, you don't see user confusion as a security (or safety) issue

  691. winfried has left

  692. winfried has joined

  693. Daniel

    jonas’, i just opted for ignoring it

  694. Daniel

    will happen infrequently enough to not be a real issue

  695. MattJ

    Especially if you add enforcement or auditing tools to the mix, which might disagree about which <body> to use/allow

  696. Ge0rG

    MattJ: maybe because it's scoped to the sending user.

  697. jonas’

    flow, uh--- that’s an interesting one, I think you can make aioxmpp auto-reply to a message if you violate the schema hard enough

  698. Ge0rG

    If somebody wants to play mind tricks with you, the impact is limited to what you'd believe them

  699. flow

    jonas’, take the stanzas out of the stream, send an error back if the sending entity is subscribed to your presence and log an error

  700. jabberjocke has left

  701. pep.

    Why has it been specified that a MUC should kick us on message @type=error btw?

  702. Ge0rG

    pep.: yes.

  703. jonas’

    Daniel, so you drop the entire stanza if there is more than one <body/> with same-language?

  704. Daniel

    because if your session dies?

  705. Daniel

    jonas’, yes

  706. jonas’

    flow, yeah, no, the part which sends errors back wouldn’t know about that type of stuff

  707. pep.

    Ge0rG, am I onto something?

  708. flow

    jonas’, I never said it is easy ;)

  709. Daniel

    jonas’, i mean no; i return the body as null. it might run through other paths

  710. jonas’

    Daniel, right

  711. Ge0rG

    pep.: I was going to elaborate, but Daniel came first

  712. jonas’

    for all languages or only for the buggy one, Daniel?

  713. pep.

    if my session dies?

  714. Daniel

    good question 🙂 no for all messages

  715. flow

    jonas’, remember when we talked about providing a callback to the user which informs him what exactly went where wrong in the incoming processing chain?

  716. Ge0rG

    pep.: yes, the MUC needs to kick you out if your client silently disconnected

  717. jonas’

    flow, exists, but that is not an error condition yet

  718. pep.

    But what if my client doesn't silently disconnect and I'm just trying to point out errors to others

  719. jonas’

    and I’m not sure what type of error condition it should be

  720. Ge0rG

    pep.: send a PM

  721. pep.

    @type=error?

  722. Ge0rG

    pep.: yes, those won't get you kicked IIRC

  723. pep.

    I see

  724. Ge0rG

    I have no idea how clients will behave ;)

  725. jonas’

    Ge0rG, so auto-reply wouldn't get me kicked either since that would go to the full JID

  726. pep.

    I guess this + ignoring a message should be good

  727. jonas’

    Ge0rG, so auto-reply from the library wouldn't get me kicked either since that would go to the full JID

  728. Ge0rG

    pep.: presence leak

  729. pep.

    rrr

  730. pep.

    Can you stop finding issues

  731. Ge0rG

    So can we now decide whether it's a security issue or not?

  732. Ge0rG

    pep.: no

  733. Ge0rG

    life would be boring otherwise. Also, blame balu_der_baer

  734. pep.

    But that's probably going in the logs anyway and not actually visible by the user.

  735. Daniel

    I'll "fix it" in that i will ignore it in the future but i wont rush out another release

  736. pep.

    I would like if a client would tell me "There is an error" (and aggregate them) "please report that to the dev"

  737. Ge0rG

    Daniel: can you rush out releases again? Or is Play store still imposing multi-day delays?

  738. Daniel

    yes i could

  739. Daniel

    was meaning to tweet that

  740. Daniel

    i fixed the PS issue

  741. Daniel

    but i was doing so much tweeting lately

  742. Ge0rG

    My other app is broken on Android 10 because Google finally removed the deprecated Apache HttpClient library which is used by... the Google Maps v1 library.

  743. Ge0rG

    Daniel: as much as @xmpp?

  744. Daniel

    not as annoying as @xmpp

  745. Daniel

    my tweets are super high quality

  746. Ge0rG

    I've been struggling to convey this message to the person responsible, for some days now.

  747. jonas’

    doesn’t someone else have access to that account and can single-handedly change the password?

  748. pep.

    I think we'd rather fix this socially

  749. Ge0rG

    jonas’: nobody knows who that "someone else" is

  750. Daniel

    access yes. can’t change the pw though

  751. pep.

    Not technically

  752. sonny has left

  753. sonny has joined

  754. Ge0rG

    pep.: full agreement here.

  755. Kev

    Which account what where?

  756. Daniel

    i mean sometimes i do tweet on @xmpp. but when i do it's only the best tweets

  757. Ge0rG

    Maybe I should just stop trying though, I'm probably the least empathetic person to attempt it

  758. Ge0rG

    Kev: twitter.com/xmpp

  759. lumi has joined

  760. pep.

    Daniel, of course

  761. jonas’

    Ge0rG, Daniel, actually I think we just need to agree on *which* of the multiple bodies to show and it’s a non-issue, right?

  762. Ge0rG

    jonas’: right

  763. Kev

    Is that the XSF's one? I thought I had credentials for the XSF Twitter (although 1password is failing me)

  764. Daniel

    well rfc says it's illegal. so just dropping it is easier?

  765. Ge0rG

    Kev: yes

  766. Kev

    I wonder why I don't currently have it.

  767. Ge0rG

    Daniel: I'm sure some clients/bots will end up sending a default body and one in an explicit language, and the explicit language accidentally being the default one

  768. winfried has left

  769. winfried has joined

  770. flow

    jonas’, coming up with a selection algorithm could be hard

  771. Daniel

    so we know it's not Kev who's doing the annoying tweets…

  772. jonas’

    flow, "first"

  773. flow

    jonas’, first in XML?

  774. Ge0rG

    LinkedHashMap to the rescue!

  775. jonas’

    flow, eys

  776. jonas’

    flow, yes

  777. flow

    jonas’, what if "first" is different per recipient

  778. jonas’

    flow, how is that supposed to happen?

  779. flow

    nothing guarantees that the order of the elements is stable when a stanza passes a hop

  780. jonas’

    flow, the order of elements with the same namespace-uri/local-name pair?

  781. jonas’

    I think we’d be in trouble already if that was violated.

  782. flow

    especially the order of those elements yes

  783. Kev

    Hmm. Looks like my tweetdeck doesn't have it either. I'm finding this very confusing.

  784. zach has left

  785. winfried has left

  786. zach has joined

  787. winfried has joined

  788. pep.

    > Ge0rG> Daniel: I'm sure some clients/bots will end up sending a default body and one in an explicit language, and the explicit language accidentally being the default one
    Let's agree to fix these bots?

  789. flow

    jonas’, like where?

  790. jonas’

    flow, [thinking ...]

  791. jonas’

    flow, forms?

  792. Ge0rG

    Kev: escalate to the A-team?

  793. jonas’

    it’s not strictly required there, but would be a major UX pain if the elements were reordered there

  794. flow

    are child elements of <x/>

  795. flow

    I am talking just about first level child elements of stanzas

  796. jonas’

    flow, oh, you’re only talking direct children of the stanza?

  797. jonas’

    huh

  798. jonas’

    why would that follow different rules?

  799. flow

    well mostly, for forms the order is actually important

  800. flow

    for first level stanza children it is usually not

  801. lovetox has joined

  802. Kev

    Right. I have control of @xmpp.

  803. Kev

    Awaiting further orders :)

  804. jonas’

    change the password until someone has found the person spamming newsletter ads on it ;)

  805. Reventlov has joined

  806. flow

    I believe it to be at least unspecified that it has to be stable when processing a stanza, and while most implementations may keep the order, we should not depend on unspecified behavior

  807. Kev

    Changing the password won't help, people are granted access via tweetdeck.

  808. Kev

    I mean, unless it's genuinely compromised.

  809. pep.

    Kev, you can probably access analytics though? I think that came up yesterday in commteam@

  810. jonas’

    looks more like "well meant but went too far"

  811. Ge0rG

    jonas’: I know who that person is

  812. pep.

    And they're not hiding it either

  813. Kev

    If someone from Board tells me to, I'll strip access down in tweetdeck.

  814. Daniel

    i think it has stopped anyway

  815. pep.

    Daniel, no it hasn't, it won't, read commteam@ :)

  816. Ge0rG

    Kev: yeah, can you check analytics for the number of new followers vs. gone followers since September 3rd?

  817. Kev

    No clue, can I?

  818. Ge0rG

    regarding the twitter activity, there was some wiki activity: https://wiki.xmpp.org/web/index.php?title=Special:RecentChanges&days=1&from=

  819. Ge0rG

    Kev: it was said to be on https://analytics.twitter.com

  820. winfried has left

  821. winfried has joined

  822. jonas’

    https://wiki.xmpp.org/web/CommTeam/Newsletter_Twitter_campaign

  823. Reventlov has left

  824. Daniel

    i'm confused

  825. stpeter has joined

  826. peter has joined

  827. Kev

    I do not believe I can get past stats on follower counts.

  828. winfried has left

  829. winfried has joined

  830. Ge0rG

    Bummer.

  831. winfried has left

  832. winfried has joined

  833. derdaniel has left

  834. Kev

    28 day summary sees tweet count up, impressions up, mentions up, profile visits down 17%, followers I think stable, unless I'm misreading, or unless it's not giving the info.

  835. winfried has left

  836. winfried has joined

  837. Ge0rG

    Kev: thanks

  838. Ge0rG

    In that case, it looks like the spam strategy is working out

  839. Daniel

    assuming these are good metrics…

  840. Kev

    I can only report what's in front of me.

  841. ralphm

    For clarity, as discussed in commteam@, those news letter tweets were sent by nyco. Some of the conversation might have been a bit harsh on him, as he is just trying to help.

  842. Ge0rG

    I'm very sorry that I hit the wrong notes in trying to talk to him :(

  843. ralphm

    To be honest, I was the one raising the issue in that room, and here before that, but I think we can take a lesson in seeing things from other perspectives, as well as trying out things.

  844. ralphm

    In the mean while, should you have interesting stuff that could be (re-)tweeted from @xmpp, do let them know.

  845. Kev

    I don't think I've (deliberately, at least) passed any judgement other than offering to do what I'm told.

  846. ralphm

    Scheduled tweets interspersed with other stuff would already be a lot better.

  847. ralphm

    Kev: not calling anyone out specifically. And not even just on this topic.

  848. Kev

    Ah, my stats were September.

  849. Daniel

    yes. we actually have a lot of things going on in the community to increase # of tweets w/o repeating ourselves

  850. ralphm

    I assume everyone tries their best.

  851. Kev

    So for August we lost followers, and for July we gained (more) followers.

  852. Kev

    In fact, as far back as we've got stats, August is the only time we've lost followers rather than gaining.

  853. Daniel

    also 'we' probably react more sensitively to obvious advertisement than a regular person would

  854. Ge0rG

    Daniel: or without uttering things that look like cheap SEO

  855. Link Mauve has joined

  856. Ge0rG

    Or that.

  857. Kev

    I'm back in 2017, and we've gained double-digits of followers each month, other than losing them in August.

  858. Kev

    I'm going to stop looking at stats now.

  859. jonas’

    how about re-tweeting https://twitter.com/iNPUTmice/status/1171678611897835520 ?

  860. Ge0rG

    jonas’: it lacks hashtags

  861. Daniel

    :-)

  862. Daniel

    i literally loled

  863. Ge0rG

    speaking of high-quality content

  864. jonas’

    #thatshouldhaveacve?

  865. Daniel

    jonas’, fwiw i usually RT my own tweets with xmpp if i consider them neutral and quality enough

  866. Ge0rG

    cheap self-promotion!

  867. Ge0rG

    :D

  868. Daniel

    good morning you should update dino did not make my own quality standards

  869. jonas’

    I like it actually

  870. ralphm

    Had Daniel mentioned that you should because of security issues, I would have retweeted it right away.

  871. jonas’

    that’s not to diminish dino, but it’s the kind of near-sarcastic security black humor I’m into

  872. Daniel

    in my defense I did write that before I had coffee

  873. zach has left

  874. zach has joined

  875. jonas’

    that’s not to diminish dino, but it’s the kind of near-sarcastic security black humor I’m into w.r.t. announcements

  876. ralphm

    Noted. Daniel: don't 🐦 before ☕

  877. adiaholic has left

  878. adiaholic has joined

  879. pep.

    Well on that note, you should also update converse. Maybe we can have a tweet with all of them.

  880. pep.

    And then retweet! When we get CVEs assigned

  881. pep.

    All PR is good PR right

  882. jonas’

    FTR, Docker Hub is an awful thing

  883. jonas’

    > Created 44 minutes ago > Queue time 1 minute > Duration 0 min

  884. jonas’

    > Logs are not available yet

  885. jonas’

    what kind of infrastructure is this?

  886. mukt2 has left

  887. Kev

    A free one?

  888. mathieui

    A terrible one

  889. mukt2 has joined

  890. remko has left

  891. jubalh has left

  892. matkor has left

  893. matkor has joined

  894. Dele (Mobile) has left

  895. Dele (Mobile) has joined

  896. Dele (Mobile) has left

  897. pdurbin has joined

  898. Dele (Mobile) has joined

  899. pep.

    Ge0rG, re MUC & errors / presence leak, a client could theoretically (not saying I'm going to do it) buffer these error messages going out, and only send them when the user sends chatstates or messages in the MUC.

  900. zach has left

  901. zach has joined

  902. pep.

    What about chat markers btw, are they also used in MUC? receipts are this I know. Isn't that a good enough presence leak already?

  903. ralphm

    Why would you send errors after a while? A server is likely not going to have anything it wants to do at that point?

  904. pep.

    Sending error to the participant jid, in hope that that gets logged by the clients and there's some kind of hint displayed to the user to actually contact devs. (Yes I'm pretty hopeful)

  905. pep.

    By that time the user could be gone for sure

  906. pep.

    Surelike they could be gone when I connect and fetch messages

  907. pep.

    Just like they could be gone when I connect and fetch messages

  908. ralphm

    Correlation is not fun with random long delays, maybe.

  909. pep.

    hmm

  910. pep.

    True

  911. pep.

    But then people shout "presence leak"

  912. Daniel

    what is a presence leak?

  913. Daniel

    i previously thought of it as a resource leak

  914. pdurbin has left

  915. pep.

    Daniel, you connect, your client fetches archive from MUC, finds an error and attempts to send that to the participant jid responsible for it. You're then effectively telling them you just came online

  916. pep.

    (or that you're somehow available)

  917. Daniel

    in a group chat?

  918. ralphm

    Is presence leak really a thing for MUC (as opposed to MIX)?

  919. Daniel

    didn’t you just do the same by joining?

  920. ralphm

    This

  921. pep.

    I wasn't the one to shout "presence leak"!

  922. pep.

    :)

  923. pep.

    But yeah, I actually agree. let me dismiss that issue then

  924. pep.

    Maybe combined with MSN? One of your clients didn't notice, the other connects and you send these errors. But then oh well

  925. ralphm

    Now, in theory, for MIX this is a bit different. There, sending presence can be optional.

  926. mukt2 has left

  927. ralphm

    But then you might have markers or somesuch.

  928. pep.

    It's fine I'm not concerned about MIX for now, poezio doesn't have an implementation :)

  929. ralphm

    This is the XSF channel though, and not jdev 🤣

  930. pep.

    heh

  931. pep.

    So you can do MIX PR just fine? :P

  932. jonas’

    Kev, (moving this from council@), but what stops me from sending you a random type=error (think spam)?

  933. jonas’

    if you make swift show a popup and interrupt the user, that’s bad design IMO

  934. flow

    > Daniel> i previously thought of it as a resource leak
    It is the same, but "presence leak" is the term rfc6120 uses

  935. ralphm

    I guess that also dismisses most of the recent discussions on Unicode and security issues in implementations. 😃

  936. Daniel

    yes. but by that definition sending chat markers does not leak your resource

  937. Daniel

    chat markers leak that you are present

  938. Nekit has left

  939. Daniel

    but that's not what the term means

  940. Nekit has joined

  941. Daniel

    (at least that what i've thought)

  942. Kev

    jonas’: I never said anything about popups (Swift policy is to never trigger popups from protocol).

  943. Kev

    But if you start receiving errors from someone, it'll tell you in the chat log with that person.

  944. jonas’

    Kev, that, I think, is fine

  945. jonas’

    even with CC-all-the-errors

  946. jonas’

    it shows that something you did on your phone went wrong and that you might want to pay attention (essentially)

  947. mukt2 has joined

  948. Kev

    But not if it's bare-JID errors.

  949. winfried has left

  950. winfried has joined

  951. neshtaxmpp has joined

  952. neshtaxmpp has left

  953. winfried has left

  954. winfried has joined

  955. winfried has left

  956. winfried has joined

  957. winfried has left

  958. winfried has joined

  959. mukt2 has left

  960. neshtaxmpp has joined

  961. neshtaxmpp has left

  962. zach has left

  963. zach has joined

  964. flow

    > Daniel> chat markers leak that you are present
    Depends on the situation I'd say. Clients should usually not send stanzas to other clients that are otherwise unable to determine if you are online, that's what I'd call a "presence leak".

  965. mukt2 has joined

  966. Steve Kille has left

  967. Mikaela has left

  968. Mikaela has joined

  969. Wojtek has joined

  970. zach has left

  971. zach has joined

  972. adiaholic has left

  973. adiaholic has joined

  974. Link Mauve has left

  975. sonny has left

  976. sonny has joined

  977. Wojtek has left

  978. Steve Kille has joined

  979. zach has left

  980. zach has joined

  981. arc has left

  982. arc has joined

  983. sonny has left

  984. sonny has joined

  985. patrick has joined

  986. matkor has left

  987. zach has left

  988. zach has joined

  989. patrick has left

  990. patrick has joined

  991. Mikaela has left

  992. Mikaela has joined

  993. matkor has joined

  994. arc has left

  995. arc has joined

  996. lovetox has left

  997. winfried has left

  998. winfried has joined

  999. winfried has left

  1000. winfried has joined

  1001. arc has left

  1002. arc has joined

  1003. zach has left

  1004. zach has joined

  1005. peter has left

  1006. Dele (Mobile) has left

  1007. arc has left

  1008. arc has joined

  1009. winfried has left

  1010. winfried has joined

  1011. winfried has left

  1012. winfried has joined

  1013. sonny has left

  1014. mimi89999 has left

  1015. winfried has left

  1016. winfried has joined

  1017. winfried has left

  1018. winfried has joined

  1019. pdurbin has joined

  1020. stpeter has left

  1021. zach has left

  1022. zach has joined

  1023. APach has left

  1024. Link Mauve has joined

  1025. pdurbin has left

  1026. matkor has left

  1027. eevvoor has joined

  1028. matkor has joined

  1029. APach has joined

  1030. lovetox has joined

  1031. lovetox

    i dont understand the benefit of the token XEP

  1032. zach has left

  1033. zach has joined

  1034. lovetox

    it says something about that the password can be stolen

  1035. jonas’

    lovetox, maybe on-list?

  1036. lovetox

    but a token is the same, if its stolen, i can change the account password

  1037. jonas’

    I haven’t read it yet and I have to go AFK now

  1038. lovetox

    at least its nice that the xep gives the user some knowledge about what devices have access to the account

  1039. mimi89999 has joined

  1040. jubalh has joined

  1041. Yagiza has left

  1042. Daniel

    You could simply not allow that

  1043. lovetox

    you mean the server?

  1044. lovetox

    so how would then someone change his password

  1045. lumi has left

  1046. Daniel

    Login properly

  1047. Ge0rG

    tokens are opaque and properly randomized; also they are not often stored on a stick-it note ;)

  1048. Ge0rG

    there is also very much value in one-time tokens to on-board a new device to your account

  1049. Ge0rG

    without having a password in a URL or QR code

  1050. lovetox

    but this is not about one-time tokens, so why are you mentioning it?

  1051. lovetox

    because its also a "token"?

  1052. lovetox

    it's basically a password replacement that has absolutely the same properties, full access to the account

  1053. lovetox

    so as I said I think it adds value because you know what devices are in use, it does not really provide any additional security

  1054. Zash

    Hm? Per-device passwords?

  1055. Daniel

    Per device passwords

  1056. lovetox

    and it was always weird for me that the register xep does not have an option where the server can demand your current password

  1057. Zash

    You somehow logged into the account

  1058. zach has left

  1059. zach has joined

  1060. lovetox

    yeah ..

  1061. eevvoor has left

  1062. Daniel

    I mean per device passwords is not necessarily a bad thing. I don't know if the xep is a good implementation of that

  1063. Daniel

    I haven't read it yet

  1064. Daniel

    But I wouldn't dismiss per device passwords on principle

  1065. Zash

    I wonder if you can hijack the authzid for something like that

  1066. lovetox

    i didnt dismiss it Daniel if you got that from what i said

  1067. lovetox

    the XEP talks a bit about security

  1068. lovetox

    so thats what i questioned

  1069. lovetox

    it's definitely nice to know what devices are connected and being able to remotely log them off and revoke them

  1070. Daniel

    > its definitly nice to know what device are connected and beeing able to remotley log them off and revoke them
    Yes

  1071. Ge0rG

    I wouldn't be opposed to tokens that have limited permissions behind, like not being allowed to change the password or to issue further tokens; also a limit to one connection per token

  1072. Daniel

    All that

  1073. lumi has joined

  1074. Link Mauve has left

  1075. Link Mauve has joined

  1076. Link Mauve

    lovetox, in SASL EXTERNAL with client certs (XEP-0257 IIRC), it is said that if the user tries to change their password, they should get an error and then asked for the previous password first.

  1077. lumi has left

  1078. lumi has joined

  1079. Nekit has left

  1080. Ge0rG

    Yes, with a data form

  1081. Link Mauve

    In the non-error part of an error iq. ;_;

  1082. Daniel

    > Yes, with a data form
    Data forms are definitely in the top five of my favorite forms

  1083. winfried has left

  1084. winfried has joined

  1085. zach has left

  1086. zach has joined

  1087. Link Mauve has left

  1088. Link Mauve has joined

  1089. aj has left

  1090. jubalh has left

  1091. sonny has joined

  1092. LNJ has left

  1093. LNJ has joined

  1094. zach has left

  1095. zach has joined

  1096. derdaniel has joined

  1097. Yagiza has joined

  1098. debacle has left

  1099. larma

    I think auth tokens could be reusing RFC7628 and in general be more OAuth compatible

  1100. larma

    Oh, and XEP-0235

  1101. pep.

    oh, TIL

  1102. winfried has left

  1103. winfried has joined

  1104. winfried has left

  1105. winfried has joined

  1106. winfried has left

  1107. winfried has joined

  1108. Daniel

    oh they gave me three CVEs

  1109. derdaniel has left

  1110. zach has left

  1111. zach has joined

  1112. jubalh has joined

  1113. nyco has joined

  1114. Kev

    Maybe it's a special offer on Wednesdays.

  1115. debacle has joined

  1116. mukt2 has left

  1117. mukt2 has joined

  1118. Mikaela has left

  1119. Mikaela has joined

  1120. pdurbin has joined

  1121. zach has left

  1122. zach has joined

  1123. Douglas Terabyte has left

  1124. flow

    can't get enough of those wonderful CVEs

  1125. Zash

    Gotta catch them all!

  1126. nyco_ has joined

  1127. nyco_ has left

  1128. nyco_ has joined

  1129. nyco_ has left

  1130. jubalh has left

  1131. nyco_ has joined

  1132. nyco_ has left

  1133. nyco_ has joined

  1134. nyco_ has left

  1135. Douglas Terabyte has joined

  1136. pdurbin has left

  1137. nyco_ has joined

  1138. nyco_ has left

  1139. patrick has left

  1140. zach has left

  1141. zach has joined

  1142. jubalh has joined

  1143. nyco_ has joined

  1144. nyco_ has left

  1145. adiaholic has left

  1146. Douglas Terabyte has left

  1147. Ge0rG

    They need to motivate the six digit numbers!

  1148. lovetox has left

  1149. Mikaela has left

  1150. Mikaela has joined

  1151. nyco has left

  1152. pep.

    Do you win something if you get there first?

  1153. jcbrand has left

  1154. Douglas Terabyte has joined

  1155. zach has left

  1156. zach has joined

  1157. matkor has left

  1158. matkor has joined

  1159. mukt2 has left

  1160. Link Mauve has left

  1161. winfried has left

  1162. winfried has joined

  1163. winfried has left

  1164. winfried has joined

  1165. marc_ has left

  1166. Yagiza has left

  1167. j.r has left

  1168. j.r has joined

  1169. LNJ has left

  1170. winfried has left

  1171. neshtaxmpp has joined

  1172. winfried has joined

  1173. Tobias has left

  1174. Tobias has joined

  1175. peter has joined

  1176. stpeter has joined

  1177. zach has left

  1178. zach has joined

  1179. Dele (Mobile) has joined

  1180. Dele (Mobile) has left

  1181. pdurbin has joined

  1182. zach has left

  1183. zach has joined

  1184. karoshi has left

  1185. goffi has left

  1186. Nekit has joined

  1187. neshtaxmpp has left

  1188. neshtaxmpp has joined

  1189. dele has joined

  1190. dele has left

  1191. Nekit has left

  1192. pdurbin has left

  1193. jubalh has left

  1194. Dele (Mobile) has joined

  1195. peter has left

  1196. Dele (Mobile) has left

  1197. zach has left

  1198. zach has joined

  1199. mimi89999 has left

  1200. mimi89999 has joined

  1201. mukt2 has joined

  1202. stpeter has left

  1203. neshtaxmpp has left

  1204. xalek has left

  1205. sonny has left

  1206. sonny has joined

  1207. xalek has joined

  1208. mukt2 has left

  1209. alameyo has left

  1210. alameyo has joined

  1211. peter has joined

  1212. stpeter has joined

  1213. murabito has left

  1214. vanitasvitae has left

  1215. vanitasvitae has joined

  1216. wurstsalat has left

  1217. murabito has joined

  1218. zach has left

  1219. zach has joined

  1220. mukt2 has joined

  1221. peter has left

  1222. mukt2 has left

  1223. zach has left

  1224. zach has joined

  1225. stpeter has left

  1226. mukt2 has joined

  1227. debacle has left

  1228. matkor has left

  1229. matkor has joined

  1230. UsL has left

  1231. UsL has joined

  1232. mukt2 has left

  1233. mimi89999 has left

  1234. mimi89999 has joined

  1235. stpeter has joined

  1236. mukt2 has joined