XSF Discussion - 2019-09-11

  1. mukt2 has left

  2. zach has left

  3. zach has joined

  4. stpeter has joined

  5. Dele (Mobile) has left

  6. stpeter has left

  7. mukt2 has joined

  8. pdurbin has joined

  9. debacle has left

  10. mukt2 has left

  11. pdurbin has left

  12. karoshi has left

  13. remko has joined

  14. mukt2 has joined

  15. sonny has left

  16. aj has joined

  17. zach has left

  18. zach has joined

  19. stpeter has joined

  20. peter has joined

  21. mukt2 has left

  22. kokonoe has left

  23. kokonoe has joined

  24. neshtaxmpp has joined

  25. mukt2 has joined

  26. remko has left

  27. UsL has left

  28. sonny has joined

  29. UsL has joined

  30. zach has left

  31. zach has joined

  32. mukt2 has left

  33. Steve Kille has left

  34. Steve Kille has joined

  35. zach has left

  36. zach has joined

  37. sonny has left

  38. neshtaxmpp has left

  39. neshtaxmpp has joined

  40. lskdjf has left

  41. kokonoe has left

  42. kokonoe has joined

  43. mukt2 has joined

  44. mukt2 has left

  45. mukt2 has joined

  46. peter has left

  47. pdurbin has joined

  48. mukt2 has left

  49. mukt2 has joined

  50. UsL has left

  51. kokonoe has left

  52. ths has left

  53. kokonoe has joined

  54. remko has joined

  55. stpeter has left

  56. ths has joined

  57. UsL has joined

  58. kokonoe has left

  59. kokonoe has joined

  60. zach has left

  61. zach has joined

  62. pdurbin has left

  63. kokonoe has left

  64. kokonoe has joined

  65. kokonoe has left

  66. mukt2 has left

  67. mukt2 has joined

  68. sonny has joined

  69. zach has left

  70. zach has joined

  71. mukt2 has left

  72. andy has joined

  73. remko has left

  74. mukt2 has joined

  75. matkor has left

  76. matkor has joined

  77. Yagiza has joined

  78. zach has left

  79. zach has joined

  80. sonny has left

  81. Tobias has joined

  82. Daniel has left

  83. Daniel has joined

  84. pdurbin has joined

  85. Nekit has joined

  86. j.r has joined

  87. andy has left

  88. andy has joined

  89. j.r has left

  90. zach has left

  91. zach has joined

  92. adiaholic has joined

  93. j.r has joined

  94. mukt2 has left

  95. pdurbin has left

  96. LNJ has joined

  97. kokonoe has joined

  98. mukt2 has joined

  99. zach has left

  100. zach has joined

  101. remko has joined

  102. mukt2 has left

  103. mukt2 has joined

  104. remko has left

  105. sonny has joined

  106. goffi has joined

  107. neshtaxmpp has left

  108. j.r has left

  109. j.r has joined

  110. zach has left

  111. zach has joined

  112. goffi has left

  113. goffi has joined

  114. pdurbin has joined

  115. mukt2 has left

  116. mukt2 has joined

  117. Alex has left

  118. Alex has joined

  119. winfried has left

  120. winfried has joined

  121. Maranda has left

  122. Maranda has joined

  123. winfried has left

  124. winfried has joined

  125. kokonoe has left

  126. kokonoe has joined

  127. ths has left

  128. ths has joined

  129. zach has left

  130. zach has joined

  131. UsL has left

  132. jabberjocke has joined

  133. rion has left

  134. zach has left

  135. zach has joined

  136. karoshi has joined

  137. lovetox_ has joined

  138. mukt2 has left

  139. arc has joined

  140. lovetox_ has left

  141. winfried has left

  142. winfried has joined

  143. mukt2 has joined

  144. lovetox_ has joined

  145. Nekit has left

  146. Nekit has joined

  147. kokonoe has left

  148. kokonoe has joined

  149. ralphm

    Daniel: your tweet to upgrade Dino is a bit, let's say, sparse on detail :-D

  150. zach has left

  151. zach has joined

  152. Daniel

    which is probably a good thing?

  153. ralphm

    I don't know?

  154. ralphm

    Does has it shiny new features, or was there a horrible security issue?

  155. Daniel

    it had all the CVEs. roster injection. carbon injection. mam injection. https://github.com/dino/dino/commits/master

  156. lovetox_

    Does it get a Combo Bonus 😃

  157. jonas’


  158. ralphm


  159. Daniel

    i mean they fixed it pretty quick.

  160. ralphm

    Daniel: but you didn't want to rub it in?

  161. Daniel

    now someone should probably notify the debian maintainers

  162. Mikaela has joined

  163. Daniel

    ralphm, it's extremly easy to exploit. and someone has exploited the roster one in this muc yesterday

  164. Daniel

    so i don’t want to give details

  165. ralphm

    Well, if someone is updating the CVEs, isn't that automatic?

  166. ralphm

    Also, is there a changelog somewhere?

  167. Daniel

    dino hasn't had a release yet

  168. Daniel

    so no there is no changelog

  169. Daniel

    aside from git

  170. jonas’

    they should definitely allocate CVEs

  171. wurstsalat has joined

  172. j.r has left

  173. winfried has left

  174. Ge0rG

    they, or the researcher who found it?

  175. winfried has joined

  176. j.r has joined

  177. Douglas Terabyte has left

  178. Douglas Terabyte has joined

  179. mimi89999 has left

  180. jonas’

    "someone", actually

  181. zach has left

  182. zach has joined

  183. jonas’

    I don’t think you need to be affiliated with a project to allocate CVEs

  184. Steve Kille has left

  185. marc_ has joined

  186. mimi89999 has joined

  187. Ge0rG

    yeah, when I find something, I typically allocate the CVEs myself

  188. Daniel

    i'll probably write something down for the three bugs together

  189. Daniel

    i mean it's the same general mistake

  190. Ge0rG

    Nobody reads the Security Considerations

  191. Daniel


  192. Ge0rG

    is there a bold-red-blinking markup we can use at the top of https://xmpp.org/extensions/xep-0280.html#inbound ?

  193. Dele (Mobile) has joined

  194. Daniel

    maybe. if people only read the examples; we should have bad examples

  195. jonas’

    Ge0rG, having a thing in xep.dtd / xep.xsl which allows to mark up Important boxes would be neat

  196. j.r has left

  197. Daniel

    i mean explicitly examples showing you what kind of messages to reject

  198. jonas’

    stuff like sphinx generates with .. warning::

  199. jonas’

    Ge0rG, can you file a thing against xeps/XEP-0001?

  200. jonas’

    that won’t help with RFC 6121, but it’s something

  201. Steve Kille has joined

  202. Ge0rG

    jonas’: an issue thing or a PR thing?

  203. Ge0rG

    Daniel: that's actually an excellent idea

  204. Ge0rG

    jonas’: https://github.com/xsf/xeps/issues/821

  205. zach has left

  206. zach has joined

  207. aj has left

  208. mimi89999 has left

  209. ths has left

  210. ths has joined

  211. j.r has joined

  212. Ge0rG

    Daniel: how about https://op-co.de/tmp/xep-0280.html#example-11

  213. mimi89999 has joined

  214. jcbrand has joined

  215. j.r has left

  216. Daniel

    The paragraph above that is also new?

  217. Daniel

    Looks fine

  218. alameyo has left

  219. alameyo has joined

  220. Daniel

    Yeah that's probably a good improvement

  221. Ge0rG

    Daniel: yeah

  222. Ge0rG

    Daniel: but you can't link to paragraphs

  223. Ge0rG

    and I didn't want to link to example 10

  224. Daniel

    Makes you question why that wasn't in there before

  225. remko has joined

  226. Ge0rG

    Daniel: because XEP authors aren't security consultants

  227. Daniel

    Maybe we want to go so far and in the security section say in <strong> *This has been exploited several times*

  228. Daniel

    And link to the CVE

  229. Daniel

    Probably a separate PR

  230. Ge0rG

    it would mark my third PR for 0280 today.

  231. Daniel

    I mean it is absolutely ridiculous that this has struck so many times in three different iterations

  232. Ge0rG

    I suppose it is enough to have a negative example for "received", without one for "sent".

  233. Daniel


  234. Daniel


  235. Ge0rG

    Daniel: do you have the link to the initial incarnation?

  236. Daniel

    This predates my involvement in xmpp

  237. Daniel

    So no

  238. adiaholic has left

  239. adiaholic has joined

  240. nyco has joined

  241. nyco has left

  242. mukt2 has left

  243. Neustradamus has left

  244. jabberjocke has left

  245. jabberjocke has joined

  246. mukt2 has joined

  247. Neustradamus has joined

  248. nyco has joined

  249. nyco has left

  250. Neustradamus has left

  251. Neustradamus has joined

  252. larma has left

  253. Link Mauve has left

  254. mr.fister has joined

  255. larma has joined

  256. sonny has left

  257. sonny has joined

  258. mr.fister has left

  259. zach has left

  260. zach has joined

  261. mr.fister has joined

  262. Licaon_Kter [cnvrs] has joined

  263. Reventlov has joined

  264. jonas’

    Ge0rG, a PR thing would be even better than an issue thing

  265. intosi has left

  266. Mikaela has left

  267. Douglas Terabyte has left

  268. Mikaela has joined

  269. Douglas Terabyte has joined

  270. Ge0rG

    jonas’: yeah, but my work.

  271. Licaon_Kter [cnvrs]

    MattJ Any reason this room does not _warn the user that the discussions are logged_ ?

  272. Alex has left

  273. debacle has joined

  274. Alex has joined

  275. Alex has left

  276. mukt2 has left

  277. Alex has joined

  278. mr.fister has left

  279. jonas’ has left

  280. jonas’ has joined

  281. zach has left

  282. zach has joined

  283. Maranda has left

  284. Maranda has joined

  285. mukt2 has joined

  286. pdurbin has left

  287. nyco has joined

  288. mukt2 has left

  289. nyco has left

  290. kokonoe has left

  291. kokonoe has joined

  292. nyco has joined

  293. nyco has left

  294. aj has joined

  295. ths has left

  296. ths has joined

  297. mukt2 has joined

  298. ralphm

    As for RFCs, I suppose it could be in errata, but then again, who reads those.

  299. Mikaela has left

  300. Ge0rG

    nobody :(

  301. Mikaela has joined

  302. j.r has joined

  303. zach has left

  304. zach has joined

  305. Daniel

    up until recently i didn’t even know they existed

  306. mukt2 has left

  307. Zash

    Licaon_Kter [cnvrs] looks like it only sends the signal when archiving is enabled or disabled.

  308. Zash

    And also the semantic difference between archiving and logging.

  309. pep.

    Maybe you should have two messages? :P

  310. Zash

    Link is in the subject and I /think/ also in some room metadata.

  311. pep.

    Some clients don't really show subjects in a prominent place anymore :(

  312. j.r has left

  313. kokonoe has left

  314. j.r has joined

  315. Licaon_Kter [cnvrs]

    Zash Subject/Title aside, Converse.js shows them, but will also show_"groupchat logging is now enabled"_ as per https://xmpp.org/extensions/xep-0045.html#enter-logging so, is Prosody not honouring that? Umm https://hg.prosody.im/trunk/file/tip/plugins/mod_muc_mam.lua#l99 maybe

  316. pep.

    he just answered you

  317. Licaon_Kter [cnvrs]

    I, obviously, did not undestand a thing 🙂

  318. pep.

    "when [it] is enabled or disabled."

  319. Zash

    It is missing a thing for when you join

  320. Licaon_Kter [cnvrs]

    Ok, right...

  321. Zash

    Report issue. Patches especially appreciated 🙂

  322. Licaon_Kter [cnvrs]


  323. Zash

    But the public logs are provided by a separate module. Should that one add the tag?

  324. Zash

    IIRC both of them should only let you get logs/archives if you could join the room and get them yourself

  325. aj has left

  326. Douglas Terabyte has left

  327. Douglas Terabyte has joined

  328. lovetox_

    If the user is entering a room in which the discussions are logged to a public archive (often accessible via HTTP), the service SHOULD allow the user to enter the room but MUST also warn the user that the discussions are logged.

  329. kokonoe has joined

  330. lovetox_

    So Zash this explicitly mentions http based logs

  331. lovetox_

    i would argue it does not matter how the server logs, what counts is that is publicly available, and the user should be warned about it

  332. Licaon_Kter [cnvrs]

    FYI, I only noticed this because ejabberd is announcing it every time Converse.js mysteriously dis/reconnects https://github.com/conversejs/converse.js/issues/1697

  333. marc_ has left

  334. marc_ has joined

  335. madhur.garg has joined

  336. madhur.garg has left

  337. madhur.garg has joined

  338. madhur.garg has left

  339. madhur.garg has joined

  340. Licaon_Kter [cnvrs] has left

  341. zach has left

  342. zach has joined

  343. pdurbin has joined

  344. rion has joined

  345. Licaon_Kter [cnvrs] has joined

  346. jubalh has joined

  347. pdurbin has left

  348. remko has left

  349. Reventlov has left

  350. Reventlov has joined

  351. Reventlov has left

  352. Reventlov has joined

  353. kokonoe has left

  354. lovetox_ has left

  355. lumi has joined

  356. lovetox_ has joined

  357. lskdjf has joined

  358. zach has left

  359. zach has joined

  360. Reventlov has left

  361. Reventlov has joined

  362. Reventlov has left

  363. Reventlov has joined

  364. Reventlov has left

  365. ths has left

  366. Reventlov has joined

  367. Reventlov has left

  368. Reventlov has joined

  369. madhur.garg has left

  370. rion has left

  371. rion has joined

  372. Maranda has left

  373. Maranda has joined

  374. remko has joined

  375. j.r has left

  376. j.r has joined

  377. jabberjocke has left

  378. jabberjocke has joined

  379. lumi has left

  380. Ge0rG

    lovetox_: so it's also true for MAM

  381. zach has left

  382. zach has joined

  383. mukt2 has joined

  384. UsL has joined

  385. Daniel

    btw i've requested a CVE. i was a bit unsure on the how given that dino technically had no releases yet; but let's see if it gets accepted

  386. Maranda has left

  387. Maranda has joined

  388. balu_der_baer

    Daniel, Requested a CVE for which issue exactly?

  389. pep.

    It speaks!

  390. Daniel

    balu_der_baer, I put roster, carbons, and mam in one

  391. Ge0rG

    ...in Dino

  392. Daniel

    probbaly not worth creating different ones

  393. Ge0rG

    It would make sense to ask for one for Converse, though.

  394. Daniel

    balu_der_baer, i can credit you on the carbon one

  395. pep.

    Right. JC also just fixed an issue in converse

  396. Ge0rG

    Or is it just the 2017 one revamped?

  397. pep.

    It looks like it

  398. Ge0rG

    pep.: but it was fixed back then

  399. pep.

    In these clients

  400. Daniel

    for converse?

  401. Daniel

    was converse hit back then?

  402. Ge0rG

    pep.: converse was one of the clients, yes

  403. pep.

    heh, ok

  404. balu_der_baer

    I think the converse is the relevant one, given it is actually released software and not some "I compiled code from the internetz and is has bugz"

  405. pep.

    Isn't that the case for all software

  406. Daniel

    balu_der_baer, yes probably. dino is in debian and some other distros tho

  407. Kev

    I think dino has been released hasn't it? It's in Debian and stuff.

  408. Daniel

    and in fairly wide use

  409. Ge0rG

    pep.: I've heard that there is software that you need to type from a book

  410. pep.

    Kev, nope

  411. pep.

    no release

  412. Kev

    pep.: https://packages.debian.org/search?keywords=dino-im - different project?

  413. pep.


  414. pep.

    But no release

  415. Kev

    Then it's been released.

  416. pep.


  417. Daniel

    and that kids is why you dont make packages for git

  418. pep.

    Kev, https://tracker.debian.org/pkg/dino-im

  419. pep.

    look at the version string

  420. Zash

    Hey kids wanna get into a semantics discussion? What is a release?

  421. Kev

    I'm not saying that upstream say it's stable.

  422. Kev

    I'm saying that it has been released. I.e. it is available to users.

  423. pep.

    "It's in Debian so it's released!"

  424. pep.

    Ok let's leave the semantic discussions for later

  425. Kev

    Pretty much the definition of released is that it's available, yes.

  426. zach has left

  427. zach has joined

  428. pep.

    Upstream hasn't cut a release yet, is all I'm saying.

  429. pep.

    Distributions do whatever they want with it

  430. Daniel

    it is probably worthwhile to get a CVE for. and it has already been requested

  431. Daniel

    so we don’t need to argue about it :-)

  432. Kev

    I understand that upstream may not have yet tagged a stable release. Just that that's largely irrelevant to users if they can apt install it.

  433. pep.

    So is it fine if I package it myself for my own use? Can I also say the software has been released? :)

  434. Kev

    I also understand that if someone uploaded it to Debian before upstream said it was ready for use, that sucks for upstream.

  435. pep.

    Or as long as it's published

  436. Ge0rG

    Kev: that sucks for debian

  437. Kev

    That too.

  438. Daniel

    it sucks for everyone

  439. pep.

    Ge0rG, you mean for Debian's users

  440. Kev

    That three.

  441. Daniel

    upstream. debian. the users

  442. Ge0rG

    Software releases are hard. Let's go shopping!

  443. Ge0rG almost wrote "shipping"

  444. Nameless RTL person has left

  445. stpeter has joined

  446. jubalh has left

  447. jubalh has joined

  448. Daniel

    am i seeing this correctly that converse has different mam/carbon parsing code for muc vs 1:1

  449. Daniel


  450. Daniel

    and it hit only muc because of that

  451. balu_der_baer

    I know that Dino developers tell people to not use the debians "release" build but always use the latest nightly instead. And my guess is that those patches are caused by them preparing for a first real release

  452. mukt2 has left

  453. stpeter has left

  454. zach has left

  455. mr.fister has joined

  456. zach has joined

  457. Reventlov has left

  458. Reventlov has joined

  459. mukt2 has joined

  460. balu_der_baer

    Daniel assessing Dino to be vulnerable to the MAM issue predates the commit time of the fix to Dino master by 5 minutes. Either they were super fast, Daniel told them before writing here or they actually knew before 🤔️

  461. Ge0rG

    A conspiracy within a conspiracy?

  462. Daniel

    balu_der_baer, we were in here talking about how it is most likely vuln

  463. Daniel

    but i was out for a midnight snack before i could be bothered to actually verify

  464. pep.

    They also have access to this muc :)

  465. Daniel

    and also if you have just before that fixed the roster and carbon issue the mam fix could easily be done in 5 min

  466. Daniel

    it's the exact same lines of code copy pasted

  467. jubalh has left

  468. balu_der_baer

    Is anyone filing a CVE for the stanza id bug in Prosody I discovered yesterday?

  469. Daniel

    is it prosody not filtering out?

  470. Daniel

    i didn’t catch you mentioning that

  471. Daniel

    so i'm guessing

  472. balu_der_baer


  473. Daniel

    obvious bugs are obvious

  474. Daniel

    just get one yourself i guess?

  475. balu_der_baer

    I didn't mention any of the bugs, I left this task to you guys.

  476. Daniel

    did it not filter in general? or just under certain conditions

  477. Daniel

    well how would the stanza-id thing manifest itself?

  478. Daniel

    aside from MAM catchup being fucked

  479. balu_der_baer

    I guess as long as nobody tries to use them for anything, it won't...

  480. Daniel

    also there is code to do it…

  481. balu_der_baer

    I leave it to you or any other dev to find out when and why it doesn't work, I am not into Lua

  482. Daniel

    well i'm not yet sure the bug exists

  483. balu_der_baer

    How would one find out?

  484. derdaniel has joined

  485. pep.

    balu_der_baer, hint? around what time?

  486. pep.

    I could go through the logs..

  487. stpeter has joined

  488. balu_der_baer

    This one maybe?

  489. mr.fister has left

  490. peter has joined

  491. Daniel

    this room doesn’t claim to do the cleaning

  492. Daniel

    as a client you are supposed to parse the sid only if the server announces that

  493. peter has left

  494. pep.

    I'm somewhat happy poezio didn't display the second message, "Or this one"

  495. pep.

    <body xmlns="broken">Or this one</body>

  496. balu_der_baer

    Daniel, Technically correct.

  497. zach has left

  498. zach has joined

  499. pep.

    <message xml:lang="en" type="groupchat" to="pep@bouah.net/poezio-C7iY" from="xsf@muc.xmpp.org/balu_der_baer" id="c090def67ff04d4dae5cfc260bf71522"><body>This one maybe?</body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-185b3f943380209c" /><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-a55228b004fa960d" /><origin-id xmlns="urn:xmpp:sid:0" id="c090def67ff04d4dae5cfc260bf71522" /></message> <message xml:lang="en" type="groupchat" to="pep@bouah.net/poezio-C7iY" from="xsf@muc.xmpp.org/balu_der_baer" id="e11708f4ba544d3e8ceee73bf579544d"><body xmlns="broken">Or this one</body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-185b3f943380209c" /><origin-id xmlns="urn:xmpp:sid:0" id="e11708f4ba544d3e8ceee73bf579544d" /></message>

  500. pep.

    For reference

  501. Daniel

    so if you find a client that uses this for catchup (or anything) then you have your bug

  502. balu_der_baer

    When a message is archived, the server MUST add an stanza-id element as defined in Unique and Stable Stanza IDs (XEP-0359) [2] to the message, which informs the recipient of where and under what ID the message is stored. When doing this the server MUST follow the business rules defined in XEP-0359.

  503. pep.


  504. pep.

    That first message was cut in poezio.

  505. pep.

    Because of the <stanza-id /> :/

  506. pep.

    <message xml:lang="en" type="groupchat" to="pep@bouah.net/poezio-C7iY" from="xsf@muc.xmpp.org/balu_der_baer" id="b23f6efec2cf4ac2ad23d7da18fb7367"><body>When a message is archived, the server MUST add an <stanza-id /> element as defined in Unique and Stable Stanza IDs (XEP-0359) [2] to the message, which informs the recipient of where and under what ID the message is stored. When doing this the server MUST follow the business rules defined in XEP-0359.</body><stanza-id xmlns="urn:xmpp:sid:0" by="xsf@muc.xmpp.org" id="2019-09-11-e360996b290c9aae" /><origin-id xmlns="urn:xmpp:sid:0" id="b23f6efec2cf4ac2ad23d7da18fb7367" /></message>

  507. balu_der_baer

    I admit, it's funny to see how different clients screw up different things. None of them seems to be really solid about anything so far.

  508. pep.


  509. jonas’

    le fuck wat

  510. jonas’

    balu_der_baer, which client is that?

  511. pep.

    version string says Movim 0.15

  512. jonas’


  513. jonas’

    report an issue against movibm

  514. Zash

    There's the @by. This server needs some upgrades, but that part looks correct?

  515. balu_der_baer

    jonas, openssl s_client

  516. jonas’

    report an issue against movim

  517. pep.


  518. balu_der_baer

    Was using Gajim before, but it's XML console does too many sanity checks for doing such evil things

  519. pep.

    Maybe poezio's /rawxml doesn't :-°

  520. jonas’

    I’ll just leave now

  521. Daniel

    how is <body>foo <bar/> something</body> supposed to render?

  522. Kev

    It's not, because that's illegal.

  523. Daniel

    not render the entire message?

  524. Kev

    The server is allowed to bounce it, even. But if it gets through to a client, anything's fair game, I think.

  525. flow

    that's what I would do, and as server close the client session (of course configurable, so that if you really want to support broken clients)

  526. balu_der_baer

    The body element MUST NOT contain mixed content (as defined in Section 3.2.2 of [XML]).

  527. flow

    balu_der_baer, IIRC this is not even mixed content

  528. Kev

    flow: It's not?

  529. flow

    maybe it is

  530. Kev

    If it's not then my understanding of mixed content is off.

  531. flow

    I just though thtat mixed content is text content + element

  532. flow

    and not text content + element + text content

  533. balu_der_baer

    An element type has mixed content when elements of that type may contain character data, optionally interspersed with child elements.

  534. flow

    luckily there is a reference where I can lookup this and refresh my memory

  535. flow

    or I let balu_der_baer do the work ;)

  536. MattJ

    afaik mixed just means multiple types are used (both element and text nodes), it doesn't mean a specific order or number of nodes

  537. Kev

    That's certainly how the XMPP specs have used the term, yes.

  538. flow

    yep, convinced, and we don't do that in xmpp

  539. Daniel

    i mean cutting your own c2s when your server sends you this is probably not ideal

  540. flow

    nobody suggested this

  541. Alex has left

  542. Daniel

    no. i was just thinking out loud if i need to do something different in Conversations

  543. Kev

    Daniel: No, especially as servers are allowed to send you crap. But I don't think we're suggesting that.

  544. stpeter has left

  545. balu_der_baer

    Daniel, You need to fix the <body xmlns="broken"> thing

  546. adiaholic has left

  547. adiaholic has joined

  548. Daniel

    balu_der_baer, already made a note

  549. pdurbin has joined

  550. pep.

    I also opened issues in poezio.

  551. stpeter has joined

  552. zach has left

  553. zach has joined

  554. pep.

    Though that's probably in slixmpp

  555. peter has joined

  556. flow

    background? implementations do not consider the namespace of body elements?

  557. larma

    I have the feeling its super productive if random people just push random stanzas in xsf@ 😉

  558. pep.

    let's do that more often

  559. Ge0rG

    > None of them seems to be really solid about anything so far. Nobody has complained about yaxim so far. But don't even try to put different xml:langs into the game ;)

  560. MattJ

    An ancient one is simply putting in multiple <body> (same namespace and xml:lang)

  561. MattJ

    Some clients would render the first, some the last

  562. Ge0rG

    yeah, having multiple elements with the same name in any kind of hashmap is a well known security issue

  563. balu_der_baer

    ⚠ Your client renders a first body when it shouldn't

  564. MattJ

    What should it render?

  565. pdurbin has left

  566. balu_der_baer

    Nothing, it's an invalid message

  567. mathieui

    I think a few clients have a history of trying to fix received namespaces to work around very old bugs

  568. peter has left

  569. pep.

    Why do we try to keep compat with broken stuff? :(

  570. pep.

    Then we in turn we end up broken

  571. flow

    pep., some do, some avoid workarounds for broken implementations

  572. Kev

    You don't have a lot of choice dealing with broken stuff.

  573. pep.

    I wish we'd do that as a collective effort to push broken stuff away

  574. Kev

    At least not in an open ecosystem.

  575. flow

    I am in the latter camp FWIW

  576. pep.

    I also am

  577. Kev

    You might not try to 'fix up' the broken content, but you have to deal with it.

  578. flow

    Kev, I don't think this is true.

  579. pep.

    Kev, you do, you can just ignore them

  580. Kev

    pep.: Which is dealing with it.

  581. pep.

    Yes, while some others try to keep compat

  582. MattJ

    When we began Prosody, many of the other servers were "broken" in various ways... nobody would have used Prosody if we hadn't added workarounds for them

  583. flow

    Kev, sounded more like you meant that we don't have a choice besides adding workarounds into our code

  584. Kev

    flow: Yes, that's right.

  585. MattJ

    Not being able to s2s to 99% of the existing network was not an option :)

  586. pep.

    MattJ, now that you're a bit more notorious, here's your time :)

  587. Kev

    Like when ejabberd's PEP module sent tonnes of spurious messages, and if you wanted to avoid annoying your users you had to do something about them.

  588. MattJ

    Right, I'm just pointing out that you can't just make that your blanket stance towards issues like this

  589. Kev

    (ignore them, in fact, but it took code to ignore them)

  590. Ge0rG

    Is there consensus that a client MUST NOT render any bodies from a message that contains multiple bodies?

  591. Ge0rG

    (assuming equal xml:lang)

  592. Kev

    Ge0rG: You mean multiple bodies in the stream namespace, without distinguishing xml:lang, which might itself come from the stream?

  593. flow

    MattJ, true, it is always a per case decission, but to often that decission is "just add a workaround"

  594. MattJ

    In Prosody our policy is to avoid workarounds, and if that's not feasible then we add the workaround with a 'COMPAT' comment that explains when it was added and why (referencing bug reports, etc.)

  595. Zash

    pep.: Right when we're a bit behind on compliance features in core? Are you working for P1? ;)

  596. Ge0rG

    Kev: yes

  597. Kev

    In which case, no, I don't think there's anything in 612[01] that suggests a client would have to do that.

  598. MattJ

    and then we periodically review these and remove old ones that are no longer needed (as much?)

  599. pep.

    Zash, :P

  600. jubalh has joined

  601. Ge0rG

    Kev: I'm pretty sure it's illegal, and the question arises which of the bodies will end up rendered

  602. flow

    Ge0rG, what would make it illegal?

  603. Kev

    flow: 612[01] rules do.

  604. flow

    Kev, multiple bodies with the same xml:lang?

  605. Kev


  606. flow

    ahh right, it's in rfc6121 5.2.3

  607. Ge0rG


  608. flow

    couldn't find a rule in rfc6120 though

  609. Kev

    6120 just says to use the rules in 6121.

  610. Ge0rG

    but §5.2.3 doesn't contain a statement on how to handle violations

  611. flow

    most things do not contain a statement on how to handle violations

  612. flow

    but yes, not showing a body at all appears sensible, probably even if there is a unique body-xmllang for your xmllang

  613. Ge0rG

    This is the opposite of "make everything you can to show the message content"

  614. jabberjocke has left

  615. jabberjocke has joined

  616. MattJ


  617. zach has left

  618. zach has joined

  619. flow

    MattJ, \o/

  620. pep.


  621. flow

    yep, this

  622. Ge0rG

    I hate this document.

  623. MattJ reject's Ge0rG's message

  624. Ge0rG

    It only makes sense in a closed system.

  625. Ge0rG

    With a dozen of actively used XMPP implementations, and a tail distribution of less widely used ones, how am I supposed to know that blocking "invalid" messages won't break the interop with some of them?

  626. MattJ

    It probably will

  627. MattJ

    But if everyone agreed to be strict, that tail would soon be fixed (or rightly let die)

  628. stpeter has left

  629. flow

    The question is if the outcome is better than being liberal in what to accept

  630. MattJ

    And not everyone has to agree to be strict, just the dominant players

  631. pep.

    Just like when people went TLS

  632. MattJ

    Prosody fixed many client bugs by being more strict in what it accepted than any of the existing servers

  633. pep.

    Except dominant players didn't.. at the time

  634. pep.


  635. MattJ

    and we don't even go very far

  636. Ge0rG

    MattJ: but I don't have any leverage on those implementations. And people will blame me for the bugs

  637. MattJ

    I feel your pain, many of us have experienced that

  638. MattJ

    and as I said, we have put in (clearly marked) workarounds for things like that

  639. lovetox_

    what is the problem about body with different namespace? so what i dont check the namespace of body if i dont have to, this is certainly no security issue

  640. pep.

    Ge0rG, or on deployments..

  641. MattJ

    while simultaneously trying to get it fixed

  642. Licaon_Kter [cnvrs] has left

  643. pep.

    lovetox_, I can include a message that only gajim users will see and not others

  644. lovetox_

    yeah and? its a feautre i would say

  645. pep.

    Is it?

  646. flow

    lovetox_, I am not sure if I can't be exploited somehow. The main problem is that implementations treat an element as body when it is not

  647. MattJ

    lovetox_, it's a potential human security issue - if people disagree on what to render for a message, the logs will be showing one thing, clients will be showing another

  648. flow

    But I can only come up with very constructed scenarious how this could cause an security issue

  649. MattJ

    despite it being a pretty poor messaging application that can't agree on how to render a text message :)

  650. aj has joined

  651. flow

    Like a bot which accepts commands via <body/> and a screening service checking that the commands in <body/> are safe

  652. lovetox_ has left

  653. MattJ

    XSF board meeting logs could all be faked by board members, and someone will put <body>+1</body><body>-1</body> to make people think they voted one way on a contentious issue, but the chair would see them voting a different way

  654. MattJ

    Consistency is good, inconsistency is bad

  655. flow


  656. MattJ

    Consistency in a distributed open network isn't always easy

  657. MattJ

    But if we at least specify the right way to do things, that's a great start

  658. wurstsalat has left

  659. MattJ

    Right now nobody can even claim any particular client is buggy, because there is no correct decision about what to render (which may include nothing)

  660. MattJ

    (or an error)

  661. MattJ

    I'll note that even excluding potentially-illegal <body> constructs, this issue will still exist for multiple <body> with different xml:lang (I can show different versions of the same message to different languages, they don't have to say the same thing)

  662. MattJ

    But at least in that case a client could indicate to the user that other versions of the message exist, and allow them to view them

  663. wurstsalat has joined

  664. zach has left

  665. zach has joined

  666. zach has left

  667. zach has joined

  668. mukt2 has left

  669. mukt2 has joined

  670. Reventlov has left

  671. Daniel

    Mhh I now have uncommitted code that skips messages with body of the same language. Not really sure if I should commit that. I mean it's definitely illegal. And it probably won't happen on accident

  672. Ge0rG

    flow: do I need to pull a CVE number for Smack delivering the first of multiple equally xml-langed bodies?

  673. Daniel

    Ge0rG: is that a security issue?

  674. Ge0rG

    Daniel: what MattJ wrote. <body>+1</body><body>-1</body>

  675. Ge0rG


  676. Ge0rG

    Daniel: if there is only one implementation rendering the _last_ body from that list, it is a security issue

  677. jonas’

    Ge0rG, what else are you supposed to do?

  678. Alex has joined

  679. Kev

    That's a user confusion/unreliability issue. I'm not convinced it's a security issue.

  680. jonas’

    aioxmpp will take one, which one is officially undefined (but it will be the lastmost in the stanza)

  681. Ge0rG

    jonas’: tear down s2s!

  682. Daniel

    for ever!

  683. jonas’

    Ge0rG, seriously though. what should I do as a client library?

  684. jonas’

    send back an error?

  685. jonas’

    I see how this is a problem, I just don’t know the correct course of action

  686. Ge0rG

    jonas’: me neither

  687. Daniel

    that will get you kicked from the muc lol

  688. flow

    and presence leak

  689. flow


  690. MattJ

    Kev, I'm surprised that in the environments you're involved in, you don't see user confusion as a security (or safety) issue

  691. winfried has left

  692. winfried has joined

  693. Daniel

    jonas’, i just opted for ignoring it

  694. Daniel

    will happen infrequently enough to not be a real issue

  695. MattJ

    Especially if you add enforcement or auditing tools to the mix, which might disagree about which <body> to use/allow

  696. Ge0rG

    MattJ: maybe because it's scoped to the sending user.

  697. jonas’

    flow, uh--- that’s an interesting one, I think you can make aioxmpp auto-reply to a message if you violate the schema hard enough

  698. Ge0rG

    If somebody wants to play mind tricks with you, the impact is limited to what you'd believe them

  699. flow

    jonas’, take the stanzas out of the stream, send an error back if the sending entity is subscribed to your presence and log an error

  700. jabberjocke has left

  701. pep.

    Why has it been specified that a MUC should kick us on message @type=error btw?

  702. Ge0rG

    pep.: yes.

  703. jonas’

    Daniel, so you drop the entire stanza if there is more than one <body/> with same-language?

  704. Daniel

    because if your session dies?

  705. Daniel

    jonas’, yes

  706. jonas’

    flow, yeah, no, the part which sends errors back wouldn’t know about that type of stuff

  707. pep.

    Ge0rG, am I onto something?

  708. flow

    jonas’, I never said it is easy ;)

  709. Daniel

    jonas’, i mean no; i return the body as null. it might run through other paths

  710. jonas’

    Daniel, right

  711. Ge0rG

    pep.: I was going to elaborate, but Daniel came first

  712. jonas’

    for all languages or only for the buggy one, Daniel?

  713. pep.

    if my session dies?

  714. Daniel

    good question 🙂 no for all messages

  715. flow

    jonas’, remember when we talked about providing a callback to the user which informs him what exactly went where wrong in the incoming processing chain?

  716. Ge0rG

    pep.: yes, the MUC needs to kick you out if your client silenty disconnected

  717. jonas’

    flow, exists, but that is not an error condition yet

  718. pep.

    But what if my client doesn't silently disconnect and I'm just trying to point out errors to others

  719. jonas’

    and I’m not sure what type of error condition it should be

  720. Ge0rG

    pep.: send a PM

  721. pep.


  722. Ge0rG

    pep.: yes, those won't get you kicked IIRC

  723. pep.

    I see

  724. Ge0rG

    I have no idea how clients will behave ;)

  725. jonas’

    Ge0rG, so auto-reply woudln’t get me kicked either since that would go to the full JID

  726. pep.

    I guess this + ignoring a message should be good

  727. jonas’

    Ge0rG, so auto-reply from the library woudln’t get me kicked either since that would go to the full JID

  728. Ge0rG

    pep.: presence leak

  729. pep.


  730. pep.

    Can you stop finding issues

  731. Ge0rG

    So can we now decide whether it's a security issue or not?

  732. Ge0rG

    pep.: no

  733. Ge0rG

    life would be boring otherwise. Also, blame balu_der_baer

  734. pep.

    But that's probably going in the logs anyway and not actually visible by the user.

  735. Daniel

    I'll "fix it" in that i will ignore it in the future but i wont rush out another release

  736. pep.

    I would like if a client would tell me "There is an error" (and aggregate them) "please report that to the dev"

  737. Ge0rG

    Daniel: can you rush out releases again? Or is Play store still imposing multi-day delays?

  738. Daniel

    yes i could

  739. Daniel

    was meaning to tweet that

  740. Daniel

    i fixed the PS issue

  741. Daniel

    but i was doing so much tweeting lately

  742. Ge0rG

    My other app is broken on Android 10 because Google finally removed the deprecated Apache HttpClient library which is used by... the Google Maps v1 library.

  743. Ge0rG

    Daniel: as much as @xmpp?

  744. Daniel

    not as annoying as @xmpp

  745. Daniel

    my tweets are super high quality

  746. Ge0rG

    I've been struggling to convey this message to the person responsible, for some days now.

  747. jonas’

    doesn’t someone else have access to that account and can single-handedly change the password?

  748. pep.

    I think we'd rather fix this socially

  749. Ge0rG

    jonas’: nobody knows who that "someone else" is

  750. Daniel

    access yes. can’t change the pw though

  751. pep.

    Not technically

  752. sonny has left

  753. sonny has joined

  754. Ge0rG

    pep.: full agreement here.

  755. Kev

    Which account what where?

  756. Daniel

    i mean sometimes i do tweet on @xmpp. but when i do it's only the best tweets

  757. Ge0rG

    Maybe I should just stop trying though, I'm probably the least empathetic person to attempt it

  758. Ge0rG

    Kev: twitter.com/xmpp

  759. lumi has joined

  760. pep.

    Daniel, of course

  761. jonas’

    Ge0rG, Daniel, actually I think we just need to agree on *which* of the multiple bodies to show and it’s a non-issue, right?

  762. Ge0rG

    jonas’: right

  763. Kev

    Is that the XSF's one? I thought I had credentials for the XSF Twitter (although 1password is failing me)

  764. Daniel

    well rfc says it's illegal. so just dropping it is easier?

  765. Ge0rG

    Kev: yes

  766. Kev

    I wonder why I don't currently have it.

  767. Ge0rG

    Daniel: I'm sure some clients/bots will end up sending a default body and one in an explicit language, and the explicit language accidentally being the default one

  768. winfried has left

  769. winfried has joined

  770. flow

    jonas’, coming up with a selection algorithm could be hard

  771. Daniel

    so we know it's not Kev whos doing the annoying tweets…

  772. jonas’

    flow, "first"

  773. flow

    jonas’, first in XML?

  774. Ge0rG

    LinkedHashMap to the rescue!

  775. jonas’

    flow, eys

  776. jonas’

    flow, yes

  777. flow

    jonas’, what if "first" is different per recipient

  778. jonas’

    flow, how is that supposed to happen?

  779. flow

    nothing gurantees that the order of the elements is stable when a stanza passes a hop

  780. jonas’

    flow, the order of elements with the same namespace-uri/local-name pair?

  781. jonas’

    I think we’d be in trouble already if that was violated.

  782. flow

    especially the order of those elements yes

  783. Kev

    Hmm. Looks like my tweetdeck doesn't have it either. I'm finding this very confusing.

  784. zach has left

  785. winfried has left

  786. zach has joined

  787. winfried has joined

  788. pep.

    > Ge0rG> Daniel: I'm sure some clients/bots will end up sending a default body and one in an explicit language, and the explicit language accidentally being the default one Let's agree to fix these bots?

  789. flow

    jonas’, like where?

  790. jonas’

    flow, [thinking ...]

  791. jonas’

    flow, forms?

  792. Ge0rG

    Kev: escalate to the A-team?

  793. jonas’

    it’s not strictly required there, but would be a major UX pain if the elements were reordered there

  794. flow

    are child elements of <x/>

  795. flow

    I am taking just about first level child elements of stanzas

  796. jonas’

    flow, oh, you’re only talking direct children of the stanza?

  797. jonas’


  798. jonas’

    why would that follow different rules?

  799. flow

    well mostly, for forms the order is actually important

  800. flow

    for first level stanza childs it is usually not

  801. lovetox has joined

  802. Kev

    Right. I have control of @xmpp.

  803. Kev

    Awaiting further orders :)

  804. jonas’

    change the password until someone has found the person spamming newsletter ads on it ;)

  805. Reventlov has joined

  806. flow

    I believe it to be at least unspecified that it has to be stable when processing a stanza, and while most implementations may keep the order, we should not depend on unspecified behavior

  807. Kev

    Changing the password won't help, people are granted access via tweetdeck.

  808. Kev

    I mean, unless it's genuinely compromised.

  809. pep.

    Kev, you can probably access analytics though? I think that came up yesterday in commteam@

  810. jonas’

    looks more like "well meant but went too far"

  811. Ge0rG

    jonas’: I know who that person is

  812. pep.

    And they're not hiding it either

  813. Kev

    If someone from Board tells me to, I'll strip access down in tweetdeck.

  814. Daniel

    i think it has stopped anyway

  815. pep.

    Daniel, no it hasn't, it won't, read commteam@ :)

  816. Ge0rG

    Kev: yeah, can you check analytics for the number of new followers vs. gone followers since September 3rd?

  817. Kev

    No clue, can I?

  818. Ge0rG

    regarding the twitter activity, there was some wiki acitivty: https://wiki.xmpp.org/web/index.php?title=Special:RecentChanges&days=1&from=

  819. Ge0rG

    Kev: it was said to be on https://analytics.twitter.com

  820. winfried has left

  821. winfried has joined

  822. jonas’


  823. Reventlov has left

  824. Daniel

    i'm confused

  825. stpeter has joined

  826. peter has joined

  827. Kev

    I do not believe I can get past stats on follower counts.

  828. winfried has left

  829. winfried has joined

  830. Ge0rG


  831. winfried has left

  832. winfried has joined

  833. derdaniel has left

  834. Kev

    28 day summary sees tweet count up, impressions up, mentions up, profile visits down 17%, followers I think stable, unless I'm misreading, or unless it's not giving the info.

  835. winfried has left

  836. winfried has joined

  837. Ge0rG

    Kev: thanks

  838. Ge0rG

    In that case, it looks like the spam strategy is working out

  839. Daniel

    assuming this are good metrics…

  840. Kev

    I can only report what's in front of me.

  841. ralphm

    For clarity, as discussed in commteam@, those news letter tweets were sent by nyco. Some of the conversation might have been a bit harsh on him, as he is just trying to help.

  842. Ge0rG

    I'm very sorry that I hit the wrong notes in trying to talk to him :(

  843. ralphm

    To be honest, I was the one raising the issue in that room, and here before that, but I think we can take a lesson in seeing things from other perspectives, as well trying out things.

  844. ralphm

    In the mean while, should you have interesting stuff that could be (re-)tweeted from @xmpp, do let them know.

  845. Kev

    I don't think I've (deliberately, at least) passed any judgement other than offering to do what I'm told.

  846. ralphm

    Scheduled tweets interspersed with other stuff would already be a lot better.

  847. ralphm

    Kev: not calling anyone out specifically. And not even just on this topic.

  848. Kev

    Ah, my stats were September.

  849. Daniel

    yes. we actually have a lot of things going on in the community to increase # of tweets w/o repeating ourselves

  850. ralphm

    I assume everyone tries their best.

  851. Kev

    So for August we lost followers, and for July we gained (more) followers.

  852. Kev

    In fact, as far back as we've got stats, August is the only time we've lost followers rather than gaining.

  853. Daniel

    also 'we' probably react more sensitive to obvious advertisment than a regular person would

  854. Ge0rG

    Daniel: or without uttering things that look like cheap SEO

  855. Link Mauve has joined

  856. Ge0rG

    Or that.

  857. Kev

    I'm back in 2017, and we've gained double-digits of followers each month, other than losing them in August.

  858. Kev

    I'm going to stop looking at stats now.

  859. jonas’

    how about re-tweeting https://twitter.com/iNPUTmice/status/1171678611897835520 ?

  860. Ge0rG

    jonas’: it lacks hashtags

  861. Daniel


  862. Daniel

    i literally loled

  863. Ge0rG

    speaking of high-quality content

  864. jonas’


  865. Daniel

    jonas’, fwiw i usually RT my own tweets with xmpp if i consider them neutral and quality enough

  866. Ge0rG

    cheap self-promotion!

  867. Ge0rG


  868. Daniel

    good morning you should update dino did not make my own quality standards

  869. jonas’

    I like it actually

  870. ralphm

    Had Daniel's mentioned that you should because of security issues, I would have retweeted it right away.

  871. jonas’

    that’s not to diminish dino, but it’s the kind of near-sarcastic security black humor I’m into

  872. Daniel

    to my defense I did wrote that before i had coffee

  873. zach has left

  874. zach has joined

  875. jonas’

    that’s not to diminish dino, but it’s the kind of near-sarcastic security black humor I’m into w.r.t. announcements

  876. ralphm

    Noted. Daniel: don't 🐦 before ☕

  877. adiaholic has left

  878. adiaholic has joined

  879. pep.

    Well on that note, you should also update converse. Maybe we can have a tweet with all of them.

  880. pep.

    And then retweet! When we get CVEs assigned

  881. pep.

    All PR is good PR right

  882. jonas’

    FTR, Docker Hub is an awful thing

  883. jonas’

    > Created 44 minutes ago > Queue time 1 minute > Duration 0 min

  884. jonas’

    > Logs are not available yet

  885. jonas’

    what kind of infrasturcture is this?

  886. mukt2 has left

  887. Kev

    A free one?

  888. mathieui

    A terrible one

  889. mukt2 has joined

  890. remko has left

  891. jubalh has left

  892. matkor has left

  893. matkor has joined

  894. Dele (Mobile) has left

  895. Dele (Mobile) has joined

  896. Dele (Mobile) has left

  897. pdurbin has joined

  898. Dele (Mobile) has joined

  899. pep.

    Ge0rG, re MUC & errors / presence leak, a client could theoretically (not saying I'm going to do it) buffer these error messages going out, and only send them when the user sends chatstates or messages in the MUC.

  900. zach has left

  901. zach has joined

  902. pep.

    What about chat markers btw, are they also used in MUC? receipts are this I know. Isn't that a good enough presence leak already?

  903. ralphm

    Why would you send errors after a while? A server is likely not going to have anything it wants to do at that point?

  904. pep.

    Sending error to the participant jid, in hope that that gets logged by the clients and there's some kind of hint displayed to the user to actually contact devs. (Yes I'm pretty hopeful)

  905. pep.

    By that time the user could be gone for sure

  906. pep.

    Surelike they could be gone when I connect and fetch messages

  907. pep.

    Just like they could be gone when I connect and fetch messages

  908. ralphm

    Correlation is not fun with random long delays, maybe.

  909. pep.


  910. pep.


  911. pep.

    But then people shout "presence leak"

  912. Daniel

    what is a presence leak?

  913. Daniel

    i previously thought of it as a resource leak

  914. pdurbin has left

  915. pep.

    Daniel, you connect, your client fetches archive from MUC, finds an error and attempts to send that to the participant jid responsible for it. You're then effectively telling them you just came online

  916. pep.

    (or that you're somehow available)

  917. Daniel

    in a group chat?

  918. ralphm

    Is presence leak really a thing for MUC (as opposed to MIX)?

  919. Daniel

    didn’t you just did the same by joining?

  920. ralphm


  921. pep.

    I wasn't the one to shout "presence leak"!

  922. pep.


  923. pep.

    But yeah, I actually agree. let me dismiss that issue then

  924. pep.

    Maybe combined with MSN? One of your clients didn't notice, the other connects and you send these errors. But then oh well

  925. ralphm

    Now, in theory, for MIX this is a bit different. There, sending presence can be optional.

  926. mukt2 has left

  927. ralphm

    But then you might have markers or somesuch.

  928. pep.

    It's fine I'm not concerned about MIX for now, poezio doesn't have an implementation :)

  929. ralphm

    This is the XSF channel though, and not jdev 🤣

  930. pep.


  931. pep.

    So you can do MIX PR just fine? :P

  932. jonas’

    Kev, (moving this from council@), but what stops me from sending you a random type=error (think spam)?

  933. jonas’

    if you make swift show a popup and interrupt the user, that’s bad design IMO

  934. flow

    Daniel> i previously thought of it as a resource leak It is the same, but "presence leak" is the term rfc6120 uses

  935. ralphm

    I guess that also dismisses most of the recent discussions on Unicode and security issues in implementations. 😃

  936. Daniel

    yes. but by that definition sending chat markers does not leak your resource

  937. Daniel

    chat markers leak that you are present

  938. Nekit has left

  939. Daniel

    but that's not what the term means

  940. Nekit has joined

  941. Daniel

    (at least that what i've thought)

  942. Kev

    jonas’: I never said anything about popups (Swift policy is to never trigger popups from protocol).

  943. Kev

    But if you start receiving errors from someone, it'll tell you in the chat log with that person.

  944. jonas’

    Kev, that, I think, is fine

  945. jonas’

    even with CC-all-the-errors

  946. jonas’

    it shows that something you did on your phone went wrong and that you might want to pay attention (essentially)

  947. mukt2 has joined

  948. Kev

    But not if it's bare-JID errors.

  949. winfried has left

  950. winfried has joined

  951. neshtaxmpp has joined

  952. neshtaxmpp has left

  953. winfried has left

  954. winfried has joined

  955. winfried has left

  956. winfried has joined

  957. winfried has left

  958. winfried has joined

  959. mukt2 has left

  960. neshtaxmpp has joined

  961. neshtaxmpp has left

  962. zach has left

  963. zach has joined

  964. flow

    > Daniel> chat markers leak that you are present Depends on the situation i'd say. Client should usually not send stanzas to other clients that are otherwhise unable to determine if you are online, that's what I'd call a "presence leak".

  965. mukt2 has joined

  966. Steve Kille has left

  967. Mikaela has left

  968. Mikaela has joined

  969. Wojtek has joined

  970. zach has left

  971. zach has joined

  972. adiaholic has left

  973. adiaholic has joined

  974. Link Mauve has left

  975. sonny has left

  976. sonny has joined

  977. Wojtek has left

  978. Steve Kille has joined

  979. zach has left

  980. zach has joined

  981. arc has left

  982. arc has joined

  983. sonny has left

  984. sonny has joined

  985. patrick has joined

  986. matkor has left

  987. zach has left

  988. zach has joined

  989. patrick has left

  990. patrick has joined

  991. Mikaela has left

  992. Mikaela has joined

  993. matkor has joined

  994. arc has left

  995. arc has joined

  996. lovetox has left

  997. winfried has left

  998. winfried has joined

  999. winfried has left

  1000. winfried has joined

  1001. arc has left

  1002. arc has joined

  1003. zach has left

  1004. zach has joined

  1005. peter has left

  1006. Dele (Mobile) has left

  1007. arc has left

  1008. arc has joined

  1009. winfried has left

  1010. winfried has joined

  1011. winfried has left

  1012. winfried has joined

  1013. sonny has left

  1014. mimi89999 has left

  1015. winfried has left

  1016. winfried has joined

  1017. winfried has left

  1018. winfried has joined

  1019. pdurbin has joined

  1020. stpeter has left

  1021. zach has left

  1022. zach has joined

  1023. APach has left

  1024. Link Mauve has joined

  1025. pdurbin has left

  1026. matkor has left

  1027. eevvoor has joined

  1028. matkor has joined

  1029. APach has joined

  1030. lovetox has joined

  1031. lovetox

    i dont understand the benefit of the token XEP

  1032. zach has left

  1033. zach has joined

  1034. lovetox

    it says something about that the password can be stolen

  1035. jonas’

    lovetox, maybe on-list?

  1036. lovetox

    but a token is the same, if its stolen, i can change the account password

  1037. jonas’

    I haven’t read it yet and I have to go AFK now

  1038. lovetox

    at least its nice that the xep gives the user some knowledge about what devices have access to the account

  1039. mimi89999 has joined

  1040. jubalh has joined

  1041. Yagiza has left

  1042. Daniel

    You could simply not allow that

  1043. lovetox

    you mean the server?

  1044. lovetox

    so how would then someone change his password

  1045. lumi has left

  1046. Daniel

    Login properly

  1047. Ge0rG

    tokens are opaque and properly randomized; also they are not often stored on a stick-it note ;)

  1048. Ge0rG

    there is also very much value in one-time tokens to on-board a new device to your account

  1049. Ge0rG

    without having a password in a URL or QR code

  1050. lovetox

    but this is not about one-time tokens, so why are you mention it?

  1051. lovetox

    because its also a "token"?

  1052. lovetox

    its basically a password replacement that has absolutley the same propertys, full access to the account

  1053. lovetox

    so as i said i think it adds value because you know what devices are in use, it does not really provide any additional security

  1054. Zash

    Hm? Per-device passwords?

  1055. Daniel

    Per device passwords

  1056. lovetox

    and it was always weird for me that the register xep does not have an option where the server can demand your current password

  1057. Zash

    You somehow logged into the account

  1058. zach has left

  1059. zach has joined

  1060. lovetox

    yeah ..

  1061. eevvoor has left

  1062. Daniel

    I mean per device passwords is not necessarily a bad thing. I don't know if the xep is a good implementation of that

  1063. Daniel

    I haven't read it yet

  1064. Daniel

    But I wouldn't dismiss per device passwords on principle

  1065. Zash

    I wonder if you can hijack the authzid for something like that

  1066. lovetox

    i didnt dismiss it Daniel if you got that from what i said

  1067. lovetox

    the XEP talks a bit about security

  1068. lovetox

    so thats what i questioned

  1069. lovetox

    its definitly nice to know what device are connected and beeing able to remotley log them off and revoke them

  1070. Daniel

    > its definitly nice to know what device are connected and beeing able to remotley log them off and revoke them Yes

  1071. Ge0rG

    I wouldn't be opposed to tokens that have limited permissions behind, like not being allowed to change the password or to issue further tokens; also a limit to one connection per token

  1072. Daniel

    All that

  1073. lumi has joined

  1074. Link Mauve has left

  1075. Link Mauve has joined

  1076. Link Mauve

    lovetox, in SASL EXTERNAL with client certs (XEP-0257 IIRC), it is said that if the user tries to change their password, they should get an error and then asked for the previous password first.

  1077. lumi has left

  1078. lumi has joined

  1079. Nekit has left

  1080. Ge0rG

    Yes, with a data form

  1081. Link Mauve

    In the non-error part of an error iq. ;_;

  1082. Daniel

    > Yes, with a data form Data forms are definitely in the top five of my favorite forms

  1083. winfried has left

  1084. winfried has joined

  1085. zach has left

  1086. zach has joined

  1087. Link Mauve has left

  1088. Link Mauve has joined

  1089. aj has left

  1090. jubalh has left

  1091. sonny has joined

  1092. LNJ has left

  1093. LNJ has joined

  1094. zach has left

  1095. zach has joined

  1096. derdaniel has joined

  1097. Yagiza has joined

  1098. debacle has left

  1099. larma

    I think auth tokens could be reusing RFC7628 and in general be more OAuth compatible

  1100. larma

    Oh, and XEP-0235

  1101. pep.

    oh, TIL

  1102. winfried has left

  1103. winfried has joined

  1104. winfried has left

  1105. winfried has joined

  1106. winfried has left

  1107. winfried has joined

  1108. Daniel

    oh they gave me three CVE

  1109. derdaniel has left

  1110. zach has left

  1111. zach has joined

  1112. jubalh has joined

  1113. nyco has joined

  1114. Kev

    Maybe it's a special offer on Wednesdays.

  1115. debacle has joined

  1116. mukt2 has left

  1117. mukt2 has joined

  1118. Mikaela has left

  1119. Mikaela has joined

  1120. pdurbin has joined

  1121. zach has left

  1122. zach has joined

  1123. Douglas Terabyte has left

  1124. flow

    can't get enough of that wonderful CVEs

  1125. Zash

    Gotta catch them all!

  1126. nyco_ has joined

  1127. nyco_ has left

  1128. nyco_ has joined

  1129. nyco_ has left

  1130. jubalh has left

  1131. nyco_ has joined

  1132. nyco_ has left

  1133. nyco_ has joined

  1134. nyco_ has left

  1135. Douglas Terabyte has joined

  1136. pdurbin has left

  1137. nyco_ has joined

  1138. nyco_ has left

  1139. patrick has left

  1140. zach has left

  1141. zach has joined

  1142. jubalh has joined

  1143. nyco_ has joined

  1144. nyco_ has left

  1145. adiaholic has left

  1146. Douglas Terabyte has left

  1147. Ge0rG

    They need to motivate the six digit numbers!

  1148. lovetox has left

  1149. Mikaela has left

  1150. Mikaela has joined

  1151. nyco has left

  1152. pep.

    Do you win something if you get there first?

  1153. jcbrand has left

  1154. Douglas Terabyte has joined

  1155. zach has left

  1156. zach has joined

  1157. matkor has left

  1158. matkor has joined

  1159. mukt2 has left

  1160. Link Mauve has left

  1161. winfried has left

  1162. winfried has joined

  1163. winfried has left

  1164. winfried has joined

  1165. marc_ has left

  1166. Yagiza has left

  1167. j.r has left

  1168. j.r has joined

  1169. LNJ has left

  1170. winfried has left

  1171. neshtaxmpp has joined

  1172. winfried has joined

  1173. Tobias has left

  1174. Tobias has joined

  1175. peter has joined

  1176. stpeter has joined

  1177. zach has left

  1178. zach has joined

  1179. Dele (Mobile) has joined

  1180. Dele (Mobile) has left

  1181. pdurbin has joined

  1182. zach has left

  1183. zach has joined

  1184. karoshi has left

  1185. goffi has left

  1186. Nekit has joined

  1187. neshtaxmpp has left

  1188. neshtaxmpp has joined

  1189. dele has joined

  1190. dele has left

  1191. Nekit has left

  1192. pdurbin has left

  1193. jubalh has left

  1194. Dele (Mobile) has joined

  1195. peter has left

  1196. Dele (Mobile) has left

  1197. zach has left

  1198. zach has joined

  1199. mimi89999 has left

  1200. mimi89999 has joined

  1201. mukt2 has joined

  1202. stpeter has left

  1203. neshtaxmpp has left

  1204. xalek has left

  1205. sonny has left

  1206. sonny has joined

  1207. xalek has joined

  1208. mukt2 has left

  1209. alameyo has left

  1210. alameyo has joined

  1211. peter has joined

  1212. stpeter has joined

  1213. murabito has left

  1214. vanitasvitae has left

  1215. vanitasvitae has joined

  1216. wurstsalat has left

  1217. murabito has joined

  1218. zach has left

  1219. zach has joined

  1220. mukt2 has joined

  1221. peter has left

  1222. mukt2 has left

  1223. zach has left

  1224. zach has joined

  1225. stpeter has left

  1226. mukt2 has joined

  1227. debacle has left

  1228. matkor has left

  1229. matkor has joined

  1230. UsL has left

  1231. UsL has joined

  1232. mukt2 has left

  1233. mimi89999 has left

  1234. mimi89999 has joined

  1235. stpeter has joined

  1236. mukt2 has joined