-
flow
MattJ, May I suggest to remove the "Servers MUST NOT include the <stanza-id/> element in messages addressed to JIDs that do not have permissions to access the archive" from xep313. It appears to provide very little, I'd even say nothing because the id-String shouldn't reveal anything, for a lot of complexity in the MAM archive service implementation
-
lovetox
it does reveal something
-
lovetox
on ejabberd for example the exact timestamp of the message
-
MattJ
I think it would have to be tied with a requirement that ids do not leak any info
-
lovetox
yeah and this would be bad
-
MattJ
I'm not sure timestamp counts as a problem
-
MattJ
But if it was combined with a counter it would
-
MattJ
And timestamps are not unique on their own
-
flow
lovetox, well that would violate a MUST from xep359
-
flow
also I am not sure if timestamps are a problem
-
lovetox
it's very useful that ejabberd uses timestamps as messages ✎
-
lovetox
it's very useful that ejabberd uses timestamps as ids ✏
-
lovetox
as it allows to determine an order
-
lovetox
even if impl cannot rely on it because other servers don't do that
-
MattJ
Tell me you don't depend on that :)
-
flow
furthermore, we could at least relax the requirement in xep313, e.g. by making it conditional
-
lovetox
of course i don't, as not all servers do that
-
lovetox
when i remember correctly the only argument against an orderable id was
-
lovetox
clusters may be more complex to implement that
-
flow
but I would simply remove that requirement from xep313, which also would make the xep less complex, which is always good
-
pep.
> MattJ> I think it would have to be tied with a requirement that ids do not leak any info
Isn't that the case already?
-
pep.
For 0359 stuff
-
pep.
Hmm, it says "unique and stable" and recommends UUID..
-
pep.
I think that's good enough
-
lovetox
i see xep 0398 is underspecified
-
lovetox
it says "Upon receiving a vCard publication request with a valid photo attached"
-
lovetox
so no photo element is invalid in this case?
-
lovetox
means every client out there now has to publish empty photo elements in their vcard for avatar conversion to work?
-
lovetox
is this intended? why not just interpret no photo element as <photo/>
-
lovetox
or did the XEP author forget about the "Delete a photo" use case
-
lovetox
and this sentence reflects only setting an avatar other than none
-
lovetox
^ Daniel
-
Daniel
yes the XEP doesn’t cover deletion
-
Daniel
yet
-
flow
pep., see also the security section of xep359
-
pep.
Right, so that's settled then
-
flow
MattJ, xep359 already has that requirement that IDs do not leak info, hence i was surprised to find that section in xep313
-
MattJ
pep.: "unique and stable" is not enough
-
MattJ
We've already seen security issues from far simpler and more obvious problems, it's not enough to say that a sentence in a separate document covers us
-
pep.
MattJ, see what was said above
-
pep.
0359 mandates more than that
-
pep.
- the IDs defined in this extension MUST be unique and stable within the scope of the generating XMPP entity
- Entities observing the value MUST NOT be able to infer any information from it
- The value of 'id' MUST be considered a non-secret value.
-
pep.
(obviously, "MUST NOT be able to infer any information from it" is only practical to some extent, but that wouldn't be an issue for MAM would it)
-
Ge0rG
I suggest to introduce a new stanza element, <mam-id>, that is not leaking any information.
-
Ge0rG
With a "MUST NOT be equal to any of the other id elements or attributes of the message" requirement.
-
MattJ
Can't tell if sarcasm
-
Zash
In https://xmpp.org/extensions/xep-0398.html#presence it's implied but not explicitly stated that the server should leave empty <photo/> elements alone. Why is that? (poke Daniel)
-
Daniel
Iirc to give clients the option to join w/o avatar
-
Daniel
Not that it really makes sense. But I think that was the intention behind it
-
Zash
Some clarification there would be good I think
-
Daniel
Quick update on the IM regulation. I just (accidentally) talked to someone who was on the SPD's (major party in Germany) digital working group thing. And it was her that Katharina Barley asked in 2018 about IM regulation. And she contacted the CCC who was like "mhh we don't really know". And now it's apparently dead because according to her the SPD is not in a functional state right now
-
Daniel
Cc Ge0rG
-
pep.
What was that article then a week ago? :/
-
Daniel
dunno. i mean it did not have any sources. maybe it was old sources
-
Daniel
or just made up
-
pep.
k
-
Daniel
also she asked for my contact information and i wrote down my website and my email address and then she asked for my phone number because she doesn’t write email; and under pressure I couldn’t remember it (why do people think that 10 random numbers are a good ID) - i guess i need a business card
-
pep.
"why do people think that 10 random numbers are a good ID" haha, I agree, and that's not even because of the infamous Zooko.
-
Ge0rG
Daniel: did you take her phone number at least?
-
Daniel
Ge0rG, no. it felt more like a "don’t call us we call you" situation
-
Ge0rG
Daniel: that's a bit sad.
-
Daniel
last time i tried to talk to a politician she offered to take a selfie with me
-
pep.
"PR, PR, PR"?
-
Ge0rG
Daniel: looks like you learned the hard way how modern politics work...
-
fippo
daniel: maybe she wanted the phone number to contact you via signal? :-p