I nominate dwd to be our new department of troll marketing.✎
jonas’
I nominate dwd to be our new department of sarcastic(?) marketing. ✏
Daniel
at least he doesn’t repost the same joke 5 times in a span of a week. scnr :-)
Ge0rG
Daniel: that was mean(ingful)!
moparisthebest
Does anyone have a link documenting the numerous vulns clients had relating to xhtml-im ?
moparisthebest
I was hoping for a mailing list post or wiki page...
dwd
There was Waqas's presentation about a decade back. (Maybe more recent than that, I forget).
Zash
Also, can someone explain to me how Matrix and Mastodon and pretty much everything else gets away with sending actual HTML in JSON but we can't send a sane subset of HTML in XML?
dwd
Single implementation probably helps.
pep.
Because it's better to mix input and wire format, and users do it anyway
Seve
Implementation details should not block standards
Zash
Bring back XHTML-IM!
pep.
Bring back XHTML-IM!
Zash
The cry rings out: XHTML-IM for all!
flow
Bring back XHTML-IM!
Ge0rG
Bring back GC1.0!
Zash
U wut m8?
jonas’
Bring back XHTML-IM!
pep. kicks Ge0rG
jonas’
how about we put this on the next all-member meeting agenda?
jonas’
yes, all-member meetings are a thing ;)
pep.
jonas’, or just council
jonas’
pep., I can predict the answer
pep.
wait for next council?
jonas’
it has to do with XEP-0001 not having a transition from state_of(xep_number("XHTML-IM")) -> {Experimental,Draft,Final}
pep.
Yeah I was wondering about that
jonas’
so it’d defer to Board
jonas’
since Board owns XEP-0001
pep.
That's a more generic question then
pep.
Not just 0071
Ge0rG
then Board may or may not define such a state transition and defer back to Council
jonas’
pep., although somebody floated the idea of re-defining XHTML-IM from scratch anyways
jonas’
which I support, actually
pep.
I could get along with that I guess
jonas’
with more clearly-defined use-case profiles
jonas’
and without @style
Ge0rG
Yes.
dwd
If someone can show that HTML within messages has a solution, I'm all for it. But last time we were here, it seemed that every implementation had suffered serious security problems.
pep.
Should we call it xhtml-im2
pep.
This time it's for real
dwd
FWIW, if there were some solution that meant we should shift around PWAs in messages that'd be awesome.
Ge0rG
dwd: modern web applications can be made secure with a global switch instead of having to sanitize every individual string, AFAICT
jonas’
dwd, I’ve been back and forth on this, and I think some standards simply require a basic level of intelligence, and if you cannot read Security Considerations, you maybe should not implement standards. or anything.
Zash
dwd, my observation is that any alternative will be equally terrible.
jonas’
dwd, PWA?
dwd
jonas’, A single-page web app.
dwd
jonas’, I mean, if we could safely ship around CSS and Javascript, that'd be amazingly amazing.
Zash
Not Progressive Web App?
jonas’
dwd, would it be?
jonas’
dwd, I think that sounds terrible ;)
Ge0rG
I thought those are SPAs
jonas’
but I hate the current web, so...
dwd
jonas’, Sure. Apps in messages, what's not to like?
jonas’
dwd, everything?
Zash
dwd, I hate everything about that
MattJ
waqas created a sanitizer for xhtml-im, it works... what else is there to debate?
jonas’
MattJ, does it sanitize @style?
Zash
`tag.attr.style = nil`
Ge0rG
MattJ: is it written in JavaScript that can be bundled within an XHTML-IM message?
Zash
A Message Web App that sanitizes itself?
dwd
Zash, It'd sanitize the messages it sent to other people. I detect a flaw here.
MattJ
jonas’, it does
Ge0rG
dwd: you encountered sarcasm.
MattJ
Can't we just define a flag that clients need to send if their xhtml-im payload is malicious?
MattJ
Lighter than including a full sanitizer with every message
pep.
that ^
MattJ
Oh wait, XEP-0076
pep.
woo, we already have all the tools
Ge0rG
MattJ: but it's using an insecure xmlns :(
dwd
MattJ, Needs to be updated in line with XEP-0419.
Seve
Nice, solutions right away
pep.
Ge0rG, btw, you should push for 419 to go draft, there's already an implementation!!
Ge0rG
pep.: which one?
pep.
poezio's rot13 and b64 plugins
Ge0rG
pep.: but 419 is for XEPs, not for .py's
pep.
:(
dwd
pep., Is it doing whole stanza encryption (example 1)?
pep.
dwd, no but it should indeed
Ge0rG
dwd: I still think full-stanza-encryption would've been much funnier with rot13.
dwd
pep., Sorry, not Example 1, Example 2. I ask because most implementations seem to be mistakenly doing Example 3.
pep.
right
dwd
Ge0rG, Really? I rather enjoyed the deadpan comparison between the examples.
Ge0rG
dwd: must be an instance of British Humour, then
dwd
I note that XEP-0419 is the latest e2e encryption method in XMPP, too.
Ge0rG
latest and greatest.
Ge0rG
I wonder if people will appreciate if I announce that yaxim has had it from day 0.
Ge0rG
now that I think of it, yaxim implements it for ten years already.
Ge0rG
I just didn't have the feature namespace.
moparisthebest
Seve: so can we just have a xep that says "execute this binary code as x86 instructions, but just the safe parts" ? If implementation details shouldn't block standards that is >:)
larma
moparisthebest, I think the cool guys use webassembly for this nowadays
Seve
moparisthebest, I just thing we should go as fast as the smartest in class, not the dumbest.✎
Seve
moparisthebest, I just think we should go as fast as the smartest in class, not the dumbest. ✏
moparisthebest
Sure, we can all use one client and server and not even bother writing standards
moparisthebest
That is easiest and fastest
jonas’
moparisthebest, that’s not the same thing
jonas’
and you’re being needlessly hyperbolic
Ge0rG
is it possible to add a line break inside a <td> in XEPs?
Ge0rG
jonas’: I've got https://github.com/xsf/xeps/pull/841 but I'm most probably not ready yet and I would like to have one history/revision block for all that's different from CS-2019
Zash
Ge0rG: That description seems a bit redundant, don't you think?
Ge0rG
Zash: I didn't want to leave it empty
moparisthebest
Seve, jonas’ , yea sorry, mainly just pointing out that while I agree in principle that xeps shouldn't depend on implementations, if in practice 100% of implementations have security problems, that's probably a root issue that needs to be solved/defined/something by the xep
moparisthebest
other people have worded that way better in the past so just ignore me :)
Ge0rG
better specs help.
moparisthebest
I think it's possible to have a "secure" spec that, in practice, is impossible to implement securely, which I'd then argue is a bad spec
Ge0rG
moparisthebest: which XHTML-IM is a prime example of
Zash
Is it impossible?
jonas’
I think waqas proved the opposite.
Zash
Isn't it just that it's too convenient to do the wrong thing
jonas’
and once you drop @style, I’d say it’s very trivially possible to implement securely
jonas’
what Zash says
Zash
Which 393 for example doesn't help with
moparisthebest
are you going to write your own HTML/CSS engine, or fork chrome/firefox's and try to disable javascript but still keep up on other security issues, or ?
Zash
"Oh this looks like Markdown, I'll just take this markdown library and forgot to disable HTML pass through"
moparisthebest
yes, in theory those things are possible, in practice, no one is going to do them
Zash
No one is going to do what?
jonas’
moparisthebest, bugs in the rendering engine are not in scope for XMPP software, unless XMPP software writes their own engine.
jonas’
why would you fork a rendering engine for this?
jonas’
why would you write your own?
jonas’
both don’t make sense
Ge0rG
Just bundle an old version of Electron with your chat app
jonas’
both Qt and Gtk support a subset of HTML in any widget (which surprisingly is a superset of what XHTML-IM), so they’re covered. If you’re using a web browser (natively or via widget) to render/execute your app, you have a rendering engine right there.
jonas’
you just need to do the fing sanitisation, which is fing trivial if we omit @style for a second
Zash
jonas’, and @on*
jonas’
just have a whitelist of elements, and everything which isn’t that is replaced by its children.
jonas’
Zash, those are forbidden anyways
jonas’
in XHTML-IM
Zash
whitelist elements and attributes (@style excluded)
jonas’
s/elements/elements and attributes/
jonas’
yes
jonas’
it’s not hard in any way
jonas’
it’s written in the security considerations (more clearly than it was back then, admittedly)
jonas’
if you can’t read security considerations, maybe you shouldn’t be implementing standards
jonas’
if you can’t comprehend the security considerations of a specific standard, get help and get the standard clarified
jonas’
Ge0rG, any reason you make that a PR?
jonas’
Ge0rG, mark it WIP in the title at least
Zash
jonas’, you don't happen to have a nice short rationale for why @style needs to gtfo?
jonas’
Zash, requires an extra parser
jonas’
aside from that, allows stuff which probably only works on your machine
jonas’
(colors and things)
moparisthebest
jonas’, that's the theory, in practice, a developer reads a much simpler spec like 393, writes a few regexes, gives up and just passes it to a markdown processor
moparisthebest
(this just happened earlier today, hence my question)
jonas’
moparisthebest, oh, so exactly the thing happened everyone said it would?
Zash
It also almost happened in Converse.js
moparisthebest
yes and also we brought up all this as soon as he suggested the markdown processor, so it hasn't *actually* happened yet, but it would have
jonas’
moparisthebest, can’t blame them, XEP-0393 doesn’t mention that as a problem
moparisthebest
I was trying to find links about why this was a terrible idea
larma
so how about we all just implement 394?
Ge0rG
jonas’: I made it a PR because I wanted to discuss the content changes in Council tomorrow
jonas’
Ge0rG, you can do that in your own fork instead
jonas’
larma, I’d like to burn XEP-0394
Ge0rG
jonas’: good point
larma
jonas’, why? IMO it's superior to 393, it just has the flaw that it doesn't work well with legacy fallbacks (because you can't hide any chars that are only for fallback)
jonas’
larma, but it’s not superior to XEP-0071
jonas’
(or a slightly saner redefinition of XEP-0071)
larma
Well, it only has a subset of the features, but also is less likely to accidentally use a HTML rendering engine
jonas’
I’m pretty sure it’s also harder to implement, and will be fun especially in memory-unsafe languages with all that string slicing involved.
larma
If I'd want to do it right, as a client developer I would probably convert all 3 versions into some data structure that is approximately 394
larma
Then I can convert that into any format required for my rendering engine
jonas’
except that you’d normally mix the text with that data structure
jonas’
not like '394 does
moparisthebest
so if I'm understanding this correctly, there is a scale of difficulty-to-implement vs security-of-implementation, ranging from so hard to implement no one will bother, making it secure, all the way to so easy to implement wrongly everyone implements it but it's totally insecure
moparisthebest
something like that
larma
jonas’, do you? HTML does, but other might not. It's actually a bad idea because it creates the requirement of escaping the actual text to ensure it's not considered markup
jonas’
larma, only if your data structure is a string
moparisthebest
394 makes you write your own parser and rendering engine, no one does it, xhtml-im is easiest to implement by just slapping it into a DOM, everyone does it, is insecure
jonas’
which I’d consider a terrible idea to start with :)
jonas’
moparisthebest, nobody forces you to write a rendering engine for '394
jonas’
moparisthebest, you can convert '394 to Qt text styles, to Gtk whatevers, and to HTML
but you have to write your own parser, and perhaps harder, "reverse parser"
jonas’
it’s just a painful thing to do
jonas’
yeah
moparisthebest
how do you get from input format to 394
jonas’
moparisthebest, if you’re using Qt or Gtk, you can probably more or less directly convert the respective datastructures to '394
jonas’
(the QTextDocument stuff for example)
jonas’
from HTML, it’s a bit trickier, but also possible.
larma
- 71 is not directly compatible with many non-complex renderers. Input needs to be sanitized before being used in complex renderers.
- 393 is not directly compatible with any markdown parser known to me, even though some might choose to use an incompatible markdown parser to implement it. If a markdown parser is used to generate HTML, same issue as with 71 might come up.
- 394 can be sanitized rather easily (check there is no overlap) and then can be used securely and without tons of efforts in most environments including HTML renderers
larma
I think implementing 394 securely in a browser might actually be easier than implementing 71 securely in a browser, where browsers should be *the* example of allowing easy implementation of 71...
jonas’
larma, '71 is directly compatible with GTK and Qt, without the need for sanitisation (if you ignore @style).
jonas’
or do you consider those "complex"?
jonas’
otherwise, which other non-complex renderers are there?
larma
jonas’, it's not. Pango markup used by GTK only supports very few tags and actually uses CSS-like style for most stuff
It also doesn't do blockquote or body or img or any of the enumerations (it doesn't support such at all, as it's a text markup only thing). The "correct" way to use it is <span>s
jonas’
pity
jonas’
not great for accessibility either
larma
how is it related to accessibility?
jonas’
larma, <em/> for example to mark up emphasis
jonas’
enumerations and stuff, blockquotes
jonas’
all that’s relevant to screenreaders
larma
I don't think GTK wants you to provide screenreader annotations through display/styling markup
jonas’
how else does it work with Gtk then?
jonas’
seems odd to me to have that redundant
larma
Well Pango is a text rendering engine, it does only that single job of using font data and input text to generate an image. You also use it when drawing text on images, so it makes little sense to have accessibility markup at that point
jonas’
yeah, I was talking about Gtk for a reason and am looking at GtkTextBuffer instead
jonas’
(and GtkTextView)
jonas’
using plain pango to render text is bound to be a PITA
jonas’
BTGNT
larma
Dino uses GtkLabel which only supports pango markup for all message rendering 😉
jonas’
that won’t be enough for stuff like blockquote anyways
jonas’
I’m also not sure how you’d mark up a GtkLabel itself for screenreaders to understand what’s going on
larma
I think you do all this stuff with ATK, but haven't tried yet
larma
Also doing screen readers right for IM is probably not easy and won't work out of the box no matter which toolkit...
jonas’
very true
moparisthebest
nice to see there are 0 open source XMPP mac apps but a ton of matrix/telegram/other ones :'( https://github.com/serhii-londar/open-source-mac-os-apps#chat
pep.
Most of these are electron apps no?
pep.
Does padé not work there?
moparisthebest
no idea, was just pointing out that someone seeing this list doesn't even see xmpp listed at all
moparisthebest
I know Monal for instance should be there, probably gajim ? what about dino? surely there are a TON of open source XMPP apps that run on MacOS
pep.
Go PR! :)
pep.
Is there a list of list page on the wiki or sth?
pep.
That needs to be updated every so often
moparisthebest
probably most of the command line clients work on mac too right?
moparisthebest
I'll friggin put in a PR adding 50 XMPP clients that run on mac if I can find them :D
got to learn some jq today, I'll put in the PR later... gotta figure out what language they are each written in manually, guess that's important for mac users somehow?
Zash
Myeah, I'm not sure what's up with that.
Zash
Maybe it's aimed at developers?
moparisthebest
good news is we have 24 different macOS clients though
lskdjf
moparisthebest, I hope you don't want to try and add all of those clients to that "awesome" repo, though. Abandoned clients probably don't shed a good light on XMPP. Maybe pick the most reasonable 2/3 instead.
Ge0rG
Maybe pick the only one that's a Mac app.
Zash
How's the Tigase one, Beagle?
moparisthebest
lskdjf: why not? It has telegram clients marked abandoned too
lskdjf
moparisthebest, I already gave my reasoning: because bothering people with bad clients sheds a bad light on xmpp. Something is not good just because telegram people do it.
moparisthebest
I don't have a Mac and no way to pick the best couple
lskdjf
then maybe you are either not the best person to do the PR or need more information first 🤷️
moparisthebest
Well no one else seems interested in doing it
moparisthebest
Besides that list is like "all open source Mac software" not just good ones
Zash
moparisthebest: Make an "Awesome XMPP clients" list and get it into the Awesome hierarchical directory that's totally not like early Yahoo! at all.
Zash
There was some XMPP stuff under "ChatOps" but I didn't look further
moparisthebest
I was thinking about making an awesome awesome list of all the awesome lists
Zash
That exists already
lskdjf
too late, that already exists https://github.com/sindresorhus/awesome
moparisthebest
Damnit, just like all my good ideas
pep.
We're not listed in Decentralized!!1 Mastodon is!
lskdjf
pep., no the awesome list about mastodon is :p we first need an "awesome xmpp" list 🙂
Zash
pep.: There are only 2 XMPP services¹
¹ according to https://the-federation.info/✎
Zash
pep.: There are only 3 XMPP services¹
¹ according to https://the-federation.info/ ✏
pep.
Yeah.. I know that one..
Zash
Wanna help with my WIP mod_nodeinfo2.lua?
pep.
I want to help with lots of things. Now how do I prioritize all that
Zash
"Awesome TODO"
pep.
:D
Link Mauve
“15:38:27 flow> Link Mauve, +1, is the list public somewhere? Maybe even in the wiki?”, only on a WIP branch from years ago, which will need a namespace bump: https://github.com/linkmauve/xeps/tree/xep-0234