jonas’: I nominate dwd to be our new department of troll marketing. ✎
jonas’: I nominate dwd to be our new department of sarcastic(?) marketing. ✏
Daniel: at least he doesn’t repost the same joke 5 times in a span of a week. scnr :-)
Ge0rG: Daniel: that was mean(ingful)!
moparisthebest: Does anyone have a link documenting the numerous vulns clients had relating to xhtml-im?
moparisthebest: I was hoping for a mailing list post or wiki page...
dwd: There was Waqas's presentation about a decade back. (Maybe more recent than that, I forget).
Zash: Also, can someone explain to me how Matrix and Mastodon and pretty much everything else gets away with sending actual HTML in JSON but we can't send a sane subset of HTML in XML?
dwd: Single implementation probably helps.
pep.: Because it's better to mix input and wire format, and users do it anyway
Seve: Implementation details should not block standards
Zash: Bring back XHTML-IM!
pep.: Bring back XHTML-IM!
Zash: Let the cries ring out, XHTML-IM for all!
flow: Bring back XHTML-IM!
Ge0rG: Bring back GC1.0!
Zash: U wut m8?
jonas’: Bring back XHTML-IM!
pep. kicks Ge0rG
jonas’: how about we put this on the next all-member meeting agenda?
jonas’: yes, all-member meetings are a thing ;)
pep.: jonas’, or just council
jonas’: pep., I can predict the answer
pep.: wait for next council?
jonas’: it has to do with XEP-0001 not having a transition from state_of(xep_number("XHTML-IM")) -> {Experimental,Draft,Final}
pep.: Yeah I was wondering about that
jonas’: so it’d defer to Board
jonas’: since Board owns XEP-0001
pep.: That's a more generic question then
pep.: Not just 0071
Ge0rG: then Board may or may not define such a state transition and defer back to Council
jonas’: pep., although somebody floated the idea of re-defining XHTML-IM from scratch anyways
jonas’: which I support, actually
pep.: I could get along with that I guess
jonas’: with more clearly-defined use-case profiles
jonas’: and without @style
Ge0rG: Yes.
dwd: If someone can show that HTML within messages has a solution, I'm all for it. But last time we were here, it seemed that every implementation had suffered serious security problems.
pep.: Should we call it xhtml-im2
pep.: This time it's for real
dwd: FWIW, if there were some solution that meant we should shift around PWAs in messages that'd be awesome.
Ge0rG: dwd: modern web applications can be made secure with a global switch instead of having to sanitize every individual string, AFAICT
jonas’: dwd, I’ve been back and forth on this, and I think some standards simply require a basic level of intelligence, and if you cannot read Security Considerations, you maybe should not implement standards. or anything.
Zash: dwd, my observation is that any alternative will be equally terrible.
jonas’: dwd, PWA?
dwd: jonas’, A single-page web app.
dwd: jonas’, I mean, if we could safely ship around CSS and Javascript, that'd be amazingly amazing.
Zash: Not Progressive Web App?
jonas’: dwd, would it be?
jonas’: dwd, I think that sounds terrible ;)
Ge0rG: I thought those are SPAs
jonas’: but I hate the current web, so...
dwd: jonas’, Sure. Apps in messages, what's not to like?
jonas’: dwd, everything?
Zash: dwd, I hate everything about that
MattJ: waqas created a sanitizer for xhtml-im, it works... what else is there to debate?
jonas’: MattJ, does it sanitize @style?
Zash: `tag.attr.style = nil`
Ge0rG: MattJ: is it written in JavaScript that can be bundled within an XHTML-IM message?
Zash: A Message Web App that sanitizes itself?
dwd: Zash, It'd sanitize the messages it sent to other people. I detect a flaw here.
MattJ: jonas’, it does
Ge0rG: dwd: you encountered sarcasm.
MattJ: Can't we just define a flag that clients need to send if their xhtml-im payload is malicious?
MattJ: Lighter than including a full sanitizer with every message
pep.: that ^
MattJ: Oh wait, XEP-0076
pep.: woo, we already have all the tools
Ge0rG: MattJ: but it's using an insecure xmlns :(
dwd: MattJ, Needs to be updated in line with XEP-0419.
Seve: Nice, solutions right away
pep.: Ge0rG, btw, you should push for 419 to go draft, there's already an implementation!!
Ge0rG: pep.: which one?
pep.: poezio's rot13 and b64 plugins
Ge0rG: pep.: but 419 is for XEPs, not for .py's
pep.: :(
dwd: pep., Is it doing whole stanza encryption (example 1)?
pep.: dwd, no but it should indeed
Ge0rG: dwd: I still think full-stanza-encryption would've been much funnier with rot13.
dwd: pep., Sorry, not Example 1, Example 2. I ask because most implementations seem to be mistakenly doing Example 3.
pep.: right
dwd: Ge0rG, Really? I rather enjoyed the deadpan comparison between the examples.
Ge0rG: dwd: must be an instance of British Humour, then
dwd: I note that XEP-0419 is the latest e2e encryption method in XMPP, too.
Ge0rG: latest and greatest.
Ge0rG: I wonder if people will appreciate if I announce that yaxim has had it from day 0.
Ge0rG: now that I think of it, yaxim implements it for ten years already.
Ge0rG: I just didn't have the feature namespace.
moparisthebest: Seve: so can we just have a xep that says "execute this binary code as x86 instructions, but just the safe parts" ? If implementation details shouldn't block standards that is >:)
larma: moparisthebest, I think the cool guys use webassembly for this nowadays
Seve: moparisthebest, I just thing we should go as fast as the smartest in class, not the dumbest. ✎
Seve: moparisthebest, I just think we should go as fast as the smartest in class, not the dumbest. ✏
moparisthebest: Sure, we can all use one client and server and not even bother writing standards
moparisthebest: That is easiest and fastest
jonas’: moparisthebest, that’s not the same thing
jonas’: and you’re being needlessly hyperbolic
Ge0rG: is it possible to add a line break inside a <td> in XEPs?
Ge0rG: jonas’: I've got https://github.com/xsf/xeps/pull/841 but I'm most probably not ready yet and I would like to have one history/revision block for all that's different from CS-2019
Zash: Ge0rG: That description seems a bit redundant, don't you think?
Ge0rG: Zash: I didn't want to leave it empty
moparisthebest: Seve, jonas’, yea sorry, mainly just pointing out that while I agree in principle that xeps shouldn't depend on implementations, if in practice 100% of implementations have security problems, that's probably a root issue that needs to be solved/defined/something by the xep
moparisthebest: other people have worded that way better in the past so just ignore me :)
Ge0rG: better specs help.
moparisthebest: I think it's possible to have a "secure" spec that, in practice, is impossible to implement securely, which I'd then argue is a bad spec
Ge0rG: moparisthebest: which XHTML-IM is a prime example of
Zash: Is it impossible?
jonas’: I think waqas proved the opposite.
Zash: Isn't it just that it's too convenient to do the wrong thing
jonas’: and once you drop @style, I’d say it’s very trivially possible to implement securely
jonas’: what Zash says
Zash: Which 393 for example doesn't help with
moparisthebest: are you going to write your own HTML/CSS engine, or fork chrome/firefox's and try to disable javascript but still keep up on other security issues, or ?
Zash: "Oh this looks like Markdown, I'll just take this markdown library and forgot to disable HTML pass through"
moparisthebest: yes, in theory those things are possible, in practice, no one is going to do them
Zash: No one is going to do what?
jonas’: moparisthebest, bugs in the rendering engine are not in scope for XMPP software, unless XMPP software writes their own engine.
jonas’: why would you fork a rendering engine for this?
jonas’: why would you write your own?
jonas’: both don’t make sense
Ge0rG: Just bundle an old version of Electron with your chat app
jonas’: both Qt and Gtk support a subset of HTML in any widget (which surprisingly is a superset of what XHTML-IM), so they’re covered. If you’re using a web browser (natively or via widget) to render/execute your app, you have a rendering engine right there.
jonas’: you just need to do the fing sanitisation, which is fing trivial if we omit @style for a second
Zash: jonas’, and @on*
jonas’: just have a whitelist of elements, and everything which isn’t that is replaced by its children.
jonas’: Zash, those are forbidden anyways
jonas’: in XHTML-IM
Zash: whitelist elements and attributes (@style excluded)
jonas’: s/elements/elements and attributes/
jonas’: yes
jonas’: it’s not hard in any way
jonas’: it’s written in the security considerations (more clearly than it was back then, admittedly)
jonas’: if you can’t read security considerations, maybe you shouldn’t be implementing standards
jonas’: if you can’t comprehend the security considerations of a specific standard, get help and get the standard clarified
jonas’: Ge0rG, any reason you make that a PR?
jonas’: Ge0rG, mark it WIP in the title at least
Zash: jonas’, you don't happen to have a nice short rationale for why @style needs to gtfo?
jonas’: Zash, requires an extra parser
jonas’: aside from that, allows stuff which probably only works on your machine
jonas’: (colors and things)
moparisthebest: jonas’, that's the theory, in practice, a developer reads a much simpler spec like 393, writes a few regexes, gives up and just passes it to a markdown processor
moparisthebest: (this just happened earlier today, hence my question)
jonas’: moparisthebest, oh, so exactly the thing happened everyone said it would?
Zash: It also almost happened in Converse.js
moparisthebest: yes and also we brought up all this as soon as he suggested the markdown processor, so it hasn't *actually* happened yet, but it would have
jonas’: moparisthebest, can’t blame them, XEP-0393 doesn’t mention that as a problem
moparisthebest: I was trying to find links about why this was a terrible idea
larma: so how about we all just implement 394?
Ge0rG: jonas’: I made it a PR because I wanted to discuss the content changes in Council tomorrow
jonas’: Ge0rG, you can do that in your own fork instead
jonas’: larma, I’d like to burn XEP-0394
Ge0rG: jonas’: good point
larma: jonas’, why? IMO it's superior to 393, it just has the flaw that it doesn't work well with legacy fallbacks (because you can't hide any chars that are only for fallback)
jonas’: larma, but it’s not superior to XEP-0071
jonas’: (or a slightly saner redefinition of XEP-0071)
larma: Well, it only has a subset of the features, but also is less likely to be accidentally use a HTML rendering engine
jonas’: I’m pretty sure it’s also harder to implement, and will be fun especially in memory-unsafe languages with all that string slicing involved.
larma: If I'd want to do it right, as a client developer I would probably convert all 3 versions into some data structure that is approximately 394
larma: Then I can convert that into any format required for my rendering engine
jonas’: except that you’d normally mix the text with that data structure
jonas’: not like '394 does
moparisthebest: so if I'm understanding this correctly, there is a scale of difficulty-to-implement vs security-of-implementation, ranging from so hard to implement no one will bother, making it secure, all the way to so easy to implement wrongly everyone implements it but it's totally insecure
moparisthebest: something like that
larma: jonas’, do you? HTML does, but other might not. It's actually a bad idea because it creates the requirement of escaping the actual text to ensure it's not considered markup
jonas’: larma, only if your data structure is a string
moparisthebest: 394 makes you write your own parser and rendering engine, no one does it, xhtml-im is easiest to implement by just slapping it into a DOM, everyone does it, is insecure
jonas’: which I’d consider a terrible idea to start with :)
jonas’: moparisthebest, nobody forces you to write a rendering engine for '394
jonas’: moparisthebest, you can convert '394 to Qt text styles, to Gtk whatevers, and to HTML
moparisthebest: but you have to write your own parser, and perhaps harder, "reverse parser"
jonas’: it’s just a painful thing to do
jonas’: yeah
moparisthebest: how do you get from input format to 394
jonas’: moparisthebest, if you’re using Qt or Gtk, you can probably more or less directly convert the respective datastructures to '394
jonas’: (the QTextDocument stuff for example)
jonas’: from HTML, it’s a bit trickier, but also possible.
larma:
- 71 is not directly compatible with many non-complex renderers. Input needs to be sanitized before being used in complex renderers.
- 393 is not directly compatible with any markdown parser known to me, even though some might choose to use an incompatible markdown parser to implement it. If a markdown parser is used to generate HTML, same issue as with 71 might come up.
- 394 can be sanitized rather easily (check there is no overlap) and then can be used securely and without tons of effort in most environments including HTML renderers
larma: I think implementing 394 securely in a browser might actually be easier than implementing 71 securely in a browser, where browsers should be *the* example of allowing easy implementation of 71...
jonas’: larma, '71 is directly compatible with GTK and Qt, without the need for sanitisation (if you ignore @style).
jonas’: or do you consider those "complex"?
jonas’: otherwise, which other non-complex renderers are there?
larma: jonas’, it's not. Pango markup used by GTK only supports very few tags and actually uses CSS-like style for most stuff
larma: It also doesn't do blockquote or body or img or any of the enumerations (it doesn't support such at all, as it's a text markup only thing). The "correct" way to use it is <span>s
jonas’: pity
jonas’: not great for accessibility either
larma: how is it related to accessibility?
jonas’: larma, <em/> for example to mark up emphasis
jonas’: enumerations and stuff, blockquotes
jonas’: all that’s relevant to screenreaders
larma: I don't think GTK wants you to provide screenreader annotations through display/styling markup
jonas’: how else does it work with Gtk then?
jonas’: seems odd to me to have that redundant
larma: Well Pango is a text rendering engine, it does only that single job of using font data and input text to generate an image. You also use it when drawing text on images, so it makes little sense to have accessibility markup at that point
jonas’: yeah, I was talking about Gtk for a reason and am looking at GtkTextBuffer instead
jonas’: (and GtkTextView)
jonas’: using plain pango to render text is bound to be a PITA
jonas’: BTGNT
larma: Dino uses GtkLabel which only supports pango markup for all message rendering 😉
jonas’: that won’t be enough for stuff like blockquote anyways
jonas’: I’m also not sure how you’d mark up a GtkLabel itself for screenreaders to understand what’s going on
larma: I think you do all this stuff with ATK, but haven't tried yet
larma: Also doing screen readers right for IM is probably not easy and won't work out of the box no matter which toolkit...
jonas’: very true
moparisthebest: nice to see there are 0 open source XMPP mac apps but a ton of matrix/telegram/other ones :'( https://github.com/serhii-londar/open-source-mac-os-apps#chat
pep.: Most of these are electron apps no?
pep.: Does padé not work there?
moparisthebest: no idea, was just pointing out that someone seeing this list doesn't even see xmpp listed at all
moparisthebest: I know Monal for instance should be there, probably gajim ? what about dino? surely there are a TON of open source XMPP apps that run on MacOS
pep.: Go PR! :)
pep.: Is there a list of list page on the wiki or sth?
pep.: That needs to be updated every so often
moparisthebest: probably most of the command line clients work on mac too right?
moparisthebest: I'll friggin put in a PR adding 50 XMPP clients that run on mac if I can find them :D
moparisthebest: got to learn some jq today, I'll put in the PR later... gotta figure out what language they are each written in manually, guess that's important for mac users somehow?
Zash: Myeah, I'm not sure what's up with that.
Zash: Maybe it's aimed at developers?
moparisthebest: good news is we have 24 different macOS clients though
lskdjf: moparisthebest, I hope you don't want to try and add all of those clients to that "awesome" repo, though. Abandoned clients probably don't shed a good light on XMPP. Maybe pick the most reasonable 2/3 instead.
Ge0rG: Maybe pick the only one that's a Mac app.
Zash: How's the Tigase one, Beagle?
moparisthebest: lskdjf: why not? It has telegram clients marked abandoned too
lskdjf: moparisthebest, I already gave my reasoning: because bothering people with bad clients sheds a bad light on xmpp. Something is not good just because telegram people do it.
moparisthebest: I don't have a Mac and no way to pick the best couple
lskdjf: then maybe you are either not the best person to do the PR or need more information first 🤷️
moparisthebest: Well no one else seems interested in doing it
moparisthebest: Besides that list is like "all open source Mac software" not just good ones
Zash: moparisthebest: Make an "Awesome XMPP clients" list and get it into the Awesome hierarchical directory that's totally not like early Yahoo! at all.
Zash: There was some XMPP stuff under "ChatOps" but I didn't look further
moparisthebest: I was thinking about making an awesome awesome list of all the awesome lists
Zash: That exists already
lskdjf: too late, that already exists https://github.com/sindresorhus/awesome
moparisthebest: Damnit, just like all my good ideas
pep.: We're not listed in Decentralized!!1 Mastodon is!
lskdjf: pep., no the awesome list about mastodon is :p we first need an "awesome xmpp" list 🙂
Zash: pep.: There are only 2 XMPP services¹
¹ according to https://the-federation.info/ ✎
Zash: pep.: There are only 3 XMPP services¹
¹ according to https://the-federation.info/ ✏
pep.: Yeah.. I know that one..
Zash: Wanna help with my WIP mod_nodeinfo2.lua?
pep.: I want to help with lots of things. Now how do I prioritize all that
Zash: "Awesome TODO"
pep.: :D
Link Mauve: “15:38:27 flow> Link Mauve, +1, is the list public somewhere? Maybe even in the wiki?”, only on a WIP branch from years ago, which will need a namespace bump: https://github.com/linkmauve/xeps/tree/xep-0234