-
pep.
Thanks for the meeting/minutes. As I mentioned on the non-public board list, I was at the protests in France :)
-
edhelas
:)
-
edhelas
Movim 0.16.1 released https://nl.movim.eu/?node/pubsub.movim.eu/Movim/cdfc0a4c-3459-4d3b-8c15-08994810d54e
-
Guus
congrats!
-
Guus
out of personal interest: does that now work with the latest Openfire? iirc, we've fixed the issues that caused interop problems
-
Zash
Do we have all the server devs in one of the channelrooMUCs?
-
edhelas
Guus, didn't try with Openfire recently
-
Guus
Zash this one?
-
Guus
jdev?
-
Zash
Guus, Holger, other server devs: We Prosody devs have been thinking about phasing out Dialback, for reasons written down in https://issues.prosody.im/1471 Thoughts?
-
Zash
(Metarelated: We need that Hats XEP implemented)
-
Guus
I was going to show you how bad of an idea that was, because over half of my s2s connections use dialback - only to find out that hardly any do.
-
Guus
Still, I'd not be a fan, as it'd break backwards compatibility. I'm constantly talking to people that are running server versions that are pretty old.
-
Guus
(even those _could_ also do certificate based auth, etc, etc)
-
Zash
I was going to ask why the only Dialback connections I have are to jabber.org, dwd and an openfire
-
Guus
Why is Openfire's (I'm assuming xmpp.igniterealtime.org) using Dialback? It has valid certs.
-
Zash
Why is it not offering me SASL EXTERNAL? I have valid certs?
-
Guus
we're running something alpha - buggydibugbug?
-
Guus
also, we're currently rewriting all of the s2s code...
-
Guus
(not doing dialback would actually save us a lot of time...)
-
Zash
In theory having multiplexing would be very nice, but in practice I've never seen that be used, except for that one time dwd tried and found a bug in Prosody.
-
Zash
So I've been leaning towards deploying XEP-0288 - Bidi instead and being happy enough with that.
-
Holger
> I'd not be a fan, as it'd break backwards compatibility.
Same here.
-
Holger
I think Tigase still doesn't support SASL EXTERNAL at all, for example. (Not entirely sure though.)
-
Zash
Are any of the Tigase folks here or in jdev@?
-
jonas’
fun question: those hosts which can only do dialback, what TLS version can they do?
-
jonas’
is it likely that they will become unreachable "soon" either way because libssl drops support for that version?
-
Guus
I don't think we should remove support for people that for one reason or another don't want or can't set up certificates. Dialback offers better security than no security.
-
Guus
I can think of deployments that are deliberately not internet-facing, or have other reasons to not want to depend on Let's Encrypt
-
Guus
Also, everyone having valid certificates very much is an effect of one single organisation providing a service, I think. What happens if, for whatever reason, Let's Encrypt stops doing their thing (or stops being trustworthy)?
-
Guus
Their certificates are only valid for 3 months - having dialback as a fallback to a service that pretty much hinges on one organisation isn't the worst of ideas, maybe.
-
Zash
I'm not a fan of this single point of failure either
-
Zash
However it is the current reality
-
Guus
would making it easier to disable dialback be a compromise to be considered?
-
Zash
I did word it as "phase out", meaning not instant.
-
Guus
security-minded setups can then disable it, while others might opt to choose interop over security. It boils down to that question, right?
-
Zash
Yeah
-
Zash
FWIW it's pretty easy in Prosody already, just comment out that module.
-
Guus
Sure, not saying it wasn't
-
Zash
No idea about other servers, but if it's not easy then making it easy seems like a good idea.
-
Guus
Having given this 5 minutes of thought, I'd not be a fan of phasing out Dialback though.
-
Maranda
> Guus, Holger, other server devs: We Prosody devs have been thinking about phasing out Dialback, for reasons written down in https://issues.prosody.im/1471
> Thoughts?
> (Metarelated: We need that Hats XEP implemented)
Agreed with Guus, phasing out DB is a horrible idea; I already expressed my opinion on it more than once
-
Guus
I think it's good to discuss these things though. Thanks!
-
Guus
Maranda : I never said it was a horrible idea.
-
!XSF_Martin
Zash: Didn't you recently talk about disabling dialback in prosody?
-
Maranda
Plenty of cisco jabber deployments only do DB for example
-
Zash
!XSF_Martin: Yes.
-
Maranda
And not sasl external
-
Maranda
> Same here.
> I think Tigase still doesn't support SASL EXTERNAL at all, for example. (Not entirely sure though.)
I'm not sure if it doesn't support it; for sure I've never seen any deployment I know of using it with my server
-
Guus
fwiw: https://issues.igniterealtime.org/browse/OF-1940
-
Maranda
Also I never agreed about most of the security concerns on DB nowadays, very few implementations don't do STARTTLS before DB (Metronome does bump servers that do that for example)
-
Maranda
And the rogue issuing of certificates by LE just introduces more security concerns, so I'm not sure what you expect to achieve here besides breaking interoperability
-
MattJ
Backwards compatibility: meh
Let's Encrypt: it's still not the world's only CA by far
Closed setups: don't care about s2s, or can run their own CA or enable dialback
-
Daniel
Where is memberbot again?
-
Daniel
The source code I mean
-
Daniel
I finally want to do a lower case and a trim around the response parsing
-
Daniel
The fact that it doesn't accept 'Yes ' is super annoying
-
Maranda
MattJ: I'm not the one who mentioned LE as solution for a free certificate to feed to SASL external to begin with
-
Wojtek
@Maranda - we added it recently in development versions so it will be included in next 8.1.0
-
pep.
Daniel, https://github.com/legastero/memberbot
-
pep.
See also some fixes here already: https://github.com/linkmauve/memberbot/commits/master
-
Daniel
pep.: thank you
-
Guus
Daniel I think Alex mentioned forking that into the xsf github account recently. Not sure if he's working on it.
-
Guus
and yes, it's annoying. I'd welcome that fix
-
Alex
travelling right now with bad internet access. Feel free to fork it to the XSF repo and I will take it from there ;-)
-
Daniel
I think I'll pr link's repo
-
Alex
also, don't think I have permissions to fork it to XSF repo, so someone else would need to do the initial fork
-
pep.
Maybe I can, now
-
Alex
https://palaver.im:5443/upload/5bb502b7c5289e610734e07c6a499759f520bf98/KfbREEd9IVGxE7vRIIZGilr520dOqpVw0Hncz4qm/2019-12-06_12_48_34-legastero_memberbot__XSF_Memberbot__v2.png
-
pep.
hmm no I can't
-
pep.
Daniel, as you might have seen the "Redis woohoo!" commit is just here to bypass Redis as we didn't want to set it up to test our changes :-°
-
pep.
(also I'm curious if it's actually necessary..)
-
Daniel
I was just blindly going to add strip().lower() in some places. I wasn't even going to run it
-
pep.
heh
-
dwd
Zash, XEP-0220 is also used by XEP-0288 - are you suggesting that the dialback auth is deprecated, or that the syntax itself is deprecated?
-
moparisthebest
Maranda: rogue issuing of certs by LE?
-
Zash
dwd: Personally I really don't like the syntax. But I'm pretty sure you can do 288 without talking Dialback.
-
pep.
ralphm, Guus, can somebody give me perms on the trello board so I can add agenda items please.
-
ralphm
pep., what is your username there?
-
pep.
ppjet6
-
ralphm
pep., oh, interesting, I also found another one, which does have an avatar
-
pep.
I just added an avatar
-
ralphm
but that one is maximebuquet
-
pep.
Yeah, that was the original username they gave me, and apparently it's possible to change it.
-
pep.
Not sure how long it sticks around
-
ralphm
so it is one account then?
-
ralphm
confusing
-
pep.
it is
-
pep.
(confusing)
-
pep.
Thanks I've been added
-
ralphm
Well, I think I added both
-
pep.
ugh, weird
-
Guus
I thought I already added you?
-
Guus
Are you there three times now?
-
ralphm
You added one of his accounts as guest
-
ralphm
I promoted that one, and added the other for good measure.
-
ralphm
So pep. is double important now
-
Guus
Internet is hard
-
ralphm
nah
-
Martin
The *hard* parts are not the problems, the problems come from the *soft* part. No software, no problem.
-
Guus
You beat the end boss?
-
Link Mauve
RFC5891 says it obsoletes RFC3491, does that mean XMPP applications should stop using the Nameprep stringprep profile for domain names?
-
ralphm
Well...
-
ralphm
It turns out that there are some issues surrounding Precis and multiple versions of Unicode.
-
Zash
Understatement of the decade
-
Link Mauve
ralphm, this isn't PRECIS yet.
-
Zash
IDNA 2008?
-
Zash
That's a separate thing from stringprep
-
Link Mauve
I'm looking at whether IDNA2008 can be used for the domainpart of JIDs instead of IDNA2003 + Nameprep.
-
Zash
That's not how it works
-
Link Mauve
Is it not?
-
ralphm
Link Mauve, for reference: https://mailarchive.ietf.org/arch/msg/xmpp/a-WhzOTyOq168GujQHgzQ1-DURI
-
Link Mauve
Thanks.
-
Link Mauve
Ah yes, I have read this email already.
-
Link Mauve
This thread.
-
Zash
If IDNA 2008 replaces IDNA 2003 AND Nameprep then I've gotten it all backwards.
-
Link Mauve
Zash, that's what I get from the obsoletes header of the RFC, but I may be wrong.
-
ralphm
I think you either do it using stringprep as in earlier versions of XMPP Addresses, or using Precis using the latest incarnation of it
-
Zash
I've just replaced the IDNA part and kept the stringprep part
-
Zash
IDNA doesn't come into play until you start doing DNS
-
Link Mauve
IDNA2008 did the same mistake (?) as PRECIS of relaxing the Unicode version from Unicode 3.2 to undefined version.
-
Zash
Related: The 1023 byte limit on JID parts is super weird given the 256 byte limit on DNS names.
-
Zash
I guess you can invent your own non-DNS based federation with looooooong server names.
-
Link Mauve
Wouldn't that break any XMPP software using IDNA*?
-
Zash
Define "using IDNA*"
-
Zash
Being mostly familiar with Prosody, I can say that it should work fine as long as you don't try to federate.
-
Zash
Because IDNA isn't applied until you start doing DNS lookups
-
Link Mauve
So I shouldn't use IDNA2003 nor IDNA2008 in my JID library at all?
-
Link Mauve
Since it isn't involved in DNS in any way?
-
Zash
Prosody's JID library doesn't use IDNA at least.
-
Link Mauve
Ok.
-
Zash
I guess read https://tools.ietf.org/html/rfc7622#section-3.2 and https://tools.ietf.org/html/rfc6122#section-2.2
-
ralphm
Or get a hold of Peter
-
Zash
One could probably interpret those texts as nameprep being basically the same as IDNA?
-
ralphm
Nameprep uses IDNA, but there's a bunch more.
-
flow
Link Mauve, domainparts can be DNS names of U-labels, not A-labels, hence they are in ACE. IDNA converts U-labels to A-labels and is hence not needed for your JID library.
-
flow
Note that RFC7622 is underspecified regarding domainparts, see also https://www.rfc-editor.org/errata/eid5789
-
Zash
> ifqdn = 1*1023(domainbyte)
> a "domainbyte" is a byte used to represent a UTF-8 encoded Unicode code point that can be contained in a string that conforms to RFC 5890
-
Zash
Hmmm
-
flow
and here lies the problem
-
Zash
> ifqdn = 1*(namepoint)
> a "namepoint" is a UTF-8 encoded Unicode code point that satisfies the Nameprep profile of stringprep in RFC 6122
-
flow
strike that, the ifqdn definition is not the problem, the textual description is
-
Zash
Note that those are from two separate RFCs
-
Zash
The first I pasted replaces the second.
-
flow
Yep
-
Zash
Does the 7622 definition permit 1023 UTF-8 continuation bytes?
-
flow
The problem is that RFC7622 only allows code points allowed in NR-LDH labels and U-labels
-
flow
which excludes the colon for example, and I am pretty sure most of us have domainparts which include colons
-
Zash
Oh glob what's an NR-LDH label?
-
Zash
Colons?
-
flow
non-reserved letters digits hyphen label
-
flow
Zash, just have a look at https://www.rfc-editor.org/errata/eid5789
-
Zash
That's not allowed in domain names
-
Zash
And IP literals are in "good luck with that" territory
-
flow
NR-LDH are the old style DNS label format prior to Unicode, which could just include letters, digits and the hyphen, hence the name
-
Zash
Aren't U-labels the new ones?
-
flow
yes and no
-
flow
on the wire DNS still uses LDH labels
-
flow
hence IDNA
- Zash remembers how touching on this topic generally ends with a great desire to crawl down under the desk and cry
-
flow
It's really not that hard
-
Zash
`to_ascii()` yes
-
flow
bbl
-
Link Mauve
edhelas, "when you join a chatroom (especially that one)", which one?
-
Link Mauve
Otherwise, congrats for the release!