XSF Discussion - 2020-02-19

Do any servers support https://xmpp.org/extensions/xep-0078.html anymore?

Or might it be worth resurrecting? Since TLS is required and everyone (https world) agrees basic auth is fine, and it doesn't suffer from the "never upgradeable" problems sasl does?

sasl is downgrade resistant

And upgrade proof

moparisthebest, You can get the same effect as XEP-0078 with PLAIN, and essentially the same speed with SASL2, though.

moparisthebest, And you get to choose more secure methods than PLAIN, as well.

I'm not clear on what those are, I know about "channel binding" for instance, and iirc it's been broken before and such, but assuming not who cares anyway

If every http application ever can live without it, what's the point

Again, I understand not sending something plaintext across the network that can be used to login as you was absolutely critical when XMPP was written, TLS wasn't the norm then

Is it valuable in a world where everything is TLS though?

HTTP applications often use OAuth, which can be done over SASL but not XEP-0078, for example.

That's normally when you authenticate with a 3rd party service though right?

Like, sign into this site with your GitHub account?

Does anything in XMPP do that?

Yes. But that doesn't matter - point is that SASL is extensible, whereas XEP-0078 isn't.

And certainly some deployments seem to like having channel binding around, or not having plaintext password equivalents on the wire even with TLS in play.

moparisthebest: SASL is the pinnacle

Oh I get it's more extensible, it just seems 99% of the time the extra complexity and RTTs is not desirable

Seems like 0078 should be the norm and sasl the exception nowadays I'm saying?

My impression is this situation is similar to Direct TLS vs STARTLS

moparisthebest, I think SASL PLAIN is the same (or at least close to xep78) in terms of complexity and round trips

dwd, what's the benefit, besides feature discovery maybe, of "simple json" compared to xep335?

and will I find an answer ot this question by carefully reading the simple json XEP?

I think so. How would a developer go about using 335? Would it involve more code than simple json?

The comparison isn't between simple json and raw 335, it's between simple json and stuffing json in directly into message bodies.

Isn't the comparison between stuffing json anywhere and explaining people what the x in xmpp stands for?

Pretty much.

But I do understand that "Here is a protocol framework. Now off you go and design a protocol and implement it in multiple libraries" is quite a steep learning curve.

HTTP REST is even less than a protocol framework.

Ge0rG, Yes, but you just stuff JSON into named endpoints and you're done.

Ge0rG, And moreover, even if you do download 780k, it won't damage the network. Whereas stuffing JSON into <body/> does, since naive clients can't be used anymore.

League of Legends used to stuff XML into the body, which of course was encoded.

Novel, at least.

I think it's been in use a decade ago.

> Release: October 27, 2009

Ge0rG, there's no last-modified/etag check upon retrieval?

ralphm: the code is straight from https://stackoverflow.com/a/36509726/539443

It's surprising that almost none of the http client libraries actually supports local caching

so you end up doing it manually, badly. if at all

That's pretty terrible indeed.

I.e. I can't get over how little people know about stuff like this, and always get this wrong.

Especially when people were still doing RSS aggregators.

Hey, encoding a bet on Google not changing their HTML into your app is also a rather dumb decision

Luckily, the app's API designers were competent at least.

I guess

should iq type="get" *never* have side-effects?

Because we have an example of such in... RFC 6121

Requesting the roster "subscribes" you to roster pushes

Wat

vanitasvitae: do XMPP libraries typically provide APIs to easily send arbitrary XML? I was under the assumption they don't make it that easy

> If a connected resource or available resource requests the roster, it is referred to as an "interested resource". The server MUST send roster pushes to all interested resources.

larma, totally depends on the library

larma: in Smack you could do it fairly easily I think

Some are high level, and try to hide everything from you, some are low level and offer barely any XMPP stuff - some fall in between (you could say they fail at both)

Yeah, in Smack you can parse the XML into a "StandardExtensionElement" and append that to your messages.

vanitasvitae: that isn't what I would call an easy API

¯\_(ツ)_/¯

PR welcome :P

MattJ, ugh (re roster). I can see why that's been done but that seems like breaking some assumptions indeed

I just wonder how we are considering to add stream.send_json(to, json), when we don't have stream.send_xml(to, XML)

It seems obvious that 99% of the time if you request the information you are also interested in changes to that information

That seems like a bold assumption to make. Especially since we have mechanisms to say we're interested in the data

pep., they wouldn’t be atomic.

what do you mean

pep., caps to your server may be known to your server long after you’ve requested the roster.

In the meantime, you would miss roster pushes.

Seems like an edge-case no? Or maybe there's something missing for this kind of case (subscribing to data around bind)

Atomic get-and-subscribe is quite an important operation to have

Yes but it this really what we want for iq type="get"? :x

Does that mean because I've requested somebody's version I want to know now everytime they change

The XEP doesn't specify that behaviour, so no, it doesn't mean that

It means instead that you have to poll if you ever do want that :)

larma, Most libraries let you send/receive arbitrary XML, in various ways that are individually reasonably sane. The problem is that they're all radically different from one another and involve a lot of implied knowledge to use well.

Yeah, but why are we then not unifying/easying the use of custom XML in XMPP and instead only unify/ease the use of custom JSON in XMPP? ✏

larma, I can't think of a way to do that without essentially distilling it into "learn XMPP really good".

larma, Don't get me wrong; that's my preferred solution. I just think it's impractical.

Why?

Also, why is it required to learn xmpp really good for that?

does anyone know of a thing that is an xmpp client on one end and a rest api on the other?

with rest calls to send; and where you can put in (http) callbacks for notifications

bot developers these days can’t be bothered to connect to anything not http

Daniel, Like the Prosody API, or XMPP-FTW?

maybe. let me take a look

larma, I don't know where you'd start with trying to create a generic API. I got a lot of pushback for including the sketch in the original UDT.

Daniel, I don't know how maintained XMPP-FTW is, now. At one point it was heavily worked on by Lloyd, but he's moved onto other things and I don't know anyone else picked it up. It was, at one point, looking as if it'd merge the XML <-> JSON translations bits with stanza.io^Wjs.

dwd: when searching for how to do custom XML in smack I found https://stackoverflow.com/questions/6387947/how-to-send-custom-xml-packet-using-javas-smack-api which basically says, "here is how you, but don't do it"

It already starts with the requirement to define a namespace...

dwd, yeah; probably something like mod_rest for prosody. probably a little less generic; and kinda scoped to one user (callbacks for just one user; not all users)

dwd: can we at least agree that it should just be sending strings instead of json so that it can be any notation, or just strings, or base64 encoded binary, or ... Also that would allow libraries to not care about json at all (the current proposal requires libraries implementing it to at least include a json validator)

Daniel: Use case? Bots or something?

Zash: yes bots

I'd like mod_rest to support that. Currently it's probably awkward unless you give the bot an entire domain

Yes. Mod_rest isn't too far of from what we want to do. Except that. And except that we have only limited control over the server (don't ask) and are not running prosody

that is generally my complaint with about every XMPP library I've ever used, they all make you jump through a series of hoops when I just want to send a String

Daniel: mod_component_client! (Connect Prosody as a 114 component to another XMPP server)

Daniel, you also have mod_slack_webhooks, which AIUI lets Slack bots connect to Prosody.

moparisthebest: That's a good thing IMO. Pain to enforce well-formedness and stanza counting for 198 if you just get strings.

Link Mauve: oh that might be interesting

We have a ton of variations of this, sending messages via http. mod_rest is kinda meant to be the one that does it all

I wonder i f this is something we wanna standardize tho, "HTTP based component/bot interface"

This has been proposed at Summit, but other things took priority.

Zash, so if you are building a client or, something serious it's a good thing, if you just want to experiment quickly not so much

I tend to think they should be built in layers, bottom just deals with strings, slightly higher XML, over that you have your normal API that helps with things

Oh, you actually meant printf XML?

larma, yeah I tend to agree with that. since it's really application specific I'm not sure why we'd restrict it to JSON, not sure why the library would fiddle with that

Sure, but I think you still wanna discourage people from sending raw strings too often.

And I don,t really see the point in specifying it anyway

last night I was purposefully trying to send ridiculous things to see how servers would handle them for instance, ended up just not using any library because none of them had good support for this, so "testing" would be at least one use-case

moparisthebest, in any library it's possible to declare new tags to include as part of stanzas.. I am all for writing (better) documentation in libraries

I know in verse you can access the underlying socket and do whatever, but it's easy to compose arbitrary xml without reaching for strings

And prosody too

Not just documentation. Also make it easier. The way slixmpp does it is horrible

Where as prosody stuff is relatively easy to understand

Daniel, I don't disagree about slixmpp being horrible :)

I mean for complex things prosody also gets in your way

I usually found the declarative way in slixmpp (and in stanza.io and various other projects from Lance) to be quite good for extensibility.

But for a simple I want to add a key value pair it's super easy

Link Mauve, fwiw I'm still confused when adding an ElementBase in slix

Really? :/

"what attributes do I need again, and what do they do"

https://github.com/moparisthebest/jDnsProxy/blob/master/xmpp-dox/src/main/java/com/moparisthebest/dns/xmpp/DnsIq.java#L41 java/smack isn't much better here

The slack webhook thing is kinda nice

I mean it's not exactly what we need. But it helps me understand the problem space better

MUC bots needing to actually join the relevant rooms is a bit awkward, the slack thing doesn't have that problem. But it's awkward in another direction instead IIRC

> larma> I just wonder how we are considering to add stream.send_json(to, json), when we don't have stream.send_xml(to, XML) Probably because the data users want to send is already in json. And that does not mean that an API should (or can) not provide "sendXml(to, xml)"

send_whatever(to, mimetype, binary, data)

What Zash say

I personally don't want to include 42 parsers in my lib. Let the user validate themselves

Even though.. I'm not fond of the mimetype thing

I'd say s/mimetype/namespace/ :)

> moparisthebest> that is generally my complaint with about every XMPP library I've ever used, they all make you jump through a series of hoops when I just want to send a String One of the first things Jive Software implemented in Smack ~20 years ago was an API to make that easy

pep., I don't think including a parser is a necessary prerequisite for such an API

Zash, binary *and* data?

flow: boolean for whether to base64 the data blob I guess

ahh, is_binary (or so) then

isn't udt^WJSONthing requiring the JSON data to be validated? (well it does say "JSON", that means valid JSON)

(mod_rest has a thing for udt already)

pep., if you are prepared to receive json, then you probalby have a json parser (and validator) already available,

validation sounds like the recipient's problem :P

I don't think I would bundle one with smack if I where to implement something like simple json

moparisthebest, if you implement that you implement both sides

I guess

s/recipient/consumer of that json data/

In any case, I don't think all of this is necessary anyway..

flow, if you don't validate that the string provided by the user is in fact valid JSON, one could argue that you are not standards compliant, because the json XEP clearly clarifies that what is in a <json> element MUST be valid JSON according to (insert reference to RFC here)

larma, I didn't say that nobody should validate it. Just that it don't see it as strictly necessary to include a json validator in smack if I where to add support for something like simple json

larma, is it the library's job to ensure anything sent using it is standards compliant? that sounds... very wrong?

how do you develop new extensions then, for example

moparisthebest, not in general, but when it provides a highly abstract API, like the send_json(to, data) I would expect it to only send standards compliant things on the wire

I also expect it to escape my strings when I do send(to, body) with body = "x < pi &&", no?

sure, but if you already ensure in a higher level that 'data' is valid json, then it only adds an unnecessary validation step if the library performs another check if data is json

if the API lets me send a string I expect it to send exactly the bytes I tell it to

if the API lets me send some XML object, then I expect that XML lib to do that kind of escaping

I does not really hurt, but I don't see it a strict requirement for a library to perform that validation here

I suspect that's an unusual position. If would find it surprising if message->setBody(someString) required me to first escape somString.

yea ^ that sounds like the second thing, some XML object that should be escaping things

some goes for the receiving side

also "escaping rules" != "validating something"

if all xmpp client libs refuse to send non-valid things, how are we testing that server implementations deal with bad input correctly? (or are we?)

moparisthebest, I doubt allowing to send bad input is a good API

Do you think it should be allowed to do send_json("test@example.com", "urn:example:type", "Nope, I don't do JSON here")? And on the recipient side it would just provide a string. So that if people don't want to do JSON they'll just end up using that method and we have an even worse problem as right now with JSON in body

You can have escape hatches for sure in the lib

But that shouldn't be the default

well sure, completely agree there

At least for Swiften the idea is that stuff you send should largely be valid, and that there's an escape hatch for shoving octets onto the wire (which will break everything).

i.e. it makes it hard to do the Wrong Thing.

sounds right, no argument there

moparisthebest, I’d also expect a library implementing JSON to not take a raw string as input, but the language representation of the JSON thing (for instance a Python dict containing lists and other dicts and strings and such), so that the user of the library couldn’t do it wrong.

Of course, the raw XML extension API wouldn’t do this validation, so you could send invalid JSON using it.

Ryanair just screwed everything.

Do I have to, like, hire Landor myself to come up with a new brand name for XMPP?

Snikket it is.

except that's not XMPP. That's a subset of XMPP

How so?

one could argue it's even a "proprietary" messenger.

Good luck, but how?

what? how could you argue that?

Ellenor Malik, that’s bullshit.

of course it’s a subset of XMPP. why would it need support for the IoT XEPs.

and it’s all free and libre software, there’s nothing proprietary about it.

"XMPP is not Snikket's focus."

you misunderstood that

https://www.reddit.com/r/xmpp/comments/f0el07/can_someone_explain_to_me_whats_the_point_of

MattJ explained it in more detail here: https://old.reddit.com/r/xmpp/comments/f0el07/can_someone_explain_to_me_whats_the_point_of/fgto5h0/

you know about that thread, so I’m assuming you are intentionally ignoring data

> jonas’ has written: > of course it’s a subset of XMPP. why would it need support for the IoT XEPs. why do you need a whole-ass XEP for IoT anyway? the way you control IoT on IRC is just by a standard privmsg, and XMPP doesn't need to be any different

Ellenor Malik, err, no.

Ellenor Malik, my take is for developers that know to search "xmpp" there are numerous servers/clients/etc, for "users" that just want "to chat", that's what snikket seems to be targeting, it's still standard/interoperable/federating/open xmpp

Encoding machine-readable stuff in the body would be utterly stupid.

moparisthebest: the whitelabel clone of conversations is refusing to connect to under-compliant XMPP servers. to me that seems far too close to a proprietary system for anyone to be comfortable with it

Ellenor Malik, you mean that your server didn’t implement XEP-0401 yet?

That’s a complaint to direct to your server implementation, not to a client using it. ✏

it's also not true

i’m fairly certain that snikket would open xmpp:anyserver.tld?register

not sure why you would want to use snikket with non snikket servers

but if you wanted to you could

if you know about non-snikket servers then snikket probably isn't for you

The amount of bullshit and conspiracy theories that go around when ever someone - who has a well established record for working in the xsf - tries something new, is unbelievable

Happened to me with Quicksy as well

it’s almost as if people didn’t want XMPP to change to something successful

it's almost as if refusing to connect to slightly behind the curve servers amounts to vendor lockin

some call it vendor lock-in, others call "providing a decent UX in a federated system"

take it or leave it, noones forcing you

MattJ won’t make Snikket not federate.

I’m rather confident in that.

anecdotal quicksy story, was having an argument about why xmpp was superior to everything in an IRC channel recently, and they brought up how hard it was to install Conversations and know what a JID and a server etc was, get an account, compared to Signal where you just install it and it works

I said "what about Quicksy" and got "oh, hadn't seen that before, looks really nice"

another one brought over to the dark side >:)

if you think I'm mentally ill now, try feeding me some cookies.

I'm not personally going to use Quicksy or Snikket, I already have a setup I like, but I am VERY happy to recommend them to others that do not

(don't)

> jonas’ has written: > some call it vendor lock-in, others call "providing a decent UX in a federated system" the alternative is to prompt. "The presence server you have chosen does not support all of the features of Snikket. At this stage, you have three choices. Continue connecting, and experience marginally degraded functionality (you'll still be able to chat and join conferences), pick another server (and then the client can call a few web servers in a round-robin which can recommend a few servers based on geography), or, if you know the server administrator personally, flame them and tell them to upgrade to Snikket." > take it or leave it, noones forcing you Welcome to juntist Brazil. > MattJ won’t make Snikket not federate. > I’m rather confident in that. still, makes me uncomfortable

Ellenor Malik: can you post a screen shot of the error message where it says you can't use a certain server?

...

i was providing an example of an error message I would supply if the server was not fully compliant.

No. You said earlier that snikket is doing vendor lock in. I'm asking you to provide proof for that

I just got Snikket (client) to connect to my main account on my non-snikket server that doesn't even have registration.

Zash: oookaaayy

Had to `qrencode -t ansi 'xmpp:me@myserver.tld?register'` and uncheck a hidden checkbox tho

that's more than a mite absurd

I'm pretty sure on the server side snikket refers to a feature set and not a specific server

yes "modern xmpp" for lack of a better term

Huh

moparisthebest, better term .... liiiike .... snikket?

sure :)

Zash: having to qrencode the registration seems more than a mite barrier to entry shaped

No, quite the opposite

(she says, while planning a Website for her XMPP server which will do just that)

QR code with `xmpp:example.com?register` on your website would work just fine in Conversations too

Ellenor Malik, have you ever instead tried to send someone a username and password over SMS or something

the main issue is getting people to transcribe domain names

also the people that always capitalize the first letter of everything without telling you

why are we sending passwords over SMS anyway?

I said or something :)

I've done it using Silence before

... but why are we sending qr codes over SMS?

you don't

I should probably come up with a module to an XMPP server that makes it so that users can only federate if they verify their phone number

what are you going to use to verify phone number?

that is, they can only message out of the local server

Ellenor Malik, sounds like a plan for anti-spam in some deployments

Ellenor Malik, also sounds like you are just talking about https://www.kontalk.net/

everything that can be done by someone with a 132 iq has already been done

fyi that's mostly standard xmpp too and federates

last I checked he was taking out the non-standard extensions slowly

probably preparing to shut down

which is bad

I'm happy that most people in the community do understand the motivation behind Snikket <3

and yes, you can connect to non-Snikket servers with the Snikket app, and yes, you can connect to a Snikket server from a non-Snikket app

But it's not advertised that way because that's not really what provides the best user experience

and I have had to explain to multiple people who try to use Snikket with non-Snikket servers that they really really should just go and use Conversations

you'd have to explain "what is XMPP" to people that *just* want a chat app

The problem is that anyone in this room, or who even knows what XMPP is most likely is not the target audience for Snikket

*eyes glaze over* thinks to self: when will this idiot shut up so I can just go install Signal

Off to dinner now, don't worry :)

haha sorry if the sarcasm wasn't implied, that's an impression of a user who just wants a chat app when you go into a "what is XMPP and why is it the best" explanation

:)

Don't explain it, just force them to use it. 😃

MattJ: would it not be ideal to splash up a warning when a non-snikket compliant server is used?

https://upload.umbrellix.net:5281/upload/PzgVtgcc8O76UlW8/20200219_115631210.m4a

I’m halfway through writing down the (xmpp) protocol used by search.jabber.network in a proper ProtoXEP by the way.

or rather, a cleaned up variant of that.

nice

for s.j.n, I'd like not to have to use HTTP btw, and some clients seemed to prefer that for possible anonymity purposes. jonas’ would it be a problem for you if servers provided anon hosts that have s.j.n whitelisted? (so potentially you could get spammed from all around)

pep., interesting idea

I mean, I can get spammed via HTTP already

Right

and with tor you can make that even more fun

I don’t block anything at the moment

but we’ll have to write down how to behave when I reply with rate-limiting error codes

also, see what I wrote in https://github.com/horazont/muchopper/issues/51

<body>{"code":"502", "message":"please come back later"}</body>

to make this less painful: <error type='wait'><resource-constraint xmlns='...'/><rate-limit xmlns='urn:xmpp:channel-search:0'/></error>

moparisthebest, there’s SO MUCH wrong with that. I can only compliment you, you put a lot of triggers in just 63 bytes.

only thing that’s missing is some unicode shenangians

jonas’, lol yea "how to trigger XMPP developers in only 63 characters!!!"

also HTTP developers if they are paying attention

I guess I could have used smart quotes instead...

oarrr

😁

jonas’, just for you <body>{“code”: “502”, “message”: “please come back later”}</body>

What have you cursed us with‽

I have moved the Summit minutes (pad) to the wiki, https://wiki.xmpp.org/web/Conferences/Summit_24#Minutes

I wanted to do something a bit more elaborated, but I don't have much time so that'll do. There is still quite a few pieces missing, I'd appreciate if people present could have a look