marc0s: jonas’, thanks for the lengthy and detailed response about Reminders. I really appreciate it
jonas’: you’re welcome
Link Mauve: So, since I’m now doing an internship, I probably should change my member status.
Link Mauve: How can I do that?
Link Mauve: Also hi, I’m adding XEP-0284 support to Inkscape. o/
jonas’: Link Mauve, member status?
Link Mauve: jonas’, the employer thing.
jonas’: I just edit my wiki page
Link Mauve: I don’t have one yet. :-°
flow: Link Mauve, yeah, xep284 is one of my all time favorites (along with the gobby protocol)
Link Mauve: What are the differences between them?
flow: you may want to compare those two from a protocol perspective, although the gobby one isn't that well documented IIRC
Link Mauve: Also with other protocols such as Etherpad’s or CryptPad’s?
flow: I have no idea which one is better. But it could be worth putting some research effort into a survey of the existing protocols for collaborative xml editing
Link Mauve: Yeah.
Link Mauve: And then merge all of the improvements into XEP-0284. :p
jonas’: stay away from etherpad
jonas’: it uses the broken JavaScript unicode model
jonas’: with UTF-16 everywhere.
moparisthebest: if you have to stay away from broken javascript that's like 99% of the web
moparisthebest: though now that you mention it, sounds kind of nice...
Ge0rG: I've heard there are still parts of the web that you can surf with noscript.
jonas’: s.j.n for example
jonas’: though you won’t get the fancy charts
Link Mauve: jonas’, I’m using XMPP, so UTF-8 everywhere.
jonas’: Link Mauve, the etherpad protocol data model assumes UTF-16
jonas’: so stay away from that
Link Mauve: Ok.
Ge0rG: nothing is wrong with UTF-16. It's only when you treat it as UCS-2 when things start going wrong.
moparisthebest: is https://xmpp.org/software/servers.html a pretty complete list still? does anyone know of widely deployed public servers not on this list?
Link Mauve: In the XEP schema, <dl/> is specified as only taking a list of <di/>, each containing a <dt/> and a <dd/>.
Link Mauve: The <di/> is not specified in XHTML AFAIK, why is it present here?
Zash: XEP ≠ XHTML tho
Link Mauve: But the XSLT transfers the <di/> to the generated HTML5.
Link Mauve: As is.
Zash: That sounds like a bug
Link Mauve: Indeed.
Link Mauve: I’ll use it in the meantime, but I’ll keep it in mind.
moparisthebest: other than prosody, XMPP servers seem very bad about having a place to report security problems...
moparisthebest: ejabberd and tigase just link to github issues, openfire links to a forum and public issue tracker
jonas’: Link Mauve, feel free to file an issue and/or patch
moparisthebest: isode, iot broker, astrachat nothing at all
moparisthebest: apache vysper joins prosody in having a very visible defined way to report security issues
Link Mauve: jonas’, https://github.com/xsf/xeps/pull/900
Link Mauve: moparisthebest, maybe report them the issue?
moparisthebest: and the rest have a developer email/jid if you dig deep enough, which isn't *terrible*
jonas’: Link Mauve, looks good, I’ll add it to the queue for tonight
moparisthebest: Link Mauve, right, how :D
Link Mauve: moparisthebest, using a normal issue I guess? ^^'
jonas’: moparisthebest, you could use a normal issue to report the problem that there’s no security contact.
jonas’: though github issues nowadays also have a way to be hidden for security reasons, IIRC
Link Mauve: Oh, do they?
moparisthebest: And the 3 servers that have no way to contact anyone at all?
moparisthebest: Email sales?
jonas’: fulldisclosure@seclists.org
moparisthebest: I don't think I care that much, if they don't, why should I
moparisthebest: I'll just post it on a blog or something and if they are vulnerable to a 0 day maybe they'll create a security email :)
Kev: Isode provides snail mail, phone, fax and email (through web form) contact details on the website, and customers obviously have a support system to submit things through. So I think 'nothing at all' in terms of ability to get in contact is pushing it a little bit.
moparisthebest: and no place to report specifically security issues, I guess a web form might go to someone who could handle them, it's not obvious though
Kev: Any (provided) contact mechanism would ultimately end up at someone who could handle the query.
Kev: Or if you think you've found a vulnerability in M-Link, feel free to just bypass that and email me.
moparisthebest: in this case it's more of a general bug that may affect multiple servers, but just in general having a dedicated security problem reporting method is ideal
Kev: It's not clear to me that it would be any more useful than the generic contact details, TBH.
Kev: I can see how for an OSS project where the contact details are "Open a public ticket viewable by the world" it would be.
jonas’: Kev, in 90% of the companies, the generic contact form will end up at a clueless person who deflects your request or it takes ages to proceed
jonas’: having a proper security contact is superior to that
moparisthebest: https://www.apache.org/security/ this is considered a good way to handle it
Kev: jonas’: I don't believe that to be true at Isode.
Kev: In fact, I believe we have precisely 0 clueless people on staff.
moparisthebest: https://www.astrachat.com/Contact.aspx for example only has sales emails
jonas’: Kev, but as a security researcher, you can’t know in advance
moparisthebest: https://letsencrypt.org/contact/ https://prosody.im/bugs/ also examples of prominent "security issues go here"
Wojtek: moparisthebest in case of Tigase you can use contact form here https://tigase.net/technical-support (3rd option, though naming may be confusing); besides - due to size and how we handle communication internally we didn't/don't feel that a dedicated security channel was required
moparisthebest: Wojtek, the "If you have our support subscription use the form to send us a message" button?
Wojtek: you give example of LE, and even they put a bold: "Please do not write to this address unless your message concerns a security issue with Let’s Encrypt." because, from experience, when you put an email in public place, it's quite often spammed with people ignoring its intent sadly ¯\_(ツ)_/¯
Wojtek: yes, this one (as I said - naming may be confusing - I'll forward your suggestion to relevant person)
moparisthebest: ah yea, I would not have used that unless you said :)
Wojtek: sooorryyy :-)
Wojtek: in general support without subscription should go to github :-)
Wojtek: btw. wasn't there a XSF security mailing list?
pep.: there is still, maybe. Seems abandoned though
Wojtek: yeah, but it also seems public so I'm not sure it's viable in this case (I *thought* that it wasn't, or at least its archive wasn't)
Wojtek: @moparisthebest could you ping me on xmpp:wojtek@tigase.org ?
fippo: there was a server-devs mailing list which was created and then used for the dialback bugs.
fippo: unused since probably
Kev: Indeed, but it is intended for this type of thing.
moparisthebest: did those bugs let you crash a good amount of public servers though?
jonas’: that sounds fun
jonas’: crash as in crash?
jonas’: as in total DoS?
moparisthebest: this probably shouldn't be public until fixes are out, I've sent it to a number of server devs so far
jonas’: via s2s or authenticated c2s or unauthenticated c2s?
jonas’: yeah
moparisthebest: no data leaks, just crash (thankfully?)
Kev: It wasn't a crash, it was an authentication bypass.
Kev: Heh.
fippo: also just checking: its not a variant of billion laughs?
moparisthebest: I haven't heard of that
jonas’: moparisthebest, ouchie
fippo: https://en.wikipedia.org/wiki/Billion_laughs_attack -- there was an xmpp variant of it as well
jonas’: moparisthebest, billion laughs is exponential entity expansion. define an XML entity &foo; which expands to &bar;&bar;, define &bar; to expand to &baz;&baz; and so on.
moparisthebest: ah, now that's nice, but no this isn't the same
pep.: aren't XMPP parsers not supposed to handle undefined entities?
jonas’: pep., and, more importantly, not supposed to handle entity definitions ;)
Kev: Indeed.
pep.: right
Kev: Not quite the same as people doing the right thing, though :)
jonas’: pep., as we all know, people take shortcuts when implementing stuff
jonas’: and if the shortcut is "not configuring your parser properly" ...
pep.: Indeed
fippo: well, this came up again a couple of years after the initial CVE. Happens all the time.
moparisthebest: now those are some hilarious links https://www.cio.com/article/3082084/xml-is-toast-long-live-json.html https://github.com/kubernetes/kubernetes/issues/83253 "CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack"
jonas’: relevant: https://noyaml.com
Ge0rG: When I got my dozen of xmpp clients CVE, I contacted all the developers manually