XSF Discussion - 2020-05-29

  1. jonas’

    pep., I don’t see text in MIX which says otherwise

  2. jonas’

    pep., I don’t recall text in MIX which says otherwise

  3. jonas’

    but it’s been quite a while since I’ve read MIX

  4. jonas’

    in some discussion a few days back, I was looking for this, and now I found it: https://multiformats.io/multihash/

  5. jonas’

    don’t ask me what the context is though

  6. jonas’

    might be about the blake2 stuff

  7. larma

    jonas’: you forgot to add a blockchain trigger warning to the link ;)

  8. jonas’

    larma, I didn’t notice anything blockchainy in there

  9. larma

    multiformats is from protocol labs which is blockhcainy 😉

  10. jonas’

    TIL (and don’t care)

  11. Zash

    They invented ASN.1 ?

  12. larma

    Zash, how is this related to ASN.1?

  13. Zash


  14. jonas’

    they’re not OIDs though?

  15. Zash

    The concept of { oid, hash bitstring } ?

  16. jonas’

    I don’t see OIDs there though

  17. jonas’

    OIDs are hierarchical

  18. larma

    yeah, they're not using OIDs, they are just prefixing the hash with a type and it's length

  19. Zash

    I don't mean OIDs specifically

  20. Zash

    Maybe I've just looked too closely at the whole ASN.1 thing, so to me it looks similar.

  21. MattJ

    It's the same but worse

  22. larma

    Zash, you mean they could have used ASN.1 instead?

  23. Zash

    They could

  24. larma

    but they are blockchainy

  25. jonas’

    why would you though

  26. larma

    so they mind every byte

  27. jonas’

    ASN is odd with it’s different serialisation formats

  28. Kev

    Says the developer working with XML :)

  29. jonas’


  30. larma

    ASN.1 has an XML serialisation format 😉

  31. Kev

    Is memberbot online, and should they be?

  32. Zash

    We're in voting, so they should be.

  33. Kev

    That was my thought.

  34. jonas’

    it’s available for me

  35. Kev

    Hmm. I wonder if S2S between my server and xmpp.org is down.

  36. Kev

    Ah. Has xmpp.org enabled the 'I won't talk to small DH Keys' Prosody thing?

  37. pep.

    gender-neutral singular "they" replacing "it" for things? :P

  38. Zash

    bots are people too!

  39. pep.

    I'm sorry

  40. MattJ

    Kev, yes (but to be clear it's not a Prosody thing, it's system OpenSSL defaults on Debian 10)

  41. Zash

    Pretty sure it's been configured to prefer ECDHE

  42. Kev

    Ah. Any chance that could be turned off, as an easier option that updating my server to a release from the last millenium? :)

  43. pep.

    And actually probably most distributions now, at it's recommended by openssl since.. a vulnerability not so long ago

  44. pep.

    And actually probably most distributions now, at it's recommended by openssl since.. yet another vulnerability not so long ago

  45. pep.

    jonas’, flow, is the 157 validation thing gonna delay/make the PR get refused? :/

  46. pep.

    Can we change that later if it's the case?

  47. Zash

    I kinda rather you added text that says everything should be URIs

  48. pep.

    I don't mind about the way we do it, I just wanted it in :x

  49. pep.

    I don't mind the way we do it, I just wanted it in :x

  50. pep.

    But as flow said, adding this kind of text on all fields now might be considered breaking (even though I would expect people to just put URIs in there already as the example suggests)

  51. Zash

    It's not Standards Track

  52. pep.

    so.. that means we can bend it in any way we want it's fine? :p

  53. Zash

    We can bend anything we want any way we want.

  54. Zash

    We have the power!

  55. pep.

    We are the last XEP benders

  56. flow

    pep., it already delayed the PR. I personally see no reason why this should cause the PR to get vetoed by council, but since it takes only one council member to veto…. In any case you could resubmit without, which would be sad. But we can not add the data form validation later on, without bumping the namespace, so it was important to do it now.

  57. Guus

    I found out today that most of the spam that I get through XMPP is coming from my secondary account, on jabber.org, instead of my primary account on igniterealtime.org. What strikes me is that I publish contact details including the latter a lot more than the former.

  58. Zash

    I too get a bunch of spam to my jabber.org account, despite never having written about it anywhere or barely used it for more than occational testing.

  59. stpeter

    We're working on it!

  60. !XSF_Martin

    > We're working on it! Is Neustradamus around?

  61. stpeter


  62. Guus

    Having something anti spam on jabber.org would obviously be nice, but I wasn't so much calling for action as I was expressing surprise at the source of the spam I get. It would be interesting to find reasons why an infrequently used account gathers more spam than an actively used and shared one.

  63. Guus

    I do now wonder if the recent uptake in spam and the recent instability at jabber.org are related.

  64. Zash

    Guus: I imagine you'd find a ton of legitimate accounts by taking a random list of email addreses and picking out the localparts.

  65. Guus

    That wouldn't get you my jabber.org account.

  66. Zash

    Maybe the reason it seems to be more is that you look at it less often, so the spam waves get buffered up in offline storage

  67. Guus

    I'm logged in all the time, but am not using it for anything other than ... what, really? As a fallback in case my primary account has issues, mostly.

  68. Zash


  69. vanitasvitae

    I receive lots of spam on my personal account on my personal server, but it appears to be fluctuating quite drastically from day to day.

  70. vanitasvitae

    Guess I made it to some spam list...

  71. moparisthebest

    same, it went away almost entirely for almost a year I'd guess, but now it's back up to a few a day

  72. Zash

    But in my case, an account with no contacts that I never use and never mentioned anywhere, still getting spam? They must have guessed.

  73. Guus

    Can we assume that it's mostly one entity that's driving all of this spam?

  74. Guus

    Zash: maybe some kind of way to list accounts on a server or something?

  75. Guus

    Xep 55 with a wildcard?

  76. Zash

    Does jabber.org have that enabled? That'd be scary.

  77. Kev

    No. It supports xep55, but it's opt-in.

  78. pep.

    or.. the db got leaked! :p

  79. Zash

    Or any db got leaked, and they tried every username on every server

  80. pep.

    Kev, opt-in by the client?

  81. Kev

    pep.: Yes.

  82. pep.

    So like MAM? :P

  83. Kev

    Well, by the user through their client.

  84. pep.

    opt-in but every clients uses it

  85. pep.

    opt-in but every client uses it

  86. Kev

    I don't follow.

  87. pep.

    It's a joke. I don't know if it's the case for 0055.

  88. pep.

    MAM was made opt-in on most servers though

  89. pep.

    For GDPR reasons among others

  90. pep.

    But every client uses it anyway

  91. Zash

    Opt-in by using it!

  92. Zash

    But for 55 I'd hope it be a thing where you register with it to opt in

  93. Kev

    You don't register with it, you tick the box in your user configuration adhoc.

  94. Kev

    But that's probably equivalent.

  95. Zash


  96. pep.

    You mean your client does that for you, providing whatever UI

  97. pep.

    (maybe not even mentioning the fact that you're enabling it)

  98. Kev

    Do you have any evidence clients are doing this, or are you guessing?

  99. pep.

    No evindence, just saying it's a possibility

  100. Zash

    I highly doubt things will execute random ad-hoc commands

  101. vanitasvitae

    The spam I receive is 95% russian and about spam services

  102. vanitasvitae

    So I can assume its the same sender.