XSF Discussion - 2020-06-04

https://github.com/xsf/xmpp.org/issues/608#issuecomment-638522416

From an iteam perspective Docker would be preferred

Hello!

I have a question regarding XEP-0420: Stanza Content Encryption

My client software is plugin-based, so I need to know the way of plugin interaction.

Should XEP-420 be implemented as blacklist or whitelist based?

I think you need both

a whitelist for the outer elements

and a blacklist for the inner

(outer those that were not encrypted. inner those that are)

when decrypting i mean

In the first case I have a list on elements, that should be ignored when encrypting: left in stanza, not moved into encrypted <content /> element.

yeah I'd do that with a whitelist approach

you only need elements that the server needs for routing

meaning message processing hints

et al

In second case we have a list of elements (reported by other plugins), which must be moved from stanza into encrypted <content/> element.

Daniel, so, you see the second way is better?

imho yes

Ok, thanx

i'd encrypt everything but [store, no-copy, …]

the decrypting side however is more dangerous. that's where you can fuck up and create security issues

Daniel, I'm discussing encrypting side right now.

Daniel, if we encrypt "everything but..." it's a whitelist approach!

Daniel, *blacklist* I mean.

Some elements you want to have outside *and* duplicate inside. XEP-0258, for example.

Sorry, that's unclear "outisde" versus "inside" the SCE, so unencrypted versus encrypted.

MattJ, Ack.

dwd, why may I want to have Security Label both encrypted and unencrypted?

server needs it for routing. but the recipient also wants to verify

flow I lost my gsoc MUC bookmark, so I'll be lazy and post it here. Can you confirm that we filled out the GSoC 2020 Org payment request form? Google sent out a reminder (I think the reminder went out to every participating org, but I'm not sure).

sign( meta, encrypt( more stuff ) ) ?

SCE is way more complicated than some people think it is

and it's really easy to srew up

Daniel, More fun than that, even - the security label may need to be re-written between policies and things by servers, but you still want the original. Email deals with this by triple-wrapping, but I'm really not sure we'd want to go there.

Zash, And yes, that's halfway to triple wrapping, which is sign[server]{ meta, sign[sender]{ more_meta, encrypt{ data }}}

(If you'll pardon my newly-invented pseudo-syntax)

Guus, yes PSA filled out the form before the deadline :)

👍

Zash> sign( meta, encrypt( more stuff ) ) should probably be sign(normalize(meta), encrypt(more stuff)) and the "problem" is the normalize(meta) part

Mmmmm XML c14n

exactly

it's a design decission involving balancing the tradeoff, but I actually think having something sign(normalize(meta), more bytes) as optional experimental feature can't hurt to get some insights about potential issues ✏

I think, for example, that XML normaliziation is trivial with Java SE, while it may would require another, likely heavy-weight, dependency on Android (if something is available there at all) ✏

I still wonder, why Message Reactions uses emoji instead of reusing XEP-0107: User Mood?

and slack and mattermost and matrix and everything

Zash, so, someone's just trying to mimic other IMs and networks instead of improving XMPP?

Yagiza, I guess because that is what github, gitlab, etc do ✏

Yagiza, that reads like it implies that by mimicing others one can not improve XMPP ✏

flow, well... I like XMPP because it's powerful. Other networks are forced to use Emoji, 'cause they don't have such nice things, like User Mood or User Activity. But why should we?

Yagiza, I am not sure which one of using unicode code points or xep user mood as enumeration of possible reactions is "better". both approaches appear to have advantages and disadvantages

Why limit yourself to moods?

IIRC in Matrix it's just a piece of text. It doesn't have to be emoji, that's just an UI decision

Zash, right, but then, on the other side, is it really good that you can react with all types of code points?

Just let me react with "cool" and "!" and I'll be happy

e.g. github limits the kind of reactions

flow, yes. But I think that advantages of reusing User Mood instead of emoji prevail over disadvantages.

flow, still, I'd leave that as an UI decision

Zash, I always wonder how I have to read "!" as reaction? Is it positive? Negative? Danger?

flow, !

How would you read *anything*?

Zash, sure, but is that enough? don't you have to be able to negoiate allowed reaction kinds on the protocol level?

Tons of emoji is incredibly ambigous

Sure, but not all

Zash, 'cause most of emoji are meaningless as reactions to messages. Also, they may lead to confuse, 'cause sender may mean different thing, than receiver may think of.

And there's never one that means what I'm trying to say anyways

A thumbs up on a comment can be hardly misinterpreted

Sure it can

hmm, ok, care to elaborate how?

No

Language and communication is complicated.

and often not unambiguous in particular

https://github.com/xsf/memberbot/pull/6 -- this is running on memberbot@dave.cridland.net, anyone fancy helping me test? (I'll need the jid you want to test from to add you as an "XSF Member").

dwd, sure

use mine

guus.der.kinderen at ignite

Added. You should be able to send it a subscription request and then start voting.

dwd, it acknowledges me, but does not offer things to vote on.

https://igniterealtime.org:443/httpfileupload/680d2838-390d-4d9f-beba-577ecf7dbbbc/image.png

Ah, great, that's a bug.

Did you add it to your roster? Or just send?

I added to my roster

subscription status 'both'

> error<wait:remote-server-timeout:Server-to-server connection failed: Error during negotiation of encrypted connection: sslv3 alert bad record mac>

The what

That's exciting.

> flow> A thumbs up on a comment can be hardly misinterpreted "Somebody should ..". "👍" Do you like what I said? Are you ok with it? Are you gonna do it?

language is complicated

OK, so, memberbot bug is that here: https://github.com/dwd/memberbot/blob/memberbot-fixes/memberbot/chat_voting.py#L360 slixmpp ends up trying to wrap a future into an IQ and everything breaks.

pep., Does that "supports" call ever work?

maybe slix broke it, dunno

OK, that maybe works now. Seems not to break with Inverse anymore at least.

Guus, want to see if that works for you as well now?

dwd: Remind me after lunch please

dwd: have you seen my PRs?

dwd seems to work now. I got three votes, with (the same) three candidates each.

dwd: You have commented, can you test it?

I've applied yes, no and abstain - seems to all work as expected.

I can test the bot?

Note: When I look the vCard, the XSF logo is always the old...

Neustradamus, You should be able to add memberbot@dave.cridland.net to your roster and vote (it's intentionally the same three candidates).

Have a conflicting meeting (again). Can't make it to Board today.

ralphm: should we think about another time slot?

!

o/

o/

Especially since the two agenda items I added concern ralph. Well one definitely, the second one all of us

# Welcome

Any other agenda item to add?

I guess we'll leave the two I added for when ralph is present

I have nothing

neither do I

Nothing here, except a query for whether the commteam have thought any more about their requirements

Even though some commteam members were present last time (Seve, emus), I haven't poked anybody yet

So it's also partly my fault

(I still need to send minutes for last week even.)

is the outside person waiting for us?

if so, we should try to get some momentum

Seve, maybe as a board and commteam member it'd be better if you did that?

Hi

Guus, yes and no, I don't think we've given a 'no' but we have let her know not to expect an imminent 'yes'

pep., I haven't offered my self to do that because I feel you guys have more context than me on this. As I said didn't know nyco asked for a plan. I would not be good at leading this. I can try to start a conversation in the commteam though, that's for sure.

Let's try and focus on this to get to a conclusion. We have a bad habit of letting things linger to long.

Seve, ok. I'll try to send last time's minutes quickly (to summarize last time's chat) I'll poke commteam :x

pep., very much appreciated!

Seve if only to get more of a conversation started, you approaching commteam members might be good.

oh, or that. 🙂

I have a question for board, not related to commteam but minutes: I see in other communities / organizations that acknowledging minutes is a thing, is that something that's been done before here? That some would want to do

At the beginning of a meeting these orgs I've seen ask their board (or equivalent) to ack last meeting's minutes

If we do have proper meetings, we should. But, as our minutes are often absent, and we're having a verbatim log of each meeting, I don't really see the point.

So maybe a topic for once we've sorted out the "minutes" problem.

I'm fine with no official answer anyway. I was just curious

+1

We have the logs, so yes, everyone can confirm the minutes. Although it makes sense to do that.

When meetings are used to record the meeting (and record decisions), we should verify/acknowledge them, I think. I don't think that's how we're currently using the minutes though.

# AOB?

None here

nor me

Next: +1w

# Close

thanks

Thank you guys

pep.: So you could not find time to sunmarize the recent meeting on the hireing topic?

You mean the meeting we've had in the other room? No. I think I'll just include a few lines in minutes I send for last week's board meeting to give some context. I don't think it needs much more

At least I would like to summarize the few points we agree in general on

tbh I don't especially want to be flagged "minute person", I don't like minutes :P

(Well I don't like writing them)

pep.: I dont take it as this, but I thought from the recent one you said you gonna do it

No, I said I wouldn't do it :x

Maybe we can make that as a rotation system? Some documenation is important pep.: ok then I try

"I won't do minutes just now. There's lots of things in there". I was planning to wait for a next meeting

pep.: Sorry, Im talking about the other chat on hiring only

yes

I'm quoting myself from that chat ✏

Ah okay, I think I got confused. If I can do something or help let me know

dwd: Thanks, can you add my PRs?

The goal is to test and confirm that it is good: - https://github.com/xsf/memberbot/pull/4 - https://github.com/xsf/memberbot/pull/5

k

can someone enlighten me on the role of MUC in Jitsi? looking at the various parts that make up jitsi there is the jitsi video bridge which takes the role of a SFU and there is the jicofo which is a compontent that you talk COLIBRI to.

but what role does MUC take here?

the jitsi documentation require me to set up a muc server; and also give jicofo admin (owner) rights to that muc server

but it doesn’t really say what the muc rooms are used for

The MUC is used for the signaling and chat between conference participants

ok; chat i get

but isn’t colibri the signaling?

(including jicofo AIUI)

It uses Prosody

i'm essentially wondering (text chat aside) if there is a different set of protocols aside from colibri (which is not muc or message based) that i need to understand

Not that I'm aware of, not sure if they stick some stuff in presence though

so hypotically if i wanted to experiment with video conferencing i'd just need jicofo and the video bridge?

jonas’ did some trickery to get a chat bot into Jitsi conferences iirc

Daniel, I *think* you need to go through a MUC to talk to Jicofo, since it uses the MUC identity

but that’s just casual observation from jicofo and jvb logs as well as a bit of MUC traffic

jonas’, ok thanks. that probably makes some sense in front of the background that jitsi meet is

15:36:40 jonas’> and yeah, weird stuff happens (with Jitsi Meet at least) if you have a participant which doesn’t speak the protocols 15:36:48 jonas’> I had to hide presence to make the web ui not misbehave ✏

(those two messages went into the wrong room initially, sorry)

He, I didn't realize you sent them to the wrong MUC and wondered why you quoted yourself. 😂

(fwiw i'm not interested in being compatible with jitsi meet the webinterface but just reusing the compontents to make video conferencing happening. or at least understand what that would entail)

Daniel, I recommend setting up Jitsi Meet first to get a feeling on how intertwined it all is

everything is extremely picky about everything

Daniel: So you consider adding a/v conferences to conversations?

no

i'm trying to understand how that would work

When will it be ready?

COIN and Colibiri are two XEPs they use, I think

As Jonas said, they add an occupant to the muc (nicknamed 'focus') that is used for signalling.

> When will it be ready? Yesterday would be a good date, otherwise xmpp is UNUSABLE!!!1!

Guus, neither COIN nor colibri mention MUC though

so that was kinda the missing piece that i needed to understand all that

You can join the MUC through XMPP for chat, but in Openfire, we decided against that. It offers very disturbing user experience, as there's then a set of occupants that only chat, and a set of occupants that both chat, but also have a video conference in which communication takes place.

It's technically entirely possible though (or at least it was in the state of the code ~2 years ago, when I last looked)

got to feed the kids. later

https://faq.whatsapp.com/general/chats/how-to-format-your-messages/ :)

curl !$ > xep-xxxx.xml

MattJ: pandoc !$ -o modernxmpp/how-to-format-your-messages.md

> https://faq.whatsapp.com/general/chats/how-to-format-your-messages/ :) Isn't that literally what we are doing?

Yep, pretty much

Maybe they thought adding that xep would be *fun*.

Doesn't mean it is a good example :)

What do you think if we change the name of https://commons.wikimedia.org/wiki/File:XMPP_logo.svg to XSF_logo.svg? And add XMPP_logo.svg without XMPP text?

lbocquet, why? I don't think the XSF has a logo. And XMPP is no property of the XSF, it's an IETF standard

How we can publish the logo with text and without?

I have seen XSF_logo.svg (which is not good) without XMPP text...

The XMPP_logo.svg has MIT license and it is "Copyright © XMPP Standards Foundation" ✏

So the XSF has copyrights for the XMPP logo, that doesn't make it the XSF logo :)