XSF Discussion - 2020-12-14


  1. mukt2 has left

  2. emus has left

  3. arc has left

  4. mukt2 has joined

  5. darkijah has joined

  6. Arne has left

  7. Arne has joined

  8. Aleksej has left

  9. darkijah

    hello

  10. darkijah

    anyone there?

  11. arc has joined

  12. adiaholic has left

  13. Andrzej has joined

  14. lskdjf has left

  15. darkijah has left

  16. matkor has left

  17. Andrzej has left

  18. dwd has left

  19. adiaholic has joined

  20. krauq has left

  21. LNJ has left

  22. raghavgururajan has left

  23. krauq has joined

  24. raghavgururajan has joined

  25. govanify has left

  26. govanify has joined

  27. Shell has left

  28. intosi has joined

  29. darkijah has joined

  30. darkijah has left

  31. Shell has joined

  32. darkijah has joined

  33. darkijah has left

  34. darkijah has joined

  35. darkijah has left

  36. intosi has left

  37. andrey.g has left

  38. krauq has left

  39. krauq has joined

  40. Yagiza has joined

  41. Andrzej has joined

  42. govanify has left

  43. govanify has joined

  44. govanify has left

  45. govanify has joined

  46. Andrzej has left

  47. mukt2 has left

  48. raghavgururajan has left

  49. raghavgururajan has joined

  50. arc has left

  51. arc has joined

  52. arc has left

  53. arc has joined

  54. chronosx88 has joined

  55. Andrzej has joined

  56. govanify has left

  57. govanify has joined

  58. arc has left

  59. arc has joined

  60. arc has left

  61. arc has joined

  62. arc has left

  63. arc has joined

  64. krauq has left

  65. arc has left

  66. arc has joined

  67. krauq has joined

  68. neshtaxmpp has joined

  69. govanify has left

  70. govanify has joined

  71. APach has left

  72. APach has joined

  73. mukt2 has joined

  74. DebXWoody has joined

  75. wladmis has left

  76. govanify has left

  77. govanify has joined

  78. APach has left

  79. Mikaela has joined

  80. mukt2 has left

  81. APach has joined

  82. arc has left

  83. arc has joined

  84. krauq has left

  85. krauq has joined

  86. govanify has left

  87. govanify has joined

  88. lorddavidiii has joined

  89. arc has left

  90. arc has joined

  91. arc has left

  92. arc has joined

  93. Tobias has joined

  94. andy has joined

  95. arc has left

  96. arc has joined

  97. matkor has joined

  98. mukt2 has joined

  99. chronosx88 has left

  100. chronosx88 has joined

  101. mukt2 has left

  102. paul has joined

  103. arc has left

  104. arc has joined

  105. wurstsalat has joined

  106. pitchum has joined

  107. dwd has joined

  108. mukt2 has joined

  109. pitchum has left

  110. emus has joined

  111. krauq has left

  112. mdosch has left

  113. mdosch has joined

  114. krauq has joined

  115. Adi has joined

  116. lorddavidiii has left

  117. raghavgururajan has left

  118. floretta has left

  119. j.r has left

  120. j.r has joined

  121. Guus has left

  122. lorddavidiii has joined

  123. j.r has left

  124. j.r has joined

  125. moparisthebest has left

  126. eevvoor has joined

  127. Guus has joined

  128. j.r has left

  129. debacle has joined

  130. moparisthebest has joined

  131. lskdjf has joined

  132. j.r has joined

  133. Kev has joined

  134. Guus has left

  135. krauq has left

  136. MattJ

    @SCAM: FOSDEM call for stands is open, though hopefully nobody is actually relying on me to know that :)

  137. krauq has joined

  138. Shell has left

  139. eevvoor has left

  140. Guus has joined

  141. andrey.g has joined

  142. krauq has left

  143. krauq has joined

  144. lorddavidiii has left

  145. flow

    hmm, online stands?

  146. moparisthebest has left

  147. pasdesushi has joined

  148. andrey.g has left

  149. pasdesushi has left

  150. APach has left

  151. APach has joined

  152. lorddavidiii has joined

  153. intosi has joined

  154. emus has left

  155. neshtaxmpp has left

  156. MattJ

    Yes, online stands

  157. lorddavidiii has left

  158. MattJ

    I think it would be good to issue (as early as possible) a call for content from projects

  159. MattJ

    People may need time to prepare

  160. lorddavidiii has joined

  161. moparisthebest has joined

  162. Aleksej has joined

  163. Andrzej has left

  164. krauq has left

  165. krauq has joined

  166. Adi has left

  167. Adi has joined

  168. mukt2 has left

  169. krauq has left

  170. krauq has joined

  171. DebXWoody has left

  172. DebXWoody has joined

  173. pasdesushi has joined

  174. emus has joined

  175. mukt2 has joined

  176. andrey.g has joined

  177. intosi has left

  178. Andrzej has joined

  179. pasdesushi has left

  180. inky has left

  181. mukt2 has left

  182. emus has left

  183. emus has joined

  184. intosi has joined

  185. mukt2 has joined

  186. Andrzej has left

  187. Kev has left

  188. intosi has left

  189. Kev has joined

  190. Andrzej has joined

  191. lorddavidiii has left

  192. intosi has joined

  193. LNJ has joined

  194. neshtaxmpp has joined

  195. andrey.g has left

  196. focus121 has left

  197. focus121 has joined

  198. Andrzej has left

  199. lorddavidiii has joined

  200. antranigv has joined

  201. mimi89999 has left

  202. mimi89999 has joined

  203. intosi has left

  204. larma has left

  205. larma has joined

  206. Zash

    How does an online stand even work?

  207. eevvoor has joined

  208. SamWhited

    Video chat with slides and the website shared?

  209. lorddavidiii has left

  210. Alex has left

  211. alameyo has left

  212. raghavgururajan has joined

  213. Steve Kille has left

  214. raghavgururajan has left

  215. mukt2 has left

  216. mukt2 has joined

  217. raghavgururajan has joined

  218. intosi has joined

  219. Steve Kille has joined

  220. moparisthebest has left

  221. intosi has left

  222. raghavgururajan has left

  223. raghavgururajan has joined

  224. lorddavidiii has joined

  225. moparisthebest has joined

  226. mukt2 has left

  227. Andrzej has joined

  228. intosi has joined

  229. moparisthebest has left

  230. Alex has joined

  231. debacle has left

  232. papatutuwawa has joined

  233. inky has joined

  234. moparisthebest has joined

  235. Shell has joined

  236. Kev has left

  237. Kev has joined

  238. antranigv

    Is there any "reset password" standard?

  239. pasdesushi has joined

  240. antranigv

    I was thinking of this: the user asks for "reset password", the server looks for emails in the VCard, and we send the "link", say via HTTP, OR a new password, to their specified email.

  241. MattJ

    I'm not aware of a standard for that, no. Also using the vCard is unwise because it's typically not verified (so a typo could grant someone else access to the account, etc.)

  242. mathieui

    would be nice to have a standard way of reaching the user as a service or admin though

  243. MattJ

    Also I may not want to publish an email but still have one registered, or I may want to use a different email for my account but publish a different public email address

  244. mathieui

    We often have to correlate the little data we have when we get a "lost password" request

  245. intosi has left

  246. MattJ

    For Prosody I'm planning to work on verified email (and possibly phone number) support, which would help a lot with that

  247. jonas’

    :-O

  248. APach has left

  249. APach has joined

  250. SamWhited

    It's not widely supported, but XEP-0389 handles password reset

  251. APach has left

  252. APach has joined

  253. pasdesushi has left

  254. MattJ

    Ah yes

  255. MattJ

    So the future is hopeful :)

  256. Ge0rG

    SamWhited: by asking for an email during EIBR?

  257. mukt2 has joined

  258. antranigv

    MattJ, that would be nice, I run a mix of prosody and ejabberd, but the main jabber.am server is still prosody, and would love to see that.

  259. SamWhited

    Sure, that would be one way

  260. SamWhited

    You could also do it after registration. Eventually maybe define a URI to open the client and continue the reset process

  261. papatutuwawa has left

  262. Daniel

    In some scenarios it might make sense to tie the account registration to SMS verification anyway.

  263. SamWhited

    (eIBR can also do that; really this is the use case I had in mind when I designed it :) )

  264. Ge0rG

    how do you get the URI after you lost your password?

  265. mukt2 has left

  266. Ge0rG

    Daniel: how is quicksy going btw?

  267. Daniel

    Terribly

  268. SamWhited

    Ge0rG: eIBR works before login, so somewhere in your client you'd pick "I forgot my password" or something and it would just select the eIBR feature instead of the normal auth feature

  269. adiaholic has left

  270. Ge0rG

    SamWhited: ah well, doing oob authentication during password reset is probably not the challenging part ;)

  271. Ge0rG

    I was looking into how to make the users define the oob channel in advance in a sensible way

  272. SamWhited

    Ge0rG: I guess I'm not sure what you mean? What is "define the oob channel?"

  273. adiaholic has joined

  274. Ge0rG

    SamWhited: a user needs to give an email address / phone number / avian carrier coordinates at some time, and the server needs to verify that

  275. Ge0rG

    it shouldn't be mandatory though

  276. SamWhited

    Ge0rG: if you're using eIBR you could use the dataform challenge and just ask for that stuff, or you could define your own more specific challenge if dataforms aren't desired

  277. Daniel

    Ge0rG: I think you need to transport the actual carrier, not the coordinates

  278. mukt2 has joined

  279. Daniel

    Like mail it in or something

  280. Zash

    Ad-hoc command?

  281. Ge0rG

    SamWhited: well, passing an email during IBR has been a thing for seventeen years now

  282. intosi has joined

  283. Ge0rG

    I'm not sure if any server implementation will actually verify that email address

  284. MattJ

    Prosody doesn't, currently

  285. SamWhited

    Sure, how the server actually implements things is up to them

  286. Ge0rG

    Daniel: good point. I'm not sure if that's in scope for eIBR though

  287. Ge0rG

    integrated IM solutions can do nifty things like https://developers.google.com/identity/sms-retriever/overview

  288. APach has left

  289. intosi has left

  290. intosi has joined

  291. Aleksej has left

  292. APach has joined

  293. lorddavidiii has left

  294. lorddavidiii has joined

  295. wladmis has joined

  296. Kev has left

  297. Алексей has left

  298. Steve Kille has left

  299. APach has left

  300. APach has joined

  301. Andrzej has left

  302. intosi has left

  303. Andrzej has joined

  304. xsf has left

  305. xsf has joined

  306. paul has left

  307. floretta has joined

  308. paul has joined

  309. Aleksej has joined

  310. Aleksej has left

  311. dwd

    We did a password reset system for a failed product at Surevine. Built around two SASL mechanisms, one for the "I forgot my password" bit, and a one-time reset code one to handle the "Click here to reset your password" link.

  312. lorddavidiii has left

  313. intosi has joined

  314. lorddavidiii has joined

  315. neshtaxmpp has left

  316. neshtaxmpp has joined

  317. pasdesushi has joined

  318. chronosx88 has left

  319. chronosx88 has joined

  320. pasdesushi has left

  321. lorddavidiii has left

  322. intosi has left

  323. Andrzej has left

  324. Andrzej has joined

  325. APach has left

  326. APach has joined

  327. alameyo has joined

  328. intosi has joined

  329. Adi has left

  330. eevvoor has left

  331. eevvoor has joined

  332. lorddavidiii has joined

  333. intosi has left

  334. debacle has joined

  335. Wojtek has joined

  336. Maranda has left

  337. intosi has joined

  338. Maranda has joined

  339. pasdesushi has joined

  340. eevvoor has left

  341. eevvoor has joined

  342. pasdesushi has left

  343. intosi has left

  344. Kev has joined

  345. Arne has left

  346. krauq has left

  347. krauq has joined

  348. intosi has joined

  349. pasdesushi has joined

  350. pasdesushi has left

  351. pasdesushi has joined

  352. pasdesushi has left

  353. Arne has joined

  354. lovetox has joined

  355. intosi has left

  356. antranigv has left

  357. pasdesushi has joined

  358. antranigv has joined

  359. pasdesushi has left

  360. pasdesushi has joined

  361. DebXWoody has left

  362. neshtaxmpp has left

  363. neshtaxmpp has joined

  364. DebXWoody has joined

  365. intosi has joined

  366. Lance has left

  367. Andrzej has left

  368. Andrzej has joined

  369. intosi has left

  370. lorddavidiii has left

  371. lorddavidiii has joined

  372. pasdesushi has left

  373. matkor has left

  374. intosi has joined

  375. Maranda

    Ge0rG: Metronome does, and also verifies that the address is not a disposable one....

  376. arc has left

  377. jonas’

    Maranda, how do you verify that it’s not disposable? :)

  378. arc has joined

  379. Maranda

    I pass the domain name to an external REST API which does that

  380. Maranda

    If it's caught as DEA it will invalidate the registration

  381. Ge0rG

    > an external REST API

    That's how the internet works, right?

  382. adiaholic has left

  383. Maranda

    Ge0rG: if you want you can implement your own thing, and collect the data required... Tbh I found it more convenient to let someone else do the latter, and since.. Yes most ppl use a REST API.

  384. Maranda

    😺

  385. Ge0rG

    Maranda: not criticizing you, I understand the trade-offs

  386. matkor has joined

  387. mathieui

    Oh no, those APIs are the bane of my existence since I use spamgourmet

  388. Maranda

    ... Had to look up the DB I use in the code because it's been years since I touched it. Anyways it's https://www.nameapi.org/

  389. moparisthebest

    If you are going to do it that's probably a fine way, but... Why prohibit disposable emails at all

  390. mathieui

    moparisthebest, because that’s what spammers use

  391. Maranda

    moparisthebest: they're used by spammers to circumvent verification

  392. moparisthebest

    Spammers set up their own domains no problem

  393. SamWhited

    Spammers generally don't like to set up their own domains because other providers use domain reputation and if you set up a new domain you don't have a positive reputation to help you land in people's inboxes even though the contents of your message looked kind of spammy.

  394. MattJ

    You're right, it should be a simple whitelist of gmail.com, outlook.com, yahoo.com

  395. Maranda

    moparisthebest: once they become detected and listed, nameapi will block those as well

  396. Maranda

    They do several checks

  397. Maranda

    Not just DEA

  398. Maranda

    It served me well enough over the years

  399. Zash

    MattJ, make sure to whitelist their MXes so everyone with custom domains isn't blocked!

  400. floretta has left

  401. intosi has left

  402. chronosx88 has left

  403. floretta has joined

  404. paul has left

  405. Wojtek has left

  406. intosi has joined

  407. krauq has left

  408. krauq has joined

  409. eevvoor has left

  410. nyco has left

  411. Kev has left

  412. Kev has joined

  413. nyco has joined

  414. adiaholic has joined

  415. papatutuwawa has joined

  416. j.r has left

  417. lorddavidiii has left

  418. Wojtek has joined

  419. lorddavidiii has joined

  420. intosi has left

  421. j.r has joined

  422. Steve Kille has joined

  423. chronosx88 has joined

  424. pasdesushi has joined

  425. intosi has joined

  426. pasdesushi has left

  427. paul has joined

  428. lorddavidiii has left

  429. intosi has left

  430. fuana has joined

  431. Kev has left

  432. Kev has joined

  433. chronosx88 has left

  434. chronosx88 has joined

  435. Aleksej has joined

  436. fuana has left

  437. fuana has joined

  438. lorddavidiii has joined

  439. DebXWoody has left

  440. Andrzej has left

  441. intosi has joined

  442. arc has left

  443. arc has joined

  444. pasdesushi has joined

  445. Andrzej has joined

  446. fuana has left

  447. pasdesushi has left

  448. intosi has left

  449. pasdesushi has joined

  450. chronosx88 has left

  451. chronosx88 has joined

  452. pasdesushi has left

  453. pasdesushi has joined

  454. pasdesushi has left

  455. Wojtek has left

  456. pasdesushi has joined

  457. Yagiza has left

  458. intosi has joined

  459. stpeter has joined

  460. stpeter has left

  461. Andrzej has left

  462. pasdesushi has left

  463. APach has left

  464. APach has joined

  465. APach has left

  466. APach has joined

  467. intosi has left

  468. jcbrand has left

  469. Arne has left

  470. Arne has joined

  471. jcbrand has joined

  472. Andrzej has joined

  473. Guus has left

  474. krauq has left

  475. krauq has joined

  476. intosi has joined

  477. serge90 has left

  478. serge90 has joined

  479. krauq has left

  480. stpeter has joined

  481. stpeter has left

  482. krauq has joined

  483. floretta has left

  484. floretta has joined

  485. moparisthebest

    this is probably bad, I know SamWhited does Go XMPP stuff, anyone else? https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

  486. andrey.g has joined

  487. raghavgururajan has left

  488. jcbrand has left

  489. paul has left

  490. jonas’

    moparisthebest: oh my

  491. moparisthebest

    I'm not absolutely positive whether this is a deal breaker for XMPP or not, looks like attribute/element ordering isn't preserved

  492. moparisthebest

    it is "unfixable" at the moment so they just dropped it

  493. intosi has left

  494. raghavgururajan has joined

  495. Kev

    I'm not sure it's a security vulnerability, but it's definitely not irrelevant, e.g. data forms.

  496. Kev

    Also Atom over pubsub, I guess.

  497. Wojtek has joined

  498. Andrzej has left

  499. intosi has joined

  500. arc has left

  501. Tobias has left

  502. chronosx88 has left

  503. chronosx88 has joined

  504. Kev has left

  505. moparisthebest

    this is old but I just saw it today too, a case of bad XML comment parsing causing a major security bug in iOS https://siguza.github.io/psychicpaper/ / https://twitter.com/s1guza/status/1255641164885131268

  506. alameyo has left

  507. moparisthebest

    https://i.imgflip.com/4qcxj6.jpg

  508. intosi has left

  509. Wojtek has left

  510. lorddavidiii has left

  511. lorddavidiii has joined

  512. david has left

  513. david has joined

  514. lovetox has left

  515. intosi has joined

  516. Mikaela has left

  517. j.r has left

  518. j.r has joined

  519. lorddavidiii has left

  520. lorddavidiii has joined

  521. raghavgururajan has left

  522. intosi has left

  523. chronosx88 has left

  524. chronosx88 has joined

  525. paul has joined

  526. papatutuwawa has left

  527. deuill has left

  528. intosi has joined

  529. alameyo has joined

  530. deuill has joined

  531. lorddavidiii has left

  532. Wojtek has joined

  533. Andrzej has joined

  534. lorddavidiii has joined

  535. intosi has left

  536. chronosx88 has left

  537. chronosx88 has joined

  538. andrey.g has left

  539. lorddavidiii has left

  540. andrey.g has joined

  541. raghavgururajan has joined

  542. Andrzej has left

  543. intosi has joined

  544. deuill has left

  545. deuill has joined

  546. raghavgururajan has left

  547. Wojtek has left

  548. intosi has left