moparisthebest: has anyone run MUC over MIX over MUX yet? https://xmpp.org/extensions/inbox/mux.html (or at least made the joke)
SamWhited: This whole Go XML debacle has made me think of another reason to use bytes instead of codepoints in references: if we ever want to sign references in the future you can't take a hash of codepoints without reencoding. Probably not applicable to @mentions, but references likely have applications far beyond that. Being able to just pass the indexes directly to a byte slice operation and get a sha out seems like good practice.
Ge0rG: Until you realize that signing a subset of a message is a recipe for disaster
jonas’: ok, I read that mattermost article, and I’m like wtf
jonas’: it makes no sense whatsoever
Ge0rG: jonas’: there are also no examples in the CVEs.
Ge0rG: I suppose that you can craft XML that will be parsed incorrectly or something
Ge0rG: And apparently the validator will decode, re-encode, and compare the resulting strings
jonas’: they say it's in the roundtrips and somehow related to namespace prefixes
jonas’: and unfixable due to api
Ge0rG: Or rather, the xml structure.
Ge0rG: Yeah, that's not how you describe a vulnerability
jonas’: but at least it’s no RCE or something, so I don’t have to take down o.j.n
Ge0rG: When did you rewrite ojn in go?
jonas’: the probers always were go
jonas’: based on SamWhited’s nice low-level xmpp library
jonas’: was easier to use for such low level tasks than aioxmpp
mdosch: There are only low level xmpp libs in go…
Ge0rG: But you can use them to extract byte streams!
Ge0rG: Where are all the hard learned lessons about how (not) to hash xml content?
jonas’: in the xmlsec standard
jonas’: used by SAML
jonas’: so this reads dire for encoding/xml IMO
Ge0rG: there is only an xmlsec library. And it's written in C!
Ge0rG: jonas’: ah thanks. Did you consider those when designing 0390?
jonas’: no
edhelas: a small question about 0045
edhelas: what is the general purpose of muc#roomconfig_pubsub ?
mathieui: I thought it could be for 0316 but that does not appear therein
dwd: edhelas, I always assumed that was a half-baked idea that never went anywhere.
dwd: edhelas, Back in the day, there was a lot of "Oh, we can have pubsub here".
edhelas: Holger I see that the field is available through the ejabberd MUC config, does it trigger some things in the backend or is it just pure metadata ?
Holger: edhelas: Just pure metadata.
SamWhited: Ge0rG: this is *not* the same as the partial signing nonsense that XML-DSig does, however, I take your point, might as well sign the whole body and still not be able to figure out what the signature matches up to because codepoints and different normalization forms were used.
edhelas: Holger ok thanks :)
edhelas: it can kinda make sense in Movim this field, then you can link a Movim Community (Pubsub Atom node) to a MUC, but I need to figure out the UI to send the correct Pubsub URI
SamWhited: jonas’: I must admit, I had wondered about why you were using mellium when you make an XMPP library; glad it was useful :) I'd be really curious what the differences are that made it easier for you if you remember. I'd like to develop a higher level library on top of it at some point and it would be helpful to figure out exactly where that dividing line lies to have real first-hand experience where a higher level library wasn't enough.
jonas’: SamWhited, easy: aioxmpp does not have s2s support whatsoever.
SamWhited: oh, hah, fair enough
jonas’: and it (intentionally) makes it hard to shoot yourself in the foot by messing with the lower layers of stream negotiation
SamWhited: Mellium doesn't either yet really, but I've got a package on a branch somewhere that should make it a little easier
jonas’: well, it can do enough. I don’t need to go beyond stream features really :)
jonas’: SamWhited, the main reason though (because I could easily have hacked that into aioxmpp and also did that by now for other reasons) is that the infrastructure is based on prometheus and prometheus is very golang
SamWhited: Also makes sense; thanks.
SamWhited goes to remind himself what state the SASL-EXTERNAL/BIDI implementations were in and see if they can be merged
wurstsalat: Zash, just in case you didn’t know about Ook yet https://sv.wikipedia.org/wiki/Ook
Zash: I knew about /that/ definition.
Ge0rG: the other one is in the XEP
Zash: I couldn't spot anything obviously disqualifying anyways. Maybe it's too dark to see up here.
MattJ: jonas’, I'm not sure I'm satisfied with the "it's like CORS" argument re. custom XEP-0363 headers
MattJ: CORS is largely protecting against the kinds of issues that wouldn't really be applicable to most XMPP clients, while we allow the server to set Authorization which is a very restricted header as far as CORS is concerned
MattJ: For web clients that do need to be careful, CORS will be there anyway, we don't need additional restrictions on our side
jonas’: I wish I had found the thread from when this was added
jonas’: MattJ, practically, though, you could put a shim proxy in front of whatever cloud service to use to translate a blob in authorized into whatever you need
SamWhited: Then you have to pay for all that bandwidth. This is what we did for HipChat (not with HTTP upload, but basically the same thing) and it cost a *lot* more.
jonas’: right
SamWhited: I mean, we had to do that anyways for auth reasons, so worth it, but I can imagine most services would just prefer to upload straight to <cloud provider>
jonas’: MattJ, I think your argument, if written out in more detail, would be a great addition to the current thread though
SamWhited: I'm with Zash; X- isn't actually a thing, adding it is just a weird bandaid that makes some services happy but not others. Doesn't seem worth special casing it.
Zash: https://tools.ietf.org/html/rfc6648
Ge0rG: HTTP is a horrible footgun. It was a huge error embedding it into our clean and nice well-structured protocol
SamWhited: Something something glass houses and stones
moparisthebest: another group might say "Apple and Go can't even parse XML correctly why does XMPP use it"
Zash: Let's throw glass Go pieces at Apple
SamWhited: Literally no one can parse XML correctly; namespaces are a nightmare. Special casing attributes, but only sometimes, and also multiple ways to declare them, etc.
Zash: Nor can they parse HTML
Zash: or anything
SamWhited: And don't even get me started on anything like dsig (not relevant to us, thank goodness, we do this right for the most part I think) where things that aren't the actual bytes on the wire are hashed and you have a canonicalization mechanism to hopefully make signatures match
Zash: Since we can't into computers, let's just become farmers
eta: compliance tests are pretty useful for this btw
eta: like, if the people who write the spec also write tests
Ge0rG: eta: compliance tests only test the positive case
Ge0rG: then hackers test the other cases.
eta: because I mean personally when implementing things I just bash stuff together until it works
SamWhited: Not relying on exact parser output for security is also useful :) (and now it's time to complain about SAML)
eta: Ge0rG: well you can test negative cases
Ge0rG: eta: you *can*, but why *would* you?
flow: causing testing more cases is generally a good thing?
eta: yeah
Ge0rG: flow: testing is just unneeded work! it doesn't move the scrum tasks!
marc: SamWhited: regarding eIBR, any news about the things we discussed last time?
SamWhited: marc: what discussion was that, I don't recall?
Alex: hey guys, it's member meeting time again
Alex bangs the gavel
Alex: here is our Agenda for today: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15
Alex: 1) Call for Quorum
adiaholic: 😀
Alex: as you can see 32 members voted via proxy, so we have a quorum
Alex: 2) Items Subject to a Vote
Alex: new and returning members, you can see the applications here: https://wiki.xmpp.org/web/Membership_Applications_Q4_2020
Alex: 3) Opportunity for XSF Members to Vote in the Meeting
Alex: anyone here who has not voted yet and wants to do so now?
Zash: Just had a chat with memberbot
Alex: 👍
Alex: anyone else?
Alex: okay
Alex: will shutdown memberbot then and start working on the results
Alex: 4) Announcement of Voting Results
Alex: when you reload the page you can see the results here: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15#Announcement_of_Voting_Results
Alex: all reappliers and applicants are accepted. Congrats all
Alex: 5) Any Other Business?
adiaholic: Thanks a lot!
Alex: 6) Formal Adjournment
Alex: I motion that we adjourn
Alex bangs the gavel
Alex: thanks everyone
marc: SamWhited: regarding feedback to the user based on the challenge's response
SamWhited: marc: oh, are you also zapb? I remember that; I just haven't prepared a new version yet.
marc: SamWhited: yep, okay
SamWhited: Gotcha; sorry about that, I think I knew that but wasn't putting the names together for some reason.