has anyone run MUC over MIX over MUX yet? https://xmpp.org/extensions/inbox/mux.html (or at least made the joke)
SamWhited
This whole Go XML debacle has made me think of another reason to use bytes instead of codepoints in references: if we ever want to sign references in the future you can't take a hash of codepoints without reencoding. Probably not applicable to @mentions, but references likely have applications far beyond that. Being able to just pass the indexes directly to a byte slice operation and get a sha out seems like good practice.
Ge0rG
Until you realize that signing a subset of a message is a recipe for disaster
jonas’
ok, I read that mattermost article, and I’m like wtf
jonas’
it makes no sense whatsoever
Ge0rG
jonas’: there are also no examples in the CVEs.
Ge0rG
I suppose that you can craft XML that will be parsed incorrectly or something
Ge0rG
And apparently the validator will decode, re-encode, and compare the resulting strings
jonas’
they say it's in the roundtrips and somehow related to namespace prefixes
jonas’
and unfixable due to api
Ge0rG
Or rather, the xml structure.
Ge0rG
Yeah, that's not how you describe a vulnerability
jonas’
but at least it’s no RCE or something, so I don’t have to take down o.j.n
Ge0rG
When did you rewrite ojn in go?
jonas’
the probers always were go
jonas’
based on SamWhited’s nice low-level xmpp library
jonas’
was easier to use for such low level tasks than aioxmpp
mdosch
There are only low level xmpp libs in go…
Ge0rG
But you can use them to extract byte streams!
Ge0rG
Where are all the hard learned lessons about how (not) to hash xml content?
jonas’
in the xmlsec standard
jonas’
used by SAML
jonas’
so this reads dire for encoding/xml IMO
Ge0rG
there is only an xmlsec library. And it's written in C!
jonas’: ah thanks. Did you consider those when designing 0390?
jonas’
no
edhelas
a small question about 0045
edhelas
what is the general purpose of muc#roomconfig_pubsub ?
mathieui
I thought it could be for 0316 but that does not appear therein
dwd
edhelas, I always assumed that was a half-baked idea that never went anywhere.
dwd
edhelas, Back in the day, there was a lot of "Oh, we can have pubsub here".
edhelas
Holger I see that the field is available through the ejabberd MUC config, does it trigger some things in the backend or is it just pure metadata?
Holger
edhelas: Just pure metadata.
SamWhited
Ge0rG: this is *not* the same as the partial signing nonsense that XML-DSig does, however, I take your point, might as well sign the whole body and still not be able to figure out what the signature matches up to because codepoints and different normalization forms were used.
edhelas
Holger ok thanks :)
edhelas
this field can kinda make sense in Movim, then you can link a Movim Community (Pubsub Atom node) to a MUC, but I need to figure out the UI to send the correct Pubsub URI
SamWhited
jonas’: I must admit, I had wondered about why you were using mellium when you make an XMPP library; glad it was useful :) I'd be really curious what the differences are that made it easier for you if you remember. I'd like to develop a higher level library on top of it at some point and it would be helpful to figure out exactly where that dividing line lies to have real first-hand experience where a higher level library wasn't enough.
jonas’
SamWhited, easy: aioxmpp does not have s2s support whatsoever.
SamWhited
oh, hah, fair enough
jonas’
and it (intentionally) makes it hard to shoot yourself in the foot by messing with the lower layers of stream negotiation
SamWhited
Mellium doesn't either yet really, but I've got a package on a branch somewhere that should make it a little easier
jonas’
well, it can do enough. I don’t need to go beyond stream features really :)
jonas’
SamWhited, the main reason though (because I could easily have hacked that into aioxmpp and also did that by now for other reasons) is that the infrastructure is based on prometheus and prometheus is very golang
SamWhited
Also makes sense; thanks.
SamWhited goes to remind himself what state the SASL-EXTERNAL/BIDI implementations were in and see if they can be merged
wurstsalat
Zash, just in case you didn’t know about Ook yet https://sv.wikipedia.org/wiki/Ook
Zash
I knew about /that/ definition.
Ge0rG
the other one is in the XEP
Zash
I couldn't spot anything obviously disqualifying anyways. Maybe it's too dark to see up here.
MattJ
jonas’, I'm not sure I'm satisfied with the "it's like CORS" argument re. custom XEP-0363 headers
MattJ
CORS is largely protecting against the kinds of issues that wouldn't really be applicable to most XMPP clients, while we allow the server to set Authorization which is a very restricted header as far as CORS is concerned
MattJ
For web clients that do need to be careful, CORS will be there anyway, we don't need additional restrictions on our side
jonas’
I wish I had found the thread from when this was added
jonas’
MattJ, practically, though, you could put a shim proxy in front of whatever cloud service to use to translate a blob in authorized into whatever you need
SamWhited
Then you have to pay for all that bandwidth. This is what we did for HipChat (not with HTTP upload, but basically the same thing) and it cost a *lot* more.
jonas’
right
SamWhited
I mean, we had to do that anyways for auth reasons, so worth it, but I can imagine most services would just prefer to upload straight to <cloud provider>
jonas’
MattJ, I think your argument, if written out in more detail, would be a great addition to the current thread though
I'm with Zash; X- isn't actually a thing, adding it is just a weird bandaid that makes some services happy but not others. Doesn't seem worth special casing it.
Zash
https://tools.ietf.org/html/rfc6648
Ge0rG
HTTP is a horrible footgun. It was a huge error embedding it into our clean and nice well-structured protocol
SamWhited
Something something glass houses and stones
moparisthebest
another group might say "Apple and Go can't even parse XML correctly why does XMPP use it"
Zash
Let's throw glass Go pieces at Apple
SamWhited
Literally no one can parse XML correctly; namespaces are a nightmare. Special casing attributes, but only sometimes, and also multiple ways to declare them, etc.
Zash
Nor can they parse HTML
Zash
or anything
SamWhited
And don't even get me started on anything like dsig (not relevant to us, thank goodness, we do this right for the most part I think) where things that aren't the actual bytes on the wire are hashed and you have a canonicalization mechanism to hopefully make signatures match
Zash
Since we can't into computers, let's just become farmers
eta
compliance tests are pretty useful for this btw
eta
like, if the people who write the spec also write tests
Ge0rG
eta: compliance tests only test the positive case
Ge0rG
then hackers test the other cases.
eta
because I mean personally when implementing things I just bash stuff together until it works
SamWhited
Not relying on exact parser output for security is also useful :) (and now it's time to complain about SAML)
eta
Ge0rG: well you can test negative cases
Ge0rG
eta: you *can*, but why *would* you?
flow
'cause testing more cases is generally a good thing?
eta
yeah
Ge0rG
flow: testing is just unneeded work! it doesn't move the scrum tasks!
marc
SamWhited: regarding eIBR, any news about the things we discussed last time?
SamWhited
marc: what discussion was that, I don't recall?
Alex
hey guys, it's member meeting time again
Alex bangs the gavel
Alex
here is our Agenda for today:
https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15
Alex
1) Call for Quorum
adiaholic
😀
Alex
as you can see 32 members voted via proxy, so we have a quorum
Alex
2) Items Subject to a Vote
Alex
new and returning members, you can see the applications here:
https://wiki.xmpp.org/web/Membership_Applications_Q4_2020
Alex
3) Opportunity for XSF Members to Vote in the Meeting
Alex
anyone here who has not voted yet and wants to do so now?
Zash
Just had a chat with memberbot
Alex
👍
Alex
anyone else?
Alex
okay
Alex
will shutdown memberbot then and start working on the results
Alex
4) Announcement of Voting Results
Alex
when you reload the page you can see the results here:
https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15#Announcement_of_Voting_Results
Alex
all reappliers and applicants are accepted. Congrats all
Alex
5) Any Other Business?
adiaholic
Thanks a lot!
Alex
6) Formal Adjournment
Alex
I motion that we adjourn
Alex bangs the gavel
Alex
thanks everyone
marc
SamWhited: regarding feedback to the user based on the challenge's response
SamWhited
marc: oh, are you also zapb? I remember that; I just haven't prepared a new version yet.
marc
SamWhited: yep, okay
SamWhited
Gotcha; sorry about that, I think I knew that but wasn't putting the names together for some reason.