XSF Discussion - 2020-12-15


  1. intosi has joined

  2. Arne has left

  3. intosi has left

  4. andy has left

  5. stpeter has joined

  6. stpeter has left

  7. paul has left

  8. raghavgururajan has joined

  9. mukt2 has left

  10. j.r has left

  11. j.r has joined

  12. mukt2 has joined

  13. lskdjf has left

  14. deuill has left

  15. deuill has joined

  16. j.r has left

  17. Aleksej has left

  18. debacle has left

  19. intosi has joined

  20. Arne has joined

  21. peetah has left

  22. peetah has joined

  23. emus has left

  24. intosi has left

  25. intosi has joined

  26. Andrzej has joined

  27. govanify has left

  28. govanify has joined

  29. intosi has left

  30. dwd has left

  31. Andrzej has left

  32. govanify has left

  33. govanify has joined

  34. intosi has joined

  35. krauq has left

  36. krauq has joined

  37. chronosx88 has left

  38. chronosx88 has joined

  39. intosi has left

  40. Andrzej has joined

  41. arc has joined

  42. winfried has left

  43. winfried has joined

  44. peetah has left

  45. peetah has joined

  46. andrey.g has left

  47. govanify has left

  48. govanify has joined

  49. intosi has joined

  50. moparisthebest

    has anyone run MUC over MIX over MUX yet? https://xmpp.org/extensions/inbox/mux.html (or at least made the joke)

  51. Andrzej has left

  52. Andrzej has joined

  53. Alex has left

  54. eta has left

  55. eta has joined

  56. LNJ has left

  57. wurstsalat has left

  58. intosi has left

  59. Andrzej has left

  60. krauq has left

  61. krauq has joined

  62. intosi has joined

  63. alex-a-soto has left

  64. alex-a-soto has joined

  65. david has left

  66. david has joined

  67. intosi has left

  68. govanify has left

  69. govanify has joined

  70. intosi has joined

  71. mukt2 has left

  72. intosi has left

  73. alameyo has left

  74. intosi has joined

  75. SamWhited

    This whole Go XML debacle has made me think of another reason to use bytes instead of codepoints in references: if we ever want to sign references in the future you can't take a hash of codepoints without reencoding. Probably not applicable to @mentions, but references likely have applications far beyond that. Being able to just pass the indexes directly to a byte slice operation and get a sha out seems like good practice.

  76. Andrzej has joined

  77. intosi has left

  78. alameyo has joined

  79. krauq has left

  80. krauq has joined

  81. chronosx88 has left

  82. chronosx88 has joined

  83. Andrzej has left

  84. intosi has joined

  85. wladmis has left

  86. DebXWoody has joined

  87. Guus has joined

  88. intosi has left

  89. Guus has left

  90. Tobias has joined

  91. Andrzej has joined

  92. intosi has joined

  93. arc has left

  94. arc has joined

  95. arc has left

  96. arc has joined

  97. jcbrand has joined

  98. arc has left

  99. arc has joined

  100. slouchy6 has left

  101. slouchy6 has joined

  102. intosi has left

  103. andy has joined

  104. krauq has left

  105. krauq has joined

  106. moparisthebest has left

  107. Mikaela has joined

  108. moparisthebest has joined

  109. intosi has joined

  110. Yagiza has joined

  111. govanify has left

  112. govanify has joined

  113. intosi has left

  114. govanify has left

  115. govanify has joined

  116. paul has joined

  117. wurstsalat has joined

  118. intosi has joined

  119. dwd has joined

  120. lorddavidiii has joined

  121. intosi has left

  122. Arne has left

  123. emus has joined

  124. antranigv has left

  125. intosi has joined

  126. Arne has joined

  127. floretta has left

  128. andrey.g has joined

  129. Ge0rG

    Until you realize that signing a subset of a message is a recipe for disaster

  130. jonas’

    ok, I read that mattermost article, and I’m like wtf

  131. jonas’

    it makes no sense whatsoever

  132. Ge0rG

    jonas’: there are also no examples in the CVEs.

  133. Ge0rG

    I suppose that you can craft XML that will be parsed incorrectly or something

  134. Ge0rG

    And apparently the validator will decode, re-encode, and compare the resulting strings

  135. jonas’

    they say it's in the roundtrips and somehow related to namespace prefixes

  136. jonas’

    and unfixable due to api

  137. Ge0rG

    Or rather, the xml structure.

  138. Ge0rG

    Yeah, that's not how you describe a vulnerability

  139. jonas’

    but at least it’s no RCE or something, so I don’t have to take down o.j.n

  140. pasdesushi has joined

  141. j.r has joined

  142. Ge0rG

    When did you rewrite ojn in go?

  143. jonas’

    the probers always were go

  144. jonas’

    based on SamWhited’s nice low-level xmpp library

  145. jonas’

    was easier to use for such low level tasks than aioxmpp

  146. pasdesushi has left

  147. mdosch

    There are only low level xmpp libs in go…

  148. Ge0rG

    But you can use them to extract byte streams!

  149. Ge0rG

    Where are all the hard learned lessons about how (not) to hash xml content?

  150. jonas’

    in the xmlsec standard

  151. jonas’

    used by SAML

  152. jonas’

    so this reads dire for encoding/xml IMO

  153. peetah has left

  154. peetah has joined

  155. Ge0rG

    there is only an xmlsec library. And it's written in C!

  156. jonas’

    Ge0rG, https://www.w3.org/TR/xmldsig-core/ https://www.w3.org/TR/xmlenc-core/

  157. Ge0rG

    jonas’: ah thanks. Did you consider those when designing 0390?

  158. jonas’

    no

  159. j.r has left

  160. j.r has joined

  161. APach has left

  162. paul has left

  163. APach has joined

  164. paul has joined

  165. eevvoor has joined

  166. Alex has joined

  167. govanify has left

  168. govanify has joined

  169. intosi has left

  170. Guus has joined

  171. Zash has left

  172. Zash has joined

  173. j.r has left

  174. Shell has left

  175. Kev has joined

  176. lskdjf has joined

  177. Steve Kille has left

  178. Kev has left

  179. Алексей has joined

  180. Steve Kille has joined

  181. Kev has joined

  182. Tobias has left

  183. j.r has joined

  184. Tobias has joined

  185. lskdjf has left

  186. lskdjf has joined

  187. andrey.g has left

  188. pasdesushi has joined

  189. pasdesushi has left

  190. APach has left

  191. pasdesushi has joined

  192. Aleksej has joined

  193. pasdesushi has left

  194. gav has left

  195. alameyo has left

  196. APach has joined

  197. krauq has left

  198. krauq has joined

  199. DebXWoody has left

  200. DebXWoody has joined

  201. intosi has joined

  202. Andrzej has left

  203. Andrzej has joined

  204. debacle has joined

  205. Aleksej has left

  206. Steve Kille has left

  207. Steve Kille has joined

  208. arc has left

  209. arc has joined

  210. arc has left

  211. arc has joined

  212. govanify has left

  213. govanify has joined

  214. arc has left

  215. arc has joined

  216. arc has left

  217. arc has joined

  218. arc has left

  219. arc has joined

  220. arc has left

  221. arc has joined

  222. pasdesushi has joined

  223. pasdesushi has left

  224. intosi has left

  225. papatutuwawa has joined

  226. alameyo has joined

  227. krauq has left

  228. krauq has joined

  229. Andrzej has left

  230. Andrzej has joined

  231. intosi has joined

  232. intosi has left

  233. govanify has left

  234. govanify has joined

  235. papatutuwawa has left

  236. papatutuwawa has joined

  237. Steve Kille has left

  238. papatutuwawa has left

  239. papatutuwawa has joined

  240. papatutuwawa has left

  241. papatutuwawa has joined

  242. papatutuwawa has left

  243. papatutuwawa has joined

  244. Alex has left

  245. papatutuwawa has left

  246. papatutuwawa has joined

  247. Steve Kille has joined

  248. Andrzej has left

  249. Andrzej has joined

  250. papatutuwawa has left

  251. papatutuwawa has joined

  252. Alex has joined

  253. papatutuwawa has left

  254. papatutuwawa has joined

  255. intosi has joined

  256. alameyo has left

  257. LNJ has joined

  258. Zash has left

  259. Zash has joined

  260. paul has left

  261. paul has joined

  262. intosi has left

  263. pasdesushi has joined

  264. pasdesushi has left

  265. DebXWoody has left

  266. larma has left

  267. larma has joined

  268. pasdesushi has joined

  269. govanify has left

  270. govanify has joined

  271. govanify has left

  272. govanify has joined

  273. papatutuwawa has left

  274. pasdesushi has left

  275. krauq has left

  276. krauq has joined

  277. wladmis has joined

  278. krauq has left

  279. krauq has joined

  280. peetah has left

  281. peetah has joined

  282. edhelas

    a small question about 0045

  283. edhelas

    what is the general purpose of muc#roomconfig_pubsub?

  284. mathieui

    I thought it could be for 0316 but that does not appear therein

  285. dwd

    edhelas, I always assumed that was a half-baked idea that never went anywhere.

  286. dwd

    edhelas, Back in the day, there was a lot of "Oh, we can have pubsub here".

  287. edhelas

    Holger I see that the field is available through the ejabberd MUC config, does it trigger some things in the backend or is it just pure metadata?

  288. lorddavidiii has left

  289. Holger

    edhelas: Just pure metadata.

  290. SamWhited

    Ge0rG: this is *not* the same as the partial signing nonsense that XML-DSig does, however, I take your point, might as well sign the whole body and still not be able to figure out what the signature matches up to because codepoints and different normalization forms were used.

  291. edhelas

    Holger ok thanks :)

  292. edhelas

    it can kinda make sense in Movim this field, then you can link a Movim Community (Pubsub Atom node) to a MUC, but I need to figure out the UI to send the correct Pubsub URI

  293. APach has left

  294. SamWhited

    jonas’: I must admit, I had wondered about why you were using mellium when you make an XMPP library; glad it was useful :) I'd be really curious what the differences are that made it easier for you if you remember. I'd like to develop a higher level library on top of it at some point and it would be helpful to figure out exactly where that dividing line lies to have real first-hand experience where a higher level library wasn't enough.

  295. jonas’

    SamWhited, easy: aioxmpp does not have s2s support whatsoever.

  296. SamWhited

    oh, hah, fair enough

  297. jonas’

    and it (intentionally) makes it hard to shoot yourself in the foot by messing with the lower layers of stream negotiation

  298. SamWhited

    Mellium doesn't either yet really, but I've got a package on a branch somewhere that should make it a little easier

  299. jonas’

    well, it can do enough. I don’t need to go beyond stream features really :)

  300. jonas’

    SamWhited, the main reason though (because I could easily have hacked that into aioxmpp and also did that by now for other reasons) is that the infrastructure is based on prometheus and prometheus is very golang

  301. SamWhited

    Also makes sense; thanks.

  302. SamWhited goes to remind himself what state the SASL-EXTERNAL/BIDI implementations were in and see if they can be merged

  303. APach has joined

  304. lorddavidiii has joined

  305. govanify has left

  306. govanify has joined

  307. eevvoor has left

  308. eevvoor has joined

  309. Adi has joined

  310. intosi has joined

  311. wladmis has left

  312. wladmis has joined

  313. krauq has left

  314. krauq has joined

  315. intosi has left

  316. nyco has left

  317. alameyo has joined

  318. APach has left

  319. xsf has left

  320. floretta has joined

  321. nyco has joined

  322. chronosx88 has left

  323. chronosx88 has joined

  324. krauq has left

  325. krauq has joined

  326. wurstsalat

    Zash, just in case you didn’t know about Ook yet https://sv.wikipedia.org/wiki/Ook

  327. Zash

    I knew about /that/ definition.

  328. Ge0rG

    the other one is in the XEP

  329. Zash

    I couldn't spot anything obviously disqualifying anyways. Maybe it's too dark to see up here.

  330. APach has joined

  331. Maranda has left

  332. Wojtek has joined

  333. xsf has joined

  334. xsf has left

  335. Maranda has joined

  336. peetah has left

  337. peetah has joined

  338. APach has left

  339. APach has joined

  340. APach has left

  341. APach has joined

  342. peetah has left

  343. peetah has joined

  344. Steve Kille has left

  345. Andrzej has left

  346. Andrzej has joined

  347. alex-a-soto has left

  348. APach has left

  349. APach has joined

  350. APach has left

  351. APach has joined

  352. APach has left

  353. APach has joined

  354. alex-a-soto has joined

  355. Steve Kille has joined

  356. APach has left

  357. APach has joined

  358. APach has left

  359. APach has joined

  360. APach has left

  361. APach has joined

  362. APach has left

  363. APach has joined

  364. APach has left

  365. APach has joined

  366. APach has left

  367. APach has joined

  368. APach has left

  369. APach has joined

  370. Andrzej has left

  371. Andrzej has joined

  372. Andrzej has left

  373. Andrzej has joined

  374. Shell has joined

  375. DebXWoody has joined

  376. intosi has joined

  377. MattJ

    jonas’, I'm not sure I'm satisfied with the "it's like CORS" argument re. custom XEP-0363 headers

  378. MattJ

    CORS is largely protecting against the kinds of issues that wouldn't really be applicable to most XMPP clients, while we allow the server to set Authorization which is a very restricted header as far as CORS is concerned

  379. MattJ

    For web clients that do need to be careful, CORS will be there anyway, we don't need additional restrictions on our side

  380. L29Ah has joined

  381. Daniel has left

  382. Daniel has joined

  383. intosi has left

  384. jonas’

    I wish I had found the thread from when this was added

  385. jonas’

    MattJ, practically, though, you could put a shim proxy in front of whatever cloud service to use to translate a blob in authorized into whatever you need

  386. peetah has left

  387. peetah has joined

  388. lovetox has joined

  389. SamWhited

    Then you have to pay for all that bandwidth. This is what we did for HipChat (not with HTTP upload, but basically the same thing) and it cost a *lot* more.

  390. jonas’

    right

  391. SamWhited

    I mean, we had to do that anyways for auth reasons, so worth it, but I can imagine most services would just prefer to upload straight to <cloud provider>

  392. jonas’

    MattJ, I think your argument, if written out in more detail, would be a great addition to the current thread though

  393. krauq has left

  394. krauq has joined

  395. murabito has joined

  396. APach has left

  397. APach has joined

  398. APach has left

  399. APach has joined

  400. Guus has left

  401. andrey.g has joined

  402. Andrzej has left

  403. Lance has joined

  404. Zash

    jonas’, https://logs.xmpp.org/xsf/2018-02-15?p=h#2018-02-15-a77a48f290b74a33

  405. peetah has left

  406. jonas’

    Zash, so it’s your fault!!k

  407. Zash

    You were there!

  408. Zash

    MattJ too

  409. peetah has joined

  410. MattJ

    Yes

  411. MattJ

    But you are to blame for removal of X-* ;)

  412. serge90 has left

  413. sonny has left

  414. sonny has joined

  415. Zash

    Can't let you have deprecated things!

  416. SamWhited

    I'm with Zash; X- isn't actually a thing, adding it is just a weird bandaid that makes some services happy but not others. Doesn't seem worth special casing it.

  417. sonny has left

  418. sonny has joined

  419. peetah has left

  420. peetah has joined

  421. serge90 has joined

  422. Zash

    https://tools.ietf.org/html/rfc6648

  423. DebXWoody has left

  424. DebXWoody has joined

  425. murabito has left

  426. Lance has left

  427. murabito has joined

  428. Lance has joined

  429. emus has left

  430. andrey.g has left

  431. Andrzej has joined

  432. alex-a-soto has left

  433. alex-a-soto has joined

  434. emus has joined

  435. Yagiza has left

  436. xsf has joined

  437. Andrzej has left

  438. Andrzej has joined

  439. murabito has left

  440. floretta has left

  441. Ge0rG

    HTTP is a horrible footgun. It was a huge error embedding it into our clean and nice well-structured protocol

  442. murabito has joined

  443. SamWhited

    Something something glass houses and stones

  444. moparisthebest

    another group might say "Apple and Go can't even parse XML correctly why does XMPP use it"

  445. Zash

    Let's throw glass Go pieces at Apple

  446. SamWhited

    Literally no one can parse XML correctly; namespaces are a nightmare. Special casing attributes, but only sometimes, and also multiple ways to declare them, etc.

  447. lovetox has left

  448. Andrzej has left

  449. Andrzej has joined

  450. Zash

    Nor can they parse HTML

  451. Zash

    or anything

  452. SamWhited

    And don't even get me started on anything like dsig (not relevant to us, thank goodness, we do this right for the most part I think) where things that aren't the actual bytes on the wire are hashed and you have a canonicalization mechanism to hopefully make signatures match

  453. Zash

    Since we can't into computers, let's just become farmers

  454. eta

    compliance tests are pretty useful for this btw

  455. eta

    like, if the people who write the spec also write tests

  456. Ge0rG

    eta: compliance tests only test the positive case

  457. Ge0rG

    then hackers test the other cases.

  458. eta

    because I mean personally when implementing things I just bash stuff together until it works

  459. SamWhited

    Not relying on exact parser output for security is also useful :) (and now it's time to complain about SAML)

  460. eta

    Ge0rG: well you can test negative cases

  461. Ge0rG

    eta: you *can*, but why *would* you?

  462. Andrzej has left

  463. Andrzej has joined

  464. flow

    causing testing more cases is generally a good thing?

  465. krauq has left

  466. krauq has joined

  467. Andrzej has left

  468. Andrzej has joined

  469. eta

    yeah

  470. lovetox has joined

  471. Ge0rG

    flow: testing is just unneeded work! it doesn't move the scrum tasks!

  472. mr-L has joined

  473. mr-L has left

  474. mr-L has joined

  475. Andrzej has left

  476. Andrzej has joined

  477. mr-L has left

  478. Andrzej has left

  479. marc

    SamWhited: regarding eIBR, any news about the things we discussed last time?

  480. chronosx88 has left

  481. alex-a-soto has left

  482. alex-a-soto has joined

  483. intosi has joined

  484. chronosx88 has joined

  485. Andrzej has joined

  486. focus121 has left

  487. focus121 has joined

  488. antranigv has joined

  489. intosi has left

  490. Andrzej has left

  491. Andrzej has joined

  492. antranigv has left

  493. antranigv has joined

  494. antranigv has left

  495. SamWhited

    marc: what discussion was that, I don't recall?

  496. floretta has joined

  497. Andrzej has left

  498. Andrzej has joined

  499. edhelas has left

  500. edhelas has joined

  501. Алексей has left

  502. antranigv has joined

  503. Andrzej has left

  504. Andrzej has joined

  505. Andrzej has left

  506. Alex

    hey guys, it's member meeting time again

  507. Alex bangs the gavel

  508. Alex

    here is our Agenda for today: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15

  509. Alex

    1) Call for Quorum

  510. adiaholic

    😀

  511. Alex

    as you can see 32 members voted via proxy, so we have a quorum

  512. Alex

    2) Items Subject to a Vote

  513. Alex

    new and returning members, you can see the applications here: https://wiki.xmpp.org/web/Membership_Applications_Q4_2020

  514. Alex

    3) Opportunity for XSF Members to Vote in the Meeting

  515. antranigv has left

  516. Alex

    anyone here who has not voted yet and wants to do so now?

  517. Zash

    Just had a chat with memberbot

  518. antranigv has joined

  519. Alex

    👍

  520. Alex

    anyone else?

  521. Alex

    okay

  522. Alex

    will shut down memberbot then and start working on the results

  523. Andrzej has joined

  524. Alex

    4) Announcement of Voting Results

  525. Alex

    when you reload the page you can see the results here: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15#Announcement_of_Voting_Results

  526. Alex

    all reappliers and applicants are accepted. Congrats all

  527. Alex

    5) Any Other Business?

  528. alameyo has left

  529. adiaholic

    Thanks a lot!

  530. Alex

    6) Formal Adjournment

  531. Alex

    I motion that we adjourn

  532. papatutuwawa has joined

  533. Alex bangs the gavel

  534. Alex

    thanks everyone

  535. Andrzej has left

  536. Andrzej has joined

  537. Daniel has left

  538. Daniel has joined

  539. j.r has left

  540. marc

    SamWhited: regarding feedback to the user based on the challenge's response

  541. j.r has joined

  542. SamWhited

    marc: oh, are you also zapb? I remember that; I just haven't prepared a new version yet.

  543. Andrzej has left

  544. marc

    SamWhited: yep, okay

  545. SamWhited

    Gotcha; sorry about that, I think I knew that but wasn't putting the names together for some reason.

  546. edhelas has left

  547. edhelas has joined

  548. antranigv has left

  549. krauq has left

  550. krauq has joined

  551. antranigv has joined

  552. Andrzej has joined

  553. xsf has left

  554. xsf has joined

  555. Aleksej has joined

  556. xsf has left

  557. xsf has joined

  558. intosi has joined

  559. marc

    No worries

  560. Maranda has left

  561. Maranda has joined

  562. mdosch has left

  563. mdosch has joined

  564. xsf has left

  565. xsf has joined

  566. DebXWoody has left

  567. x51 has joined

  568. krauq has left

  569. krauq has joined

  570. Andrzej has left

  571. krauq has left

  572. krauq has joined

  573. intosi has left

  574. neshtaxmpp has left

  575. deuill has left

  576. eevvoor has left

  577. deuill has joined

  578. Andrzej has joined

  579. neshtaxmpp has joined

  580. Andrzej has left

  581. Andrzej has joined

  582. Adi has left

  583. matkor has left

  584. matkor has joined

  585. stpeter has joined

  586. stpeter has left

  587. intosi has joined

  588. krauq has left

  589. neshtaxmpp has left

  590. krauq has joined

  591. Adi has joined

  592. intosi has left

  593. krauq has left

  594. chronosx88 has left

  595. krauq has joined

  596. alameyo has joined

  597. neshtaxmpp has joined

  598. alameyo has left

  599. Maranda has left

  600. Maranda has joined

  601. Andrzej has left

  602. wladmis has left

  603. wladmis has joined

  604. jcbrand has left

  605. krauq has left

  606. krauq has joined

  607. Andrzej has joined

  608. Mikaela has left

  609. x51 has left

  610. lovetox has left

  611. Andrzej has left

  612. Andrzej has joined

  613. krauq has left

  614. krauq has joined

  615. lorddavidiii has left

  616. Kev has left

  617. Tobias has left

  618. papatutuwawa has left

  619. Andrzej has left

  620. krauq has left

  621. krauq has joined

  622. Andrzej has joined

  623. krauq has left

  624. krauq has joined

  625. Andrzej has left

  626. Andrzej has joined

  627. jcbrand has joined

  628. intosi has joined

  629. krauq has left

  630. antranigv has left

  631. krauq has joined

  632. andy has left

  633. Andrzej has left

  634. krauq has left

  635. krauq has joined

  636. paul has left

  637. intosi has left

  638. debacle has left

  639. Aleksej has left

  640. krauq has left

  641. krauq has joined

  642. antranigv has joined