-
moparisthebest
has anyone ran MUC over MIX over MUX yet? https://xmpp.org/extensions/inbox/mux.html (or at least made the joke)
-
SamWhited
This whole Go XML debacle has made me think of another reason to use bytes instead of codepoints in references: if we ever want to sign references in the future you can't take a hash of codepoints without reencoding. Probably not applicable to @mentions, but references likely have applications far beyond that. Being able to just pass the indexes directly to a byte slice operation and get a sha out seems like good practice.
-
Ge0rG
Until you realize that signing a subset of a message is a recipe for disaster
-
jonas’
ok, I read that mattermost article, and I’m like wtf
-
jonas’
it makes no sense whatsoever
-
Ge0rG
jonas’: there are also no examples in the CVEs.
-
Ge0rG
I suppose that you can craft XML that will be parsed incorrectly or something
-
Ge0rG
And apparently the validator will decode, re-encode, and compare the resulting strings
-
jonas’
they say it's in the roundtrips and somehow related to namespace prefixes
-
jonas’
and unfixable due to api
-
Ge0rG
Or rather, the xml structure.
-
Ge0rG
Yeah, that's not how you describe a vulnerability
-
jonas’
but at least it’s no RCE or something, so I don’t have to take down o.j.n
-
Ge0rG
When did you rewrite ojn in go?
-
jonas’
the probers always were go
-
jonas’
based on SamWhited’s nice low-level xmpp library
-
jonas’
was easier to use for such low level tasks than aioxmpp
-
mdosch
There are only low level xmpp libs in go…
-
Ge0rG
But you can use them to extract byte streams!
-
Ge0rG
Where are all the hard learned lessons about how (not) to hash xml content?
-
jonas’
in the xmlsec standard
-
jonas’
used by SAML
-
jonas’
so this reads dire for encoding/xml IMO
-
Ge0rG
there is only an xmlsec library. And it's written in C!
-
jonas’
Ge0rG, https://www.w3.org/TR/xmldsig-core/ https://www.w3.org/TR/xmlenc-core/
-
Ge0rG
jonas’: ah thanks. Did you consider those when designing 0390?
-
jonas’
no
-
edhelas
a small question about 0045
-
edhelas
what is the general purpose of muc#roomconfig_pubsub ?
-
mathieui
I thought it could be for 0316 but that does not appear therein
-
dwd
edhelas, I always assumed that was a half-baked idea that never went anywhere.
-
dwd
edhelas, Back in the day, there was a lot of "Oh, we can have pubsub here".
-
edhelas
Holger I see that the field is available through the ejabberd MUC config, does it trigger some things in the backend or is it just pure metadata ?
-
Holger
edhelas: Just pure metadata.
-
SamWhited
Ge0rG: this is *not* the same as the partial signing nonsense that XML-DSig does, however, I take your point, might as well sign the whole body and still not be able to figure out what the signature matches up to because codepoints and different normalization forms were used.
-
edhelas
Holger ok thanks :)
-
edhelas
it can kinda make sense in Movim this field, then you can link a Movim Community (Pubsub Atom node) to a MUC, but I need to figure out the UI to send the correct Pubsub URI
-
SamWhited
jonas’: I must admit, I had wondered about why you were using mellium when you make an XMPP library; glad it was useful :) I'd be really curious what the differences are that made it easier for you if you remember. I'd like to develop a higher level library on top of it at some point and it would be helpful to figure out exactly where that dividing line lies to have real first-hand experience where a higher level library wasn't enough.
-
jonas’
SamWhited, easy: aioxmpp does not have s2s support whatsoever.
-
SamWhited
oh, hah, fair enough
-
jonas’
and it (intentionally) makes it hard to shoot yourself in the foot by messing with the lower layers of stream negotiation
-
SamWhited
Mellium doesn't either yet really, but I've got a package on a branch somewhere that should make it a little easier
-
jonas’
well, it can do enough. I don’t need to go beyond stream features really :)
-
jonas’
SamWhited, the main reason though (because I could easily have hacked that into aioxmpp and also did that by now for other reasons) is that the infrastructure is based on prometheus and prometheus is very golang
-
SamWhited
Also makes sense; thanks.
- SamWhited goes to remind himself what state the SASL-EXTERNAL/BIDI implementations were in and see if they can be merged
-
wurstsalat
Zash, just in case you didn’t know about Ook yet https://sv.wikipedia.org/wiki/Ook
-
Zash
I knew about /that/ definition.
-
Ge0rG
the other one is in the XEP
-
Zash
I couldn't spot anything obviously disqualifying anyways. Maybe it's too dark to see up here.
-
MattJ
jonas’, I'm not sure I'm satisfied with the "it's like CORS" argument re. custom XEP-0363 headers
-
MattJ
CORS is largely protecting against the kinds of issues that wouldn't really be applicable to most XMPP clients, while we allow the server to set Authorization which is a very restricted header as far as CORS is concerned
-
MattJ
For web clients that do need to be careful, CORS will be there anyway, we don't need additional restrictions on our side
-
jonas’
I wish I had found the thread from when this was added
-
jonas’
MattJ, practically, though, you could put a shim proxy in front of whatever cloud service to use to translate a blob in authorized into whatever you need
-
SamWhited
Then you have to pay for all that bandwidth. This is what we did for HipChat (not with HTTP upload, but basically the same thing) and it cost a *lot* more.
-
jonas’
right
-
SamWhited
I mean, we had to do that anyways for auth reasons, so worth it, but I can imagine most services would just prefer to upload straight to <cloud provider>
-
jonas’
MattJ, I think your argument, if written out in more detail, would be a great addition to the current thread though
-
Zash
jonas’, https://logs.xmpp.org/xsf/2018-02-15?p=h#2018-02-15-a77a48f290b74a33
-
jonas’
Zash, so it’s your fault!!
-
Zash
You were there!
-
Zash
MattJ too
-
MattJ
Yes
-
MattJ
But you are to blame for removal of X-* ;)
-
Zash
Can't let you have deprecated things!
-
SamWhited
I'm with Zash; X- isn't actually a thing, adding it is just a weird bandaid that makes some services happy but not others. Doesn't seem worth special casing it.
-
Zash
https://tools.ietf.org/html/rfc6648
-
Ge0rG
HTTP is a horrible footgun. It was a huge error embedding it into our clean and nice well-structured protocol
-
SamWhited
Something something glass houses and stones
-
moparisthebest
another group might say "Apple and Go can't even parse XML correctly why does XMPP use it"
-
Zash
Let's throw glass Go pieces at Apple
-
SamWhited
Literally no one can parse XML correctly; namespaces are a nightmare. Special casing attributes, but only sometimes, and also multiple ways to declare them, etc.
-
Zash
Nor can they parse HTML
-
Zash
or anything
-
SamWhited
And don't even get me started on anything like dsig (not relevant to us, thank goodness, we do this right for the most part I think) where things that aren't the actual bytes on the wire are hashed and you have a canonicalization mechanism to hopefully make signatures match)
-
Zash
Since we can't into computers, let's just become farmers
-
eta
compliance tests are pretty useful for this btw
-
eta
like, if the people who write the spec also write tests
-
Ge0rG
eta: compliance tests only test the positive case
-
Ge0rG
then hackers test the other cases.
-
eta
because I mean personally when implementing things I just bash stuff together until it works
-
SamWhited
Not relying on exact parser output for security is also useful :) (and now it's time to complain about SAML)
-
eta
Ge0rG: well you can test negative cases
-
Ge0rG
eta: you *can*, but why *would* you?
-
flow
causing testing more cases is generally a good thing?
-
eta
yeah
-
Ge0rG
flow: testing is just unneeded work! it doesn't move the scrum tasks!
-
marc
SamWhited: regarding eIBR, any news about the things we discussed last time?
-
SamWhited
marc: what discussion was that, I don't recall?
-
Alex
hey guys, it's member meeting time again
- Alex bangs the gavel
-
Alex
here is our Agenda for today: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15
-
Alex
1) Call for Quorum
-
adiaholic
😀
-
Alex
as you can see 32 members voted via proxy, so we have a quorum
-
Alex
2) Items Subject to a Vote
-
Alex
new and returning members, you can see the applications here: https://wiki.xmpp.org/web/Membership_Applications_Q4_2020
-
Alex
3) Opportunity for XSF Members to Vote in the Meeting
-
Alex
anyone here who has not voted yet and wants to do so now?
-
Zash
Just had a chat with memberbot
-
Alex
👍
-
Alex
anyone else?
-
Alex
okay
-
Alex
will shut down memberbot then and start working on the results
-
Alex
4) Announcement of Voting Results
-
Alex
when you reload the page you can see the results here: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15#Announcement_of_Voting_Results
-
Alex
all reappliers and applicants are accepted. Congrats all
-
Alex
5) Any Other Business?
-
adiaholic
Thanks a lot!
-
Alex
6) Formal Adjournment
-
Alex
I motion that we adjourn
- Alex bangs the gavel
-
Alex
thanks everyone
-
marc
SamWhited: regarding feedback to the user based on the challenge's response
-
SamWhited
marc: oh, are you also zapb? I remember that; I just haven't prepared a new version yet.
-
marc
SamWhited: yep, okay
-
SamWhited
Gotcha; sorry about that, I think I knew that but wasn't putting the names together for some reason.
-
marc
No worries