XSF Discussion - 2020-12-15


  50. moparisthebest has anyone run MUC over MIX over MUX yet? https://xmpp.org/extensions/inbox/mux.html (or at least made the joke)
  75. SamWhited This whole Go XML debacle has made me think of another reason to use bytes instead of codepoints in references: if we ever want to sign references in the future you can't take a hash of codepoints without reencoding. Probably not applicable to @mentions, but references likely have applications far beyond that. Being able to just pass the indexes directly to a byte slice operation and get a sha out seems like good practice.
  129. Ge0rG Until you realize that signing a subset of a message is a recipe for disaster
  130. jonas’ ok, I read that mattermost article, and I’m like wtf
  131. jonas’ it makes no sense whatsoever
  132. Ge0rG jonas’: there are also no examples in the CVEs.
  133. Ge0rG I suppose that you can craft XML that will be parsed incorrectly or something
  134. Ge0rG And apparently the validator will decode, re-encode, and compare the resulting strings
  135. jonas’ they say it's in the roundtrips and somehow related to namespace prefixes
  136. jonas’ and unfixable due to api
  137. Ge0rG Or rather, the xml structure.
  138. Ge0rG Yeah, that's not how you describe a vulnerability
  139. jonas’ but at least it’s no RCE or something, so I don’t have to take down o.j.n
  142. Ge0rG When did you rewrite ojn in go?
  143. jonas’ the probers always were go
  144. jonas’ based on SamWhited’s nice low-level xmpp library
  145. jonas’ was easier to use for such low level tasks than aioxmpp
  147. mdosch There are only low level xmpp libs in go…
  148. Ge0rG But you can use them to extract byte streams!
  149. Ge0rG Where are all the hard learned lessons about how (not) to hash xml content?
  150. jonas’ in the xmlsec standard
  151. jonas’ used by SAML
  152. jonas’ so this reads dire for encoding/xml IMO
  155. Ge0rG there is only an xmlsec library. And it's written in C!
  156. jonas’ Ge0rG, https://www.w3.org/TR/xmldsig-core/ https://www.w3.org/TR/xmlenc-core/
  157. Ge0rG jonas’: ah thanks. Did you consider those when designing 0390?
  158. jonas’ no
  282. edhelas a small question about 0045
  283. edhelas what is the general purpose of muc#roomconfig_pubsub ?
  284. mathieui I thought it could be for 0316 but that does not appear therein
  285. dwd edhelas, I always assumed that was a half-baked idea that never went anywhere.
  286. dwd edhelas, Back in the day, there was a lot of "Oh, we can have pubsub here".
  287. edhelas Holger I see that the field is available through the ejabberd MUC config, does it trigger some things in the backend or is it just pure metadata ?
  289. Holger edhelas: Just pure metadata.
  290. SamWhited Ge0rG: this is *not* the same as the partial signing nonsense that XML-DSig does, however, I take your point, might as well sign the whole body and still not be able to figure out what the signature matches up to because codepoints and different normalization forms were used.
  291. edhelas Holger ok thanks :)
  292. edhelas it can kinda make sense in Movim this field, then you can link a Movim Community (Pubsub Atom node) to a MUC, but I need to figure out the UI to send the correct Pubsub URI
  294. SamWhited jonas’: I must admit, I had wondered about why you were using mellium when you make an XMPP library; glad it was useful :) I'd be really curious what the differences are that made it easier for you if you remember. I'd like to develop a higher level library on top of it at some point and it would be helpful to figure out exactly where that dividing line lies to have real first-hand experience where a higher level library wasn't enough.
  295. jonas’ SamWhited, easy: aioxmpp does not have s2s support whatsoever.
  296. SamWhited oh, hah, fair enough
  297. jonas’ and it (intentionally) makes it hard to shoot yourself in the foot by messing with the lower layers of stream negotiation
  298. SamWhited Mellium doesn't either yet really, but I've got a package on a branch somewhere that should make it a little easier
  299. jonas’ well, it can do enough. I don’t need to go beyond stream features really :)
  300. jonas’ SamWhited, the main reason though (because I could easily have hacked that into aioxmpp and also did that by now for other reasons) is that the infrastructure is based on prometheus and prometheus is very golang
  301. SamWhited Also makes sense; thanks.
  302. SamWhited goes to remind himself what state the SASL-EXTERNAL/BIDI implementations were in and see if they can be merged
  326. wurstsalat Zash, just in case you didn’t know about Ook yet https://sv.wikipedia.org/wiki/Ook
  327. Zash I knew about /that/ definition.
  328. Ge0rG the other one is in the XEP
  329. Zash I couldn't spot anything obviously disqualifying anyways. Maybe it's too dark to see up here.
  377. MattJ jonas’, I'm not sure I'm satisfied with the "it's like CORS" argument re. custom XEP-0363 headers
  378. MattJ CORS is largely protecting against the kinds of issues that wouldn't really be applicable to most XMPP clients, while we allow the server to set Authorization which is a very restricted header as far as CORS is concerned
  379. MattJ For web clients that do need to be careful, CORS will be there anyway, we don't need additional restrictions on our side
  384. jonas’ I wish I had found the thread from when this was added
  385. jonas’ MattJ, practically, though, you could put a shim proxy in front of whatever cloud service to use to translate a blob in authorized into whatever you need
  389. SamWhited Then you have to pay for all that bandwidth. This is what we did for HipChat (not with HTTP upload, but basically the same thing) and it cost a *lot* more.
  390. jonas’ right
  391. SamWhited I mean, we had to do that anyways for auth reasons, so worth it, but I can imagine most services would just prefer to upload straight to <cloud provider>
  392. jonas’ MattJ, I think your argument, if written out in more detail, would be a great addition to the current thread though
  404. Zash jonas’, https://logs.xmpp.org/xsf/2018-02-15?p=h#2018-02-15-a77a48f290b74a33
  406. jonas’ Zash, so it’s your fault!!
  407. Zash You were there!
  408. Zash MattJ too
  410. MattJ Yes
  411. MattJ But you are to blame for removal of X-* ;)
  415. Zash Can't let you have deprecated things!
  416. SamWhited I'm with Zash; X- isn't actually a thing, adding it is just a weird bandaid that makes some services happy but not others. Doesn't seem worth special casing it.
  422. Zash https://tools.ietf.org/html/rfc6648
  441. Ge0rG HTTP is a horrible footgun. It was a huge error embedding it into our clean and nice well-structured protocol
  443. SamWhited Something something glass houses and stones
  444. moparisthebest another group might say "Apple and Go can't even parse XML correctly why does XMPP use it"
  445. Zash Let's throw glass Go pieces at Apple
  446. SamWhited Literally no one can parse XML correctly; namespaces are a nightmare. Special casing attributes, but only sometimes, and also multiple ways to declare them, etc.
  450. Zash Nor can they parse HTML
  451. Zash or anything
  452. SamWhited And don't even get me started on anything like dsig (not relevant to us, thank goodness, we do this right for the most part I think) where things that aren't the actual bytes on the wire are hashed and you have a canonicalization mechanism to hopefully make signatures match
  453. Zash Since we can't into computers, let's just become farmers
  454. eta compliance tests are pretty useful for this btw
  455. eta like, if the people who write the spec also write tests
  456. Ge0rG eta: compliance tests only test the positive case
  457. Ge0rG then hackers test the other cases.
  458. eta because I mean personally when implementing things I just bash stuff together until it works
  459. SamWhited Not relying on exact parser output for security is also useful :) (and now it's time to complain about SAML)
  460. eta Ge0rG: well you can test negative cases
  461. Ge0rG eta: you *can*, but why *would* you?
  464. flow causing testing more cases is generally a good thing?
  469. eta yeah
  471. Ge0rG flow: testing is just unneeded work! it doesn't move the scrum tasks!
  479. marc SamWhited: regarding eIBR, any news about the things we discussed last time?
  495. SamWhited marc: what discussion was that, I don't recall?
  506. Alex hey guys, it's member meeting time again
  507. Alex bangs the gavel
  508. Alex here is our Agenda for today: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15
  509. Alex 1) Call for Quorum
  510. adiaholic 😀
  511. Alex as you can see 32 members voted via proxy, so we have a quorum
  512. Alex 2) Items Subject to a Vote
  513. Alex new and returning members, you can see the applications here: https://wiki.xmpp.org/web/Membership_Applications_Q4_2020
  514. Alex 3) Opportunity for XSF Members to Vote in the Meeting
  516. Alex anyone here who has not voted yet and wants to do so now?
  517. Zash Just had a chat with memberbot
  519. Alex 👍
  520. Alex anyone else?
  521. Alex okay
  522. Alex will shut down memberbot then and start working on the results
  524. Alex 4) Announcement of Voting Results
  525. Alex when you reload the page you can see the results here: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15#Announcement_of_Voting_Results
  526. Alex all reappliers and applicants are accepted. Congrats all
  527. Alex 5) Any Other Business?
  529. adiaholic Thanks a lot!
  530. Alex 6) Formal Adjournment
  531. Alex I motion that we adjourn
  533. Alex bangs the gavel
  534. Alex thanks everyone
  540. marc SamWhited: regarding feedback to the user based on the challenge's response
  542. SamWhited marc: oh, are you also zapb? I remember that; I just haven't prepared a new version yet.
  544. marc SamWhited: yep, okay
  545. SamWhited Gotcha; sorry about that, I think I knew that but wasn't putting the names together for some reason.
  559. marc No worries