XSF Discussion - 2020-12-15

has anyone ran MUC over MIX over MUX yet? https://xmpp.org/extensions/inbox/mux.html (or at least made the joke)

This whole Go XML debacle has made me think of another reason to use bytes instead of codepoints in references: if we ever want to sign references in the future you can't take a hash of codepoints without reencoding. Probably not applicable to @mentions, but references likely have applications far beond that. Being able to just pass the indexes directly to a byte slice operation and get a sha out seems like good practice.

Until you realize that signing a subset of a message is a recipe for disaster

ok, I read that mattermost article, and I’m like wtf

it makes no sense whatsoever

jonas’: there are also no examples in the CVEs.

I suppose that you can craft XML that will be parsed incorrectly or something

And apparently the validator will decode, re-encode, and compare the resulting strings

they say it's in the roundtrips and somehow related to namespace prefixes

and unfixable due to api

Or rather, the xml structure.

Yeah, that's not how you describe a vulnerability

but at least it’s no RCE or something, so I don’t have to take down o.j.n

When did you rewrite ojn in go?

the probers always were go

based an SamWhited’s nice low-level xmpp library

was easier to use for such low level tasks than aioxmpp

There are only low level xmpp libs in go…

But you can use them to extract byte streams!

Where are all the hard learned lessons about how (not) to hash xml content?

in the xmlsec standard

used by SAML

so this reads dire for encoding/xml IMO

there is only an xmlsec library. And it's written in C!

Ge0rG, https://www.w3.org/TR/xmldsig-core/ https://www.w3.org/TR/xmlenc-core/

jonas’: ah thanks. Did you consider those when designing 0390?

no

a small question about 0045

what is the general purpose of muc#roomconfig_pubsub ?

I thought it could be for 0316 but that does not appear therein

edhelas, I always assumed that was a half-baked idea that never went anywhere.

edhelas, Back in the day, there was a lot of "Oh, we can have pubsub here".

Holger I see that the field is available trough the ejabberd MUC config, does it triggers some things in the backend or is it just pure metadata ?

edhelas: Just pure metadata.

Ge0rG: this is *not* the same as the partial signing nonsense that XML-DSig does, however, I take your point, might as well sign the whole body and still not be able to figure out what the signature matches up to because codepoints and different normalization forms were used.

Holger ok thanks :)

it can kinda make sense in Movim this field, then you can link a Movim Community (Pubsub Atom node) to a MUC, but I need to figure out the UI to send the correct Pubsub URI

jonas’: I must admit, I had wondered about why you were using mellium when you make an XMPP library; glad it was useful :) I'd be really curious what the differences are that made it easier for you if you remember. I'd like to develop a higher level library on top of it at some point and it would be helpful to figure out exactly where that dividing line lies to have real first-hand experience where a higher level library wasn't enough.

SamWhited, easy: aioxmpp does not have s2s support whatsoever.

oh, hah, fair enough

and it (intentionally) makes it hard to shoot yourself in the foot by messing with the lower layers of stream negotiation

Mellium doesn't either yet really, but I've got a package on a branch somewhere that should make it a little easier

well, it can do enough. I don’t need to go beyond stream features really :)

SamWhited, the main reason though (because I could easily have hacked that into aioxmpp and also did that by now for other reasons) is that the infrasturcture is based on prometheus and prometheus is very golang

Also makes sense; thanks.

Zash, just in case you didn’t know about Ook yet https://sv.wikipedia.org/wiki/Ook

I knew about /that/ definition.

the other one is in the XEP

I couldn't spot anything obviously disqualifying anyways. Maybe it's too dark to see up here.

jonas’, I'm not sure I'm satisfied with the "it's like CORS" argument re. custom XEP-0363 headers

CORS is largely protecting against the kinds of issues that wouldn't really be applicable to most XMPP clients, while we allow the server to set Authorization which is a very restricted header as far as CORS is concerned

For web clients that do need to be careful, CORS will be there anyway, we don't need additional restrictions on our side

I wish I had found the thread from when this was added

MattJ, practically, though, you could put a shim proxy in front of whatever cloud service to use to translate a blob in authorized into whatever you need

Then you have to pay for all that bandwidth. This is what we did for HipChat (not with HTTP upload, but basically the same thing) and it cost a *lot* more.

right

I mean, we had to do that anyways for auth reasons, so worth it, but I can imagine most services would just prefer to upload straight to <cloud provider>

MattJ, I think your argument, if written out in more detail, would be a great addition to the current thread though

jonas’, https://logs.xmpp.org/xsf/2018-02-15?p=h#2018-02-15-a77a48f290b74a33

Zash, so it’s your fault!!k

You were there!

MattJ too

Yes

But you are to blame for removal of X-* ;)

Can't let you have deprecated things!

I'm with Zash; X- isn't actually a thing, adding it is just a weird bandaid that makes some services happy but not others. Doesn't seem worth special casing it.

https://tools.ietf.org/html/rfc6648

HTTP is a horrible footgun. It was a huge error embedding it into our clean and nice well-structured protocol

Something something glass houses and stones

another group might say "Apple and Go can't even parse XML correctly why does XMPP use it"

Let's throw glass Go pieces at Apple

Literally no one can parse XML correctly; namespaces are a nightmare. Special casing attributes, but only sometimes, and also multiple ways to declare them, etc.

Nor can they parse HTML

or anything

And don't even get me started on anything like dsig (not relevant to us, thank goodness, we do this right ofr the most part I think) where things that aren't the actual bytes on the wire are hashed and you have a canonicalization mechanism to hopefully make signatures match)

Since we can't into computers, let's just become farmers

compliance tests are pretty useful for this btw

like, if the people who write the spec also write tests

eta: compliance tests only test the positive case

then hackers test the other cases.

because I mean personally when implementing things I just bash stuff together until it works

Not relying on exact parser output for security is also useful :) (and now it's time to complain about SAML)

Ge0rG: well you can test negative cases

eta: you *can*, but why *would* you?

causing testing more cases is generally a good thing?

yeah

flow: testing is just unneeded work! it doesn't move the scrum tasks!

SamWhited: regarding eIBR, any news about the things we discussed last time?

marc: what discussion was that, I don't recall?

hey guys, its member meeting time again

here is our Agenda for today: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15

1) Call for Quorum

😀

as you can see 32 members voted via proxy, so we have a quorum

2) Items Subject to a Vote

new and returning members, you can see the applications here: https://wiki.xmpp.org/web/Membership_Applications_Q4_2020

3) Opportunity for XSF Members to Vote in the Meeting

anyone here who has not voted yet and wants to do so now?

Just had a chat with memberbot

👍

anyone else?

okay

will shutdown memberbot then and start working on the results

4) Announcement of Voting Results

when you reload the page you can see the results here: https://wiki.xmpp.org/web/Meeting-Minutes-2020-12-15#Announcement_of_Voting_Results

all reappliers and applicants are accepted. Conrats all

5) Any Other Business?

Thanks a lot!

6) Formal Adjournment

I motion that we adjourn

thanks everyone

SamWhited: regarding feedback to the user based on the challenge's response

marc: oh, are you also zapb? I remember that; I just haven't prepared a new version yet.

SamWhited: yep, okay

Gotcha; sorry about that, I think I knew that but wasn't putting the names together for some reason.

No worries