XSF Discussion - 2021-06-01

  1. şişio


  2. deuill

    Matrix *does* have a stronger product apparatus though, which I guess is what people mean when they say that XMPP is "almost dead".

  3. Zash

    Indeed, our hype machine is severely underfunded.

  4. jonas’

    which hype machine

  5. şişio

    XMPP is still alive, everything is active

  6. şişio

    Only Matrix is new

  7. şişio

    Both of them safe but I prefer XMPP

  8. şişio

    Why dead?

  9. şişio

    What is a product apparatus

  10. şişio


  11. Zash

    Marketing department.

  12. şişio

    This is true

  13. şişio

    But still Matrix hasn't got tor option

  14. Zash

    Why not?

  15. Sam

    I'm glad that's useful for you, but most people don't need/want a Tor option, so it doesn't help XMPP much.

  16. Sam

    From a user perspective I don't think we really have any great feature that makes us look better than Matrix, unfortunately.

  17. Zash

    I don't see why Tor would not work with either.

  18. şişio

    > Sam wrote:
    > I'm glad that's useful for you, but most people don't need/want a Tor option, so it doesn't help XMPP much.

    I need a tor. condition

  19. moparisthebest

    "working servers" isn't a great feature that looks better than Matrix ?

  20. Sam

    Yes, but most people don't. It might attract a small number of people, but not enough to keep the network alive.

  21. şişio

    > Zash wrote:
    > I don't see why Tor would not work with either.

    Sometimes I have to turn off the tor

  22. Sam

    moparisthebest: no. the users don't know or care about the differences. Only devs do.

  23. Zash

    Sam: Resource efficiency is one thing we seem to be winning at.

  24. moparisthebest

    users usually care if the server is down/working or not

  25. deuill

    Anecdotally, I

  26. Sam

    Sure, but they do a good enough job keeping it up. Alternatively: tons of tiny servers run by individuals who don't have backups and what not also go down even if they use lower resources.

  27. Zash

    If the "instant" part of Instant Messaging ever becomes hip again, we'll have a slight edge there too.

  28. Sam

    I don't disagree with you, but I don't think a marketing pitch that says "our servers are slimmer!" is going to be very effective.

  29. moparisthebest

    how about "our stuff actually works"

  30. deuill

    Anecdotally, I've been told by at least one person that using Conversations or Siskin isn't as good as Viber/Facebook Messenger/etc. because it doesn't have stickers/GIFs.

  31. Sam

    From a users perspective matrix works great.

  32. Zash

    Sam: I'm basing this on observed fediverse chatter.

  33. Sam

    Zash: then you've already selected a tiny subset of people that mostly don't represent the broader internet.

  34. Sam

    Again, not disagreeing with any of this, it's just not something we can market. deuill is more on the right track.

  35. deuill

    So I'll agree with Sam's perspective that people are at the very least willing to put up with at least some jank if the features are there.

  36. Zash

    I almost typed out that it was probably biased. There'll be bias anywhere you go tho.

  37. mdosch

    > From a users perspective matrix works great.

    From a user perspective I found their client slow and laggy, on mobile it also devoured my battery. Also those annoying (cross signing?) pop ups. When I wanted to join a FOSDEM talk, I wanted to join that talk and not click away a lot of pop ups first.

  38. Zash

    deuill, true.

  39. deuill

    I mean the IETF discussion isn't about stickers or GIFs, obviously, but maybe it is about having a cohesive product?

  40. Zash

    Users don't care about protocol. As MattJ wrote in some presentation way back, users care about cat pictures and talking to their friends.

  41. mdosch

    I still don't get why their clients get so much praise. I like conversations, gajim, dino and profanity a lot more.

  42. şişio

    XMPP is not dead!

  43. Zash

    IETF needs something to support their protocol development work, for meetings etc.

  44. deuill

    "It's just resting:

  45. deuill

    "It's just resting"

  46. deuill

    I jest I jest

  47. Zash

    As long as someone is running some XMPP software, it's not dead.

  48. DebXWoody

    we are also developing software :-)

  49. moparisthebest

    gah I saw the perfect meme representing this on the fediverse months ago but can't find it

  50. moparisthebest

    it was like this one https://i.kym-cdn.com/entries/icons/original/000/033/984/cover4.jpg but top was "matrix sucks" and the crying guy saying how it was so great etc, then bottom said "xmpp sucks" and an xmpp user saying "I know"

  51. Zash

    I too remember seeing this.

  52. emus

    > Zash wrote:
    > Indeed, our hype machine is severely underfunded.

    Yes, I should start more hyping

  53. şişio

    You need money?

  54. şişio

    Or XSF

  55. şişio

    Matrix and XMPP serve the same role

  56. şişio

    That's the future of XMPP, but Matrix more

  57. wgreenhouse

    şişio: re Matrix + Tor, I don't think that's a real problem; element is a web app and runs fine in tor browser

  58. wgreenhouse

    whether they can _federate_ over tor idk

  59. şişio

    > wgreenhouse wrote:
    > şişio: re Matrix + Tor, I don't think that's a real problem; element is a web app and runs fine in tor browser
    > whether they can _federate_ over tor idk

    Mobile?

  60. wgreenhouse

    şişio: yes, element in mobile tor browser works fine

  61. wgreenhouse

    also orbotting their official app which is just a webview anyway

  62. şişio

    It's a little impractical.

  63. wgreenhouse

    şişio: sure, but in principle works. it's not an issue of the protocol not working over tor. "protocols not products" ;)

  64. wgreenhouse

    I consider xmpp more privacy-preserving, but it's untrue to say matrix can't be used with tor

  65. şişio


  66. şişio

    Switching between data, mobile and wifi. Sometimes it doesn't work. therefore

  67. şişio

    But we know both of them safe messenger

  68. Link Mauve

    qrpnxz, I have friends who definitely use a domain which starts with a digit, and it’s been working fine forever, so your parser should be fixed for real-world use-cases even if some interpretations of some RFCs might lead you to disallow it.

  69. qrpnxz

    bro that convo is ages ago and we already concluded that

  70. şişio

    > qrpnxz wrote:
    > bro that convo is ages ago and we already concluded that

    What is the result

  71. Link Mauve

    I’m still backlogging.

  72. qrpnxz

    literally weeks ago not looking to rehash it, but yes numbers are ok: 404.city, 4chan.org, 2ch, 8chan, 37signals.com, etc.

  73. Zash


  74. Zash

    And thank glob the .42 TLD doesn't exist.

  75. qrpnxz

    y'know, google actually has TLD `google`, but it doesn't route straight to google.com. I wonder if that's actually impossible to do or what.

  76. jonas’

    A/AAAA records on TLDs are … frowned upon

  77. jonas’

    as are MX records

  78. jonas’

    the `io.` TLD once had some

  79. Zash

    Also frowned upon, answering ` IN A` queries, like my previous ISP used to do.

  80. moparisthebest

    so frowned upon dnsmasq has an option to transform those back to NXDOMAIN

  81. deuill

    Anything you think can't happen in DNS has already happened

  82. qrpnxz


  83. deuill

    NS that does horizontal referral to itself, paths that don't resolve based on which of the many NS you end up going through, and more.

  84. mathieui

    Zash: you mean the .42 tld died rather

  85. Zash

    The .42 tld is not real, it can't hurt you

  86. moparisthebest

    wait that was an actual TLD ? yikes

  87. qrpnxz

    no harm

  88. moparisthebest

    seems super harmful, is an IPv4 or a domain name :)

  89. jonas’

    moparisthebest, easy, IPv4. a domain name would have a trailing dot :-X

  90. Zash

    There's some words in an RFC somewhere, hold on

  91. qrpnxz

    moparisthebest, oh right yeah xd

  92. Zash

    > `domainpart = IP-literal / IPv4address / ifqdn`
    > the "IPv4address" and "IP-literal" rules are defined in RFCs 3986 and 6874,
    > respectively, and the first-match-wins (a.k.a. "greedy") algorithm described
    > in Appendix B of RFC 3986 applies to the matching process

  93. qrpnxz

    even for hostnames this is the case, so that would indeed be read as an ipv4

  94. qrpnxz

    and again no harm except to the fool who made it

  95. Zash

    I would like to hope that this means "if it looks like an IP address then it is an IP address"

  96. qrpnxz

    i assert so

  97. qrpnxz

    and as jonas said if they wanted it to be interpreted as a domain name they would need a trailing dot. Though that would not be able to be used as a jid, which wants that dot stripped.

  98. Zash

    Let's just not go there, stop anyone from registering {0..255}. as a TLD and then live happily ever after.

  99. qrpnxz

    unless "enforcements" means to just strip it yourself, not always to reject it

  100. qrpnxz

    then you could use it

  101. jonas’

    good thing that IPv6 uses colons

  102. moparisthebest

    is an IP address

  103. jonas’

    moparisthebest, SHUSH

  104. Zash

    jonas’, and is enclosed in []

  105. jonas’

    Zash, sometimes

  106. jonas’

    (in XMPP, yes)

  107. qrpnxz

    no way

  108. moparisthebest

    I swear I just read a vulnerability regarding hex and octal in ip addresses...

  109. jonas’

    (in XMPP always)

  110. jonas’

    moparisthebest, also fun is e.g. `10.1` as IPv4

  111. jonas’

    or `10.257`

  112. qrpnxz

    which side is implied

  113. jonas’

    or just `2130706433`

  114. qrpnxz

    are you getting this from rfc 3986

  115. jonas’

    I’m getting this from reality, no idea if that’s in any standard

  116. jonas’

    $ ping -c1 2130706433 PING 2130706433 ( 56(84) bytes of data. 64 bytes from icmp_seq=1 ttl=64 time=0.073 ms

  117. qrpnxz

    idk wym by reality

  118. jonas’

    see above ^ :)

  119. Zash


  120. qrpnxz

    just because ping accepts it doesn't make it a valid serialization of an ipv4 addr

  121. jonas’

    qrpnxz, I never said it was, I said reality, not standard or validity :)

  122. moparisthebest

    qrpnxz, welcome to the internet where if enough tools accept it as valid, it's valid, regardless of what RFCs say

  123. qrpnxz

    yeah but that's not helpful, i'm also talking about reality, but reality of a specific thing

  124. Zash

    moparisthebest, which makes it scary that curl now supports it...

  125. jonas’

    you’re talking about the theory of a standard, which unfortunately rarely matches the reality :)

  126. jonas’

    the difference is real and needs to be acknowledged when writing software :)

  127. moparisthebest

    ah there we go, that curl blog post has all the links to the vulnerabilities I mentioned, nice!

  128. qrpnxz

    the case that many tools accept something is not the case that all compliant tools must accept something, which is the only thing i'm interested in

  129. Zash

    Prosody (release versions) will not federate with bare IP addresses and we haven't had all that much complaints about it, so you can certainly get away with _only_ supporting domain names.

  130. jonas’

    I (aioxmpp client library dev) had a bunch of folks wanting to talk to IP addresses and it makes for all kinds of trouble

  131. jonas’

    so that’s the flipside of that reality coin

  132. moparisthebest

    qrpnxz, unless of course you want interop with any of those other tools

  133. qrpnxz

    i have no problem federating with ip addresses so long they have a certificate or even as a special case you can give them credentials

  134. qrpnxz

    moparisthebest, all the tools give you ip addresses in the correct form.

  135. moparisthebest

    a recent example is I was sending a perfectly valid stream header and ejabberd wouldn't accept it

  136. moparisthebest

    now you could wave your fist at the air and refuse to federate with any ejabberd in the wild

  137. moparisthebest

    .... or send the stream header they expect

  138. qrpnxz

    stick it to them

  139. jonas’

    reminds me of this: Jun 01 13:05:05 s2sin55562e999090 debug Received invalid XML (parser error: not-well-formed: unexpected '<?xml' token in text node (expected one of: Text, '<', '</')) 532 bytes: "<?xml version=\'1.0\'?><stream:stream xml:lang=\'en\' to=\'dreckshal.de\' xmlns:db=\'jabber:server:dialback\' version=\'1.0\' xmlns=\'jabber:server\' from=\'search.chinwag.im\' xmlns:stream=\'http://etherx.jabber.org/streams\'><?xml version=\'1.0\'?><stream:stream xml:lang=\'en\' to=\'dreckshal.de\' xmlns:db=\'jabber:serv"

  140. Zash

    Outch, owie, my eyes

  141. qrpnxz


  142. jonas’

    qrpnxz, and then what? there’ll still be many (and not small) domains in the wild running such software, so you’re faced with the choice of being correct and being interoperable

  143. qrpnxz


  144. qrpnxz

    wait, is ejabberd expecting an invalid header or a valid one

  145. Zash

    FTR: Next Prosody major version will support IP address federation, but good luck getting certs for those.

  146. jonas’

    qrpnxz, it is expecting a valid one, but not accepting all valid ones

  147. qrpnxz

    ah, then i'd send the valid one they expect, but let them know

  148. moparisthebest

    qrpnxz, oops not stream header, stream features https://github.com/moparisthebest/xmpp-proxy/blob/master/src/tls.rs#L183

  149. moparisthebest

    I did let them know, but even if I sent a patch, that doesn't magically deploy it everywhere

  150. şişio

    Is there a difference in Matrix and XMPP from a security perspective

  151. qrpnxz

    moparisthebest, you better be defining that stream prefix

  152. jonas’

    qrpnxz, `xmlns:stream` is already defined on the stream header

  153. jonas’

    şişio, this is not the XMPP vs. Matrix room, sorry

  154. moparisthebest

    qrpnxz, yep it's of course defined, they should be identical per XML+XMPP rules, but ejabberd only accepts the second and not the first, prosody accepts both

  155. qrpnxz

    are you just guessing, i'm asking about moparis' code

  156. qrpnxz

    ol right good

  157. moparisthebest

    I think Holger said that's just some old code hard-coding it the second way, but regardless, can't fix everything at once even if you want

  158. moparisthebest

    sometimes you have to go with the status quo instead of the spec :)

  159. qrpnxz

    i thought that ejabberd was supposed to be the respectable paid super-server, not garbage

  160. moparisthebest

    it is a great server, everything has bugs

  161. jonas’

    ~all men must die~ every software has bugs

  162. Zash

    it has gotten way better over the years

  163. Holger

    ejabberd sometimes has more historical baggage than others due to being older.

  164. qrpnxz


  165. qrpnxz


  166. moparisthebest

    I almost said "everything has bugs and legacy code" but I realized "legacy code" is often either bug free or bug riddled :)

  167. şişio

    > jonas’ wrote:
    > qrpnxz, `xmlns:stream` is already defined on the stream header
    > şişio, this is not the XMPP vs. Matrix room, sorry

    👍

  168. Zash

    legacy code has so many bugs nobody wants to touch it, or so few bugs nobody needs to touch it? 🙂

  169. qrpnxz


  170. moparisthebest

    or both at the same time

  171. Zash

    ah yes, "it works, don't touch it"

  172. moparisthebest

    I don't want to seem like I'm picking on ejabberd either, try sending a stream header without version= set to prosody and you'll be in for a fun time too :)

  173. moparisthebest

    (RFC says to set it, you might expect a server to reject something without it, but that's not what happens)

  174. jonas’

    moparisthebest, haha, yeah, I found that quirky handling while writing xmppstream.rs :D

  175. moparisthebest

    jonas’, did you do the right thing and rm -rf it :D

  176. jonas’

    moparisthebest, no, I’m drop-in-replacing, not rewriting :)

  177. jonas’

    (the handling is outside xmppstream.lua)

  178. moparisthebest

    ah, fair

  179. jonas’

    (amusing was, I found it because aioxmpp rejected the resulting response stream header after xmppstream.rs did emit a nil version because I left that one out at first)

  180. moparisthebest

    I found it because I'm writing all this TLS code, and using a prosody module to hijack all outgoing connections to go through my proxy, and every prosody server I tried to negotiate with rejected my TLS negotiation, even though it looked fine

  181. qrpnxz

    total sadnes

  182. qrpnxz

    total sadness

  183. moparisthebest

    finally determined the prosody module didn't set version= and prosody rejects even successful TLS if version= is not sent :D

  184. moparisthebest

    but I spent like a week debugging my TLS code on and off lol

  185. qrpnxz


  186. Sam

    Reminder that the Office Hours start in 15 minutes! Today's presentation is a demo of ad-hoc commands and forms in Mellium and some discussion about the relevant XEPs. https://socialcoop.meet.coop/sam-pku-dud-niv

  187. Sam

    And we're starting!

  188. şişio

    > Sam wrote:
    > And we're starting!

    Thanks, Sam!

  189. lovetox

    Sam, was it recorded?

  190. eevvoor

    lovetox, yes.

  191. eevvoor

    But it is difficult to get it out of BBB, as far as I know. Let's see whether Sam fiddles his rec out of BBB :D.

  192. Zash

    It's been done before

  193. Sam

    yah, I don't know if it's worth putting this one up or not though, I'll go back through and see when BBB finishes processing it

  194. lovetox

    i was interested in it because i spent quite some time on the forms GUI in Gajim

  195. lovetox

    and wondered about the problems you encountered with the spec

  196. Zash

    I wish I had remembered that adhoc demo module earlier.

  197. emus

    Hello everyone, please check if your clients / applications / projects are placed and updated here: https://xmpp.org/software/clients.html

  198. deuill

    Also might need to blur out your phone number before you post this on the Internet Sam, heh

  199. Sam

    lovetox: video uploading https://youtu.be/C2oyAfJeqno

  200. Sam

    Sorry for the long rambling look at code; I'll skip that next time and just do the demo and call it done.

  201. Sam

    If you were there but left when we originally started the recording, the stuff that happened afterwards where Zash pointed out a cool module we could use to demo it starts at around 27:48 https://youtu.be/C2oyAfJeqno?t=1668

  202. Sam

    stopped the recording, even.