XSF Discussion - 2021-06-01

XMPP>Matrix

Matrix *does* have a stronger product apparatus though, which I guess is what people mean when they say that XMPP is "almost dead".

Indeed, our hype machine is severely underfunded.

which hype machine

Xmpp is still alive everything is active

Only Matrix is new

Both of them safe but ı prefer XMPP

Why dead?

What is a product apparatus

User?

Marketing department.

This is true

But still Matrix hasn't got tor option

Why not?

I'm glad that's useful for you, but most people don't need/want a Tor option, so it doesn't help XMPP much.

From a user perspective I don't think we really have any great feature that makes us look better than Matrix, unfortunately.

I don't see why Tor would not work with either.

> Sam wrote: > I'm glad that's useful for you, but most people don't need/want a Tor option, so it doesn't help XMPP much. I need a tor. condition

"working servers" isn't a great feature that looks better than Matrix ?

Yes, but most people don't. It might attract a small number of people, but not enough to keep the network alive.

> Zash wrote: > I don't see why Tor would not work with either. Sometimes I have to turn off the tor

moparisthebest: no. the users don't know or care about the differences. Only devs do.

Sam: Resource efficiency is one thing we seem to be winning at.

users usually care if the server is down/working or not

Sure, but they do a good enough job keeping it up. Alternatively: tons of tiny servers run by individuals who don't have backups and what not also go down even if they use lower resources.

If the "instant" part of Instant Messaging ever becomes hip again, we'll have a slight edge there too.

I don't disagree with you, but I don't think a marketing pitch that says "our servers are slimmer!" Is goingn to be very effective.

how about "our stuff actually works"

Anecdotally, I've been told by at least one person that use Conversations or Siskin isn't as good as Viber/Facebook Messenger/etc. because it doesn't have stickers/GIFs. ✏

From a users perspective matrix works great.

Sam: I'm basing this on observed fediverse chatter.

Zash: then you've already selected a tiny subset of people that mostly don't represent the broader internet.

Again, not disagreeing with any of this, it's jut not something we can market. deuill is more on the right track.

So I'll agree with Sam's perspective that people are at the very least willing to put up with at least some jank if the features are there.

I almost typed out that it was probably biased. There'll be bias anywhere you go tho.

> From a users perspective matrix works great. From a user perspective I found their client slow and laggy, on mobile it also devoured my battery. Also those annoying (cross signing?) pop ups. When I wanted to join a fosem talk, I wanted to join that talk and not click away a lot of pop ups first.

deuill, true.

I mean the IETF discussion isn't about stickers or GIFs, obviously, but maybe it is about having a cohesive product?

Users don't care about protocol. As MattJ wrote in some presentation way back, users care about cat pictures and talking to their friends.

I still don't get why their clients get so much praise. I like conversations, gajim, dino and profanity a lot more.

XMPP is not dead!

IETF needs something to support their protocol development work, for meetings etc.

"It's just resting" ✏

I jest I jest

As long as someone is running some XMPP software, it's not dead.

we are also developing software :-)

gah I saw the perfect meme representing this on the fediverse months ago but can't find it

it was like this one https://i.kym-cdn.com/entries/icons/original/000/033/984/cover4.jpg but top was "matrix sucks" and the crying guy saying how it was so great etc, then bottom said "xmpp sucks" and an xmpp user saying "I know"

I too remember seeing this.

> Zash escribió: > Indeed, our hype machine is severely underfunded. Yes, I should start more hyping

You need money?

Or XSF

Matrix and XMPP serve the same role

That's the future of XMPP, but Matrix more

şişio: re Matrix + Tor, I don't think that's a real problem; element is a web app and runs fine in tor browser

whether they can _federate_ over tor idk

> wgreenhouse wrote: > şişio: re Matrix + Tor, I don't think that's a real problem; element is a web app and runs fine in tor browser > whether they can _federate_ over tor idk Mobile?

şişio: yes, element in mobile tor browser works fine

also orbotting their official app which is just a webview anyway

It's a little impractical.

şişio: sure, but in principle works. it's not an issue of the protocol not working over tor. "protocols not products" ;)

I consider xmpp more privacy-preserving, but it's untrue to say matrix can't be used with tor

😀😀

Switching between data, mobile and wifi. Sometimes it doesn't work. therefore

But we know both of them safe messenger

qrpnxz, I have friends who defintely use a domain which starts with a digit, and it’s been working fine forever, so your parser should be fixed for real-world use-cases even if some interpretations of some RFCs might lead to you disallow it.

bro that convo is ages ago and we already concluded that

> qrpnxz wrote: > bro that convo is ages ago and we already concluded that What is the result

I’m still backlogging.

literally weeks ago not looking to rehash it, but yes numbers are ok: 404.city, 4chan.org, 2ch, 8chan, 37signals.com, etc.

42elks

And thank glob the .42 TLD doesn't exist.

y'know, google actually has TLD `google`, but it doesn't route straight to google.com. I wonder if that's actually impossible to do or what.

A/AAAA records on TLDs are … frowned upon

as are MX records

the `io.` TLD once had some

Also frowned upon, answering `192.0.2.123. IN A` queries, like my previous ISP used to do.

so frowned upon dnsmasq has an option to transform those back to NXDOMAIN

Anything you think can't happen in DNS has already happened

xd

NS that does horizontal referral to itself, paths that don't resolve based on which of the many NS you end up going through, and more.

Zash: you mean the .42 tld died rather

The .42 tld is not real, it can't hurt you

wait that was an actual TLD ? yikes

no harm

seems super harmful, is 192.168.1.42 an IPv4 or a domain name :)

moparisthebest, easy, IPv4. a domain name would have a trailing dot :-X

There's some words in an RFC somewhere, hold on

moparisthebest, oh right yeah xd

> `domainpart = IP-literal / IPv4address / ifqdn` > the "IPv4address" and "IP-literal" rules are defined in RFCs 3986 and 6874, > respectively, and the first-match-wins (a.k.a. "greedy") algorithm described > in Appendix B of RFC 3986 applies to the matching process

even for hostnames this is the case, so that would indeed be read as an ipv4

and again no harm except to the fool who made it

I would like to hope that this means "if it looks like an IP address then it is an IP address"

i assert so

and as jonas said if they wanted it to be interpreted as a domain name they would need a trailing dot. Though that would not be able to be used as a jid, which wants that dot stripped.

Let's just not go there, stop anyone from registering {0..255}. as a TLD and then live happily ever after.

unless "enforcements" means to just strip it yourself, not always to reject it

then you could use it

good thing that IPv6 uses colons

is 192.168.1.0x7F an IP address

moparisthebest, SHUSH

jonas’, and is enclosed in []

Zash, sometimes

no way

I swear I just read a vulnerability regarding hex and octal in ip addresses...

(in XMPP always) ✏

moparisthebest, also fun is e.g. `10.1` as IPv4

or `10.257`

which side is implied

or just `2130706433`

are you getting this from rfc 3986

I’m getting this from reality, no idea if that’s in any standard

$ ping -c1 2130706433 PING 2130706433 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.073 ms

idk wym by reality

see above ^ :)

https://daniel.haxx.se/blog/2021/04/19/curl-those-funny-ipv4-addresses/

just because ping accepts it doesn't make it a valid serialization of an ipv4 addr

qrpnxz, I never said it was, I said reality, not standard or validity :)

qrpnxz, welcome to the internet where if enough tools accept it as valid, it's valid, regardless of what RFCs say

yeah but that's not helpful, i'm also talking about reality, but reality of a specific thing

moparisthebest, which makes it scary that curl now supports it...

you’re talking about the theory of a standard, which unfortunately rarely matches the reality :)

the difference is real and needs to be acknowledged when writing software :)

ah there we go, that curl blog post has all the links to the vulnerabilities I mentioned, nice!

the case that many tools accept something is not the case that all compliant tools must accept something, which is the only thing i'm interested in

Prosody (release versions) will not federate with bare IP addresses and we haven't had all that much complaints about it, so you can certainly get away with _only_ supporting domain names.

I (aioxmpp client library dev) had a bunch of folks wanting to talk to IP addresses and it makes for all kinds of trouble

so that’s the flipside of that reality coin

qrpnxz, unless of course you want interop with any of those other tools

i have no problem federating with ip addresses so long they have a certificate or even as a special case you can give them credentials

moparisthebest, all the tools give you ip addresses in the correct form.

a recent example is I was sending a perfectly valid stream header and ejabberd wouldn't accept it

now you could wave your fist at the air and refuse to federate with any ejabberd in the wild

.... or send the stream header they expect

stick it to them

reminds me of this: Jun 01 13:05:05 s2sin55562e999090 debug Received invalid XML (parser error: not-well-formed: unexpected '<?xml' token in text node (expected one of: Text, '<', '</')) 532 bytes: "<?xml version=\'1.0\'?><stream:stream xml:lang=\'en\' to=\'dreckshal.de\' xmlns:db=\'jabber:server:dialback\' version=\'1.0\' xmlns=\'jabber:server\' from=\'search.chinwag.im\' xmlns:stream=\'http://etherx.jabber.org/streams\'><?xml version=\'1.0\'?><stream:stream xml:lang=\'en\' to=\'dreckshal.de\' xmlns:db=\'jabber:serv"

Outch, owie, my eyes

wut

qrpnxz, and then what? there’ll still be many (and not small) domains in the wild running such software, so you’re faced with the choice of being correct and being interoperable

yes

wait, is ejabberd expecting an invalid header or a valid one

FTR: Next Prosody major version will support IP address federation, but good luck getting certs for those.

qrpnxz, it is expecting a valid one, but not accepting all valid ones

ah, then i'd send the valid one they expect, but let them know

qrpnxz, oops not stream header, stream features https://github.com/moparisthebest/xmpp-proxy/blob/master/src/tls.rs#L183

I did let them know, but even if I sent a patch, that doesn't magically deploy it everywhere

Is there a difference in Matrix and XMPP from a security perspective

moparisthebest, you better be defining that stream prefix

qrpnxz, `xmlns:stream` is already defined on the stream header

şişio, this is not the XMPP vs. Matrix room, sorry

qrpnxz, yep it's of course defined, they should be identical per XML+XMPP rules, but ejabberd only accepts the second and not the first, prosody accepts both

are you just guessing, i'm asking about moparis' code

ol right good

I think Holger said that's just some old code hard-coding it the second way, but regardless, can't fix everything at once even if you want

sometimes you have to go with the status quo instead of the spec :)

i thought that ejabberd was supposed to be the respectable paid super-server, not garbage

it is a great server, everything has bugs

~all men must die~ every software has bugs

it has gotten way better over the years

ejabberd sometimes has more historical baggage than others due to being older.

i

c

I almost said "everything has bugs and legacy code" but I realized "legacy code" is often either bug free or bug riddled :)

> jonas’ wrote: > qrpnxz, `xmlns:stream` is already defined on the stream header > şişio, this is not the XMPP vs. Matrix room, sorry 👍

legacy code has so many bugs nobody wants to touch it, or so few bugs nobody needs to touch it? 🙂

lol

or both at the same time

ah yes, "it works, don't touch it"

I don't want to seem like I'm picking on ejabberd either, try sending a stream header without version= set to prosody and you'll be in for a fun time too :)

(RFC says to set it, you might expect a server to reject something without it, but that's not what happens)

moparisthebest, haha, yeah, I found that quirky handling while writing xmppstream.rs :D

jonas’, did you do the right thing and rm -rf it :D

moparisthebest, no, I’m drop-in-replacing, not rewriting :)

(the handling is outside xmppstream.lua)

ah, fair

(amusing was, I found it because aioxmpp rejected the resulting response stream header after xmppstream.rs did emit a nil version because I left that one out at first)

I found it because I'm writing all this TLS code, and using a prosody module to hijack all outgoing connections to go through my proxy, and every prosody server I tried to negotiate with rejected my TLS negotiation, even though it looked fine

total sadness ✏

finally determined the prosody module didn't set version= and prosody rejects even successful TLS if version= is not sent :D

but I spent like a week debugging my TLS code on and off lol

🍹️

Reminder that the Office Hours start in 15 minutes! Today's presentation is a demo of ad-hoc commands and forms in Mellium and some discussion about the relevant XEPs. https://socialcoop.meet.coop/sam-pku-dud-niv

And we're starting!

> Sam wrote: > And we're starting! Thanks, Sam!

Sam, was it recorded?

lovetox, yes.

But it is difficult to get it out of BBB, as fasr as I know. Let's see whether Sam fiddles his rec aout of BBB :D.

It's been done before

yah, I don't know if it's worth putting this one up or not though, I'll go back through and see when BBB finishes processing it

i was interested in it because i spent quite some time on the forms GUI in Gajim

and wondered about the problems you encountered with the spec

I wish I had remembered that adhoc demo module earlier.

Hello everyone, please check if your clients / applications / projects are placed and updated here: https://xmpp.org/software/clients.html

Also might need to blur out your phone number before you post this on the Internet Sam, heh

lovetox: video uploading https://youtu.be/C2oyAfJeqno

Sorry for the long rambling look at code; I'll skip that next time and just do the demo and call it done.

If you were there but left when we originally started the recording, the stuff that happened afterwards where Zash pointed out a cool module we could use to demo it starts at around 27:48 https://youtu.be/C2oyAfJeqno?t=1668

stopped the recording, even.