XSF Discussion - 2021-07-27

Couldn't resist :) and maybe, same name there

hi guys,if u want find my group..on gajim.. u only type this keyword "maskuga" on search box. start/join. then click button Global Group Chat Search. that all.

I warned him he should stop with the spam in dino channel before this, he insists it's not spam, this is channel #4 that I've seen

Thanks, moparisthebest. Spam is in the eye of the beholder.

The office hours are today at 1600 UTC! Join us for "Building a Chat Bot on Ad Hoc Commands" by Christopher Vollick: https://socialcoop.meet.coop/sam-pku-dud-niv

Seems 0060's integer-or-max thing was defined for pubsub#max_items and two other node config options, but e.g. not for pubsub#max_payload_size, where I'd think it would make sense as well?

Sam, sounds interesting, was wondering how to go about creating XMPP bots – and there's a few hours left before that so i can get some food in me. :)

Sam, is it alright to share this invite link on the fediverse?

phryk, https://fosstodon.org/@xmpp/106642759433718435

Oooh, didn't even know the XSF had a fedi account, but that makes so much sense in hindsight that I'm embarassed I didn't realize it.^^

wait lol, i already follow that account :D

any clue whether i need previous knowledge about ad-hoc commands or the internals of any other xmpp spec/xep?

I'm not sure, I haven't talked to the presenter about the content

alrighty. it seems as though this sort of talk is at least a semi-regular occurance?

In theory; lately no one seems to want to sign up

When I got this setup finished, I might be interested in saying a bit about secure XMPP setups.

That's gonna take at the very least a month tho. Besides some more minor stuff, I still have to implement a custom invite page, fix at least one bug in mod_e2e_policy and extend its featureset by a good chunk, and I never programmed in lua before. :P

Currently I'm writing a bunch of texts for the website to onboard people and give them what they need to make informed decisions.

You could always present on what you plan to do instead; that way it's more likely to happen 🙂

But that way, I don't have any actual findings. :P

Plus, it's an anarchist thing – I want propaganda of the deed: if I already did it and show it off it shows to others that and how it's possible. :)

The office hours start in about 30 mins! Join us for "Building a Chat Bot on Ad Hoc Commands" by Christopher Vollick: https://socialcoop.meet.coop/sam-pku-dud-niv

Sam, what's your final take on https://github.com/xsf/xeps/pull/1090, after list discussion?

can it be closed, do you want to update it?

I still think it's fine as is, but might as well update it for the mam thing too

Sam, could you explain where the current methods are not sufficient on list so that we have it documented? It's still not obvious to me.

jonas’: hi, I didn't change the status from Deferred to experimental for https://github.com/xsf/xeps/pull/1094, will it be done automatically?

apparently not, I'll make an other PR then

goffi: thx!

<iteam-hat>I guess the E2EE SIG wants a mailing list? How about a MUC? (cc vanitasvitae)

jonas’: https://github.com/xsf/xeps/pull/1097/files

I have thought about that as well, but I'm not sure how muvh benefit dedicated lists and rooms would bring.

But it can't hurt either I guess. Whats the process of getting a MUC registered on xmpp.org?

My opinion is that a MUC would be valuable, but list discussion would be better on standards@ if the traffic is low

Yeah, thats more or less my opinion as well

Too many lists to keep track of :D

But never enough MUCs!

#thatsXMPP!

> MattJ wrote: > My opinion is that a MUC would be valuable, but list discussion would be better on standards@ if the traffic is low What muc address would that be?

It was stated here, not so long ago, that the XSF makes no software for XMPP but only discusses the standards, XEPs. Or did I get this wrong? Does it also write the XEPs? I mean defining something in detail without making it would feel weird to me.

people write the XEPs, anyone can, the XSF discusses+publishes them

sometimes code comes before XEPs or after or sometimes never, personally I agree with you, for me code always comes first

"Rough consensus and running code" is the way

Ok, thanks.

me9: the XSF is a volunteer organization. When a XEP is written there is usually someone with an interest in implementing it, and they are involved in the process (often they are the XEP's author)

Mhm.

Where are past presentations hosted? Would be especially interested in talks giving a good high-level overview of the specs and terminology.

phryk: Do you mean the XMPP Office Hours?

For example, but if there's more than just that, I'm happy, too. ;)

Ah found XSF's Youtube channel and Sam's talk.

4/20 \o/

> phryk wrote: > Ah found XSF's Youtube channel and Sam's talk. I think Sam made that channel and puts the recordings on there. ✏

lol grindr is built on xmpp?

Yes.

and fucking zoom? jeebus. :F

language maybe

Yes, maybe keep a civil language

I'll try.^^

Under protest. :P

Didn't know about zoom, that's pretty nifty :)

Is there a recording of the "Towards XMPP 2.0" thing?

https://www.youtube.com/watch?v=oc5844dyrsc and this one is going into my future watch list :3

phryk, Zoom posted some job offer on https://xmpp.work/ recently.

But looking at their docs is enough to know they use XMPP.

I never used Zoom and never looked at their docs. :P

I even dislike jitsi because goddamnit, just build an A/V MUC thing I can join with a normal XMPP client. :F

phryk, that’s exactly what they have done.

"just"

They did?

They do.

Wait, can I join jitsi meets with conversations, then?

Nope

You can join any Jitsi MUC with any other client, yes.

you won't get A/V though

Yeah, I meant the A/V part. :P

phryk, their main meet.jit.si server only exposes a WebSocket entrypoint, no plain TCP ones.

phryk, get any other client to implement multi-party A/V first?

Link Mauve, though nowadays you need to send <nick/> in presence for things to work IIRC

jonas’, yes, even back then.

back then™ it was sufficient to send <nick/> in <message/>, not in presence.

Or you get weird auto-generated ids instead of your nick.

Link Mauve, Conversations doesn't implement multi-party A/V yet? I thought they did…

phryk, nope, it doesn’t.

I think they're webrtc only now, last time I tried I couldn't connect anymore

Damn.^^

It doesn't and Jitsi doesn't want to cooperate

Link Mauve, I know because my bot got away with that, while injecting it into presence was so annoying that I replaced it with a prosody module :D

The only clients I know of which implement that are Jitsi Meet, Jitsi, Empathy, and I guess Zoom.

Isn't everything "webrtc" these days tho?

Link Mauve, dino is on it though, or so I hear

Yeah figures, I guess they also didn't hand in an XEP to specify how multi-party A/V either?

Sam, always has been WebRTC, it wouldn’t do audio/video in a browser otherwise.

and Conversations is interested to follow suit

phryk, they are based on XEPs which specify multi-party A/V :)

Link Mauve: the signaling is webrtc now too, I mean

Note that Conversations, Movim, Dino and whatnot are also WebRTC, with Dino being the only one not WebRTC only.

those haven't been kept up to date though :(

Sam, WebRTC doesn’t do signaling though.

It leaves that out to the client.

jonas’, care to throw me the XEP numbers? :)

It does whatever you send over it.

phryk, check the list for COLIBRI

Sam, you need something to exchange the SDPs over though, before you can even exchange peer-to-peer data

phryk, XEP-0298, XEP-0340 are the main ones.

right, Coin and COLIBRI

I couldn't see a websocket connection last time I tried anyways, I could see IQs in a webrtc error message.

(make sure to enable Deferred ones in the view)

What was "WebRTC" even? Some profile of codecs and stuff? RTP over UDP over DTLS over HTTP over SCTP over DTLS over ...???

Dino just uses rtp directly?

Sam, in any given room, press F12, go to the network tab, and look for the wss://meet.jit.si/xmpp-websocket?room=yourroom connection, it has HTTP status 101.

Then in the Response tab you can see the WebSocket exchanges.

(In Firefox, I don’t know how it is in other browsers.)

phryk, yes, or with DTLS-SRTP to negociate the encryption, which is basically what WebRTC is.

Plus a bunch of other extensions made mandatory.

cool.

Now, I think, I'll finally go read that mod_e2e_policy code. :3

MattJ, others interested in E2EE might be interested in an e2ee ietf mailinglist: https://mailarchive.ietf.org/arch/msg/ietf-announce/JD82eEVcnGOYCYCcIjRDwiZlB6Q

Link Mauve, can you actually join meet.jit.si with any other client? i thought they disabled s2s?

southerntofu, sounds like you can join chats if your client supports xmpp over websocket.

so, i assume that basically means conversejs and nothing else?^^

idk phryk i dug through my browser console to find the muc address and tried to join, but it failed

southerntofu, yes you can, configure your client to use this WebSocket endpoint, and then join the MUC you want.

ok strange, thanks

Most desktop clients don’t support WebSocket though, so use something like Gajim, Converse.js or such.

I have successfully used Gajim.

Sounds like Gajim is the best client for debugging XMPP stuff…

good to know! like we were talking in some other chan, i'd find it great to have better desktop/mobile clients for Jitsi Meet

<open xmlns="urn:ietf:params:xml:ns:xmpp-framing" is WebSocket C2S, anyone have opinions on what S2S should look like? unless I hear complaints I'm going with xmlns="urn:ietf:params:xml:ns:xmpp-framing-server"

Zash, created on 27.07? Coincidence? :O

southerntofu, phryk I'm close to releasing a tool that'll let any normal-xmpp-speaking client connect over WebSockets FYI

a MUC<->websocketMUC gateway?

websockify?^^

webmucket

moparisthebest: The framing that is only really needed with clients that are limited to DOM entire-document parsers? Why would you ever keep that? Why do we still have it for c2s???

a TCP-XMPP -> websocket-xmpp proxy

Zash, yea, wouldn't *need* the framing I guess, on the other hand why not

phryk, I usually use poezio, but it’s a matter of preferences really.

It doesn’t support WebSocket though, nor WebRTC.

My preference UI wise is dino, tho I'd like it to be a bit mor explicit and offer more things on context…

Might actually end up writing my own client, but that's one of those potential projects like me writing my own wayland composer or webframework. :P

phryk, why not contribute to Dino?

I mean I am doing the latter, but I started in 2011-2012 and it's been in it's third iteration since 2015 and still isn't even at alpha^^

Link Mauve, because the devs made it clear they don't see eye to eye with me concerning UX.

fork!

No way.

why? certainly nicer than totally starting from scratch when you are 90% of the way there

No, and a whole bunch of reasons.

For one, I'm not gonna learn yet another language just to fork a thing when I'm already currently learning D for that wayland compositor, have to get back into Perl for a job and am about to embark on learning Lua.

Learning 3 languages in parallel is enough for me, thank you very much.

Also, because time and time again I've found that using other peoples codebases for complex stuff turns out to be a complete cl*****f*** when trying to bend it to my needs.

For example in my webframework I tried using pandas (python data analysis module) for over a year and everything was pain and suffering for that time.

When I decided to just throw the damn thing out, I was at feature parity with my old stuff in about a month and a week later had more features than before, the thing worked more generically and the serialization was more reliable while not changing its interface at all. ✏

other people's code is terrible, your code is terrible, welcome to programming

Nah, it's not only that.

programmers like rewriting things :) https://www.joelonsoftware.com/2000/04/06/things-you-should-never-do-part-i/

*Some* other peoples code is great, amazing even. I've only ever once had a problem with flask for example when it was relatively fresh, dumped my concerns into IRC and forgot about it – only to come back to it a couple months later and found that all my issues had been fixed in ways that were better than what i proposed.

and some other people's code is garbage, like ansible which has over 1000 papercuts/m² which are very counter-intuitive

And XMPP implementations are one of those things where I'd be *extremely* cautious. Been playing with the tought of implementing it myself, but then it's not a medium-sized domain-specific project anymore, but a multi-year one.^^

The concept for an XMPP messenger I came up with some time last year was using python + kivy so I can do responsive design from the ground up and do desktop + android + iOS (+ pinephone or whatever) – basically one client to rule them all. :P

But honestly, I'd like it to be compiled, so currently I'd be leaning more towards D, but then I don't know of any compatible GUI toolkit being constructed with responsive design methodology built-in…

Plus, I'd still lose the whole "support for any and all platforms" thing…

phryk, sounds a lot like libervia.org (except python)

Isn't that just an online service, not a client?

phryk, it's a client with different frontends: gtk, web, cli, tui, android...

oh, like mplayer but for XMPP? :D

something like that :P

good approach, I'd say. but I want just one frontend that' responsive.

also you may be interested in some rust GUI frameworks which support web platform, like https://github.com/hecrj/iced

or keep an eye on WASI project to reuse web technologies everywhere (except JS of course)

No, no, aand no. ^^

And definitely no electron or anything like that.

it's not EXACTLY "anything like that" but it's the same spirit yes

Don't get me wrong, I've been doing web development for some 15 odd years now and I love what the web enables, but I hate how the web is used to replace anything native.

https://hacks.mozilla.org/2019/03/standardizing-wasi-a-webassembly-system-interface/ <--- not exactly sure it's the best but if web platform is on your list, then it may be the most appropriate

My webframework has a strict policy about no client-side scripting and no third-party requests. enforced by CSP in its core so you'd have to fork the damn thing to use that stuff. :F

phryk, i also hate it, but with a proper desktop/system integration, lightweight runtime, and distribution on proper package systems (appimage/guix/flatpak) i think i could actually like it

phryk, i really like what i hear, do you have a link? is everything handled via <form>s?

No, web platform is absolutely not on my list. I'll begrudgingly deploy converse on the XMPP service I'm currently building, but only for onboarding and fallback.

phryk, libervia already has a Kivy frontend named Cagou.

ah sorry i thought "web" was in the "one client to rules them all" :D :D

You may also be interested in Kaidan, doing the same but with Kirigami.

Yes, I have an integrated custom form system that also allows building complex, stateful applications powered by encrypted server-side sessions out of webforms.

So far I’m not impressed on desktop, but maybe with more workforce they could become good.

Kirigami doesn't ring a bell. I wanted to try Kaidan on my system, but it only ever segfaulted – I thought it was KDE?

sounds useless for e2e chat though right?

phryk, it’s one of the KDE frameworks, targetting mobile too.

So KDE developed a desktop<->mobile portable GUI framework independently from Qt?

phryk, also libervia project could use some help, it's pretty cool and the maintainer has an interesting vision from what i could chat with

server-side anything without client-side scripting is useless for e2e chat I mean

phryk, I don’t think it’s independent on it, probably building on top of it.

southerntofu, https://rnd.phryk.net/phryk-evil-mad-sciences-llc/poobrains/ <- the framework

I haven’t looked much into it, so I can’t help you more with that.

moparisthebest, it's not useless, you can build encryption by making your own user agent for those HTTP requests :)

Mhh, Qt is complicated because I don't know if we can depend on it to stay open/maintained or if it'll diverge from the commercial one.

encryption in the browser is the worst idea already

ehh

X.509 is the worst idea already. :P

sure, but at least you can do it in a real language with webasm

Worst. Spec. Ever.

moparisthebest, not all browsers support that, we're already trying to remove JS, without adding an even bigger attack surface :P :P

for me WASM is only useful for cross-platform applications, not on the actual WWW

it brings the good stuff of the web (HTML+CSS) on the desktop via WASI, and we can keep client-side scripting outside of the browser :)

(because of fingerprinting, sandbox escapes, rowhammer-style attacks..)

phryk, Libervia’s Cagou is built on Python + Kivy, have a look at it, the room is at xmpp:sat@chat.jabberfr.org?join fyi.

southerntofu, how is wasm a bigger attack surface than JS?

X.509 is great because it caused this to be written: https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt

It also brings neither HTML nor CSS into wasi.

Link Mauve, doesn't have to be bigger (in fact can be smaller) but it's bigger than no client-side scripting at all

Link Mauve, no but WASI + a desktop browser engine allows good cross-platform web-based UI, that's what i meant

How is that different from a browser?

Zash, It also caused this to be written: https://phryk.net/article/zomgwtftls/ :P

(CW: language)

Link Mauve, it doesn't run random code from the internet to just display stuff

it runs an application you downloaded and vetted, hopefully through trustworthy chanels

southerntofu, I mean, a browser engine + a wasm interpreter which has access to local stuff (wasi) is worse than a browser engine + a wasm interpreter which is restricted to HTTP resources to me.

The former is pretty much electron.

The latter, any standard browser.

oO? you'd rather run random code from the internet?

I’d rather have a sandbox than none.

Which is why I do use the web, and why I don’t use electron.

well sure you can sandbox stuff, but in my view that'd be the role of firejail/flatpak/chroot not the role of the runtime itself

also browser sandboxes are a joke, people keep on poking holes through all the time

> X.509 - the PDF of IT Security <- I'm still *extremely* proud of that heading. :P

personally i'd much rather run code packaged by my distro without a sandbox, than sandboxed code fro mthe internet

Well, good for you I guess.

sure. i mean how much malware distributed through debian? vs how much malware due to browser vulns?

southerntofu, full ACK on that. I especially hate the implications of client-side scripting code delivered by servers being able to be different for every request. theoretically you can target by demographics or users to only *sometimes* deploy malicious code making any audit basically meaningless.

phryk, exactly! plus i recently learnt about rowhammer.js and i was like "wow is this what we have come to?"

When I install packages from the distro package repo (or my own one), I have strong cryptographic assurance that it hasn't been tampered with between compilation and delivery.

Computers bad. Grow potatoes. 🤷️

Heh, yeah, I still remember that ASLR-defeating exploit that worked over javascript.

Exactly, run GNU Hurd and bury thyself!

he said, running FreeBSD and being very unGNU… ^^

don't forget your GNU/shovel to resolve (`dig`) where this whole is taking you :) :)

I often say we should have abolished UNIX and all used Lisp machines, only half-jokingly. :P

well that is an interesting paradigm! but i'm afraid we're growing offtopic here :D

Aye, was thinking the same thing.

To get a bit more on-topic: Is the server domain alone a valid (but somehow special) JID? If so, where is that defined? ✏

All browsers support wasm, and I'd rather they only support wasm and not js

Yes, a bare hostname is a valid JID. XMPP-Core and/or XMPP-Addr

Thanks.

https://xmpp.org/rfcs/rfc6120.html#rfc.section.2.1 and https://xmpp.org/rfcs/rfc6122.html