XSF Discussion - 2022-01-26

  1. Neustradamus

    I can create a ticket about the bad logo here: https://opencollective.com/xmpp? I have already informed a long time ago but it has been forgotten, I think, and without ticket, no following.

  2. mjk

    What's bad about it? Raster?

  3. emus

    Neustradamus: As I recommended in my message to you yesterday, I think and still recommend you give it a bit of time before you engage in new tickets of any regard currently. You can find a decent logo in Wikipedia.

  4. Neustradamus

    emus: It is for this that I have posted this message here.

  5. Neustradamus

    mjk: Good logo is here: https://commons.wikimedia.org/wiki/File:XMPP_logo.svg + https://commons.wikimedia.org/wiki/File:XMPP_logo_(without_text).svg

  6. mjk

    Their canonical source is probably here: https://github.com/xsf/xmpp.org/blob/master/static/images/logos Anyway, what's _really_ horrible is the C++ pseudo-logo on the front page of xmpp.org! Here's a real one: https://github.com/isocpp/logos/blob/master/cpp_logo.svg

  7. mjk

    Shall I PR?

  8. Guus


  9. Neustradamus

    mjk: it has been updated, you can look here: https://github.com/xsf/xmpp.org/blob/master/static/images/logos

  10. Neustradamus

    The issue: https://github.com/xsf/xmpp.org/issues/608

  11. Neustradamus

    It is good now at this place

  12. Guus

    mjk: maybe pre-emptively point to https://isocpp.org/home/terms-of-use in your PR

  13. mjk

    Guus: right (I haven't studiet the ToU yet)

  14. Guus

    ianal, but "sure, go ahead as long as you're not suggesting we're endorsing you"

  15. Guus

    How do contributions to the XSF through OpenCollective compare to the good old XSF sponsoring we also/used to have?

  16. emus

    Guus: tell me more?

  17. Daniel

    regular sponsorship is rather expensive (for individuals) but comes with perks

  18. emus


  19. Daniel

    benefits https://xmpp.org/community/sponsorship/

  20. guus.der.kinderen

    Is the money earmarked differently? Should we start using OpenCollective's payment processing services (that also support recurring payments) for 'old style' sponsoring too?

  21. guus.der.kinderen

    Or, if there is a difference, we might want to document that publicly?

  22. guus.der.kinderen

    Linking to OpenCollective from https://xmpp.org/community/sponsorship/ might draw more attention to that, which I suppose is a good thing.

  23. dwd

    I've just noticed that sponsors can submit blog posts to the XSF Blog. And they're vetted by the Council for some reason.

  24. guus.der.kinderen

    We had that since the beginning of time, I think.

  25. guus.der.kinderen

    One benefit of OC-for-sponsors is that it might take away our annual manual generation of invoices, which we are bad at.

  26. guus.der.kinderen

    Plus, the exposure/transparency might be good.

  27. emus

    > guus.der.kinderen escribiĆ³: > Linking to OpenCollective from https://xmpp.org/community/sponsorship/ might draw more attention to that, which I suppose is a good thing. could you PR what you have in mind?

  28. guus.der.kinderen

    I'm not sure if it is a good idea. I wanted to start a discussion here, first. šŸ˜Š

  29. dwd

    I'm not sure that OC is the right vehicle for corproate sponsorship, but really from the corporate sponsor's side - people do seem to like invoices and suchlike.

  30. emus

    Do we do financial reporting actually?

  31. guus.der.kinderen

    Doesn't OC provide those? I can imagine that they must, if.only for their accounting.

  32. guus.der.kinderen

    emus: our treasurer does that.

  33. dwd

    Sorry, to be clear: "I'm not sure that" is for once a genuine statement of uncertainty, not me being polite and British and saying "You're completely wrong".

  34. emus

    guus.der.kinderen: is it public?

  35. guus.der.kinderen

    emus: unsure if they are published, but I don't think that they're secret.

  36. MattJ

    dwd, https://docs.opencollective.com/help/expenses-and-getting-paid/submitting-expenses#invoices

  37. MattJ

    It's my understanding that OC is specifically designed to be a good bridge between the corporate and FOSS worlds

  38. emus

    Would be interested

  39. Guus

    MattJ, that link describes invoices for the payee, I think, not the payer.

  40. Guus

    > What's the difference between an individual and an organization profile? > Organizations represent a company or entity, while individual profiles represent a person. Organization profiles can have multiple team members (individual profiles) who have access to edit it and make financial contributions in its name. If a contribution or expense is for a company, it's important to use an organization profile so the correct billing information shows up on receipts and invoices. Organizations can also issue gift cards.

  41. Guus

    that suggests that invoices are supplied to payers

  42. dwd

    MattJ, Ah, nice.

  43. Guus

    but, stepping back: do we _want_ these contributions to go through the same mechanism?

  44. Guus

    I'm not seeing an immediate reason to not do this, but it's worth thinking about that for a second or two, maybe.

  45. Zash

    It's probably looking more Serious to send proper invoices without an intermediary

  46. Sam

    Just catching up, but FWIW I know a lot of organizations that do corporate sponsorship through Open Collective.

  47. dwd

    Yeah, I can't think of any reason as long as they handle decent invoincing, and they probably do that better than us.

  48. dwd

    As for intermediaries, even my plumber sends me invoivcing through Xero now.

  49. Sam

    As far as I know OC doesn't generate invoices in any meaningful sense though. That is, you can put your info in and it will make a single one geared towards expenses, and only if the other party is on OC themselves

  50. Sam

    I've been using https://app.workspace.fiverr.com/ to keep track of clients and generate recurring invoices that get automatically sent and the like, unsure if there are better options but that's been working for me (and I got it free through the freelancers union)

  51. Sam

    Or rather, you can upload your own invoice on OC and input the details, it doesn't really generate it.

  52. mjk

    >> Anyway, what's _really_ horrible is the C++ pseudo-logo on the front page of xmpp.org! >> Shall I PR? > yesplease Done! https://github.com/xsf/xmpp.org/pull/1062

  53. mjk


  54. Neustradamus

    Thanks mjk!

  55. mjk

    np. Wanted to do it for a long time :))

  56. Neustradamus

    mjk: Never too late ^^

  57. dwd

    Well, CVE-2021-4034 looks like a barrel of laughs.

  58. moparisthebest

    dwd, yep linked it in xmpp operators channel yesterday https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034 fun since 2009 !

  59. Zash

    And wasn't it discovered in 2013 but not fixed?

  60. moparisthebest

    ah I didn't read that ?

  61. Zash


  62. moparisthebest


  63. junaid

    well... that's embrassing

  64. moparisthebest

    by all means though continue writing important things in C, nothing wrong with that :D

  65. dwd

    Real programmers write in C.

  66. jonasā€™

    like pkexec?

  67. dwd

    Real engineers don't, but that's another matter.

  68. jonasā€™

    oh wow

  69. Zash

    programmers ^ engineers you say?

  70. moparisthebest

    does anyone know of any use of https://xmpp.org/extensions/xep-0451.html in the wild ? cc Sam

  71. moparisthebest

    on a related note, is there really not a generic way you can send a certificate along with a signature to prove you have the associated private key ? (outside of TLS negotiation, that is)

  72. Zash

    stop right there, before you invent something like what email, matrix or mastodon uses

  73. MattJ


  74. Zash

    Why would you need to anyway?

  75. moparisthebest

    MattJ, searches aren't really fruitful, happen to know any more words? :)

  76. Zash

    Anything sent via TLS is implicitly signed by the TLS cert key, no?

  77. Zash

    What problem are you trying to solve?

  78. moparisthebest

    Zash, to avoid dialback/mux, for piggybacking

  79. MattJ

    moparisthebest, sorry, it was a name proposal, not an existing technology. Zash has been complaining about DKIM all week.

  80. moparisthebest

    you just "hey looks like you also serve muc.yourdomain, care to send me the cert to prove it? thanks!"

  81. moparisthebest

    or the other direction, "hey I'm already connected/authenticated to you for example.org, but I also host muc.example.org and have a few stanzas to send, here's proof"

  82. Zash

    renegotiation and ask for another client cert? good thing renegotiation has been killed with fire

  83. Zash

    how about this solution: don't

  84. jonasā€™

    moparisthebest, I don't quite yet see the problem statement :)

  85. moparisthebest

    wouldn't it be a lot nicer than everything else ? assuming it was simple and secure that is

  86. Zash

    demand it be covered by SAN in the already sent certificate or open another connection

  87. moparisthebest

    jonasā€™, avoiding dialback/mux/extra connections

  88. jonasā€™

    what's wrong with mux?

  89. jonasā€™

    I mean I can agree on dialback being bad

  90. jonasā€™

    but I don't see what's wrong with mux or even multiple TCP streams (though you may now say file descriptors, I'll raise you a "rate limiting is much easier if you only have a single stream per entity)

  91. jonasā€™

    but I don't see what's wrong with mux or even multiple TCP streams (though you may now say file descriptors, I'll raise you a "rate limiting is much easier if you only have a single stream per entity")

  92. jonasā€™

    so, what is the *problem* you're trying to solve, not the thing you're trying to make fancier :)

  93. moparisthebest

    mux is better than dialback, that's why I was asking about implementations

  94. Zash

    I'm firmly in the "use BIDI, burn dialback, be happy" camp

  95. moparisthebest

    but it'd be even better to *not* have to create new connections

  96. Zash

    Because really, how much does multiplexing really give you?

  97. Zash

    (Actual question that I would like to see answered with statistics and surveys)

  98. moparisthebest

    the end game here is I'm working on a spec for XMPP-over-QUIC, and so have the opportunity to make all the good things MUST

  99. moparisthebest

    bidi, mux, forbid dialback, it's all on the table

  100. moparisthebest

    I don't want to *invent* a way to prove you have a cert outside of TLS, but it's kind of something I assume exists already, somewhere, and if it was nice, it could be good to re-use

  101. jonasā€™

    oh right

  102. jonasā€™

    I meant bidi, not MUX

  103. jonasā€™

    just BIDI, KISS things.

  104. moparisthebest

    or you could forbid BIDI by only allowing one-way streams for s2s connections, which is a concept QUIC supports

  105. moparisthebest

    you can open multiple streams per connection, either way actually

  106. jonasā€™

    moparisthebest, IIRC you need the back channel actually

  107. jonasā€™

    for stream errors or so

  108. moparisthebest

    yea that's what I concluded too, just stating the options

  109. moparisthebest

    multiplexing without head-of-line blocking would be pretty nice for s2s though

  110. moparisthebest

    could be for a client with multiple accounts on the same server as well, I guess

  111. moparisthebest

    Is there precedent for deprecating half of a final xep? Specifically the zlib method of https://xmpp.org/extensions/xep-0138.html

  112. jonasā€™

    moparisthebest: unlikely

  113. Zash

    awkward with MTI

  114. moparisthebest

    So, suggestions? Deprecate whole thing and next method can re-spec it in a separate xep ?

  115. moparisthebest

    Probably wouldn't make sense to make it a new xep now with no methods...

  116. jonasā€™

    yeah, probably obsolete the entire thing

  117. Zash

    Anyone know how to turn 3 sentences into an informal XEP about the proper procedure for service discovery?Ā©

  118. Zash

    Anyone know how to turn 3 sentences into an informal XEP about the proper procedure for service discovery?

  119. moparisthebest

    slap some XML tags around it and send it to the editor

  120. Zash

    `echo "Start with disco#info the domain part of your JID, then disco#items and recurse, but don't get into an infinite loop." | pandoc -t tools/2xep.lua`

  121. Zash

    missing *all* the required metadata!

  122. Zash

    Tho it could just as well be a section of XEP-0030

  123. Zash

    > Version 2.5rc3 (2017-10-03) still so weird

  124. qwestion

    Hi noob here, so sorry if I should RTFM or ask elsewhere first, but I didn't find much in my xmpp hist about status.im, its tech and what xsf/xmpp devs think of them?

  125. qwestion

    Unrelated : https://tidelift.com/ is other possible complement to opencollective

  126. moparisthebest

    qwestion, status.im is not XMPP and is therefore trash not worth considering :D

  127. Zash

    Not XMPP? Not on-topic. Simple as that.

  128. emus

    After I told Neustradamus to stop highlighting people, he is doing it again. Maybe more steps are necessary now.

  129. emus

    Sorry, different repository, but related to xmpp. got confused

  130. Neustradamus

    emus: The error is human, I forgive you.

  131. Neustradamus

    For information, maybe some people had not seen, I have renamed https://github.com/scram-xmpp/info/issues/1 to https://github.com/scram-sasl/info/issues/1 for a better deployment :) I am verry happy to see that SCRAM is increasingly used. The work done for many years shows success. I want to thank the developers who have been able to move this in our community.