emus: One question on the MoM from yesterday: What is the topic "Security bounties"?
MattJ: emus, the possibility that the XSF could have an official bug bounty program ( https://en.wikipedia.org/wiki/Bug_bounty_program ) for security issues in the XMPP protocol and maybe certain software projects
emus: MattJ: ah then I got it right already. Wasn't sure if it really was about bug bounty. I support this!
emus: Ge0rG: can you repeat the idea to automatically list the CVEs from all XEPs? Was it as I stated?
wurstsalat: I'd help with the website if that's necessary :)
Ge0rG: I'm not even sure any more what the perceived benefit was
emus: Ge0rG: well, a clear overview and centralized place to review what happened
emus: I assume?
Kev: The only benefit to anyone I see from a page listing CVEs for unrelated XMPP projects is so someone can link to it when they want to say "Look, XMPP software has lots of vulnerabilities", to be perfectly honest.
emus: I think that would go hand in hand with the bug bounty
Kev: I'm not arguing against CVEs.
emus: if we want to track them as well (which I still think would be good practice, right?)
Kev: Do we have any CVEs against the protocol? I admit I didn't realise that was a thing.
emus: Ge0rG: ?
Ge0rG: Kev: I'm pretty sure we don't, and I think that's not how CVEs work in general. We've had vulnerable protocols in the past (e.g. compression), but our solution was to deprecate them. We also have protocols that are CVE magnets, notably 0280/0313 and XHTML-IM
Ge0rG: IMHO the scary <cve> blocks in the XEPs, while technically not part of the protocol specification, are a good trade-off between notifying prospective developers of the challenges and making public how "horrible" our specs are ;)
emus: Ge0rG: so you also don't want to track them centralized?
Ge0rG: emus: I don't remember what it would be good for
emus: Hmm, but as you said, isn't the idea to make such things public and easy to follow? Like devs and others can subscribe to such a page, for example. Each time something pops up they will be notified?
emus: other opinions?
singpolyma: There's no practical difference for privacy between owned hardware, leased hardware, and a VM anyway. People in the data centre can get at the server either way
jcbrand: I think there is a practical difference if you have to physically access the hardware versus accessing data through cloud management software.
Zash: Virtualization has more attack surface. Bugs in hypervisors or even CPUs do happen.
Ge0rG: And then the whole speculative fault execution mess
singpolyma: "cloud management software" = ssh. Full disk encryption does nothing while the server is powered on. I agree about VM attack surface that does sometimes happen
Ge0rG: singpolyma: how would you extract data from a server that's powered on?
Zash: I'm not convinced this would weigh much for our purposes tho.
singpolyma: Ge0rG: oh I see, your argument is that to get in if it's well secured I have to do something that would interrupt operation. Probably true. Though that's true for full disk encryption in other cases too unless a backdoor was preinstalled when they set up for you
Zash: This very chat runs on a VM. 🤷️
singpolyma: Anyway, I'm not against people running their own hardware of course, but it's too much work to bother for most full-timers, nevermind volunteers so I think any small trade-offs point heavily to simplifying
Ge0rG: But the original question was about our mailing lists? Given that "we" are a US based 501c, we can't enforce the GDPR anyway in any reasonable manner, so we could as well rent some cloud service. Maybe there are list operators that are doing this for other (FOSS) communities?
singpolyma: The mailing lists seem like a simple case? Can run basically anywhere, just need good IP rep or an SMTP relay for deliverability. Or are you meaning to stop running them and use "hosted mailing lists"?
singpolyma: Yeah. And IIRC they're all mailman2 already so no real benefit to changing that
Ge0rG: singpolyma: while mailman2 runs on its own, IP reputation doesn't
flow: isn't mailman2 deprecated, or soon to be?
singpolyma: Ge0rG: sure, so use an SMTP relay if that's a concern
singpolyma: flow: dunno. Mailman2 wasn't ready for prime time when I last looked
Zash: I'm certain I recently saw a post saying mailman3 would break all permalinks... so that seems fun
singpolyma: mailman2 is the stable one everyone uses. mailman3 is the rewrite
flow: but I would be happy if we would use discourse, as I believe we need a central place that brings together developers, protocol architects *and* users
emus: flow: we have lemmy for a few months
flow: managing igniterealtime's discourse instance is pretty low-maintenance
singpolyma: flow: yes, but it would be a big migration thing to move over to it from the current setup
flow: there is an alternative to migration
Zash: "don't" ? :)
flow: besides, I wouldn't be surprised if somebody hasn't already written a migration tool from mailman to discourse
flow: Zash, no, freeze and conserve mailman, and then start over
flow: I would, but last time I suggested discourse, some voices were raised against it
flow: so the problem is to find a tool that everyone can agree on
singpolyma: emus: yes, we're just discussing what software to use for the maillists
flow: and that it's terrible to find things there, if you aren't Zash
flow: I think alone the fact that with discourse we could tag every discussion with the related XEPs would be a big win
singpolyma: Well, "the youth" mostly don't use message boards or email at all anymore, just chat, so MUC is perfect there
emus: I was suggesting an evaluation of services before deployment but that was not of interest 🤷🏻♂️
singpolyma: Lemmy is a platform for making multiple link aggregation communities
flow: clearly there are techies out there who don't like the appeal of mailman2 (and mailing lists in general) and would be happy to use a web-based interface instead
flow: and by sticking with mailing lists only, we don't reach those
flow: so it seems only sensible to pick a solution that provides both interfaces, that is, mailing list and web-based, to the discussion
singpolyma: Sure. I said discourse would be better. But when the discussion started with "how do we make this easier" I think expanding the use case / doing the migration is asking for more work not less. Of course, nothing is up to me and I'll happily abide the decision of those doing the work
flow: I find it especially appealing that a web-based interface would also help XMPP users to report their issues, which would greatly help us with future protocol design
singpolyma: flow: you'll just get people whining about their apps that way :P
flow: and developers struggling with increasing the user experience can be directly directed to protocol architects
flow: singpolyma, that is right, and another reason why user reports should happen at the same venue where developers and architects meet
MSavoritias (fae,ve): What does matrix have? The chats?
MSavoritias (fae,ve): I haven't seen discourse being used much by any community that has adopted it personally
MSavoritias (fae,ve): People stick to chats or some ticket system like github
Zash: singpolyma, that's what the kids call it these days?
flow: Zash, hence I wrote "part of"
emus: flow: having both is not a thing?
singpolyma: Oh yeah, discord is chat again
flow: emus, clarify "both" please :)
emus: Discourse and new mail setup
Zash: Two mailing lists?
emus: Zash: or can they run on the same database with different interfaces?
flow: emus, ideally, discourse is able to replace the mailing lists, so having both would not be an ideal solution, but if it's the only way we can have discourse, then it's better than nothing
singpolyma: Yeah, two mailing lists seems redundant
singpolyma: Twice as many emails! ;)
emus: Ok, I thought it can be run as just two interfaces and you just choose mail or discourse
moparisthebest: yes, but that's just running discourse
mathieui: MSavoritias (fae,ve): I have seen communities adopting discourse to some good level of success, I just stopped interacting with them because discourse is quite bad at replacing a mailing list, but I guess people like it
MSavoritias (fae,ve): Wait discourse is supposed to replace a mailing list?
It's horrible for that personally.
UI wise and functionality
edhelas: To me discourse is a no go :p
MSavoritias (fae,ve): I thought we were talking about a forum thing
singpolyma: MSavoritias (fae,ve): if you use it via email UI should be the same
MSavoritias (fae,ve): Depends how it's done then.
In terms of compatibility between the two then
emus: MSavoritias (fae,ve): we have Lemmy already
MSavoritias (fae,ve): That's my thought too.
Discourse seems too much effort for little gain
MSavoritias (fae,ve): I think lemmy has more chances to attract users to xmpp than a forum
MSavoritias (fae,ve): Federation and stuff
flow: https://lwn.net/Articles/901744/
moparisthebest: lemmy doesn't do email though
jjrh: https://discourse.slicer.org/t/using-discourse-as-a-mailing-list/67 looks like you can use discourse as a traditional mailing list
flow: Oh, I guess I didn't make myself clear, as that is what I was trying to say all the time :)
jjrh: Only backing up your statement :)
flow: Discourse provides a web-based interface to the discussion, while additionally providing a mailing list based one
flow: Arguably the mailing list one is not exactly like mailman's interface
flow: but I guess it is enough to follow and engage in the conversation via mail
jjrh: I think the problem with mailing lists is they are increasingly used less by new projects and thus are new to younger people and sometimes intimidating. It also requires one to set up mail filters to avoid having your inbox get flooded.
Zash: This feels like a thing that could be done with one click if someone at $EmailVendor cared enough to implement it.
jjrh: Sure, but no one has.
Zash: This = create folder and a filter rule for email with the current List-Id
benk: > This = create folder and a filter rule for email with the current List-Id
I do this
Zash: Did you make a button in your email client to do that in a single click?
moparisthebest: I don't mind mailing lists but ours are totally broken, I know mailman3 has all the knobs to fix them, I don't know if mailman2 does, but discourse does things correctly out of the box
moparisthebest: and by broken, I mean don't deliver to anyone implementing decade old mail standards
singpolyma: moparisthebest: that's a mailserver concern
moparisthebest: singpolyma, no it's not, the mailing list software can't modify bodies
moparisthebest: well, it can't modify bodies and also send from an email it doesn't own, it has to pick one or the other
singpolyma: moparisthebest: you mean headers? DKIM doesn't usually secure the body? But yeah, you just add a sender header and can keep everything else the same. Standard practice at any SMTP relay
moparisthebest: DKIM signs the body, you either have to not modify the body and just add the List-Id header *or* do whatever you want with the body, modify the From, and sign it with your own DKIM key
moparisthebest: our current mailing lists modify the body and leave the signature causing messages not to be delivered to the majority of recipients
singpolyma: moparisthebest: you don't have to modify from. You add a sender header and re-sign. Again, standard practice at any competent SMTP relay so don't need special support in the mailing list software
moparisthebest: quick search has everyone configuring mailman for it so https://nanoy.fr/post/dkim-and-mailman3/ https://wiki.list.org/DEV/DKIM
moparisthebest: but that's fine, just pointing out our current solution doesn't work well
singpolyma: Sure, they're probably not using a relay and just using vanilla postfix or something
singpolyma: But yeah, managing an outgoing mailserver is a thing. It's not impossible, but if we want to reduce work then outsourcing *that* is probably a good move
singpolyma: Mailgun or someone normal that does this all day long
singpolyma: Keep inbound with a vanilla mailserver because rep and such aren't an issue for inbound, probably
root: I am kind of walking into this conversation halfway through (read up the last roughly 120 messages) so I may be a little lost on what's happening, but is the current idea(s) to move infrastructure (website, mail, chats,?) to something different? How are things set up currently? What is the aim, exactly? I gather obviously something that requires less maintenance by the XSF, but also encourages engagement? What am I missing?
Kev: The mail server's on old hardware that needs replacing. That's the fundamental desire.
moparisthebest: if I understand correctly, the current infrastructure is super ancient and can't be upgraded, and also lives in a bunker where we may or may not be able to contact hands there to fix things if they go wrong, so the conversation is really 2 independent decisions:
1. new hardware there or elsewhere, or "the cloud", or whatever
2. what to do with mailing lists
Kev: From my PoV, the bunker's treated us very well, hasn't given us any significant issues, and there's no reason to move away from it for its own sake.
Kev: There may be reasons to do something that isn't the bunker, but not because it's not the bunker.
Zash: Nothing says we have to have everything in the same place.
Zash: We already don't.
Kev: Indeed.
root: Ok. On discourse, can't really say I have used it much, but to me as a user where I have seen it implemented, and tried to use it, it was a PIA, didn't help that ad/script blockers hate it too. But to me it felt sketchy trying to make contact with the site's team/community, most often I just left and didn't return. Perhaps some of those issues are mine, as well the sites I saw using them were not FOSS communities.
moparisthebest: root, so you were trying to use it in the browser as a forum and not as a mailing list ?
root: moparisthebest: that is correct. I did not know until today it had that functionality, but I have never researched either, so take my opinion with a grain of salt.