-
emus
One question on the MoM from yesterday: What is the topic "Security bounties"?
-
MattJ
emus, the possibility that the XSF could have an official bug bounty program ( https://en.wikipedia.org/wiki/Bug_bounty_program ) for security issues in the XMPP protocol and maybe certain software projects
-
emus
MattJ: ah, then I got it right already. Wasn't sure if it really was about bug bounty. I support this!
-
emus
Ge0rG: can you repeat the idea to automatically list the CVEs from all xeps? Was it as I stated?
-
wurstsalat
I'd help with the website if that's necessary :)
-
Ge0rG
I'm not even sure any more what the perceived benefit was
-
emus
Ge0rG: well, a clear overview and centralized place to review what happened
-
emus
I assume?
-
Kev
The only benefit to anyone I see from a page listing CVEs for unrelated XMPP projects is so someone can link to it when they want to say "Look, XMPP software has lots of vulnerabilities", to be perfectly honest.
-
emus
I think that would go hand in hand with the bug bounty
-
Kev
I'm not arguing against CVEs.
-
emus
if we want to track them as well (which I still think would be good practice, right?)
-
Kev
Do we have any CVEs against the protocol? I admit I didn't realise that was a thing.
-
emus
Ge0rG: ?
-
Ge0rG
Kev: I'm pretty sure we don't, and I think that's not how CVEs work in general. We've had vulnerable protocols in the past (e.g. compression), but our solution was to deprecate them. We also have protocols that are CVE magnets, notably 0280/0313 and XHTML-IM
-
Ge0rG
IMHO the scary <cve> blocks in the XEPs, while technically not part of the protocol specification, are a good trade-off between notifying prospective developers of the challenges and making public how "horrible" our specs are ;)
-
emus
Ge0rG: so you also don't want to track them centralized?
-
Ge0rG
emus: I don't remember what it would be good for
-
emus
Hmm, but as you said, isn't the idea to make such things public and easy to follow? Like devs and others can subscribe to such a page, for example. Each time something pops up they will be notified?
-
emus
other opinions?
-
singpolyma
There's no practical difference for privacy between owned hardware, leased hardware, and a VM anyway. People in the data centre can get at the server either way
-
jcbrand
I think there is a practical difference if you have to physically access the hardware versus accessing data through cloud management software.
-
Zash
Virtualization has more attack surface. Bugs in hypervisors or even CPUs do happen.
-
Ge0rG
And then the whole speculative fault execution mess
-
singpolyma
"cloud management software" = ssh. Full disk encryption does nothing while the server is powered on. I agree about VM attack surface that does sometimes happen
-
Ge0rG
singpolyma: how would you extract data from a server that's powered on?
-
Zash
I'm not convinced this would weigh much for our purposes tho.
-
singpolyma
Ge0rG: oh I see, your argument is that to get in if it's well secured I have to do something that would interrupt operation. Probably true. Though that's true for full disk encryption in other cases too, unless a backdoor was preinstalled when they set up for you
-
Zash
This very chat runs on a VM. 🤷️
-
singpolyma
Anyway, I'm not against people running their own hardware of course, but it's too much work to bother for most full-timers, nevermind volunteers so I think any small trade-offs point heavily to simplifying
-
Ge0rG
But the original question was about our mailing lists? Given that "we" are a US based 501c, we can't enforce the GDPR anyway in any reasonable manner, so we could as well rent some cloud service. Maybe there are list operators that are doing this for other (FOSS) communities?
-
singpolyma
The mailing lists seem like a simple case? Can run basically anywhere, just need good IP rep or an SMTP relay for deliverability. Or are you meaning to stop running them and use "hosted mailing lists"?
-
singpolyma
Yeah. And IIRC they're all mailman2 already so no real benefit to changing that
-
Ge0rG
singpolyma: while mailman2 runs on its own, IP reputation doesn't
-
flow
isn't mailman2 deprecated, or soon to be?
-
singpolyma
Ge0rG: sure, so use an SMTP relay if that's a concern
-
singpolyma
flow: dunno. Mailman2 wasn't ready for prime time when I last looked
-
Zash
I'm certain I recently saw a post saying mailman3 would break all permalinks... so that seems fun
-
singpolyma
mailman2 is the stable one everyone uses. mailman3 is the rewrite
-
flow
fedora is using mailman3 IIRC
-
flow
but I would be happy if we would use discourse, as I believe we need a central place that brings together developers, protocol architects *and* users
-
emus
flow: we have lemmy for a few months
-
flow
managing igniterealtime's discourse instance is pretty low-maintenance
-
singpolyma
flow: yes, but it would be a big migration thing to move over to it from the current setup
-
flow
there is an alternative to migration
-
Zash
"don't" ? :)
-
flow
besides, I wouldn't be surprised if somebody hasn't already written a migration tool from mailman to discourse
-
flow
Zash, no, freeze and conserve mailman, and then start over
-
flow
I would, but last time I suggested discourse, some voices were raised against it
-
flow
so the problem is to find a tool that everyone can agree on
-
singpolyma
emus: yes, we're just discussing what software to use for the maillists
-
flow
and that it's terrible to find things there, if you aren't zash
-
flow
I think alone the fact that with discourse we could tag every discussion with the related XEPs would be a big win
-
singpolyma
Well, "the youth" mostly don't use message boards or email at all anymore, just chat, so MUC is perfect there
-
emus
I was suggesting an evaluation of services before deployment but that was not of interest 🤷🏻♂️
-
singpolyma
Lemmy is a platform for making multiple link aggregation communities
-
flow
clearly there are techies out there who don't like the appeal of mailman2 (and mailing lists in general) and would be happy to use a web-based interface instead
-
flow
and by sticking with mailing lists only, we don't reach those
-
flow
so it seems only sensible to pick a solution that provides both interfaces, that is, mailing list and web-based, to the discussion
-
singpolyma
Sure. I said discourse would be better. But when the discussion started with "how do we make this easier" I think expanding the use case / doing the migration is asking for more work not less. Of course, nothing is up to me and I'll happily abide the decision of those doing the work
-
flow
I find it especially appealing that a web-based interface would also help XMPP users to report their issues, which would greatly help us with future protocol design
-
singpolyma
flow: you'll just get people whining about their apps that way :P
-
flow
and developers struggling with increasing the user experience can be directly directed to protocol architects
-
flow
singpolyma, that is right, and another reason why user reports should happen at the same venue where developers and architects meet
-
MSavoritias (fae,ve)
What does matrix have? The chats?
-
MSavoritias (fae,ve)
I haven't seen discourse being used much by any community that has adopted it, personally
-
MSavoritias (fae,ve)
People stick to chats or some ticket system like github
-
Zash
singpolyma, that what the kids call it these days?
-
flow
Zash, hence I wrote "part of"
-
emus
flow: having both is not a thing?
-
singpolyma
Oh yeah, discord is chat again
-
flow
emus, clarify "both" please :)
-
emus
Discourse and new mail setup
-
Zash
Two mailing lists?
-
emus
Zash: or can they run on the same database with different interfaces?
-
flow
emus, ideally, discourse is able to replace the mailing lists, so having both would be not an ideal solution, but if it's the only way we can have discourse, then it's better than nothing
-
singpolyma
Yeah, two mailing lists seems redundant
-
singpolyma
Twice as many emails! ;)
-
emus
Ok, I thought it can be run as just two interfaces and you just choose mail or discourse
-
moparisthebest
yes, but that's just running discourse
-
mathieui
MSavoritias (fae,ve): I have seen community adopting discourse to some good level of success, I just stopped interacting with them because discourse is quite bad at replacing a mailing list, but I guess people like it
-
MSavoritias (fae,ve)
Wait, discourse is supposed to replace a mailing list? It's horrible for that, personally. UI-wise and functionality
-
edhelas
To me discourse is a no go :p
-
MSavoritias (fae,ve)
I thought we were talking about a forum thing
-
singpolyma
MSavoritias (fae,ve): if you use it via email UI should be the same
-
MSavoritias (fae,ve)
Depends how it's done then. In terms of compatibility between the two then
-
emus
MSavoritias (fae,ve): we have Lemmy already
-
MSavoritias (fae,ve)
That's my thought too. Discourse seems too much effort for little gain
-
MSavoritias (fae,ve)
I think lemmy has more chances to attract users to xmpp than a forum
-
MSavoritias (fae,ve)
Federation and stuff
-
flow
https://lwn.net/Articles/901744/
-
moparisthebest
lemmy doesn't do email though
-
jjrh
https://discourse.slicer.org/t/using-discourse-as-a-mailing-list/67 looks like you can use discourse as a traditional mailing list
-
flow
Oh, I guess I didn't make myself clear, as that is what I was trying to say all the time :)
-
jjrh
Only backing up your statement :)
-
flow
Discourse provides a web-based interface to the discussion, while additionally providing a mailing list based one
-
flow
Arguably the mailing list one is not exactly like mailman's interface
-
flow
but I guess it is enough to follow and engage in the conversation via mail
-
jjrh
I think the problem with mailing lists is they are increasingly used less by new projects and thus are new to younger people and sometimes intimidating. It also requires one to set up mail filters to avoid having your inbox get flooded.
-
Zash
This feels like a thing that could be done with one click if someone at $EmailVendor cared enough to implement it.
-
jjrh
Sure, but no one has.
-
Zash
This = create folder and a filter rule for email with the current List-Id
-
benk
> This = create folder and a filter rule for email with the current List-Id

I do this
-
Zash
Did you make a button in your email client to do that in a single click?
-
moparisthebest
I don't mind mailing lists but ours are totally broken, I know mailman3 has all the knobs to fix them, I don't know if mailman2 does, but discourse does things correctly out of the box
-
moparisthebest
and by broken, I mean don't deliver to anyone implementing decade old mail standards
-
singpolyma
moparisthebest: that's a mailserver concern
-
moparisthebest
singpolyma, no it's not, the mailing list software can't modify bodies
-
moparisthebest
well, it can't modify bodies and also send from an email it doesn't own, it has to pick one or the other
-
singpolyma
moparisthebest: you mean headers? DKIM doesn't usually secure the body? But yeah, you just add a sender header and can keep everything else the same. Standard practise at any SMTP relay
-
moparisthebest
DKIM signs the body, you either have to not modify the body and just add the List-Id header *or* do whatever you want with the body, modify the From, and sign it with your own DKIM key
-
moparisthebest
our current mailing lists modify the body and leave the signature causing messages not to be delivered to the majority of recipients
-
singpolyma
moparisthebest: you don't have to modify from. You add a sender header and re-sign. Again, standard practise at any competent SMTP relay so don't need special support in the mailing list software
-
moparisthebest
quick search has everyone configuring mailman for it so https://nanoy.fr/post/dkim-and-mailman3/ https://wiki.list.org/DEV/DKIM
-
moparisthebest
but that's fine, just pointing out our current solution doesn't work well
-
singpolyma
Sure, they're probably not using a relay and just using vanilla postfix or something
-
singpolyma
But yeah, managing an outgoing mailserver is a thing. It's not impossible, but if we want to reduce work then outsourcing *that* is probably a good move
-
singpolyma
Mailgun or someone normal that does this all day long
-
singpolyma
Keep inbound with a vanilla mailserver because rep and such aren't an issue for inbound, probably
-
root
I am kind of walking into this conversation halfway through (read up the last roughly 120 messages) so I may be a little lost on what's happening, but is the current idea(s) to move infrastructure (website, mail, chats,?) to something different? How are things set up currently? What is the aim, exactly? I gather obviously something that requires less maintenance by the XSF, but also encourages engagement? What am I missing?
-
Kev
The mail server's on old hardware that needs replacing. That's the fundamental desire.
-
moparisthebest
if I understand correctly, the current infrastructure is super ancient and can't be upgraded, and also lives in a bunker where we may or may not be able to contact hands there to fix things if they go wrong, so the conversation is really 2 independent decisions: 1. new hardware there or elsewhere, or "the cloud", or whatever 2. what to do with mailing lists
-
Kev
From my PoV, the bunker's treated us very well, hasn't given us any significant issues, and there's no reason to move away from it for its own sake.
-
Kev
There may be reasons to do something that isn't the bunker, but not because it's not the bunker.
-
Zash
Nothing says we have to have everything in the same place.
-
Zash
We already don't.
-
Kev
Indeed.
-
root
Ok. On discourse, can't really say I have used it much, but to me as a user where I have seen it implemented, and tried to use it, it was a PIA; didn't help that ad/script blockers hate it too. But to me it felt sketchy trying to make contact with the site's team/community, most often I just left and didn't return. Perhaps some of those issues are mine, as well, the sites I saw using them were not Foss communities.
-
moparisthebest
root, so you were trying to use it in the browser as a forum and not as a mailing list ?
-
root
moparisthebest: that is correct. I did not know until today it had that functionality, but I have never researched either, so take my opinion with a grain of salt.