XSF Discussion - 2022-12-21

moparisthebest: should I change something in my git config to make my PRs easier to handle?

nicoco, it's fine, though I am curious what made that other one, did you edit something with the github UI maybe?

I was just using your PR for testing my triage script since it's the first PR I saw that edited just 1 existing xep

I may have used the github UI at some point yes

truenicoco is my github username

so, the 2 emails I sent to standards@xmpp.org yesterday never reached the mailing list it seems. example of sent mail: https://paste.sr.ht/~nicoco/aeab19abcec27bbd20e261657f1fc9d906d4ea51 - I did not even receive a delivery failure or anything. Also, I am apparently subscribed to the mailing list but never received the 4 emails of yesterday? What did I do wrong? Apologies for being a little dumb about something as straightforward as using a mailing list

mailing lists are not straightforward at all, unfortunately

you are sure you are subscribed with that email ? https://mail.jabber.org/mailman/listinfo/standards

the mail not reaching you is more easily explainable, I hardly get any mail from the lists too, because my server is set up properly to apply DMARC policies and such

ok, it's too early in the morning here, I did receive yesterday's email after all -_-

but my emails not reaching the list is really happening though. Anything in the email I have pasted that can explain it? This is just vanilla thunderbird from debian stable sending a plain text email.

I can't explain that, maybe you got moderated somehow and someone has to allow it through the first time or something?

possibly, yes. I know that gmail does not like my @nicoco.fr emails and they end up in spam (I'm not even selfhosting, it's provided by my registrar :/)

Maybe check SPF, dmarc and so on. E.g. there https://mecsa.jrc.ec.europa.eu

mdosch: hmmm indeed my email provider does not seem great: CONFIDENTIAL DELIVERY: 3.5/5 PHISHING AND IDENTITY THEFT: 0/5 INTEGRITY OF MESSAGES: 0/5 ✏

I'll just send from my old gmail account I guess, bye bye swag

as a qmailer I would be likely to show low confidentiality on that absurd score

well, it helped me set up a few magic things in my dns entries, and now I see that my mails now reach the mailing list! thanks mdosch, that was a useful tip

I think I've seen a writeup somewhere about the dangers of stanza address spoofing. Can someone unearth a link?

nicoco: yw

Guus, which kind of spoofing?

clients receiving stanzas with a 'from' address that is not the address of the entity that sent the stanza.

Guus: I think that should never happen™. it's only a concern for wrapped stanzas, e.g., when carbons are used. I believe the carbons xep has some words about it, maybe you mean that?

Guus, flow: except when there are bugs https://bugs.chromium.org/p/project-zero/issues/detail?id=2254

of course, if you are not standards compliant then it can happen

but with <forwarded/> the situation is slighlty different as it is hard, if not impossible, to validate the value

I am also not sure if Guus really wants to know about the dangers, or rather the causes of address spoofing

Finding motivation for others to validate 'from' addresses in their client.

what do you mean by "validate" in this context?

ensure that the sender of an IQ result is the one that you sent the IQ get/set to.

oh, when you only check the id?

Not accept roster pushes from anything but your local domain - something like that.

https://xmpp.org/extensions/xep-0280.html#security has some CVEs you can scare people with :)

ah, thanks.

Hm, I sorta expected Ge0rG or xnyhps to have blogged something on the subject but I find nothing.

One of those CVEs is from Ge0rG

Guus, I think you need to take from address *and* stanza id into account when matching an IQ response to an result

of course, that is not trivial in XMPP

(or use sufficently random IDs, that is)

Even if you use address but bad IDs it can be an issue. I had a stack that was using sequential IDs and every time the software restarted it would start at 1 again. Was a pretty big problem. I patched it to uuids

Hello, a kind reminder to reach out if you are interested to apply with your project at the GSoC 2023 via the XSF. Furthermore, we need a backup for the Org Admin role (me). Most required information is in the wiki page: https://wiki.xmpp.org/web/Google_Summer_of_Code_2023 Last but not least we are looking for volunteers to create a little but hopefully entertaining XMPP quiz for appliers. It should contain basically: - General questions on what XMPP is - General architectural question to understand the setup - First technical questions - What you can think of Collect your questions (but *not* the answers!) here: https://yopad.eu/p/XMPP-Quiz-365days ✏