XSF Discussion - 2023-02-23


  1. khirput

    Any way of blocking them? It's getting very tiring opening the gallery and getting "surprised"...

  2. khirput

    I'm using a fork of Conversations on Android. Just wondering if I can do that at the app level.

  3. Menel

    You can configure your fork to not download pictures in public channels. Besides the spam, that is also a security risk.

  4. khirput

    Security? How so?

  5. khirput

    Menel: Security? How so?

  6. khirput

    And thanks, just disabled that 👍

  7. Menel

    Viruses are possible... There was a bug not long ago that clients just believed the size of the picture, but if the server continues to send data, they would continue until their storage is full. Especially Conversations forks were vulnerable for a longer time after it was known.

  8. khirput

    Oh, right. They didn't use hashes?

  9. jonas’

    hashes?

  10. Kev

    Looks like we've made it into GSoC again. Congrats to everyone involved.

  11. jonas’

    \o/

  12. wurstsalat

    └⁠|⁠∵⁠|⁠┐⁠♪

  13. khirput

    jonas’: some kind of hash to check the properties of the file match what the server is giving them?

  14. jonas’

    nah, simpler than that.

  15. jonas’

    they ignored the Content-Length header

  16. khirput

    Right

  17. khirput

    Are there any public security audits of XMPP that have been done recently?

  18. jonas’

    XMPP is tricky to audit, as it's a protocol

  19. jonas’

    a rather modular protocol to make things trickier

  20. jonas’

    I don't know if there are audits of specific applications though

  21. jonas’

    probably there are

  22. Menel

    I bet it is always per application. Or are there audits for https?

  23. jonas’

    Menel, I wouldn't be surprised if there are audits of TLS

  24. jonas’

    protocols can be fatally broken, too

  25. jonas’

    (e.g. with downgrade attacks or so)

  26. emus

    > Kev:
    > 2023-02-23 09:19 (GMT+01:00)
    > Looks like we've made it into GSoC again. Congrats to everyone involved.
    good to know, haven't had the chance to check yet 🚅🇧🇻

  27. emus

    Kev: but Kev, where did you get the information from exactly?

  28. Kev

    When the mail went out about accepted orgs I checked the site.

  29. emus

    I see they published already: https://summerofcode.withgoogle.com/programs/2023/organizations/xmpp-standards-foundation then it is fine. Just saying because we are not allowed to tell before Google has published on the website.

  30. Kev

    I know, I've done this before ;)

  31. emus

    Kev: Perfect 😊👌

  32. singpolyma

    khirput: my fork of Conversations includes the ability to permanently block any image or media or avatar in the current pre-release, as well as some other moderation related stuff, if you're interested