XSF Discussion - 2024-02-02


  1. jonas’

    fun question!

  2. jonas’

    when a remote server is unavailable, is that type="wait" or type="cancel,?

  3. jonas’

    when a remote server is unavailable, is that type="wait" or type="cancel"?

  4. jonas’

    asking for an IRC transport which fails to join a room because it's failing to connect to an IRC network.

  5. jonas’

    (and asking because a certain client seems to delete bookmarks of MUCs which fail to join with type="cancel", because that's considered a permanent error by that client, hence the bookmark is considered worthless)

  6. MattJ

    jonas’: right, I would say 'wait'

  7. jonas’

    prosody does cancel tho :)

  8. jonas’

    (when I had routing issues to a domain the other day, I got `user@domain.example: cancel: recipient-unavailable` according to poezio)

  9. MattJ

    I'm guessing that's what the RFC recommends for remote-server-not-found (which is understandable)

  10. jonas’

    for recipient-unavailable it's type="wait"

  11. jonas’

    for recipient-unavailable the RFC recommends type="wait"

  12. deport

    here's a useless question: is xmpp a fediverse?

  13. Daniel

    No

  14. MattJ

    Yes

  15. jonas’

    "Part of", rather.

  16. MattJ

    jonas’: what made Prosody return that error?

  17. jonas’

    MattJ, unreachability on layer 3

  18. jonas’

    potentially one-way

  19. MattJ

    We don't use recipient-unavailable for s2s issues

  20. jonas’

    fun!

  21. jonas’

    it definitely was an s2s issue though :)

  22. MattJ

    Was it a component?

  23. jonas’

    no

  24. jonas’

    it was an individual, Zash.

  25. jonas’

    I can probably try to dig up logs, but I expect to only have info level available

  26. jonas’

    no, logs are gone

  27. mdosch

    Zashs server recently had an error as the presented cert was different from the hash in the tlsa record, maybe that caused the error?

  28. jonas’

    unlikely, I don't validate TLSA

  29. jonas’

    (and the timing coincided perfectly with the moment when routing to my server was borked)

  30. MattJ

    jonas’, now I'm at my laptop, I checked, and basically the only place we send cancel:recipient-unavailable is when a smacks client goes offline and we bounce errors for undelivered stanzas

  31. jonas’

    wat

  32. jonas’

    s2s smacks?

  33. jonas’

    s2s smacks maybe?

  34. MattJ

    Ah, perhaps

  35. jonas’

    (not enabled on my end though)

  36. jonas’

    makes no sense all over all

  37. manday

    Is there anything which permits to group/classify chats in different categories (for ease of access)?

  38. jonas’

    okay, I hear that s2s stream management is enabled by default so it might've been tat

  39. jonas’

    okay, I hear that s2s stream management is enabled by default so it might've been that

  40. Zash

    https://hg.prosody.im/prosody-modules/rev/9a7671720dec#l1.104 I don't see XEP-0198 say anything about errors, but then I might not be awake yet

  41. MattJ

    manday, 30 XMPP developers are currently in a room in Brussels discussing how to do that

  42. manday

    > manday, 30 XMPP developers are currently in a room in Brussels discussing how to do that and just a few minutes after I asked the question! I'm much flattered by the effort! 😆

  43. MattJ

    😃

  44. singpolyma

    manday: you mean to group your own chats in your client? there are roster groups and a few clients support these for channels as well

  45. manday

    I suppose, singpolyma - that's not the topic the 30ish are discussing, then?

  46. singpolyma

    I think the discussion is more about grouping them for public consumption vs grouping for yourself. but it's a big topic with lots of discussion

  47. manday

    I see. For the usecase I have in mind, the grouping could be "suggested" for public consumption while users eventually choose themselves.

  48. singpolyma

    right, so that kind of flexible thing is under discussion

  49. Tobi

    XEP-0050 examples are a bit weird. Example 14 for example doesn't provide an action, even though the previous example says it should be either prev or complete.

  50. singpolyma

    hmm, yes, example 14 looks non-compliant

  51. singpolyma

    note that examples are non-normative. but this should be fixed

  52. Tobi

    Ta. Just wanted to confirm I don't misunderstand things. Ta

  53. singpolyma

    hmm, maybe not.

  54. singpolyma

    4.1 says execute is the "default value" so maybe leaving off action is technically allowed

  55. Tobi

    Ah.

  56. singpolyma

    yeah, and schema says optional

  57. singpolyma

    so I was wrong. if not present it's the same as specifying execute

  58. singpolyma

    still maybe a bad example, but there it is

  59. Tobi

    Right. That makes sense

  60. flow

    that xep50 execute topic pops up once every few eyars

  61. flow

    that xep50 execute topic pops up once every few years

  62. singpolyma

    generally for an interactive use case you don't use action=execute at all

  63. Tobi

    flow, good to know :D

  64. flow

    Tobi, the lastest version (1.3.0) of the xep did add some clarification, but I am sure we could still improve here

  65. flow

    so if you are currently implementing xep50 things, and have an idea on how to improve the xep, then please share :)

  66. blue

    Hello, a quick question: XEP-333 is still the way clients exchange information about who read what? There is nothing that made it obsolete?

  67. singpolyma

    blue: correct

    👍 1
  68. Holger

    If I explicityly subscribe a contact's PEP node. And then send presence without +notify. Should the server unsubscribe me from that node?

  69. singpolyma

    I don't think so? explicit subscribe takes priority, surely

  70. Holger

    So the server would have to store the subscription mechanics together with each subscription.

  71. flow

    I sense an implicit MAY

    😄 1
  72. Holger

    😀

  73. Holger

    Either way the 0115 optimization goes quite besides today's IM use cases in my book. You typically want persistent subscriptions anyway, who cares about avoiding the one-time subscription cost per contact. What you want to avoid instead is the last notification spam on session creation (i.e. we need roster versioning for PEP), no?

  74. Zash

    I wouldn't complain about an opt-in receiver side filtering and forking method

  75. moparisthebest

    (moving this discussion from summit channel) pep., Mari0: so an informational XEP about privacy, what users should expect, data minimization, best practices etc (even a "some people think if you follow these you might be GDPR compliant" note) would be fine, I'm just super against a server disco feature for "I'm GDPR compliant"

  76. singpolyma

    A XEP for *users*?

  77. moparisthebest

    Well, to summarize to client authors what to tell users maybe, I mean it already exists spread out among all the XEPs and RFCs

  78. MSavoritias fae.ve

    that would work better imo if it was guidelines that govern: 1. what xeps xsf accepts 2. what clients/servers it lists

  79. jonas’

    moparisthebest, wanna ressurect the ToS protoXEP I once wrote?

  80. pep.

    jonas’, "pep.> Somewhat related, someday when I find the energy again I'd probably revive the ToS attempt" :)

  81. jonas’

    :)

  82. pep.

    moparisthebest, I'm done with this topic for now, tired of your pessimism. Not eveyrone is bad, evil, what have you. Really

  83. pep.

    Stay in your world where you trust no one alone

  84. SavagePeanut

    > Well, to summarize to client authors what to tell users maybe, I mean it already exists spread out among all the XEPs and RFCs I think pointing them to https://snikket.org/app/privacy/ or making one for your client is where to point that

  85. moparisthebest

    > moparisthebest, I'm done with this topic for now, tired of your pessimism. Not eveyrone is bad, evil, what have you. Really pep.: Where are you seeing pessimism ? I'm not saying any of this

  86. moparisthebest

    To quote myself from the summit channel: > You can do everything right, follow every best practice, and still leak data > The only way to guarantee that I don't leak your data is for you not to send it to me in the first place > Therefore the "solution" is to send me the bare minimum, and clearly communicate to users what exactly that is and the risks

  87. moparisthebest

    I'm interested in real solutions, not empty promises, empty apology emails when data is inevitably leaked, or potential fines paid to govts that don't help users...

  88. pep.

    "Literally nothing stops an evil server from advertising GDPR compliance and then just doing whatever they want with the data"

  89. moparisthebest

    Yes, that too, but it's an aside, not the real problem

  90. pep.

    It's everywhere you go and I'm tired of it

  91. moparisthebest

    Again no idea what you mean

  92. pep.

    Whatever

  93. moparisthebest

    Agreed

  94. Mari0

    Literally nothing stops an evil government from advertising peace and then just selling weapons all over the world. But we, te people want peace and a law who promote peace is our allie.

  95. Mari0

    In the case of personal data protection we don't have only al written principle of law but compulsory norms and if f yuo don't respect them there are sanctions.

  96. Mari0

    In the case of personal data protection we don't have only al written principle of law but compulsory norms and if you don't respect them there are sanctions.

  97. moparisthebest

    Only in the EU (the EU can't do anything to me) and even then it doesn't actually help users

  98. jonas’

    this is getting off-topic

  99. Mari0

    how to write a xep? are there any guidelines? :-)

  100. jonas’

    Mari0, https://xmpp.org/extensions/xep-0143.html

  101. jonas’

    Mari0, XEP 0001 is also relevant to some extent

  102. Mari0

    okk thx

  103. jonas’

    Mari0, also look at other XEPs for inspiration

  104. moparisthebest

    > how to write a xep? are there any guidelines? :-) Generally, try to find a similar one, copy+paste+change it :)

  105. Mari0

    thank you I'll ask for help if needed

  106. Winfried

    We can do quite a lot sensible actions to aid with GDPR compliant deployments of XMPP. But it needs a bit of merging the technical with legal.

  107. jonas’

    certainly

  108. jonas’

    the ToS ProtoXEP back then was a start

  109. jonas’

    just needs someone to pick it up again

    👍️ 1
  110. Mari0

    it's a great challenge to me :-)

  111. Mari0

    .

  112. jonas’

    for those who don't know where it is: https://xmpp.org/extensions/inbox/tos.html

  113. Mari0

    > We can do quite a lot sensible actions to aid with GDPR compliant deployments of XMPP. But it needs a bit of merging the technical with legal. it's a great challenge to me :-)

  114. moparisthebest

    I don't see anything wrong with the TOS protoxep at first glance

  115. jonas’

    scour the archives to figure out why it was rejected

  116. jonas’

    IIRC it was because of the embedding of ad-hoc or so

  117. pep.

    One thing I wouldn't want in any case if enforce it via compliance suites and the like. Either have a GDPR-specific document and that's it, and other legislations may want to have their own, or have a somewhat generic thing that can be encouraged via regular channels.

  118. jonas’

    TOS should be generic enough to work with any legal framework, supposing that legal framework deems the consent mechanisms in there sufficient

  119. pep.

    fwiw I'm ok without a consent mechanism first I guess, or having it optional (I haven't reread the spec yet)

  120. pep.

    Informing users is already a good thing

  121. jonas’

    I think informationality should be possible

  122. jonas’

    maybe it needs a slight modification of flows

  123. singpolyma

    pep.: btw next Cheogram Android release will support password argument in MUC join uri, for use with token invites

  124. pep.

    woo. I sent something in council@ today, not sure what happened with this spec

  125. pep.

    It's ok if it's just lost in translation

  126. Winfried

    First of all we must be clear in what role and for what audience we write. The GDPR knows 'data subjects' (about who the data is processed), 'controllers' (responsible for the processing of the data) and 'processors' (doing work on behalve of the controller). A server operator may depending of the setting (and some more nuance), be a controller or a processor. A controller has to do all the compliance work, a processor has the obligation to aid with that and to stick to what the controller has instructed.

  127. singpolyma

    pep.: I'm hoping to prototype half of it in prosody soon and probably issuing with ad hoc since that'll make one less thing for me to build

  128. pep.

    Yeah, adhoc is handy for technies but terrible UX imo

  129. Winfried

    First obligation of the GDPR is to know what personal data is processed and stored for what purposes, for how long and what data is exchanged. Some of them are really straigtforward and obvious in XMPP, but some XEPs (like securite reporting) might take more consideration. It would be good to map the data of the RFC's and (a subset of the) XEPs to processings and purposes, this would already be the first big hit towards compliance.

  130. Winfried

    Some XEP's might need some extra consideration, would be good to instruct some do's and dont's

  131. Winfried

    Then is the question of how to inform the datasubjects...

  132. Winfried

    (note asking permission would not be needed in 99% of the cases)

  133. moparisthebest

    > know what personal data is processed and stored for what purposes, for how long and what data is exchanged Ignoring GDPR, this is super important for users to be made aware of And agreed that it's all "out there" but not very handy for client authors to gather and summarize

  134. singpolyma

    > Yeah, adhoc is handy for technies but terrible UX imo The UX can be whatever you want (including a custom UI for certain commrnds if really needed). Have your tried our implementation? It can be improved more I'm sure but I think it's getting there

  135. pep.

    singpolyma, I don't believe in a generic adhoc UI. I know it's a thing but I'd rather have specific UIs per feature. And while one doesn't prevent the other, you have to admit many clients stop at that :)

  136. pep.

    I mean, as a technie it's ok to me, but I don't think that's what I would want in a client for all to consume

  137. singpolyma

    In general it's my goal do have enough UI building blocks that the "generic" UI is identical to the one I would build custom anyway. I just spec it in XML instead of in .. well in android it's XML either way I guess

  138. winfried

    >> know what personal data is processed and stored for what purposes, for how long and what data is exchanged > Ignoring GDPR, this is super important for users to be made aware of > > And agreed that it's all "out there" but not very handy for client authors to gather and summarize Not only for client authors but also for people running servers (aimed at EU inhabitants)

  139. moparisthebest

    Only the client author knows what it can send

  140. emus

    Fresh for the FOSDEM - the first release this year: https://xmpp.org/2024/02/the-xmpp-newsletter-december-2023-january-2024/ 🥳

  141. mathieui

    emus: congrats

  142. Seve

    Suuuper, will forward it

  143. emus

    Seve: we have also.much more to.mimic if you want

  144. Seve

    I do! Taking it over the comms room

  145. emus

    kk