XSF Discussion - 2024-02-13


  1. singpolyma

    hmm, https://xmpp.org/extensions/xep-0292.html#contacts first says "If the other person or entity is in the user's roster" and also "SHOULD contain the Jabber ID of the person or entity." but then says "When a client stores items at this node, it MUST include an ItemID set to the bare JID of the contact." so I guess if they don't have a JID then there is a format for them, but they must be stored in some other pep node?

  2. singpolyma

    and if they have multiple jids I guess just pick one

  3. Schimon

    Maranda > MIX is just what soon became a Frankensteinian that with good reason will never see the light I think I have an idea on how to urge the transfer to MIX

  4. pep.

    Why is it so important?

  5. gidepi

    Shortly, what is XSF?

  6. Schimon

    XSF (XMPP Standards Foundation), is an organization that develops open extensions to XMPP (the core communication protocol for instant messaging and presence).

  7. Schimon

    > Why is it so important? pep. I do not know. I do feel inconvenient with the command execution which allows revealing JID.

  8. Guus

    Can anyone that's speaking French natively find a page with job vacancies on https://www.silverpeas.com/ ? They appear to be using XMPP / eJabberd, which puts it on my xmpp.work radar.

  9. pep.

    https://www.linkedin.com/company/silverpeas/ ?

  10. Guus

    Yeah, I found that, but prefer to link to websites of companies directly, rather than go through LInkedIn (or any other job board)

  11. pep.

    I'm not finding much :/

  12. Guus

    Ok, thanks. Neither did I though Google Translate

  13. Guus

    They're even mentioning ConverseJS - anyone know these people?

  14. mathieui

    Guus: they are part of a group which has https://www.oosphere.com/candidat/candidat-consultez-les-offres/ for job offers

  15. Guus

    Ah, thanks. That's not updated with what they have on LinkedIn though: https://www.linkedin.com/jobs/view/3828858110/

  16. Guus

    I'll just point at that for now.

  17. mathieui

    (Also re: converse, in a previous company which did not have anything linked to XMPP, we had a client asking for XMPP integration so the developers just dropped in converse and tweaked things until it worked, without really engaging in anything protocol-wise, so they also have the option of not being actively part of the community from my experience)

  18. Guus

    Sure - it's true for many jobs on xmpp.work that XMPP might be a marginal thing of the overall job. These people, however, also list ejabberd - so that suggest a bit more XMPP in their stack, I suppose.

  19. moparisthebest

    >> Why is it so important? > pep. I do not know. > I do feel inconvenient with the command execution which allows revealing JID. Schimon: MIX "reveals your JID" at least as much as MUC, maybe more, can't remember

  20. Kev

    In the sense of less? :)

  21. MSavoritias fae.ve

    the fud around MIX seems to be a lot :)

  22. Schimon

    moparisthebest, does it reveal to anyone? My issue is that me and bot are participants in a groupchat where JIDs are not revealed to participants. This can be circumvented by sending an IQ request - to execute a command - to the bot. Is this an intended scenario?

  23. moparisthebest

    Schimon: I didn't follow that fully but wasn't that a bug?

  24. moparisthebest

    > the fud around MIX seems to be a lot :) What FUD ? If you send a message to a remote muc/mix service that service has your JID

  25. Schimon

    > wasn't that a bug? I think it is not a bug.

  26. moparisthebest

    The "can't remember" is muc has semi-anonymous that hides jid from non admins and I can't remember if mix does, iirc it didn't originally

  27. Schimon

    My bot can reveal JID of anyone that attempts to ask it for list of commands

  28. pep.

    I'm wondering if that's an implementation detail of some server

  29. Schimon

    pep., it happens on every MUC

  30. pep.

    Which every?

  31. Schimon

    Every MUC I tried the bot at

  32. moparisthebest

    > My bot can reveal JID of anyone that attempts to ask it for list of commands Then this is 100% a bug, or multiple bugs

  33. pep.

    On prosody?

  34. Schimon

    Yes, also on Prosody

  35. pep.

    Because I know prosody forwards iq requests even on semi-anon MUCs so I'm wondering if there's something to look for there

  36. Schimon

    I will write a bot that will reveal "part" of participant JID upon asking it for command list.

  37. Schimon

    *I will write a bot that will reveal "part" of participant JID upon asking it for command list.*

  38. moparisthebest

    Yes please share more details so it can be fixed

  39. Schimon

    *I will write a bot that will reveal _part_ of participant JID upon asking it for command list.* *Hi! The <number> letter of yor JID is <letter>.*

  40. Daniel

    Is this a client bug where the client contacts the bot on its actual jid after retrieving the commands through the muc jid?

  41. pep.

    Possible

  42. Daniel

    I'm not implementing ad hoc commands (especially not with muc participants) but that sounds like a possible way to fuck this up

  43. Kev

    I don't immediately see how.

  44. Schimon

    Daniel, this is the bot https://gitgud.io/sjehuda/slixfeed It displays JID in the form it offers.

  45. Kev

    In as much as if the sender doesn't know the bot's JID because it's a semi-anon room, how would it send direct to the bot's JID?

  46. pep.

    Hmm yeah I guess the muc should rewrite that jid

  47. Daniel

    Kev: the command list has jids to contact, no?

  48. Schimon

    I guess the bit sends JID and then the client begins to interact with that JID using its own.

  49. Kev

    > : the command list has jids to contact, no? Oh, you mean #items?

  50. Daniel

    Isn't that the 'command list' in a way?

  51. Schimon

    I guess the bot sends JID and then the client begins to interact with that bot JID using its own.

  52. Kev

    Yes.

  53. Kev

    That sounds plausible.

  54. Schimon

    It is the command list

  55. Schimon

    It is the command list, yes

  56. Kev

    In which case, it's not really a bug, exactly.

  57. moparisthebest

    I'm wildly guessing the bot sends it's own jid back (maybe a bug) the muc doesn't rewrite it (maybe a bug) and the client reveals it's own jid (definitely a bug)

  58. Schimon

    Give me an hour and I will provide a bot that realize this.

  59. Schimon

    Give me an hour and I will provide a bot that realizes this issue.

  60. Daniel

    Can you not just explain the issue

  61. Kev

    Rather that running commands on an arbitrary JID reveals the sender's JID to the target entity.

  62. Daniel

    Instead of writing a poc

  63. Daniel

    > In which case, it's not really a bug, exactly. Sure. Schimon seems to hint at some clients doing that (meaning command discovery) semi automatically or something

  64. Schimon

    Daniel, Once requested (queried) for command-list, I suppose that the bot (slixmpp) reveals its JID. Then the requesting JID (you or me) sends back their JID or negotiating with the bot JID directly. P.S. I am a lawyer, not a programer.

  65. Daniel

    Which would probably be a bug

  66. Schimon

    Daniel, Once requested (queried) for command-list, I suppose that the bot (slixmpp) reveals its JID. Then the requesting JID (you or me) sends back our own JID to the bot or negotiating with the bot JID directly. P.S. I am a lawyer, not a programer.

  67. Kev

    > Which would probably be a bug I think a note to the user is in order, more than anything else.

  68. Schimon

    The description I gave is a guess, after observing and reading your comments here

  69. Daniel

    Do you - the owner of the bot - want to avoid this or are you (bot) actively malicious in that scenario?

  70. Schimon

    > I think a note to the user is in order, more than anything else. You mean a warning message?

  71. Daniel

    If a) return the muc jid instead of the real jid if b) fix the client to display appropriate warnings

  72. Schimon

    > Do you - the owner of the bot - want to avoid this. Yes. > are you (bot) actively malicious in that scenario? No.

  73. Daniel

    Then see (a)

  74. Schimon

    > a) return the muc jid instead of the real jid This is what I expected to see, when I first made that attempt a couple of days ago. > b) fix the client to display appropriate warnings This is up to Gajim, Psi, Conversations etc.

  75. Schimon

    > a) return the muc jid instead of the real jid I am intending to look into this, once I am done structuring the Ad-hoc forms or once Gajim has a new release.

  76. Schimon

    Daniel, we still can not prevent others from abusing this mechanism; so, at the very least, this should also be taken care of by clients (i.e. display warning to user).

  77. mathieui

    I think this is yet another case of underspecified semi-anon in 0045, I think services should plainly drop ad-hoc requests going to participant JIDs

  78. Daniel

    > Daniel, we still can not prevent others from abusing this mechanism; so, at the very least, this should also be taken care of by clients (i.e. display warning to user). A agree. It's just that the angle of "this is a muc bug we need mix" was very confusing

  79. Daniel

    > I think this is yet another case of underspecified semi-anon in 0045, I think services should plainly drop ad-hoc requests going to participant JIDs I don't think this is ad hoc specific. If anything you are making a point to disallow iq routing

  80. Kev

    I don't see how MIX vs MUC would help in this example.

  81. Daniel

    Which has always been weird anyway

  82. mathieui

    Daniel, ad-hoc is a bit specific because answers by your client exposes your JID

  83. Kev

    > > I think this is yet another case of underspecified semi-anon in 0045, I think services should plainly drop ad-hoc requests going to participant JIDs > I don't think this is ad hoc specific. If anything you are making a point to disallow iq routing I think it's disco#items specific, kinda.

  84. mathieui

    most IQs payloads don’t, AFAIK

  85. Schimon

    *I am intending to write a bot as a Proof of Concept to present this issue, be it an exploit or not.* *I sense we would all benefit from utilizing such software.*

  86. mathieui

    most IQ payloads don’t, AFAIK

  87. singpolyma

    > Daniel, ad-hoc is a bit specific because answers by your client exposes your JID Can, anyway, does in this case

  88. singpolyma

    It's arguably a bug in the clients not to show a warning or anything. But hardly anything to do with MUC protocol wise. It's the same if I send an xmpp uri to the channel rnd someone clicks it

  89. singpolyma

    > I think this is yet another case of underspecified semi-anon in 0045, I think services should plainly drop ad-hoc requests going to participant JIDs Hmm. I mean if we're going to have bots in chrnnels then we probably want this to work. I'm not the biggest bot fan always but yeah

  90. singpolyma

    I understand MUC iq is messy but if you allow semi anon then it's an essential feature

  91. Schimon

    A warning would be nice. I have received this revelation with a big surprise.

  92. singpolyma

    Schimon: do you understand how to fix the bot now?

  93. mathieui

    singpolyma, the issue I have here means that as a library developer I have too either keep track *in 0050* of what constitues a semi-anon MUC and what does not, or keep a global state doing the same thing

  94. mathieui

    singpolyma, the issue I have here means that as a library developer I have to either keep track *in 0050* of what constitues a semi-anon MUC and what does not, or keep a global state doing the same thing

  95. singpolyma

    mathieui: you can either keep track of if it is semi anon or just keep track of if it is a MUC if you prefer

  96. singpolyma

    You don't have to, but if you don't want to ask people for their jid then you need to yeah

  97. mathieui

    or count on clients showing a warning when doing ad-hoc inside a MUC (which does not help cases where you do not want to expose the bot JID)

  98. Schimon

    > Schimon: do you understand how to fix the bot now? singpolyma, I think I do, but I am not sure yet. I would have to test. I will make the bot to fetch MUC JID instead of sharing real JID (and consequently directly negotiate)

  99. singpolyma

    There's nothing to "fetch" you know your MUC jid already based on your nick

  100. moparisthebest

    To be clear if a bot can trick a client into exposing their jid that's a client bug too

  101. singpolyma

    Yes for sure

  102. dwd

    Are there any council minutes about for recentish council meetings?

  103. singpolyma

    Does the MUC have mam?

  104. Zash

    minutes != logs tho

  105. Guus

    True, but paging back week by week on https://logs.xmpp.org/council/ is helpful. The meetings are typically pretty concise.

  106. Guus

    (The've been on Tuesdays, recently)

  107. singpolyma

    are there any clients that support disabling all storage of chat logs client side?

  108. Schimon

    I _guess_ Profanity or Poezio

  109. grin

    profanity has logs for me by default, maybe you can turn it off

  110. grin

    they're in ~/.local/share/profanity/chatlogs

  111. moparisthebest

    > Are there any council minutes about for recentish council meetings? I haven't even thought about council minutes in years, longer than I've been on it 🤣

  112. grin

    also ~/.local/share/profanity/database/jid/chatlog.db

  113. singpolyma

    grin: how do you turn it off? besides deleting that file sometimes which isn't quite the same I guess

  114. grin

    i have no clue :/ sorry

  115. singpolyma

    apparently gajim can, just found it in account settings

  116. manday

    Link Mauve could you do whatever needs to be done so I can speak in the OSM chat, please?

  117. manday

    I get an error in Moving saying that "Only occupants can send messages", whatever that means.