XSF Discussion - 2024-02-27


  1. flow

    MattJ, it appears the semantics of the 'trust' attribute value are not defined in https://xmpp.org/extensions/inbox/xep-reporting-account-affiliations.html? is 100 high trust? or is it 0? I mean, I can guess that it is probably 100 that expressed the most trust, but I can not find this spelled out in the specification

  2. MattJ

    Yeah, trust=0 is no trust, trust=100 is full trust. I can clarify this in the next update.

  3. MattJ

    I'm still undecided about the embedding vs querying thing

  4. Zash

    Querying would put more load on the "victim" than the origin of whatever stanzas, right?

  5. MattJ

    Yeah

  6. flow

    MattJ, I haven't formed an opinion on embedding or not. That said, with embedding there is the danger of spoofing the information which should be also discussed in the specification and the specification should spell out countermeasures

  7. flow

    countermeasures could include:

  8. MattJ

    https://xmpp.org/extensions/inbox/xep-reporting-account-affiliations.html?#spoofing

  9. flow

    right those, plus I wonder if a second hop server could also be required strip the embedded element if the sender doesn't announce the feature

  10. flow

    uh, wait the spoofing section doesn't discuss the recipient ignoring the info element

  11. MSavoritias fae.ve

    is there a guide somewhere how to operate your own rtbl list that others can source?

  12. MattJ

    MSavoritias fae.ve, it's "just" a simple pubsub node, so not really

  13. MSavoritias fae.ve

    so how would i go to making one for joinjabber and our prosody server?

  14. MattJ

    Component "something.joinjabber.org" "pubsub"

  15. flow

    so, unless I am missing something, a receiving client not using a xep-raa server could be xep-raa compliant and still be subject to spoofing?

  16. flow

    so, unless I am missing something, a receiving client not using a xep-raa aware server could be xep-raa compliant and still be subject to spoofing?

  17. MSavoritias fae.ve

    ah just an extra component okay

  18. MattJ

    flow, I hadn't anticipated clients implementing RAA at all

  19. MSavoritias fae.ve

    does prosody have a guide how to add stuff manually in a pubsub node?

  20. flow

    MattJ, ahh, so who is processing the <info/> element?

  21. MattJ

    MSavoritias fae.ve, Prosody doesn't support that, you need to use some XEP-0060 client

  22. MSavoritias fae.ve

    damn :/ on to find a client then

  23. MattJ

    MSavoritias fae.ve, libervia might be a good fit for this, but I haven't tested

  24. flow

    I somehow assumed that the <info/> information is also processed by receiving clients

  25. flow

    especially since it can also embedded in <presence/>

  26. MSavoritias fae.ve

    ah libervia is not packaged for guix

  27. flow

    especially since it can also be embedded in <presence/>

  28. MattJ

    flow, for 1:1 stuff, the server will use it to filter stuff before it reaches a user's clients

  29. MattJ

    For a MUC, the MUC would use it as part of whatever policies it applies (e.g. whether to automatically grant voice or not)

  30. flow

    which server, the one of the sending entity or the one of the receiving entity?

  31. MSavoritias fae.ve

    ah i see also https://xmpp.org/extensions/xep-0377.html needs to be updated

  32. MattJ

    flow, the receiving entity of course. The sending entity can just not forward it if it decides it's spam/abuse.

  33. flow

    MattJ, what if only the sending entity supports raa and not the receiving? then no filtering, for example of <info/> in <presence/>, will take place, or am I missing something?

  34. flow

    MattJ, what if only the sending server supports raa and not the receiving? then no filtering, for example of <info/> in <presence/>, will take place, or am I missing something?

  35. MattJ

    If only the sender supports, nothing will change

  36. MattJ

    Both the sending and receiving server need to support it

  37. flow

    how can you gurantee the constellation that both servers support it? seems easy to create a situation where only the sending server supports it

  38. flow

    how can you guarantee the constellation that both servers support it? seems easy to create a situation where only the sending server supports it

  39. MattJ

    Sure, that will be quite common

  40. MattJ

    But the failure case is... just what we have today

  41. MattJ

    RAA only adds, so there's no "problem" if the receiving server doesn't do anything with the info

  42. flow

    but then the receiving server will not strip the element and a spoofed <info/> may arrive a the receiving client

  43. MattJ

    The client doesn't need to do anything with that info

  44. MattJ

    But if it does, it will need to follow the rules in the XEP to verify it

  45. flow

    maybe, but the, potentially spoofed, <info/> arrives at the client and I assume sooner or later clients will be tempted use that information

  46. lovetox

    flow, then they have to read the XEP or?

  47. MattJ

    Then the client authors should read the XEP

  48. MattJ

    Yes

  49. MattJ

    Anything anyone sends you can be "spoofed"

  50. lovetox

    not sure what you are trying to say, we cannot prevent people from exchanging stanzas with whatever content

  51. flow

    MattJ, my initial point was that the xep does not mandate the receiving client to put spoofing countermeasures in place

  52. jonas’

    just make it clear that this is information intended for servers, and clients shouldn't process it?

  53. flow

    in § 7.2, in only says that "Receiving servers MUST ignore <info/>"

  54. MattJ

    flow, right, I think this is because the XEP says things like "the receiving server MUST [...]" but it should say "receiving entity MUST [...]"

  55. MattJ

    Because I did not expect that clients would implement this stuff

  56. flow

    MattJ, now you got it :)

  57. MattJ

    But they can if they want, the XEP will need some clarification

  58. flow

    MattJ, now you got where I was heading at :)

  59. MattJ

    So I'll fix that, but also clarify a bit more my intention that the filtering decisions are typically expected to be implemented at the server level

  60. MattJ

    I don't like a world where one of my clients is filtering spam locally, but it still arrives at all my other clients

  61. flow

    it is also not clear to me why it is assumed by many that clients will not process the information. It seems kind of helpful for clients too

  62. MattJ

    What will the clients do with it?

  63. flow

    for example, visually indicate the trust level?

  64. MattJ

    For what purpose?

  65. MattJ

    Presumably by the time the user received the spam, they know it's spam

  66. MattJ

    I'd like to stop it before it gets into their MAM archive

  67. flow

    I hadn't really the spam use-case in mind, more like that if I am in a groupchat I may want to know if the other participants are on a burner jid or not

  68. MattJ

    Mmm, right

  69. flow

    to be clear, I am perfectly fine if the specification mandates that the element is removed before it arrives at the recipient

  70. MattJ

    It can't really mandate that, because as you pointed out, the receiving server(s) might not support it

  71. flow

    however, as we have figured out, you can't gurantee that this will happen because the recipient's server may not support xep-raa

  72. MattJ

    So it's just in the same category of all the other information that might be included in a stanza, untrusted by default

  73. flow

    well you can mandate it if the recipients server announce support for xep-raa

  74. flow

    however, there appears to be little gain doing so

  75. pep.

    Hmm, I may actually be interested in not showing I'm on a burner jid :x

  76. pep.

    It's the salle account after all

  77. flow

    s/all the other informatin/all the other information later embedded in the stanza by entities that are not the sending entity/

  78. pep.

    It's the same account after all

  79. flow

    s/all the other information/all the other information later embedded in the stanza by entities that are not the sending entity/

  80. pep.

    Same authenticated person rather

  81. MattJ

    flow, you can't necessarily trust what's put in the stanza by the original entity, e.g. if they include <x xmlns="muc" affiliation="owner">

  82. MattJ

    MUCs obviously strip that, but my point is that sending entities can lie too

  83. flow

    MattJ, that <x/> wouldn't survive the MUC component and therefore not arrive at the recipient, would it?

  84. MattJ

    Correct

  85. flow

    so in a MUC I can trust the content of <x/>, but not if it was send in a 1:1 message (however, it is probably of little value there)

  86. flow

    but in general, I really think we should tighten security, especially with regard to spoofing, by explicitly spelling what each, of the usually 4 involved entities, is supposed to add/verify/strip/trust. given our history with spoofed informations issues, for example with carbons

  87. flow

    but in general, I really think we should tighten security, especially with regard to spoofing, by explicitly spelling out what each, of the usually 4 involved entities, is supposed to add/verify/strip/trust. given our history with spoofed informations issues, for example with carbons

  88. flow

    xep raa already did a good job, but it was missing the reciving client side. Of course, I get that this was because the author had in mind that the client does not see or process the <info/>. However, as we have established, it can not be guaranteed that the <info/> element arrives at the reciving client

  89. MattJ

    I don't think it was missing the receiving client side, it's just that I wrote "server" instead of the more general "entity"

  90. MattJ

    Because that was the only intended use case, but you're right that it could be used by clients too if they follow the same rules

  91. flow

    MattJ: sure, wasn't trying to criticize you. I guess we are on the same page

  92. MSavoritias fae.ve

    heads up. i sent a proposal to update XEP-0377: Spam Reporting

  93. MSavoritias fae.ve

    to the mailing list

  94. MSavoritias fae.ve

    (i dont have a github account)

  95. lovetox

    MSavoritias fae.ve, did you miss > Reports MAY contain a user provided message explaining or providing context about the reason for the report

  96. lovetox

    sounds a client can put anything in there what you wish, exactly the label you mention

  97. MSavoritias fae.ve

    thats for the text tho no? not the reason urn

  98. MSavoritias fae.ve

    the text field that is

  99. MSavoritias fae.ve

    if i can add any reason in the urn then yeah thats what i want

  100. pep.

    fwiw I also think these categories aren't exactly.. adequate. It's certainly not the only two options, it's also not entirely clear what these options mean

  101. Daniel

    > heads up. i sent a proposal to update XEP-0377: Spam Reporting > > to the mailing list > > (i dont have a github account) Discussing this on the mailing list is the correct way fwiw. You don't need a github account for that

  102. lovetox

    MSavoritias fae.ve, if you can put anything in a defined attribute, its free text, exactly what you have with the <text> element in the XEp

  103. lovetox

    of course we could extend the defined reasons, but they will never be complete

  104. MSavoritias fae.ve

    i think we are talking past each other here. i mean i want to do: urn:xmpp:reporting:hate-speech

  105. MSavoritias fae.ve

    or urn:xmpp:reporting:transphobia

  106. Daniel

    I may or may not make sense to register additional reasons. I don't think it makes sense to have two free text fields (duplicating text)

  107. pep.

    Daniel, title / description wouldn't be too bad imo

  108. MSavoritias fae.ve

    hmm maybe. basically the usecase is that: i would like to be able to have categories on a db with these reports

  109. pep.

    Or maybe some predefined reasons on the entity to report to, dunno

  110. pep.

    (that means another round-trip though)

  111. Daniel

    One is for automation / check box thingy and thus should offer a limited amount of options (even if one of the options might be 'other') the other is where the user can enter a description

  112. MSavoritias fae.ve

    and as a server operator/person that uses an app to see what categories a block belongs too

  113. lovetox

    as said makes sense to add a few more

  114. lovetox

    but free text is already possible

  115. lovetox

    i simply doubt that its much use when users pick the category

  116. lovetox

    admin has to read the messages anyway

  117. pep.

    Certainly we don't have the same considerations regarding moderation :P

  118. MSavoritias fae.ve

    apparently its supported already to add stuff https://xmpp.org/extensions/xep-0377.html#registrar-reporting

  119. lovetox

    i just fail to see why i should care about the category a users picks for a message he does not like

  120. MattJ

    Using the examples from the mailing list post: is there a situation where you would want to filter out hate speech but allow transphobia? I don't think so. Is there harm in just categorizing them as "abuse" and using the text field for more detail if needed?

  121. MattJ

    (that's what xmppbl.org basically does)

  122. MSavoritias fae.ve

    not that specifically. but imagine if somebody wants to block cryptocurrency

  123. MSavoritias fae.ve

    but somebody else doesnt

  124. MattJ

    There are a practically infinite number of kinds of abuse, and it's going to be impossible to define them all

  125. MattJ

    So it's hard to know, if we start, where to stop

  126. MSavoritias fae.ve

    sure. thats why pep. said to make it free form :)

  127. MattJ

    and if we don't stop, it will just become equivalent to the existing <text> field

  128. MattJ

    The <text> field is already there for that

  129. MSavoritias fae.ve

    a synopsis on top or tags could work the same way

  130. MSavoritias fae.ve

    the text is more a description tho no? its no tags or categories

  131. MattJ

    I think support for multiple reasons could be the answer, if any

  132. MattJ

    So that implementations that only support "urn:xmpp:reporting:abuse" can still understand that, but implementations that understand more detail can use the more detailed reasons

  133. pep.

    pep.> Or maybe some predefined reasons on the entity to report to, pep.> (that means another round-trip though)

  134. pep.

    That'd be tricky? Not really?

  135. MSavoritias fae.ve

    also just thought about it

  136. MSavoritias fae.ve

    we should have references too

  137. pep.

    Add that to disco#info somewhere on the entity and other entities can query it?

  138. MattJ

    To avoid breaking compatibility too much, it probably just makes sense to define child elements for additional "tags"

  139. lovetox

    yeah, im sure as hell dont implement every month the newest fancy phobia anyone wants to tag

  140. pep.

    lovetox, wtf?

  141. pep.

    fancy phobia?

  142. MSavoritias fae.ve

    if they are customizable you dont have to :)

  143. MSavoritias fae.ve

    a visual example of what i am thinking at https://gui.fediseer.com/instances/censured

  144. pep.

    lovetox, maybe you're not subject to these and good for you, but don't dismiss them as if if didn't exist

  145. Daniel

    MSavoritias fae.ve: what use case do you have in mind where you need categorization? My personal use case is 'user reports unwanted content', admin takes a look, bans account if necessary

  146. MSavoritias fae.ve

    it has instance, reasons/categories and evidence

  147. pep.

    lovetox, maybe you're not subject to these and good for you, but don't dismiss them as if it didn't exist

  148. jonas’

    lovetox, I'd like to remind you about XEP-0458, section 2.2, 2.3, 3.4 and 3.5

  149. jonas’

    lovetox, I'd like to remind you about XEP-0458, section 2.2, 2.3, 2.4 and 2.5

  150. MSavoritias fae.ve

    > a visual example of what i am thinking at https://gui.fediseer.com/instances/censured Daniel this is what i have in mind ^

  151. MSavoritias fae.ve

    it has multiple reasons and also evidence/reciepts

  152. MattJ

    I don't think that level of detail can really be enshrined in a XEP, and I don't think even a registry (at the XSF anyway) would suit that data

  153. MSavoritias fae.ve

    not xsf no. but what if we had fediseer in xmpp ?

  154. MSavoritias fae.ve

    as a seperate project

  155. MSavoritias fae.ve

    if you mean level of detail by multiple reasons no

  156. lovetox

    jonas’, are you saying im breaching code of conduct, because as a developer i state that i will not every month add new phobias to a list of report reasons?

  157. jonas’

    lovetox, yes, very much.

  158. jonas’

    the terminology "fancy phobias" is dismissive at the very least.

  159. MSavoritias fae.ve

    i think a customizable field for reasons and a reciept that can be url or a picture or something would be a good step to make this usable

  160. pep.

    (Also "phobia" isn't the proper term, but that's another debate, these words do contain "-phobia" currently so..)

  161. MSavoritias fae.ve

    which again its basically what fediseer already does.

  162. MSavoritias fae.ve

    i dont see how an admin can use rtbl or get reports without evidence atm. and an rtbl without categories/reasons or evidence is not very transparent

  163. jonas’

    the current rtbl does have reasons ftr

  164. jonas’

    but no evidence indeed

  165. pep.

    Yeah currently the rtbl is based on trust

  166. pep.

    Yeah currently the rtbl is based on trust on specific individuals

  167. MSavoritias fae.ve

    > the current rtbl does have reasons ftr right sorry. i meant reasons beside abuse and spam

  168. jonas’

    me too

  169. jonas’

    it's essentially a free-form field

  170. MattJ

    MSavoritias fae.ve, it has text descriptions for the entries, often explaining what occurred, and where

  171. MattJ

    I say "often" because it's not strictly enforced, especially if there is a wave of JIDs in short succession, but that's partly the fault of the tooling which could be improved

  172. MattJ

    As far as I can tell, Fediseer has no canonical list of reasons

  173. MattJ

    It just relies on freeform text and word matching

  174. MSavoritias fae.ve

    it does yeah.

  175. MSavoritias fae.ve

    i do think that adding more reasons on the urn is impractical.

  176. MSavoritias fae.ve

    because they will become too many and/or be restrictive

  177. lovetox

    the more reasons there are, the less helpful is it to you as admin

  178. MSavoritias fae.ve

    my main thought was that "reason" could be used to automatically short or put in categories a blocklist

  179. lovetox

    but you should not block people automatically because someone reports them ..

  180. pep.

    That's obviously not what is being discussed

  181. MSavoritias fae.ve

    another example https://tweaking.thebad.space/location/4e1cca60-50b7-4f24-b9ed-2e31ee9fce57 it has a seperate description which is text for us. and also a reference that is evidence or reciepts

  182. MattJ

    MSavoritias fae.ve, probably just encourage people to add a reason, and use something like https://github.com/Fediseer/fediseer/blob/c72866a4eeb875e7624a4cebdb871294ad1cbf2b/fediseer/apis/v1/censures.py#L71

  183. MSavoritias fae.ve

    so filter on the text you mean?

  184. MSavoritias fae.ve

    > but you should not block people automatically because someone reports them .. if you trust the blocklist you should. and it already happens with rtbl

  185. MSavoritias fae.ve

    the current instance that is

  186. MattJ

    I just added the "evidence" part to Prosody's mod_spam_report_forwarder a day or two ago. I think Conversations already supports it.

  187. MSavoritias fae.ve

    ah so its just the xep lagging behind

  188. MSavoritias fae.ve

    ok

  189. MattJ

    No, see for example here where it references two messages: https://xmpp.org/extensions/xep-0377.html#example-5

  190. MSavoritias fae.ve

    ah so basically you give the stanza-ids to the server operator as evidence and they search them on their server?

  191. MattJ

    Yes

  192. pep.

    But does the entity that get these have access to these messages?

  193. MattJ

    Well Prosody does this for you automatically

  194. MSavoritias fae.ve

    hmm. okay then. this seems better than just links tbh

  195. MattJ

    pep., Prosody will include the full message in an external report

  196. MattJ

    That format could be documented in the XEP, I'm using it for a bunch of things

  197. MattJ

    It's just <forward>

  198. pep.

    I guess if you're in a MUC you should report that to the MUC? Or would you report that to your own server? both? all involved entities?

  199. MattJ

    Good question, I don't think we have MUCs sorted yet

  200. MattJ

    I guess yes, report to the MUC

  201. MattJ

    Since MUCs are "opt in" anyway, it's not exactly up to your own admin to deal with that stuff (unlike incoming presence/messages)

  202. MattJ

    But I can also imagine it might be useful to report a MUC elsewhere, so we should have a standard way to do that

  203. lovetox

    also MUCs, have moderators ..

  204. pep.

    That could be reported to moderators of the MUC by the MUC itself maybe. Also if moderators are away that can be forwarded to operators

  205. lovetox

    though sometimes spamers join, and then you actually want to report them to their home server

  206. MattJ

    Yeah, so in that case it ideally goes to the MUC, which has their JID (even if the reporter does not)

  207. MattJ

    Another use case is banning someone, and including a report for their server

  208. lovetox

    ... i think this will get confusing or is a thin line

  209. lovetox

    because people get removed from MUCs for a lot of reasons

  210. lovetox

    and not all are stuff that you need to report to their server operator

  211. MattJ

    Sure

  212. MattJ

    Most other platforms make it quite straightforward. Removing someone from a group and flagging/reporting them are different UI actions.

  213. MattJ

    Flagging/reporting will generally also block/remove them though

  214. MSavoritias fae.ve

    reporting could be very useful depending on what they did yeah

  215. MattJ

    Assuming you have the power to do that (if you're not the owner of the group, it may need an admin or someone else to take action)

  216. MSavoritias fae.ve

    i would expect a server operator to delete a user that is transphobic

  217. MSavoritias fae.ve

    for example

  218. lovetox

    oh i see server operators will have fun, remember me to never become one

  219. MattJ

    And for the record, there is probably stuff that we want to do that I consider strictly outside the scope of XEP-0377

  220. MattJ

    lovetox, indeed, I don't advise it

  221. lovetox

    do we need a feature to flag server operators that dont agree with our reports?

  222. pep.

    I would also expect servre operators to delete transphobic users. The least we can do is give them the information. If it doesn't happen I'd probably defederate

  223. pep.

    lovetox, are you seriously going this way?

  224. MSavoritias fae.ve

    > do we need a feature to flag server operators that dont agree with our reports? flag where

  225. MSavoritias fae.ve

    defederate probably yeah

  226. pep.

    I mean, questioning the necessity of these actions

  227. MSavoritias fae.ve

    thats why i have been asking about the rtbl

  228. lovetox

    pep., did you not just say the same thing? if a server operator does not agree with your reports you "defederate" which means blocking

  229. pep.

    Yes blocking

  230. Daniel

    > do we need a feature to flag server operators that dont agree with our reports? I think they are talking about creating a block list (that you don't have to subscribe to)

  231. pep.

    That's what fediseer is about

  232. MSavoritias fae.ve

    yep. its a blocklist

  233. jonas’

    If a server operator does not handle reports to ensure the traffic their server emits conforms with the values of a specific block list, that block list should probably block that server, but I'm not sure whether that needs protocol?

  234. Daniel

    Sure. You can't expect everyone to just know that

  235. MSavoritias fae.ve

    personally the question came because i saw the rtbl used 377 so i was wondering if I could use it to make a "badspace" for xmpp

  236. MSavoritias fae.ve

    as in the blocklist

  237. lovetox

    can server be blocked in third party MUCs? Say you are A and block B, but A.user and B.user meet in C.MUC

  238. lovetox

    they can talk to each other or?

  239. pep.

    Yeah no these two users can still talk via third-party

  240. jonas’

    they can, yeah

  241. MattJ

    > personally the question came because i saw the rtbl used 377 so i was wondering if I could use it to make a "badspace" for xmpp I'd say "yes", definitely

  242. MattJ

    AFAICT, again, the badspace list is just freeform

  243. MattJ

    and if you want to communicate more than that, take advantage of XMPP's extensibility and layer in some tagging

  244. MattJ

    The additional tags don't need to be part of XEP-0377, you can just provide info for consumers of the list (if you want them to understand the tags)

  245. MattJ

    But current solutions seem to be doing fine (?) without that

  246. MSavoritias fae.ve

    yeah tbh the biggest problems with this is: governance model, appeals and how to deal with people who dont like you

  247. MSavoritias fae.ve

    i doubt xmpp is going to be the problem

  248. MattJ

    I have been thinking about those things too

  249. MSavoritias fae.ve

    the easiest i have thought is to have jj CoC as the rules and have the abuse room as a place for reports

  250. MSavoritias fae.ve

    appeals is the tricky part.

  251. jonas’

    > and how to deal with people who dont like you step 1: get a hoster with DDoS mitigation.

  252. singpolyma

    MattJ: the main raa spoofing problem is if the receiver supports but not the sender, right?

  253. MattJ

    singpolyma, right

  254. MattJ

    If a recipient of the stanza doesn't support RAA then it doesn't matter if it's spoofed