XSF Discussion - 2024-03-06


  1. imsxm15

    Hello where can i find a list of public canal that I can add ?

  2. Menel

    Hi imsxm15, some are listed here: https://search.jabber.network

  3. alom

    Anybody know of an xmpp client for windows that has support for video/audio calls? I dont understand why this should be so hard to find... I found a Dino Windows version here but its not from the official Dino repositories so am hesitant to use it: https://github.com/LAGonauta/dino/releases

  4. MattJ

    alom, Dino for Windows or Movim (web)

  5. alom

    MattJ: Thanks this is also what I found. I want an installed client and not web. So it seems am left with an unofficial Dino version for windows. Well you dont seem to have any problem with it so I guess its fine👍 I was just worried it could be malware in disguise or simply not secure/buggy/lack of updates

  6. edhelas

    Movim is a progressive Web App, you can also "install" it on your OS :) /ads

  7. alom

    edhelas: Oh ok, thank you so much!😊👍

  8. edhelas

    Same on Android, and there's push notification and a few other "native" features that comes with it

  9. alom

    edhelas: Ok! Well I like conversations and cheogram on android so guess I will stick with that there🙂

  10. edhelas

    XMPP, the power of choice ✨

  11. alom

    edhelas: Right, nice one!😂😂

  12. Daniel

    xep-0333 is one of the widest implemented XEPs that currently is non-stable (deferred even). I intent to bring this to stable over the coming months. Here is my current proposal on how to achieve that: https://gultsch.de/files/xep-0333.html

  13. Daniel

    (tldr: remove everything but <displayed/>)

  14. emus

    Daniel: 👍 I wish we could have more statements like this on our media and show activity. But I would need help for formulation

  15. Andrzej

    Daniel, what is reasoning behind removing <received/>? I wonder as I preferred this approach over XEP-0184. I know that with 333 we are losing information that particular message was delivered but I’m not sure people actually expect that or rather expect if „last message” was received/displayed what we get with 333

  16. Daniel

    two reasons. a) I think for reliability tracking a lot of people prefer per message tracking b) 184 is widely deployed and realistically not going to go away

  17. Andrzej

    I didn’t see harm in having both in 333 as I’ve sent in clients <received/> from 333 and 184 in a single stanza (when it was possible)

  18. Daniel

    > I didn’t see harm in having both in 333 as I’ve sent in clients <received/> from 333 and 184 in a single stanza (when it was possible) right. Conversations does that. but when implemented that way you literally are just replicating 184

  19. Andrzej

    not really, I’ve did 333 only for „live” messages or for last message from the MAM archive if I recall

  20. Andrzej

    I did 184 for each message as I’ve had 184 implementation before and was hoping to deprecate it from my clients

  21. Zash

    How would you notice a message in the middle disapearing into the void then?

  22. Zash

    > (tldr: remove everything but <displayed/>) 👍

  23. Andrzej

    I’m aware that I wouldn’t get when some message would be lost

  24. Andrzej

    However, with 184 you may not get ack, if I’m correct, when it was sent to the user when he was offline and user’s client only relies on MAM to sync history (XEP-0184, 5.5). In this case you should assume that those messages were not delivered and that is also not good…

  25. singpolyma

    I agree that 0333 received never made sense to me, not sure where I would use that. I know probably no one is implementing acknowledged but it seems safe to keep and the semantics make sense?

  26. MattJ

    At the time '333 was discussed, acknowledged was certainly requested by some folk in certain industries where it's important

  27. MattJ

    Whether they ended up using it, I don't know

  28. Zash

    Today reactions may fill that role?

  29. MattJ

    I'm also in favour of not duplicating '184, I think the per-message receipts with per-conversation display markers is a good balance between the two models

  30. Zash

    Today reactions may fill that role (explicit ack)?

  31. singpolyma

    Zash: reactions can be a hack for ack, but it doesn't have the same semantics so I'm loathe to consider it a full replacement

  32. singpolyma

    I honestly thing 184 per-message receipts and what make 0333 "up to" displayed markers work at all. Otherwise you have no idea what actually came before this?

  33. singpolyma

    I guess if all three links have sane sm on them you shouldn't need 184, but that's not where we live today

  34. Daniel

    > I honestly thing 184 per-message receipts and what make 0333 "up to" displayed markers work at all. Otherwise you have no idea what actually came before this? +1

  35. moparisthebest

    MattJ: I'm not clear at all which one the XSF uses, did you see https://opencollective.com/opensource/updates/regarding-the-announcement-to-dissolve-open-collective-foundation ?

  36. singpolyma

    XSF doesn't use any, XSF is its own

  37. MattJ

    ^

  38. singpolyma

    you can use XSF instead of OCF

  39. singpolyma

    (if we let you)

  40. MattJ

    It's very confusing, but it does not affect the XSF or any of our projects

  41. moparisthebest

    MattJ, singpolyma: what's https://opencollective.com/xmpp

  42. singpolyma

    moparisthebest: that is the XSF

  43. MattJ

    opencollective.com != The Open Collective Foundation

  44. MattJ

    This is what's shutting down: https://opencollective.com/foundation

  45. moparisthebest

    You are right it's very confusing lol, but ok glad we aren't affected :)

  46. MattJ

    i.e. an alternative to the XSF

  47. TheCoffeMaker

    Don't know if here is the right place to share this, but I think u will find it interesting (from Meta): > "Taking the example of WhatsApp, third-party clients will connect to WhatsApp servers using our protocol (based on the Extensible Messaging and Presence Protocol – XMPP). The WhatsApp server will interface with a third-party server over HTTP in order to facilitate a variety of things including authenticating third-party users and push notifications." https://engineering.fb.com/2024/03/06/security/whatsapp-messenger-messaging-interoperability-eu/

  48. singpolyma

    xmpp for c2s, http for s2s

  49. moparisthebest

    "our protocol (based on...)" Gives me some pause, also why should my clients connect there instead of my server

  50. moparisthebest

    I assume because that gives them a bunch more data to sell

  51. TheCoffeMaker

    > I assume because that gives them a bunch more data to sell this

  52. singpolyma

    > This allows users of third-party providers who choose to enable interoperability (interop) to send and receive messages with opted-in users of either Messenger or WhatsApp haha, opted-in 🙃

  53. emus

    🙈

  54. singpolyma

    moparisthebest: well, I expect they won't let you connect from a server mostly due to e2ee preservation bs

  55. MSavoritias fae.ve

    also they dont want to bother with keeping up with standards

  56. MSavoritias fae.ve

    and dealing with spam/abuse from other servers

  57. moparisthebest

    "hi this is the XSF, we'd like to opt in for the entire public XMPP network, so just turn on S2S on your end kthx"

  58. MSavoritias fae.ve

    from what i have seen from my partner whatsapp has less spam than the federated xmpp network as it currently stands

  59. MSavoritias fae.ve

    so i would expect facebook and people that use whatsapp to object to that

  60. singpolyma

    meta products hide all the spam in a different ui place. I get lots on messenger but I never see it

  61. moparisthebest

    > from what i have seen from my partner whatsapp has less spam than the federated xmpp network as it currently stands MSavoritias fae.ve: are they in public channels? Do those even exist in WhatsApp?

  62. MSavoritias fae.ve

    no idea

  63. MSavoritias fae.ve

    > meta products hide all the spam in a different ui place. I get lots on messenger but I never see it that sounds like the moderation panel from yesterday :D

  64. singpolyma

    > When a third-party user registers on WhatsApp or Messenger,

  65. moparisthebest

    100% of XMPP spam is on public channels though

  66. MSavoritias fae.ve

    i dont see why public channels have to make spam worse

  67. MSavoritias fae.ve

    if they do its a failure of moderation tools

  68. singpolyma

    moparisthebest: uh, most spam is 1:!

  69. singpolyma

    moparisthebest: uh, most spam is 1:1

  70. moparisthebest

    Not in XMPP in my experience

  71. singpolyma

    I don't think any meta product has public channels

  72. MattJ

    moparisthebest, Your experience is (surprise!) subjective :)

  73. singpolyma

    moparisthebest: it's just a statistical fact. spam on 1:! outnumbers MUC spam by over 100:1

  74. singpolyma

    moparisthebest: it's just a statistical fact. spam on 1:1 outnumbers MUC spam by over 100:1

  75. moparisthebest

    I get a ton of 1:1 spam with SMS and email

  76. MSavoritias fae.ve

    i have blocked sms from non contacts at this point

  77. MSavoritias fae.ve

    email is thing i want to delete at some point. if only for guix using email :/

  78. singpolyma

    despite all the caveats, this meta thing is still interesting. but someone(tm) is gonna have to actually try the process with them. I guess we'll start by seeing what the requirements docuement says

  79. MattJ

    moparisthebest, your JID is either on the spammers' lists or it isn't. If it isn't, you'll obviously get zero spam, and JIDs are not enumerable like phone numbers are.

  80. moparisthebest

    That's the strange part though, my jid is actually public on xmpp.org and years and years ago I got a bunch of 1:1 spam but not again

  81. moparisthebest

    Family/friends I have on XMPP have never seen spam

  82. singpolyma

    you're the lucky ones then :)

  83. singpolyma

    admittedly spam on xmpp is currently not very sophisticated

  84. MSavoritias fae.ve

    yeah i wish i was that lucky

  85. MattJ

    There are at least two different lists around - for each spam wave generally one set of users or a second set of users will receive the spam (from, we believe, different spammers)

  86. MSavoritias fae.ve

    its waves personally

  87. MattJ

    The wave that started a few weeks ago has been targeting user accounts that haven't been targeted for a long time, which is why everyone is suddenly caring about it again

  88. moparisthebest

    Is it only XSF members or are your family/friends also getting them?

  89. MattJ

    It's far from only XSF members

  90. singpolyma

    but more likely to get spam as a longer-time user of course than on a fresh jid

  91. MattJ

    My own family don't receive spam, but I've heard from people who do have that problem

  92. singpolyma

    I get spam to lots of jids that don't even exist but are email addresses, so they're sharing lists with someone

  93. singpolyma

    🍯

  94. MattJ

    🤫

  95. moparisthebest

    It's likely my family have never shared their JID with anyone but it's the same as their email and they have certainly shared that

  96. MattJ

    Maybe you have mod_block_strangers? or mod_firewall with the anti-spam ruleset in prosody-modules?

  97. Daniel

    > My own family don't receive spam, but I've heard from people who do have that problem Yes my family members receive spam and they never published their jid anywhere

  98. Daniel

    But it is the same address as their semi public email address

  99. singpolyma

    yeah. sharing jid spam with email spam lists is definitely happening some

  100. moparisthebest

    No blocking here except to the kid's JIDs, but then I'd get a message that someone spammed them and I haven't either

  101. moparisthebest

    You all need to be more explicit 🤣 you said "spam" and I thought we were just talking about MUC trolls, oops

  102. singpolyma

    nah, I honestly barely consider any of the MUC abuse we've seen as spam. I'm not sure any of it is even automated yet

  103. singpolyma

    whereas the 1:1 spam is clearly automated

  104. MattJ

    Yeah, same, when I say "spam" I'm generally referring to the mass 1:1 spam that resembles email spam

  105. MattJ

    Not MUCs, though we occasionally see manual MUC spam (which I also consider separate to flooding)

  106. moparisthebest

    Having not had 1:1 spam since 2016 or whatever I would never have imagined that's what you meant haha

  107. TheCoffeMaker

    none of my users are having spam issues... maybe it's linked to server's popularity and jid using simple words and not fantasy nick names picked by users

  108. meson

    > are they in public channels? Do those even exist in WhatsApp? afaik WhatsApp only knows private groups, they only become public if the invite link becomes publicly shared. The invite link can be invalidated at any time by the group admin however.

  109. MSavoritias fae.ve

    sounds like that invite xep that gets shared around

  110. meson

    Then there a read-only broadcast channels and so called "communities", which just bundle several related group chats together.

  111. meson

    Then there read-only broadcast channels and so called "communities", which just bundle several related group chats together.

  112. MattJ

    TheCoffeMaker, it's not linked to server popularity - I am the only person on this domain and I receive spam

  113. TheCoffeMaker

    🙇️

  114. MattJ

    Again, JID == email though, so it's probably scraped that way

  115. MattJ

    While many XMPP services don't have JID == email

  116. Trung

    MattJ: perhaps you have a few enemies...

  117. MattJ

    Seeing how many JIDs are sending spam - thousands ;)

  118. TheCoffeMaker

    🤣️

  119. Kev

    > TheCoffeMaker, it's not linked to server popularity - I am the only person on this domain and I receive spam I'm sure you're just downplaying your popularity :)

  120. MattJ

    Hmm, no... someone voted "no" to me being an XSF member. So I have at least one enemy :P

  121. moparisthebest

    MattJ: also your JID is literally everywhere no? Unless it's a secret one :)

  122. MattJ

    moparisthebest, yeah, it's my everywhere JID. I have a separate JID for family, and that's spam-free of course.

  123. TheCoffeMaker

    > > TheCoffeMaker, it's not linked to server popularity - I am the only person on this domain and I receive spam > I'm sure you're just downplaying your popularity :) lol not intended at least

  124. Daniel

    I did some more minor adjustments to https://gultsch.de/files/xep-0333.html including adding some business rules and some design considerations that explain what happened to ack and received

  125. Daniel

    my goal here is to get this through last call as quickly as possible. so any feedback that helps achieve that is welcome

  126. lovetox

    You could mention occupant-id

  127. lovetox

    But not that important to this xep I guess

  128. Daniel

    lovetox, how does the occupant id relate to the xep?

  129. lovetox

    Attributing it to the right user

  130. Daniel

    fair enough. let's see if i can come up with something

  131. lovetox

    I would think just a note in security consideration?

  132. lovetox

    That the MUC xep does not on its own prevent forgety

  133. lovetox

    That the MUC xep does not on its own prevent forgery and if that's important occupant Id should be validated

  134. Zash

    How much do you even need <markable> ?

  135. Daniel

    Not much. But 184 has it too

  136. lovetox

    In theory you save traffic

  137. Daniel

    By having it or by not having it?

  138. lovetox

    The idea is if it's not on the message the client is not interested in a marker

  139. lovetox

    So one less stanza to send

  140. Daniel

    Yeah I think it makes sense to have some signaling at least in 1:1

  141. lovetox

    But of course we use it also for read state sync so I'm sending it anyway for my other clients

  142. Daniel

    > But of course we use it also for read state sync so I'm sending it anyway for my other clients Not anymore with mds

  143. MattJ

    FWIW I think the MUC markers/RAI plugins for Prosody depend on <markable> in MUC

  144. Daniel

    >> But of course we use it also for read state sync so I'm sending it anyway for my other clients > Not anymore with mds https://gultsch.de/files/xep-mds.html

  145. lovetox

    Daniel: do we have some mitigation to endless growing pep node with that xep?

  146. lovetox

    I guess at some point someone will run into a server limit what happens then ?

  147. lovetox

    Which item will be dropped?

  148. lovetox

    I hope the oldest one

  149. MattJ

    Yes

  150. Daniel

    i don’t know. I was considering adding something along the lines of 'when a client deletes a chat it MAY delete the item' or so

  151. Daniel

    which doesn’t exactly fix the issue

  152. Daniel

    but at least points people in some direction

  153. Daniel

    however if the server deletes the oldest item this seems like relatively acceptable behaviour

  154. pep.

    > I hope the oldest one Wasn't that unspecified?

  155. pep.

    https://bpa.st/UFDA Date: Sun, 06 Oct 2019 14:12:44 +0200 on standards@

  156. singpolyma

    probably most people wont' get to 10k chats anyway so hopefully we can set limits high enough to not be an issue

  157. Guus

    > probably most people wont' get to 10k chats anyway so hopefully we can set limits high enough to not be an issue I've not read back for context, so I'm not sure if this is relevant, but: not all XMPP entities are human end-users.

  158. Guus

    I've been bitten before by limits that I never imagined would ever be hit.

  159. Zash

    Will this be relevant for those tho?

  160. moparisthebest

    > probably most people wont' get to 10k chats anyway so hopefully we can set limits high enough to not be an issue Challenge accepted

  161. singpolyma

    Yeah I think non-human users mostly shouldn't need private PEP at all, especially not for this kind of thing

  162. Guus

    famous last words...

  163. edhelas

    I don't get how https://xmpp.org/extensions/xep-0474.html#hash is actually secure. If Eve (that is doing the MITM attack) can actually change the stanzas she can: 1. Change the SASL mechanisms list initially sent by the server 2. Calculate her own hash and replace the d= parameter in the base64 provided by the server 3. Also inject her own hash in the d= parameter provided by the client I'm missing something there 🤔

  164. MattJ

    edhelas: it depends on the existing mutual authentication of SCRAM. Eve does not have the user's credentials and cannot calculate the correct proof for the modified 'd' hash.

  165. edhelas

    Ah !

  166. edhelas

    > Hash S using the same hash mechanism as used for the SCRAM mechanism currently in use and encode the result using base64

  167. edhelas

    So this means that it's more than a simple sha* of the string, but the complete SCRAM flow applied to it (number of iterations...). So indeed it is unique.

  168. MattJ

    edhelas: no, just one iteration