XSF Discussion - 2024-08-27


  1. singpolyma

    Well sounds like they're choosing the telegram server because of the telegram server's policies

  2. singpolyma

    Which indicates to me that they do care

  3. moparisthebest

    kurisu: I think you are saying "expiration times/sizes/etc should be discoverable for clients" ? Seems right to me

  4. singpolyma

    Once your client is connected you've already signed up, no?

  5. moparisthebest

    Before signup might be important but so is after you are connected, not like it can't change

  6. singpolyma

    Hopefully it's not drastically changing without a serious announcement, but I guess so

  7. moparisthebest

    Also users should be able to configure it :)

  8. singpolyma

    It hasn't been said, but I think kurisu has an assumption people are googling "xmpp server" and signup for a random one run by someone they don't have any knowledge of or some similarly bad flow

  9. singpolyma

    > Also users should be able to configure it :)

    Yes for some users this would be good

  10. moparisthebest

    > It hasn't been said, but I think kurisu has an assumption people are googling "xmpp server" and signup for a random one run by someone they don't have any knowledge of or some similarly bad flow

    That would indeed be bad

  11. SavagePeanut

    > It hasn't been said, but I think kurisu has an assumption people are googling "xmpp server" and signup for a random one run by someone they don't have any knowledge of or some similarly bad flow

    It would surprise me if this wasn't happening

  12. singpolyma

    Sure, I have evidence some people are doing that. And the ecosystem is weak enough right now that I can sometimes see why. But the solution is to not do that

  13. SavagePeanut

    That would be the ideal solution

    Better account migration may also help a bit

  14. kurisu

    > It hasn't been said, but I think kurisu has an assumption people are googling "xmpp server" and signup for a random one run by someone they don't have any knowledge of or some similarly bad flow

    And there are so many famous servers with well known policies

  15. singpolyma

    kurisu: I assume you're being sarcastic. And yes, there are almost no services I would suggest a new user to sign up with at the moment. It's a weak point for sure

  16. kurisu

    Weak more like breaking

  17. moparisthebest

    For new users I suggest: Running your own Snikket, paying for Snikket to run your Snikket, conversations.im. In that order. There are other good options too. Other lesser chat systems only have 1 choice so we are at least 4x better from the start

  18. singpolyma

    moparisthebest: those are indeed pretty much the options, but only if you want what they happen to offer which eg kurisu's requirements are different

  19. kurisu

    > for new users: running your own

    This must be a joke.

  20. singpolyma

    Depends on the user 🙂

  21. moparisthebest

    If you want unlimited storage you can run your own or pay someone to do it. If you want unlimited slack retention you can only pay slack a shitload.

  22. kurisu

    > Other lesser chat systems only have 1 choice so we are at least 4x better from the start

    This must be a joke too.

  23. SavagePeanut

    You are in a room for a decentralized chat protocol and are surprised that the people in it like self hosting and choices?

  24. kurisu

    > If you want unlimited storage you can run your own or pay someone to do it. If you want unlimited slack retention you can only pay slack a shitload.

    Telegram gives you unlimited storage for free

  25. moparisthebest

    Not free, you pay with your data

  26. kurisu

    > You are in a room for a decentralized chat protocol and are surprised that the people in it like self hosting and choices?

    I am surprised people don't care about usability.

  27. moparisthebest

    Plus they can change their minds literally at any time

  28. kurisu

    > Not free, you pay with your data

    From normie pov that's free.

  29. moparisthebest

    Sounds like a much worse deal to me

  30. moparisthebest

    >> Not free, you pay with your data
    > From normie pov that's free.

    Maybe, but that's wrong. Educate them.

  31. kurisu

    > Plus they can change their minds literally at any time

    The likelihood of that in my experience has been less than an xmpp server keeling over dead or just glitching.

  32. moparisthebest

    Must not have that long of experience?

  33. moparisthebest

    Google alone has killed what 85 entire chat systems?

  34. moparisthebest

    AOL, msn, icq, I mean this list never ends

  35. kurisu

    >> From normie pov that's free.
    > Maybe, but that's wrong. Educate them.

    If educating them worked, it would've worked already. If xmpp or some other privacy friendly solution were equally as useful, then they might switch. Very few will sacrifice usability for ideology, and it shows.

  36. moparisthebest

    No need to sacrifice usability

  37. kurisu

    > AOL, msn, icq, I mean this list never ends

    Long enough period for people to just switch. E.g. by the time icq was stopped it had basically no users.

  38. moparisthebest

    We've already established XMPP supports infinite history, and can support the other stuff you want, just do it?

  39. kurisu

    > No need to sacrifice usability

    You suggested self hosting as the best option. If self hosting is the best solution, then YES, there is a need to sacrifice usability, and by a lot.

  40. moparisthebest

    Not sure what you mean?

  41. moparisthebest

    I've always said the best case is for everyone to use a small server hosted by themselves or close family/friends

  42. kurisu

    No significant chunk of the population is ever going to do that. People don't work like that.

  43. kurisu

    And I don't know a single person who I would rely on to keep a server running over a decade at least.

  44. kurisu

    And I don't know a single person irl who I would rely on to keep a server running over a decade at least.

  45. moparisthebest

    Why not? Sure they do, I think you have an antiquated notion of what it takes to run a server.

  46. moparisthebest

    If you can install an app on a phone or TV or plug a box into a wall you can host your own server, that's it

  47. kurisu

    No I don't, computers are still fucked up and overcomplicated. And

    > sure they do

    Yeah sure we see that everywhere?

  48. moparisthebest

    That all the code isn't yet done to enable this is a small detail, something that again, just needs done

  49. kurisu

    > If you can install an app on a phone or TV or plug a box into a wall you can host your own server, that's it

    A server run on a shitdroid phone? I wouldn't expect that to last a month without downtime.

  50. kurisu

    > That all the code isn't yet done to enable this is a small detail, something that again, just needs done

    No it's no small detail. Crossing between theory and practice is no small detail lol.

  51. moparisthebest

    This is perhaps the best thing about XMPP. You seem driven to make a discord/slack alternative, you can make that happen. I want tiny servers everywhere, I can work on enabling that. And our individual disconnected efforts end up benefitting each other. 😁

  52. kurisu

    I want a discord/slack alternative in the sense that I want people out of surveilled walled gardens. How that "alternative" works is an implementation detail. "Small servers everywhere" has proven to not be viable, otherwise it would've prevailed by now, as the tools are there and have been there for a long time.

  53. deport

    2 more weeks

  54. moparisthebest

    > I want a discord/slack alternative in the sense that I want people out of surveilled walled gardens. How that "alternative" works is an implementation detail.

    Sure, sounds great, please do it!

    > "Small servers everywhere" has proven to not be viable, otherwise it would've prevailed by now, as the tools are there and have been there for a long time.

    Not really but I guess we'll see.

  55. fugata

    > I want a discord/slack alternative in the sense that I want people out of surveilled walled gardens. How that "alternative" works is an implementation detail. "Small servers everywhere" has proven to not be viable, otherwise it would've prevailed by now, as the tools are there and have been there for a long time.

    kurisu: I generally avoid making statements like "not viable, otherwise it would have prevailed by now" - 1. If it isn't widespread, there is a reason 2. If there is a reason, it can be fixed 3. If or when it is fixed, what is "unviable" will suddenly become very "viable".

  56. mike

    Also the notion that "it isn't popular, therefore it must not be good" is quite flawed

  57. kurisu

    > If there is a reason, it can be fixed

    Not always plus it's been plenty of time for it to get fixed so

  58. MSavoritias fae.ve

    has it? computer science and computing are very much in their infancy still. so there hasn't been plenty of time at all.

  59. kurisu

    Xmpp has existed for 25 years. In computer years that's basically since the big bang.

  60. mathieui

    kurisu: many things have come and gone in that period, yet XMPP is still there

  61. opinionplatform.org

    > 3. If or when it is fixed, what is "unviable" will suddenly become very "viable".

    After "the ship has sailed" it may be theoretically possible to overtake it, but unlikely in practice...

  62. deport

    I might be crazy but I always find myself being stuck on the fence regarding the smallness of the xmpp community and relatively small user base and whether we would be better off with more people involved

  63. kurisu

    > kurisu: many things have come and gone in that period, yet XMPP is still there

    Icq was considered dead when it still had many more users than xmpp ever had. So this "still there" is technical.

  64. opinionplatform.org

    > I might be crazy but I always find myself being stuck on the fence regarding the smallness of the xmpp community and relatively small user base and whether we would be better off with more people involved

    I agree people running the xmpp (public) show enjoy being among few fish in small ponds, rather than minnows among sharks in a bigger ocean...

  65. deport

    yes, that's part of it

  66. mathieui

    kurisu: technically wrong, there are and were many more users of XMPP, they just did not know it (now of course private or in-app deployments don't bring street cred on the wide internet, but this is not something I care about personally)

  67. lissine

    > Icq was considered dead when it still had many more users than xmpp ever had. So this "still there" is technical.

    Do you know how many xmpp users there are? If so, provide a reference

  68. kurisu

    > kurisu: technically wrong, there are and were many more users of XMPP, they just did not know it (now of course private or in-app deployments don't bring street cred on the wide internet, but this is not something I care about personally)

    I care about people being in or out of walled gardens, so what whatsapp may or may not run under the hood of irrelevant

    👍 1
  69. kurisu

    > kurisu: technically wrong, there are and were many more users of XMPP, they just did not know it (now of course private or in-app deployments don't bring street cred on the wide internet, but this is not something I care about personally)

    I care about people being in or out of walled gardens, so what whatsapp may or may not run under the hood is irrelevant

  70. opinionplatform.org

    >> kurisu: technically wrong, there are and were many more users of XMPP, they just did not know it (now of course private or in-app deployments don't bring street cred on the wide internet, but this is not something I care about personally)
    > I care about people being in or out of walled gardens, so what whatsapp may or may not run under the hood of irrelevant

    "Out of walled gardens" makes a catchy slogan, but does not well describe the public muc experience for _some people_. When run as tiny fiefdoms by petty people, it is just as walled as anywhere. IMO.

  71. lissine

    kurisu: so you want a centralized system (for "usability", infinite retention etc.), but not a "surveilled walled garden"

    Explain how you can have the former without the latter (let's say you have 100 Million users)

  72. lissine

    And if you have a viable plan, why not execute it? Whatsapp was started based on xmpp

  73. opinionplatform.org

    How many lurker ids do there need to be before you consider it surveilled?

  74. opinionplatform.org

    Apologies. Back to lurking. 🙂

  75. lissine

    opinionplatform.org: this is a public channel, and you know that anyone can read what's here. Talking about surveillance for _public_ chats doesn't make sense

  76. opinionplatform.org

    lissine: Logged to a website too, iiuc....

  77. lissine

    opinionplatform.org: so what?

  78. opinionplatform.org

    Does talking about surveillance on public streets make sense?

  79. opinionplatform.org

    But again, apologies for disturbing the bubble.

  80. lissine

    A more correct analogy would be a town square, not public streets

  81. kurisu

    >> I care about people being in or out of walled gardens, so what whatsapp may or may not run under the hood of irrelevant
    > "Out of walled gardens" makes a catchy slogan, but does not well describe the public muc experience for _some people_. When run as tiny fiefdoms by petty people, it is just as walled as anywhere. IMO.

    I wasn't talking about mucs

  82. threadmisser

    https://upload.jabber.cz/upn2/7ed88d5535b6c74f4535cbc31d92bf97ba534328/EoLbXftht8Rkt68v3cxPCXpoYMK28HkZ2JKbiGNe/antieverythingchad.jpg

  83. kurisu

    Pubsub notifications are sent via message to all currently subscribed entities, and from what I understand there's no checking if the latest notification was actually delivered?

  84. lovetox

    Checking?

  85. lovetox

    You mean if the server checks?

  86. kurisu

    Yeah

  87. kurisu

    I'm specifically interested in the context of avatars. Like what's the algorithm? Just listen for updates or should I also request manually on each client start or something like that?

  88. moparisthebest

    > I might be crazy but I always find myself being stuck on the fence regarding the smallness of the xmpp community and relatively small user base and whether we would be better off with more people involved

    I wouldn't call everyone who's ever used a smart phone a small userbase but ok...

  89. kurisu

    Oh wait, do the updates end up in mam?

  90. lovetox

    kurisu: no

  91. lovetox

    kurisu: on coming online you place a +notify in your disco info for the node

  92. lovetox

    Then the server will send you the last message

  93. Menel

    moparisthebest: people always confuse the protocol with some client or "the open xmpp chat community" or....

  94. lovetox

    Is this not in the user avatar XEP described?

  95. moparisthebest

    Daniel, Link Mauve, mathieui: did you see https://njump.me/nevent1qvzqqqqqqypzpk9xancv89h24rme53yhl6dh0hyhwce528eu5hrrfcsgvkg3vermqqsdz7p7mn89064lpnp4lepc2wu8tzeqe0z49sgvkzghcjdnpm3wd7c99wm30 ? If it's to be believed the Telegram guy was arrested in France for running a "cryptology service" without registering with the French govt first... 💀

  96. Menel

    Some old laws from the crypto wars? Didn't know that is still around

  97. kurisu

    This is a PR campaign just like their "banning" by Russia was. So people think that in terms of security Telegram is anything more than yet another centralized social network with no e2ee

  98. kurisu

    This is probably just another PR campaign just like their "banning" by Russia was. So that people think that in terms of security Telegram is anything more than yet another centralized social network with no e2ee

  99. moparisthebest

    Telegram is nothing more than another centralized silo, where e2e or not doesn't matter at all

  100. moparisthebest

    But that's beside the point that if France really arrested him for running an unregistered chat service that public XMPP operators, especially those in France, might have reason to worry

  101. Menel

    Read a fedi post that signal _did_ register it

  102. Menel

    Someone wrote how cumbersome / hard it was

  103. kurisu

    I'd say no unless ru military actively uses your xmpp server like they do telegram

  104. kurisu

    > that public XMPP operators, especially those in France, might have reason to worry

    Re:

  105. mathieui

    moparisthebest: this is certainly a pretext in that case, but also servers operators do not "import cryptographic mechanisms", and the restriction is rather on client authors on marketplaces

  106. mathieui

    Additionally we at least reply to law enforcement and comply to orders from judges, which is more than what telegram ever did, from what I gather

  107. kurisu

    I mean, Telegram erased info upon Russian and Iranian government's requests, so it definitely did more than that...

  108. kurisu

    Not to mention how much it had to cooperate to be based in UAE in ways we'll never know about

  109. moparisthebest

    > moparisthebest: this is certainly a pretext in that case, but also servers operators do not "import cryptographic mechanisms", and the restriction is rather on client authors on marketplaces

    mathieui: I can't imagine all your crypto code was written in France so you are importing it, no?

  110. mathieui

    moparisthebest: it is a bullshit law but TLS stacks are not part of the equation

  111. moparisthebest

    So then is Daniel screwed on running a server *and* providing a client with OMEMO? Should he avoid France? :/

  112. edhelas

    French citizen there, but hosting in Germany, how does it apply for me :D ?

  113. moparisthebest

    edhelas: well the arrested guy was a French citizen not hosting in France so I'm afraid it doesn't look good for you 😞

  114. mathieui

    moparisthebest: I believe Daniel has filled the paperwork years ago

  115. Menel

    Also, not being French and not hosting there, then it doesn't apply, does it?

  116. mathieui

    Menel: it does if you sell your app on French app store fronts, afaik

  117. mathieui

    (iOS and Android, notably)

  118. mathieui

    Durov being French has not much link to his arrest, as far as I understand it

  119. mathieui

    (His French citizenship is also a very dubious affair)

  120. moparisthebest

    Regardless I think it's worth watching closely and being somewhat concerned about, especially if you travel to France

  121. kurisu

    "Durov being French"

  122. Menel

    Hm seems impossible to use playstore, not limiting it to any country. Then you need to know the laws of every country in the world? Quite impossible even for some lawyers

  123. moparisthebest

    You can limit to country, but yes, how many full time lawyers do you need on staff to analyze all law changes in all countries ?

  124. moparisthebest

    And how/why is "app store" different from "installing from a web page" or "Debian repos" ?

  125. moparisthebest

    gajim and Dino devs are breaking French laws too? Or Debian packagers? Or Debian? 🤷‍♂️

  126. Menel

    That would be a good job for Google. And actually, why isn't it the play store's fault to ship it there

  127. mathieui

    Menel: when you allow the store to distribute to France, it asks you the question (see https://mastodon.social/@fj/113032860763121615 )

  128. Menel

    👍

  129. moparisthebest

    Menel: I agree, why does the multi billion dollar company actually capable of doing this escape responsibility...

  130. kurisu

    > Then the server will send you the last message

    I only get my own pfp. I don't get messages for any other users. Am I supposed to request those myself manually? Or to somehow explicitly subscribe to them?

  131. singpolyma

    No, you just get them if you have +notify and they are in your roster with presence permission

  132. kurisu

    on every reconnect?

  133. singpolyma

    Yes

  134. Seve

    "Malware infiltrates Pidgin messenger's official plugin repository" https://news.ycombinator.com/item?id=41370714

  135. mimi89999

    What's the best place to discuss proposed XEPs?

  136. hook

    > "Malware infiltrates Pidgin messenger's official plugin repository" https://news.ycombinator.com/item?id=41370714

    Tangential question: how well is XMPP/Jabber support in Pidgin nowadays?

  137. singpolyma

    Not great

  138. singpolyma

    Does work at all

  139. hook

    Too bad

  140. moparisthebest

    > What's the best place to discuss proposed XEPs?

    mimi89999: here is good, or mailing list

  141. kurisu

    I advertised urn:xmpp:avatar:metadata+notify in my toy client's presence caps, but I only get <message> from a couple of contacts. A particular contact for which I see a pfp on dino/conversations/gajim isn't sending theirs. Why could that happen?

  142. kurisu

    that person is running monocles but I think that's not the point as from what I understand the message is sent on their behalf by my server anyway?

  143. mimi89999

    I saw https://matthewwild.co.uk/uploads/xeps-tmp/xep-oauth-client-login.html#nt-idm109 proposed by MattJ and I saw that it depends on RFC 7591, but I have some doubts about that standard.

  144. mimi89999

    With RFC 7591 either you need to find a way for xmpp/email client devs to obtain the _Initial Access Token_ which is just shifting the problem from having xmpp/email clients register their apps with all xmpp/mail providers or you have open registration. If I understand that RFC correctly, a malicious party could set any `client_name` and `logo_uri` making it possible to impersonate any service. What would a Firefox user click if they see the message "Firefox wants to access..." and the Firefox logo?

  145. moparisthebest

    mimi89999: feel free to continue but that's a protoxep currently so it would really be best for you to send this to the mailing list if possible

  146. mimi89999

    How are such attacks prevented?

  147. singpolyma

    mimi89999: yes it's true there's no vetting of the branding by default

  148. singpolyma

    Though hopefully the user knows which app they just came from...

  149. kurisu

    When a client sees a pubsub <item>, that's basically "add or update", right, so the item is to be stored in addition to what the client already has? But then different user avatars as I understand will have different item ids, based on the hash of the image. Thus when changing the avatar, does the client first <retract> the old one?...

  150. kurisu

    oh so like in some cases it may only store the last one... my goodness

  151. kurisu

    I thought my client would cache all the pubsub nodes it knows of but apparently that's the wrong strategy

  152. mimi89999

    singpolyma: What about a scenario where a user receives the message: "Hey, check out that great article: [shortened link]" The user then clicks on the link and sees the message: "To allow Firefox to access your account bob@example.com and associated data, select 'Allow'. Otherwise, select 'Deny'" Or "To allow Conversations to access your account bob@example.com and associated data, select 'Allow'. Otherwise, select 'Deny'" What will the user select?