Modern XMPP project discussion - 2021-08-31

southerntofu, no, it's not in there.

southerntofu: the hosting stuff isn't open-source (currently?). Not against it in principle being public some day, but it's of negligible value to most people.

not to the ones who want to host ;)

i actually built a small hosting company almost a decade ago, and our infra config/automation code is now like 25% of all our code. now i'm building a co-op that will also offer hosting, and we're having the infra code be open source from the start. still difficult to know how to set it all up yourself, but at least you can find out how the various systems and services are installed and configured in theory: https://gitea.kosmos.org/kosmos/chef

hoping that we can maybe turn some of it into an omnibus installer for people that want to self-host

https://github.com/chef/omnibus

raucao: self-hosting Snikket is super easy, and that's a primary goal of the project

Mass hosting of Snikket instances is not a primary goal of the project

yeah, that makes sense! ✏

that's good

but many people need hosted solutions, because they don't have someone in the family to set up their own servers

so i'm sure you'll get quite some interest for that, too

i wish one of the gazillion "easy open-source home server" solutiions had gained massive traction and good enough UX, for people to be able to just buy one, plug it in, and go. alas, registering a domain is already a massive hurdle. or even chosing a domain name

Yep. People who aren't able to self-host are the least likely to want to go browsing source code 🙂

yes, but people who want to host for others, and browse source code for how others do it, usually don't have much to browse

(not arguing that it's necessary for snikket code. just sharing information)

(and hoping that others also share more details of their hosting configurations)

There is a lot of responsibility in hosting a service for others. The software stack is just one small part of it, it's not something you would ever just be able to set up and move on (I'm sure you know this already)

yes, of course

as i said, i'm running a hosting company for nearly a decade now

If someone is really interested in that, they can certainly talk to me, it doesn't mean the code has to necessarily be public

When I first started coding, I amassed so many projects on my hard drive that never saw daylight. I started participating in open-source and it was amazing, and I realised I could just publish stuff I wrote online and it would gain a whole new life.

Now, years later, I've realised it's not that simple. Lots of stuff I published was stuff I had a personal use for, it was adapted to my needs and not the needs of others.

The stuff I published with the expectation of having no strings attached ended up a growing burden, as people expected me to maintain it, package it, merge patches they sent me

I would like to enter into such a "contract" with society when I feel there is value in it, and I feel comfortable taking on that burden

.. provide top-notch five-nines hosting for it

But > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED [...]

i don't think anything published needs to fulfill the needs of others directly, or be maintained for them. if the README doesn't invite anyone to use it, then i consider it merely shared knowledge, not a shared product

That's not how other people seem to think tho

If only everyone else shared that view 🙂

i like the MIT license for being unequivocal about that, too :)

I've had some horrible emails over the years

I almost took all my personal projects offline a couple of times

ouch

sad to hear

some people exhibit horrible behavior

> some people exhibit horrible behavior humanity in a nutshell. 😀

Sometimes you need a crisis and see people helping each other to not completely lose faith in humanity.

“humanity in a nutshell” < Let's not forget the opposite is also true, it's not all bad :)

raucao, agree with your analysis, but you should probably be aware of yunohost/freedombox who are gaining many non-technical users in the past years (including non-profits/coops) especially yunohost

yes, i am aware, of course

good to hear they're gaining users. freedombox seemed pretty much dead for the longest time

yunohost is more for VMs than home servers, no? or is it also easy to install on a raspi at home?

raucao, i don't follow development closely, but last i checked that's because they had setup a crazy-precise testing system to make sure stuff that's packaged is never broken, so it took a lot of time to package anything... while yunohost went the other way :)

Actual modern XMPP question: How should offline messages work these days? How should it interact with MAM?

oh no yunohost is perfect at home! many local ISPs/hackerspaces in france (and belgium) distribute yunohost with ODroid boards

ooh, nice

the early days was a bit rough, especially with SD cards having such limited life, but now there's borg apps on yunohost to automate backups to/from your friends

Zash, is tere other mechanisms than MAM for offline messages?

There's offline storage, which predates MAM

Only really captures messages received while the user is completely offline.

raucao, feel free to join xmpp:co-op@mellium.chat?join to discuss cooperative concerns

(hah! I'm not the only one using the apex to host MUCs)

(I mean, and dino)

of course! it's a feature, for collective spaces :)

same here, also using .chat for MUC

Zash: I think as a first step, offline messages should not be sent to clients that request MAM

Later, clients that do bind 2.0

You can't know when a client will request MAM though right?

Poezio doesn't request MAM directly after binding for example

We request when necessary (open tabs)

Aren't offline messages sent directly after binding?

Race condition it is then

No, after initial presence

Ok, vaguely the same

(concerning poezio)

Could base it on disco#info caps...

Clients likely don't advertise MAM, right?

(Yet)

Doesn't mean they'll do MAM for whatever you expect

Maybe have them advertize "no-offline-message"

Yeah, something like that would work

But bind2 is only a tiny bit extra effort 🙂

Is that the thing that'll allow me to finally request a password change

pre-initial presence MAM would likely be good enough until then

pep., no that's ... SASL2? or is it IBR2?

AOTA2 (all of the above)

But isn't bind2 a requirement or something for sasl2?

I should get back into all of this someday

It's not afaik

I don't have AOTA2 swapped in atm

They could be anywhere from vague ideas to almost implementable.

hmm

But obviously the Really Modern thing would be to stuff it into the TLS ClientHello message!!1/s

but client hello isn't encrypted!!k

yes it is!

or is it?

I don't think it is

totally secure!

https://datatracker.ietf.org/doc/draft-ietf-tls-esni/ but it will be?

that's only encrypting SNI, not the entire client hello, is it?

> TLS Encrypted Client Hello - draft-ietf-tls-esni-13

Naming things...

It seems to have evolved from ESNI tho

Encrypting an encryption handshake?

Starting with "Thou shalt do DANE"?

No

DNS over Cloudflare

Ah that

I'm assuming it'll use the new everything-you-need record type, SVCB

/mute sadness

... or the variant called HTTPS