Cake day: Apr 12, 2022


heh I didn’t know this made it here. Unfortunately there isn’t much progress at the time as I moved to another project, but I will come back to it in time.

Good to see alternatives to libpurple!

Poezio still supports OTR, and also supports OMEMO mostly[1].

To be honest I’m also not entirely sure why OTR was dropped. At the time when OMEMO was introduced it may have had a better crypto mechanism (based on Signal’s) but OTR has caught up with this not so long after.

One common argument I hear against OTR is that it is transport-agnostic, and this prevents features from being used and included in the encryption. But the same argument that OMEMO (0.3) prevents features from being used and included in the encryption could have been made when it was first adopted, and it is still the case today while nobody implements the latest spec version (0.8). Hopefully this should change soon.

Note that being transport-agnostic is also an argument in favor for some use-cases, such as gateways. Plug in your OTR addon of choice and chat across various bridges. Otherwise both sides of the bridge need to agree on a common encryption mechanism and a serialization format. I’m not sure there is any other use-case where this (being transport-agnostic) is actually useful though.

  1. UI and trust management aren’t there, but one can send and receive

I doubt they’ve “done” anything to GitHub. GitHub has done that to themselves by buying into capitalism, being a centralized platform, etc. I’m not sure what else people expected of it.

To me it’s just a confirmation that accumulation of wealth is not something to wish for. One person – or a small group of people – shouldn’t be able to make this kind of decision on their own.

Very little if not nothing changes for Twitter. They’re losing a marginal amount of users, just like every time there’s a scandal around Facebook, some people leave, but the vast majority stays and they still benefit from network effect and will do for the foreseeable future.

I’m trying not to be pessimistic but it’s not an easy exercise.

Still getting used to this type of medium, but it looks ok. I guess we’re missing users now :)

I’m wondering what to do with other languages? I’d like not to shut down attempts at creating language-specific communities. Is this something that we want to manage on this instance?

Is there a place somewhat obvious to see user activity as an admin? I haven’t seen it at all, just got warned on the channel. I can see lots of activity in the modlog for sure!

I reworked the original ProtoXEP that had been refused. Slightly changed goals as well. You can see requirements are different. This should all be explained in 'Security considerations' and 'Design considerations'!

As pointed out on different channels by various people, the issue here is the maintenance burden of such lists. If it’s not automated it’s quickly going to be out-of-date (and it has been the case already for some servers at the time of publication). It may be a goal of theirs but it’s just not there yet, not sure. Not everything is automatable also. I guess operators can join the effort of updating it if they’re interested in it.

I think diversity in this kind of list is necessary. There is no universal solution, there can’t be a single set of criteria. I wish for JoinJabber to get its own list at some point (that I don’t think should be exposed to users though, as opposed to this one).

Poezio 0.14 release!
Releases for poezio 0.14, slixmpp 1.8.2, poezio-omemo 0.6.0 and slixmpp-omemo 0.7.0!

One thing I like very much about this is the links below the short block of text to whoever can act on this. While we find out what we’re gonna put as CoC, we should probably work out who can do anything about it. Admins? a specific team? appointed by who? who can replace them? Can they dismiss any admins? etc.

In JoinJabber we’re not afraid to use the P(olitics) word, does that make us behind the line? :)

to InfoSec: What's your threat model?

I agree this would be nice. I’ve also been wanting something like this à la OAuth scopes.

to InfoSec: What's your threat model?

I started writing an answer here yesterday, and I decided to write an article instead: https://bouah.net/2022/04/an-overview-of-my-threat-model/

Having a baseline document to refer to is definitely something I’d be in favour of. There are many examples of CoCs around that we can reuse/adapt to our use-case :)

Thanks for posting it! Feedback appreciated indeed :)

What’s your threat model?
As a user, what kind of protection do you expect? Who/What are you trying to protect against? What implementation (client/server/something else?) allows you to do this? What would be missing?

Hello JoinJabber!
Hi all! I created the community, have fun!