Gajim - 2023-10-23


  1. Web-4-WAP

    Hello, World!

  2. var

    > var: Uninstall Gajim with 'Bulk Crap Uninstaller'. Then go inside 'Documents and Settings' and inside 'AppData' hidden folder. And from Local and Roaming folders, delete the Gajim Folder and everything inside them.

    I don't see gajim folder anywhere

  3. dryan

    niggerfetus was trolling. He has account on anonym.im. he knows how to change his name.

  4. dryan

    > I've been manually retracting @#$%ery in a room for 15mn now and it's no fun
    >
    > maybe with a warning dialog before the action that tells you how many messages will be retracted

    That would be useful in 1:1 chats also for messages that I,h sent.

  5. dryan

    > I guess that's already been mentioned yesterday. I think that's a pretty bad habit to force users to adopt. Every X months having them ignore a warning because they don't understand it

    pep.: I use that every day for everything I can. I manually save the fingerprint and expiration date for the mail provider, exchanges and so on. Make it configurable like in Conversations. But the guys from Conversations said that the even approach is to adapt channel binding.

  6. dryan

    > I guess that's already been mentioned yesterday. I think that's a pretty bad habit to force users to adopt. Every X months having them ignore a warning because they don't understand it

    pep.: I use that every day for everything I can. I manually save the fingerprint and expiration date for the mail provider, exchanges and so on. Make it configurable like in Conversations. But the guys from Conversations said that the even better approach is to adapt channel binding.

  7. dryan

    > I guess that's already been mentioned yesterday. I think that's a pretty bad habit to force users to adopt. Every X months having them ignore a warning because they don't understand it

    pep.: I use that every day for everything I can. I manually save the fingerprint and expiration date for the mail provider, exchanges and so on. Make it configurable like in Conversations. But the guys from Conversations said that the even better approach is to adopt channel binding.

  8. dryan

    > I guess that's already been mentioned yesterday. I think that's a pretty bad habit to force users to adopt. Every X months having them ignore a warning because they don't understand it

    pep.: I use that every day for everything I can. I manually save the fingerprint and expiration date for the mail provider, exchanges and so on. Make it configurable like in Conversations. But the guys from C said that the even better approach is to adopt channel binding.

  9. bard_

    it's frankly pretty ridiculous that gajim seems to hide the omemo fingerprint for the current device and only show me the other ones... had someone ask me to verify my fingerprint over IRC and I literally don't know how to find it, I only see the ones for my other devices. so am I supposed to get on another device to find out what this device's fingerprint is? insane

  10. bard_

    false alarm, my friend who said my key didn't match was looking at the wrong key(??)

  11. dryan

    > it's frankly pretty ridiculous that gajim seems to hide the omemo fingerprint for the current device and only show me the other ones... had someone ask me to verify my fingerprint over IRC and I literally don't know how to find it, I only see the ones for my other devices. so am I supposed to get on another device to find out what this device's fingerprint is? insane

    bard_: With OMEMO plugin you could see the fingerprint in the plugin menu.

  12. bard_

    aha so multiple issues really were going on at once

  13. bard_

    I see now in the somewhat hidden gear area for the plugin it does show a different fingerprint

  14. bard_

    wow this is extremely confusing and poorly laid out... ugh

  15. Lightning Bjornsson (they, he, xe/hir)

    this is what happens when you overhaul the macro UI to comply with the gnome style guide, literally everyone else gets confofe

  16. bard_

    ambiguity about which keys are the contact's device or your device and what's your current machine / maybe hiding current machine's from the list under the shield icon, had to go to the plugin settings

  17. bard_

    yeah I've been saying to people for a while that we really need Gajim but in Qt. if someone is interested in gnomeware, Dino is already there to adequately disappoint

  18. bard_

    while I'm complaining, my messages are getting cut off due to my small window width. I seem to have to scroll horizontally. weird it doesn't just squish the message text in more

  19. bard_

    if I close my roster there's enough space but with it open + the user list on my portrait monitor (1200 px width) it doesn't look great

  20. bard_

    not sure why there's an _ in my name here. somehow xmpp manages to have weird issues that I don't run into with either irc or matrix. maybe I was joined to this room separately from another device at some point and it conflicted

  21. dryan

    bard_: I don't think it is that bad to go to the plugin section to get your device fingerprint

  22. nicoco

    bard_: roster or "chat list"? what version of gajim are you using?

  23. bard_

    well it's bad enough that I had already tried before being told to do so and failed to find it, I had to just look harder when told to look there again

  24. bard_

    I said roster because the bind to toggle is ctrl-r, I don't know what it's called

  25. bard_

    1.7.3

  26. bard_

    guix may be behind

  27. nicoco

    That would be the chat list then yeah.

  28. dryan

    bard_: Upgrade to 1.8.1. Has OMEMO integrated in the program and in the UI I think.

  29. bard_

    not a realistic option for me, but good to know things will be better someday

  30. bard_

    to be clear I don't like staying on old versions, but I also don't like installing things outside my distro's package manager

  31. dryan

    bard_: It is an option. Add stable-backports to your apt. deb https://url stable-backports main

  32. nicoco

    > there's an _ in my name here. somehow xmpp manages to have weird issues that I don't run into with either irc or matrix

    The nickname was probably taken, possibly by another device of yours. I'm not sure you can really connect with several "devices" using the same nick in IRC either. Matrix does not have (semi)anonymous chats so that's one way of solving this complexity, sure. I think (semi)anon chats are a nice XMPP feature.

  33. bard_

    why do you think I'm using debian? lol

  34. bard_

    I already mentioned guix, I'm using guix system

  35. bard_

    it's rolling release, this particular package has simply been neglected for a bit I guess

  36. nicoco

    It's not _that_ old, it's fine. But the development has sure been very active for the past months, and each release has been bringing very sweet improvements.

  37. dryan

    > why do you think I'm using debian? lol
    >
    > I already mentioned guix, I'm using guix system

    Ok. Well, Debian is still the most tested out there. Devuan has no systemd. I see it like the FreeBSD of Linux.

  38. bard_

    > > there's an _ in my name here. somehow xmpp manages to have weird issues that I don't run into with either irc or matrix
    >
    > The nickname was probably taken, possibly by another device of yours. I'm not sure you can really connect with several "devices" using the same nick in IRC either. Matrix does not have (semi)anonymous chats so that's one way of solving this complexity, sure. I think (semi)anon chats are a nice XMPP feature.

    With IRC I have one irssi session in tmux that I can connect to comfortably from my phone or PC. I haven't found a similarly elegant solution for XMPP (profanity is awful). With Matrix the nick collision thing doesn't happen.

  39. dryan

    > why do you think I'm using debian? lol
    >
    > I already mentioned guix, I'm using guix system

    Ok. Well, Debian is still the most tested out there. Devuan has no systemd. I see it like the FreeBSD of Linux. Maybe even OpenBSD. Why? The stable part. Conservatism.

  40. nicoco

    No nick collision in Matrix because not even the concept of semi-anonymous chats indeed. I'm not fond of CLI clients either because I often like to share images. Maybe give poezio a try? Also, there are excellent XMPP<>IRC gateways, which can make "always connected" to an IRC chat even without keeping a persistent tmux session. This is a nice way to have history. Anyway, we're getting a bit off topic. :)

  41. nicoco

    No nick collision in Matrix because there's not even the concept of semi-anonymous chats indeed. I'm not fond of CLI clients because I often like to share images. Maybe give poezio a try? Also, there are excellent XMPP<>IRC gateways, which can make "always connected" to an IRC chat even without keeping a persistent tmux session. This is a nice way to have history. Anyway, we're getting a bit off topic. :)

  42. bard_

    Would be TUI rather than CLI, and profanity is horrible not because it's TUI, but because it pales in comparison to irssi or weechat.

  43. jsv

    > I see it like the FreeBSD of Linux. Maybe even OpenBSD.

    Speaking of those, OpenBSD has gajim 1.8, but on FreeBSD it's still 1.3.3

  44. bard_

    apologies for all the complaints, XMPP is definitely one of those "okay enough if you don't think about it" things and after someone asked me to do the unusual thing of supplying my omemo fingerprint, things started to quickly fall apart.

  45. polarian

    bard_, complaining is not going to make a difference, contribute to it :)

  46. polarian

    or write your own client

  47. polarian

    jsv, seems pretty typical

  48. lovetox

    bard_: the fingerprint window has been redesigned and it solves your problem

  49. lovetox

    Maybe someone can post a screenshot

  50. dryan

    > How would a normal user know what's the right fingerprint for this month?

    Menel: you store the issuer, the date of the renewal and the fingerprint. If the renewal happens sooner, or the issuer changes, then we might have a problem. I personally have another account on which I go and ask about the new fingerprint in the server's public muc. And the response is public for anyone to see.

  51. dryan

    > that being said, obviously this is an option disabled by default

    lovetox: sure.

    > actually gajim had this back in the old days 6-7 years ago

    lovetox: do you know if gajim 1.3.1 has it? If it does, I can go back to that.

  52. dryan

    Menel: actually, a script that automatically checks the website cert against one that is manually downloaded is a great option even at the user level. Saves time.

  53. dryan

    Menel: actually, a script that automatically checks the website cert against one that is locally downloaded is a great option even at the user level. Saves time.

  54. dryan

    Menel: actually, a script that automatically checks the website cert against one that is locally downloaded is a great option even at the user level. Saves time.

  55. dryan

    Menel: actually, a script that automatically checks the website cert against one that is locally downloaded is a great option even at the user level. Saves time.

  56. dryan

    > hm maybe I should start publishing my fingerprints for my services and GPG signing them

    polarian: I love if anybody will do that. But doing it manually every 30 days... And if you do it automatically, defeats the purpose.

  57. dryan

    > hm maybe I should start publishing my fingerprints for my services and GPG signing them

    polarian: I love if anybody will do that. But doing it manually every 30 days it is a pain in the ass. And if you do it automatically, defeats the purpose.

  58. dryan

    If you renew the certs slower, like 6 months, then you got other problems.

  59. bard_

    > bard_, complaining is not going to make a difference, contribute to it :)

    This is wrong, I file issues all the time and it absolutely makes a difference. Semantics, maybe, but QA, bug reports, feedback, etc. is essentially complaining while also being essential. You need people actually using the software and sharing their perspective.

  60. bard_

    > bard_: the fingerprint window has been redesigned and it solves your problem

    Awesome, good to know.

  61. polarian

    > If you renew the certs slower, like 6 months, then you got other problems.

    renewing certs every 6-12 months is not bad either

  62. polarian

    but it does mean if you mess up and your certificate is intercepted, you have a much bigger window before the certificate is renewed

  63. dryan

    > but it does mean if you mess up and your certificate is intercepted, you have a much bigger window before the certificate is renewed

    Very probably if it is targeted like it was in the case of jabber.ru

  64. polarian

    There is nothing you can do in that situation though

  65. polarian

    jabber.ru was wiretapped under legal purposes

  66. Lightning Bjornsson (they, he, xe/hir)

    polarian: That doesn't make it good

  67. polarian

    You can not stop your cloud provider from intercepting your packets, or breaking into your virtual machines

  68. polarian

    they have the physical hardware after all

  69. polarian

    sure you could FDE the virtual machine

  70. Lightning Bjornsson (they, he, xe/hir)

    > polarian wrote:
    > You can not stop your cloud provider from intercepting your packets, or breaking into your virtual machines

    you can't, but that doesn't mean you shouldn't try to detect it.

  71. polarian

    I am not saying you shouldn't try to detect it

  72. polarian

    What I am saying is the situation which you are trying to "patch" here is impossible

  73. polarian

    You put a certain amount of trust in your cloud provider, but your cloud provider is also subject to the law

  74. polarian

    and if they are told to intercept your certificate and MitM you, then they will do that

  75. dryan

    We should go with local hosting?

  76. dryan

    We should go with local hosting? And I say local I mean home. Basement home.

  77. pep.

    Fwiw your ISP can also mitm

  78. dryan

    pep.: your certificates stored on your server ? Server which only you have physical access to?

  79. pep.

    That's not what mitm involves

  80. dryan

    In this case, it does.

  81. pep.

    Another cert can be issued

  82. dryan

    Well never mind. That's why we need tor only servers. Or i2p and so on.

  83. dryan

    Well never mind. That's why we need tor only servers. Or i2p and so on. Until then, every user should try to manually verify the certs.

  84. dryan

    > I don't see gajim folder anywhere

    C:\Users\your user\AppData\ look there for gajim.

  85. dryan

    > I don't see gajim folder anywhere

    var: C:\Users\your user\AppData\[Local Roaming] and look there for gajim. Also inside Documents and Settings.

  86. pep.

    > The nickname was probably taken, possibly by another device of yours.

    In xmpp there's what's called MSN, Multi-Session Nicks. The MUC should be able to merge them as long as it sees you're the same account

  87. dryan

    > I don't see gajim folder anywhere

    var: C:\Users\your user\AppData\[Local Roaming] and look there for gajim. Also inside 'Documents and Settings'.

  88. chud

    > nick per device

    Incredibly idiotic tbh

  89. meson

    chud: Ready to publish your MR? :)

  90. polarian

    > We should go with local hosting? And I say local I mean home. Basement home.

    Go ahead

  91. dryan

    > if I close my roster there's enough space but with it open + the user list on my portrait monitor (1200 px width) it doesn't look great

    Is there a way to change the font size in gajim?

  92. chud

    > chud: Ready to publish your MR? :)

    Probably the day after tomorrow. Been busy with other things

  93. polarian

    I think it might be a good idea to enforce OMEMO by default as well

  94. polarian

    I am pretty sure you can configure it to be on by default, but maybe make it opt out not opt in

  95. polarian

    But at this point it is "how much annoyance can you introduce before the security features become a detriment to users"

  96. cal0pteryx

    polarian: Gajim 1.8.1 added an option to always select omemo by default (opt in). If it works well enough, we could change its default

  97. polarian

    cal0pteryx, that is useful :)

  98. dryan

    > But at this point it is "how much annoyance can you introduce before the security features become a detriment to users"

    In Conversations it is 'On by default'. But you can select 'Always' or 'Off by default'.

  99. polarian

    dryan, yeah that is why I suggested it

  100. polarian

    but conversations (and its forks) tend to be more reliable when it comes to OMEMO

  101. polarian

    gajim sometimes breaks and fails to fetch fingerprints

  102. dryan

    I'm on an older version with the OMEMO plugin. OMEMO is off by default for every chat. But it does not bother me. I verify the fingerprint then I enable it. I'm happy.

  103. polarian

    dryan, the issue is the average user is not going to do that

  104. polarian

    The biggest thing which is holding XMPP back is the fact that only those tech savvy enough are able to use it

  105. polarian

    Conversations helps a lot, it is very abstracted and makes XMPP easy to use, but it still has a long way to go

  106. polarian

    The average person doesn't want to deal with end to end encryption setup etc, if you give them a choice between whatsapp or XMPP, where whatsapp is "automatic" and XMPP isn't... which do you think they will pick?

  107. dryan

    > I'm on an older version with the OMEMO plugin. OMEMO is off by default for every chat. But it does not bother me. I verify the fingerprint then I enable it. I'm happy.

    That's because it is built by tech savvy people. This is why GNOME hired as CEO the shaman lady. She is not tech at all and she has artistic background. That's what all those projects need. Jobs was so successful. He wasn't technical. He was just artistic.

  108. dryan

    > The average person doesn't want to deal with end to end encryption setup etc, if you give them a choice between whatsapp or XMPP, where whatsapp is "automatic" and XMPP isn't... which do you think they will pick?

    XMPP still has the problem of PFS when OMEMO is enabled. You can't decrypt older messages on new devices.

  109. dryan

    Some user suggested that we should have an option for Automatic Trust Management for new devices.

  110. cal0pteryx

    That's a feature, but yes, account migration including messages should be a thing

  111. dryan

    > Some user suggested that we should have an option for Automatic Trust Management for new devices.

    Something like, I have a trusted device already and I am able to mark other devices as trusted.

  112. dryan

    And the new device will be automatically verified for others.

  113. dryan

    And PFS will be activated only if you lost access to all devices.

  114. polarian

    > That's because it is built by tech savvy people. This is why GNOME hired as CEO the shaman lady. She is not tech at all and she has artistic background. That's what all those projects need. Jobs was so successful. He wasn't technical. He was just artistic.

    But the issue with gnome is they have gone too much into the user experience that they have forgotten about well designed software.

  115. polarian

    You need to remain central, you can not go too far off into making something look and feel good, but you can not go all out of features and make something extremely difficult to use.

  116. dryan

    That's why open source or free/libre projects fail. We need security experts, we need artistic people, we need technical people and all of those people need social skills.

  117. dryan

    And marketing experts. free projects don't even know how to ask for donations.

  118. dryan

    Why are people so afraid of saying 'We are working very hard, night and day to develop this software. We will be happy if you will make a donation. We will not get rich but be able to survive to work on this'

  119. dryan

    Sorry cuz I got offtopic.

  120. polarian

    > XMPP still has the problem of PFS when OMEMO is enabled. You can't decrypt older messages on new devices.

    This is a good thing

  121. chud

    > That's because it is built by tech savvy people. This is why GNOME hired as CEO the shaman lady. She is not tech at all and she has artistic background. That's what all those projects need. Jobs was so successful. He wasn't technical. He was just artistic.

    ... And gnome literally went to shit

  122. dryan

    > > XMPP still has the problem of PFS when OMEMO is enabled. You can't decrypt older messages on new devices.
    >
    > This is a good thing

    For me it's amazing. I even disable archiving for the contacts. But for Whatsapp users, it's inconvenient.

  123. polarian

    > ... And gnome literally went to shit

    well I am pretty sure it is still the most widely used desktop environment

  124. polarian

    But it has become very resource intensive, and definitely feels like it is appealing to the windows users

  125. polarian

    trying to do everything graphically, trying to make everything eye candy

  126. polarian

    > For me it's amazing. I even disable archiving for the contacts. But for Whatsapp users, it's inconvenient.

    Something which I do not think is pointed out enough, is do you actually go back over your chat histories and check what you spoke about? For most people it is extremely rare, instead over the course of the year you rack up tons of storage usage storing messages and http downloads which you will most likely never go back over again.

  127. polarian

    I periodically clear my stored messages and http uploads (and end up breaking the client a lot of the time) :P

  128. polarian

    Gajim doesn't like you poking about its storage path

  129. polarian

    https://dev.gajim.org/gajim/gajim/-/issues/11640

  130. polarian

    nicoco, is it a good idea to add http previews though?

  131. cal0pteryx

    polarian: please read the link I attached to that issue. It has been discussed

  132. polarian

    I read it :)

  133. polarian

    not a single solution seems to be a good idea though...

  134. polarian

    sender side could open up malicious intent, server side would require protocol change and also would increase the bandwidth use of server daemons, and client side would expose the client location/IP address... so is the issue still going ahead or is it just stagnated?

  135. dryan

    > https://dev.gajim.org/gajim/gajim/-/issues/11640
    >
    > nicoco, is it a good idea to add http previews though?

    I disable that feature on every client I use. Even if the sender is generating the previews, most of the time can be a security issue. But again. If we talk about average Joe, it is something nice to have.

  136. dryan

    It's a good idea.

  137. dryan

    But it must be an opt out option for every client.

  138. cal0pteryx

    Surely it would have an option to disable it. But yes, it is a feature many people want. And sender side generated previews seem to be the best way forward. But nobody is working on this, and it's not a priority at the moment.

  139. polarian

    > Surely it would have an option to disable it. But yes, it is a feature many people want. And sender side generated previews seem to be the best way forward. But nobody is working on this, and it's not a priority at the moment.

    But that could be a problem couldn't it... sender side could send a link and make its preview look legitimate but then it be a virus or something... A lot of people click first and think later...

  140. Menel

    You can already just share the virus and people click it.

  141. cal0pteryx

    That's not a valid point for me. It's about the best of 3

  142. cal0pteryx

    And yes, if you don't trust people, don't click links

  143. cal0pteryx

    social engineering cannot be prevented

  144. polarian

    Will it be enabled by default or disabled by default?

  145. cal0pteryx

    polarian, somebody opened an issue on our gitlab. nothing more happened until now. there is no plan yet

  146. polarian

    > polarian, somebody opened an issue on our gitlab. nothing more happened until now. there is no plan yet

    I guess I am asking questions too soon :P

  147. nicoco

    I'm not sure how a title and description could be a security issue if the URL can be checked before opening? I can see why thumbnails could be a security issue but not more than previewing images inline which gajim allows anyway. Since a lot of us mostly use XMPP to chat with friends and family, I wouldn't even mind recipient-generated previews in a lot of my chats. I am going to open the URLs anyway. But as cal0pteryx said, nobody's working on implementation AFAIK. I opened the issue because someone mentioned it here, and I knew Cheogram has started work about it, so I thought it was important to have their work referenced somewhere easily discoverable. It would be a pity if different XMPP clients implemented different protocols IMHO.

  148. cal0pteryx

    nicoco, 👍

  149. chud

    > But it has become very resource intensive, and definitely feels like it is appealing to the windows users

    No. It's too foreign for them and frankly inconvenient for anyone

  150. dryan

    > I can see why thumbnails could be a security issue but not more than previewing images inline which gajim allows anyway.

    - In Conversations I have disabled the autodownload feature. It shows me with text if it is a picture or a video or something else, but I have to click download for inline preview.
    - In gajim you could only disable files preview completely. But it is good that you can keep it for private chats.

  151. dryan

    > I can see why thumbnails could be a security issue but not more than previewing images inline which gajim allows anyway.

    - In Conversations I have disabled the autodownload feature. It shows me with text if it is a picture or a video or something else, but I have to click download for inline preview.
    - In gajim you could only disable files preview completely. But it is good that you can keep it only for private chat and disable it for mucs, nicoco. But again, I don't think this is such a big priority. Thank you very much.

  152. dryan

    > I can see why thumbnails could be a security issue but not more than previewing images inline which gajim allows anyway.

    - In Conversations I have disabled the autodownload feature. It shows me with text if it is a picture or a video or something else, but I have to click download for inline preview.
    - In gajim you could only disable files preview completely. But it is good that you can keep it only for private chat and disable it for mucs, nicoco. Anyway, I don't think this is a priority. Thank you very much.

  153. dryan

    > I can see why thumbnails could be a security issue but not more than previewing images inline which gajim allows anyway.

    - In Conversations I have disabled the autodownload feature. It shows me with text if it is a picture or a video or something else, but I have to click download for inline preview.
    - In gajim you could only disable files preview completely. But it is good that you can keep it only for private chats and disable it for mucs, nicoco. Anyway, I don't think this is a priority. Thank you very much.

  154. dryan

    > I can see why thumbnails could be a security issue but not more than previewing images inline which gajim allows anyway.

    - In Conversations I have disabled the autodownload feature. It shows me with text if it is a picture or a video or something else, but I have to click download for inline preview.
    - In gajim you could only disable files preview completely. But it is good that you can keep it only for private chats and disable it for mucs, nicoco.
    - Anyway, I don't think this is a priority.
    - Thank you very much.

  155. dryan

  156. dryan

    What does gajim use for files download?

  157. cal0pteryx

    dryan, why do you ask?

  158. dryan

    What does gajim use for file download when preview files?

  159. cal0pteryx

    libsoup

  160. dryan

    What does gajim use for file download when files preview are activated?

  161. cal0pteryx

    dryan, please read my answer. you asked three times already

  162. cal0pteryx

    gajim uses libsoup for HTTP downloads

  163. dryan

    I have asked only once. But corrected the message.

  164. dryan

    What does gajim use for file download when 'file preview' is activated?

  165. cal0pteryx

    dryan, please stop correcting your message then :)

  166. dryan

    cal0pteryx, I don't get 😂️ but ok!

  167. cal0pteryx

    dryan, your "corrections" appear as new messages (at least for me)

  168. dryan

    > I don't get *it*, but ok.
    >
    > dryan, your "corrections" appear as new messages (at least for me)

    I use gajim on desktop and C on mobile. I have corrected the message on C and on my version of Gajim does not appear more than once.

  169. dryan

    > What does gajim use for file download when 'file preview' is activated?

    *Could anyone please confirm? Did you see that message more than once?*

  170. MSavoritias (fae,ve)

    I did

  171. MSavoritias (fae,ve)

    On cheogram

  172. Menel

    It depends on the receiving client, if there was any network interruption between the original and the edit, it will show as separate. That's not a bug and nothing new. In public groups edits often show like new messages for that reason

  173. dryan

    > I did
    >
    > I did

    MSavoritias (fae,ve), Thank you. Probably I will stop using the feature.

  174. dryan

    Menel, All right.

  175. Menel

    Also for every client not online while edit or original was sent it will show as new message too

  176. Menel

    Because you can't be 100% sure it is the same user from the client perspective in anonymous groups where everyone can use your nick while offline

  177. franck-x

    Hi there, i'm using gajim on my pro computer, for pro and private usage. Since a few days, a man in the middle app has been deployed into our workstations, something called netskope. That means that all requests from apps, system wide, are intercepted and altered to add a netskope tls layer, deciphered and relayed via their servers, and finally returned to me. Now, when i'm connecting to my prosody server via gajim, i can check the server certificate, which is the real one, not a netskope cert. Is that because gajim and prosody are connected via direct tcp or something ? Are my credentials mitm'ed ? I'm worrying mostly for my creds because all my 1:1 chats are under omemo so i'm not too much concerned, even if they got filesystem access and btw they can read my gajim db. Thanks and sry for the text brick

  178. Lightning Bjornsson (they, he, xe/hir)

    You shouldn't do private usage on a known-compromised work computer.

  179. fjklp

    have we considered doing things like typing notifications in a new location above the text input box?

  180. franck-x

    Pro or private, that's not the point. My question is about the ability for someone to sniff my creds and impersonate me, add an omemo key and so on. Even if i know how that we can prevent that client side by asking recipients to disable automatic key approval.

  181. Menel

    If gajim sees your real server cert, I guess it is not intercepted. Maybe they just think about http(s) stuff

  182. cal0pteryx

    fjklp, yes, but jumping text is a no-no

  183. fjklp

    I see that cal0pteryx had the same expectation for chat notification location as me.

  184. franck-x

    It's what i'm thinking too. So http request to prosody should be intercepted, http_file_upload for example.

  185. cal0pteryx

    franck-x, could well be. if encrypted via omemo, this should not be an issue

  186. fjklp

    > fjklp, yes, but jumping text is a no-no

    I completely agree, which is half of my concern about the current implementation. Things moving on the screen in the chat banner and in the chat list are both distracting and kind of undesirable. But if it's limited to the central area of focus, it's probably better. Also, I don't expect dynamic information such as typing notifications to display in the chat banner, much better to be above the text input area. As for the "text bumping", I would definitely be against that. I would instead suggest a permanent element for things like typing notifications and maybe other things I can't think of right now. Think maybe a single text row above the text input field.

  187. fjklp

    Also, typing notifications are more useful if I see them. I'm more likely to focus on the bottom half of the screen, not the chat banner area.

  188. polarian

    No gajim release in a while 👀 Is the next one going to be a big one... I have seen commits to the repository so you must be working on something \o/

  189. franck-x

    cal0pteryx: even with omemo: if i'm not wrong when mitm'ed the url#secretkey is catched, so file could be retrieved and decrypted

  190. dryan

    franck-x, The secret keys are never sent online. Each device secret key is stored only on that device. If you verified the OMEMO keys of your contacts ( marked the key as 'verified' ) then

  191. Menel

    No franck-x, the part about # is not sent

  192. Menel

    That part is only sent online via omemo xmpp

  193. franck-x

    (I was talking about file uri encrypted via omemo)

  194. Menel

    Your HTTP upload path and the #key are transmitted behind tls, behind omemo to your contact

  195. Menel

    I don't know what you mean with cached. But it is behind transport encryption and behind end to end encryption, so no simple way to mitm it

  196. dryan

    franck-x,

    *#nobody_can_read_your_new_messages*
    > The OMEMO secret keys are never sent online. Each device secret key is stored only on that device. If you have verified the OMEMO keys of your contacts ( marked the key as 'verified' ) then .. then 'Blind Trust' is deactivated for those verified contacts. So even if you make your password public, nobody is able to read the messages that you send to those verified contacts. And vice versa if those contacts have verified your OMEMO keys.

    *#about_old_messages*
    PFS, Perfect Forward Secrecy, means that the old messages can't be decrypted on new devices ( with new OMEMO keys). If some mitm knows your password and connects to your account, he can't read your old messages.

    *#about_e2ee_url_files*
    When you send someone a file, before it is uploaded to the server, your client encrypts that file. The password of the file is stored inside the URL. Then the URL is only sent to the other contact, via OMEMO end to end encryption. Nobody can see that message. Even those who know your password. So nobody can decrypt your files.

  197. franck-x

    Oh got it ! Thx mates

  198. franck-x

    I thought the full url was requested. Downloaded encrypted, and decrypted locally via secret key encrypted via omemo. Got it.

  199. dryan

    > I thought the full url was requested. Downloaded encrypted, and decrypted locally via secret key encrypted via omemo. Got it.

    Exactly.

  200. dryan

    franck-x, What somebody who knows your passwords can do:
    - impersonate you in public channels (mucs).
    - read your 'secret messages' from public channels (mucs).
    - see the list of your contacts. ( But if you disable 'server archiving' he can't get the list of your contacts. *Keep in mind that this is also available for you. So if your current device breaks, then you lose your contacts* )
    - He can send messages to those contacts. But your contacts can see the new device as untrusted. ( But again, if you have the server archiving disabled, the mitm can't get your contact list. )

  201. dryan

    What somebody who knows your *password* can do:

  202. franck-x

    👌

  203. dryan

    franck-x, Also, disabling the 'server archive' can make it inconvenient if you have multiple devices for one contact. You can't sync old messages on multiple devices without the 'server archive'

  204. dryan

    > franck-x, Also, disabling the 'server archive' can make it inconvenient if you have multiple devices for one *account*. You can't sync old messages on multiple devices without the 'server archive'

  205. franck-x

    Obviously, not usable in real world situation, especially on muc

  206. dryan

    You can see the old messages on public mucs with multiple devices without the archive. But you won't be able to see old messages in private mucs with multiple devices without the archive.

  207. cal0pteryx

    disabling "server archive" does not prevent gajim from synchronizing your roster with the server. the roster (i.e. your contact list) is always synchronized with your server

  208. cal0pteryx

    disabling "message archive management (MAM)" would prevent the server from storing messages for you (which would have various side-effects, which you normally do not want)

  209. fjklp

    here I am waiting for someone to finish typing, my eyes are going back and forth between the top of the screen, at the typing notification, and the bottom of the screen, for a new message. Not comfortable.

  210. fjklp

    here I am waiting for someone to finish typing, my eyes are going back and forth between the top of the screen, at the typing notification, and the bottom of the screen, for a new message. Not comfortable. Pretty awkward.

  211. fjklp

    (this is meant as constructive criticism/feedback)

  212. dryan

    fjklp, On gajim?

  213. dryan

    > contact list is always synchronized with your server

    cal0pteryx, I didn't know that!

  214. Menel

    Disable typing indication altogether, makes everything calmer and better

  215. fjklp

    > fjklp, On gajim?

    yes, it's a new feature not yet in a release

  216. fjklp

    > Disable typing indication altogether, makes everything calmer and better

    Thanks for reminding me of this option. I might do that in the end. Though, I still stand by my criticisms. It looks like this has to be done in the ACE presently.

  217. bot

    Daniel Brötzmann pushed 1 commit to branch _refs/heads/master_ of _gajim_ < https://dev.gajim.org/gajim/gajim >: *78315d84* < https://dev.gajim.org/gajim/gajim/-/commit/78315d84de5db2148db30126ff837ea6f4adb8a2 > fix: SynchronizeAccounts: Adapt to connection state changes Fixes #11650 and #11651

  218. dryan

    > Daniel Brötzmann pushed 1 commit to branch _refs/heads/master_ of _gajim_ < https://dev.gajim.org/gajim/gajim >:
    >
    > *78315d84* < https://dev.gajim.org/gajim/gajim/-/commit/78315d84de5db2148db30126ff837ea6f4adb8a2 >
    > fix: SynchronizeAccounts: Adapt to connection state changes
    >
    > Fixes #11650 and #11651

    My older version of Gajim 1.3.1, still worked if my net would go down for some time. This new version (1.5) does not work.

  219. dryan

    I know I can use gajim-remote.

  220. cal0pteryx

    dryan: if you have issues with Gajim, please report them including a debug log. It does not help if you're saying "it worked better before"

  221. dryan

    I think it's a normal behaviour. I know I can use gajim-remote for connection state adaptation. But on the older version of gajim, it worked without it.

  222. cal0pteryx

    ... without a proper issue description, there is nothing we could improve

  223. goran

    Is it possible to add a STUN server address?

  224. lovetox

    no

  225. goran

    That makes it harder to reach people behind a router.

  226. goran

    Is there a reason why no STUN is possible?

  227. lovetox

    because nobody implemented it

  228. dryan

    https://share.conversations.im/dryan89/tFJgkPPTTToZGQRW/picture.jpg

  229. dryan

    I know it is a stupid question, but I swear a few days ago I saw there a button to remove chat history. I can't seem to find it anywhere. gajim 1.5.1 (1.4.7 backport on devuan chimaera [debian bullseye])

  230. dryan

    > ... without a proper issue description, there is nothing we could improve

    cal0pteryx, I was the issue. Sorry to waste your time.

    > I know it is a stupid question, but I swear a few days ago I saw there a button to remove chat history. I can't seem to find it anywhere. gajim 1.5.1 (1.4.7 backport on devuan chimaera [debian bullseye])

    Never mind. Don't waste time with this. I will roll back to 1.3.1 or something else.

  231. lissine

    roll forward to 1.8.x

  232. dryan

    Guys, I hope I'm not too off-topic.

  233. dryan

    *#verifiable_identiy_in_public_mucs* https://conference.gajim.org:5281/pastebin/72c6360a-ef21-4903-a134-b634c76cbe47

  234. dryan

    *#verifiable_identiy_in_public_mucs* https://conference.gajim.org:5281/pastebin/b9fb3add-2c36-4ddd-9928-c4b888ff13e8

  235. fjklp

    Looks like show_chatstate_in_banner in the ACE does not affect typing notifications in the chat banner in MUCs. Is it not possible to deactivate these notifications?

  236. lovetox

    the commit was done yesterday

  237. lovetox

    you need to check what you are running

  238. fjklp

    gitlab says merged 2 days ago

  239. fjklp

    gitlab says merged 2 days ago. I'm running 20231022-1