Gajim - 2023-10-24

dryan: u wanna sign ur messages with pgp?

umu: do you have an ideea?

wym

ig u can just do inline for now if you'd like

> wym umu: *#verifiable_identiy_in_public_mucs* In case someone is trying to impersonate you *IN A PUBLIC MUC* -aka MITM ( like in the case of jabber.ru ) -or malicious admin -or somebody who stoled/knows the password of your xmpp account ✏

*#how* I wish I attach to this account a PGP public key. And change my name to: *[key id] dryan* or something like that, where *key id = last 8 digits of the PGP public key fingerprint*

This way, if I chat a lot, people could recognize it ( I hope ). So, if someone somehow gets my password and tries to impersonate me in a public MUC, he can't demonstrate that is me. -If he says something funny, he is unable to sign that message with my public key at someones request. -If he is trying to change the PGP key, he will need to also change the "key id" at the nickname. And people will notice ( Again. I hope. ).

*#question* When I create the gnupg key pair, it asks me for "name, email, etc". Should I put my xmpp account, ex: dryan@xmpp.com ? Is it a good ideea to keep my xmpp address private?

why not just every day ur online set an account canary comment in ur vcard signing the time and the btc block #

in gajim

umu: I have to understand the method. And your slang 😂 Someone else suggested https://xmpp-util.keyoxide.org/ is one suggestion

https://www.digitalocean.com/community/tutorials/how-to-use-gpg-to-encrypt-and-sign-messages

umu: you suggest to sign a message and put in the comments every day? A bit of pain in the ass. ✏

umu: you suggest to sign a message and put in the comments every day? A bit of pain in the ass. And does not prevent someone to impersonate me latter in the day. ✏

umu: you suggest to sign a message and put in the comments every day? A bit of pain in the ass. And does not prevent someone from impersonating me latter in the day. ✏

umu: you suggest to sign a message and put in the comments every day? A bit of pain in the ass. And does not prevent someone from impersonating me latter in the day. And I don't think anyone will verifiy that signed message every day. ✏

Omemo already signs messages. You dont have to use a different encryption to sign messages.

what might cause corrected messages to display as separate messages instead of replacing the original?

gajim is constantly consuming 10-15% of my CPU even when idle

no log activity, no xml log activity

mrdoctorwho: are there any chats that are in a reconnecting state where the chat row in the chat list to the left shows the rotating icon?

fjklp, yes

stop those and check cpu usage

yes, it helped

thanks fjklp

you're welcome, I've run into that myself

fjklp, did you report it?

I have in this chat

I think it's just one of those things where the only thing that could reduce cpu usage is eliminating the animation

For how long does gajim run on python?

I don't know what my opinion is on these things. Maybe a static "connecting" icon would be better?

I doubt that a CSS animation causes 15% cpu

dryan: 19 years

> I doubt that a CSS animation causes 15% cpu it does something close to that for me. I believe over 10%. No, it's not an ancient or slow cpu. ✏

Modern CPUs can go down to very low frequencies, mine for instance can stay at 400 MHz when in idle, in that case 15% isn’t that much.

They can also go much higher, mine turbos to 3.6 GHz.

Link Mauve, that's not the case

mrdoctorwho, what frequency is yours?

Honestly, I have no idea how monitoring tools like htop or gnome-system-monitor calculate cpu percent used. Are they counting percentage against current frequency or max frequency?

mrdoctorwho, also you can run `perf top -p $(pidof gajim)` to get a feeling of where that CPU time is spent.

fjklp, against current of course.

that's not at all my intuition

Also they only report what the kernel reports.

That’s why profiling usually counts in cycles, not in percentage of usage.

that kind of makes the percent numbers meaningless

but

cpu regulates itself

Indeed, they have been meaningless ever since the first CPUs with frequency scaling.

depends on it's state

if it's overheated the capacity is reduced

so it works from both ends

Still a good indicator if e.g. you have one core used at 100%, you know there is either a long computation going on, or an infinite loop of some kind.

can someone summarize how these tools do or can measure this? ✏

Link Mauve, I'm sure my cpu was not running at 400MHz as it was used by other applications. I can't reproduce the problem now, but if I see it, I'll see which core that was and what frequency it was at

umu, when writing software, one of the goals is to not overheat anything, to maximise battery usage, to minimise power consumption, etc.

whhhaa

why would it overheat when writing software?

fjklp, I’m not well-versed in the details, but some tools (like valgrind) will run the program in a simulator, keeping track of every single instruction, this is obviously quite costly.

Some tools (like perf) use a stochastic approach, where they will poll hardware counters at regular interval to estimate how much time is spent where.

Some tools (like cProfile) will instrument the code, adding overhead at the beginning and end of each function in order to obtain informations about it.

Which one(s) you use depends on which particular areas you are interested in, which language the program you’re profiling is written in, etc.

umu, I mean you write the software hoping that it will not cause those issues on the users’ computers.

wouldn't the CPU handle that tho?

the not overheating part

Many developers don’t take those into account, this creates software which is less efficient for every user.

umu, sure, at worst your computer will shut down instead of destroying itself, but unless the software you are using is a scientific program which uses as much computation as possible, it’s generally expected that you don’t overheat anything.

Even (good) video games try to avoid overheating anything, so that it continues running correctly during a long period of time.

hi

Hi dashabi, welcome here. :)

> Many developers don’t take those into account, this creates software which is less efficient for every user. In this context I'd like to mention the > FOSS Energy Efficiency Project and the > Blauer Engel For FOSS (BE4FOSS) certification of the German Environment Agency, which together aim to enhance the efficiency of software in order to reduce the energy consumption of the system: https://eco.kde.org/de/#feep ✏

gajim support o memo and it is safe

what about otr

Otr is obsolete

(sigh) I guess this “dashabi” is another Chinese who still persists OTR.

☭Mike Yellow, how rude

rudeness is the meaning of "da shabi" in chinese, i'm right Mike ?

Please, talk in private messages.

MSavoritias (fae,ve), not exactly, it is still used for rigidly anonymous clients (such as coyim)

OMEMO is now preferred for every day use

but OTR is still useful for a one off conversation which you never want to be seen

no its not

cryptography has moved on

if you want to see metadata resistant protection i reccomend reading the bramble protocol from briar

it will give you a sense where we are currently in cryptography.

that and signal stuff of course

MSavoritias (fae,ve), well tell other clients to catch up then if you want to be a twat about it

I think you forget the complexity of implementing secure encryption algorithms

some XMPP clients support no E2E encryption at all

every xmpp app i have come across has caught up so no idea what you are talking about

Spark doesn't have any encryption

and I am pretty sure Coyim still uses OTR

i feel like we are getting ot here. and these seem like clients that need to be updated. especially since they dont have a doap file to be added to the xmpp.org site

It is possible to look for https://dev.gajim.org/gajim/python-nbxmpp/-/issues/128? Thanks in advance

ah

channel bindings has been coming up a ton in the XMPP community since the MitM

but channel bindings is designed to prevent authentication credentials being yanked and reused

also

channel bindings require a large amount of time and developer effort, other XMPP software has stated to implement it they would need a full time developer to do so

Maybe its different for gajim, but thats what I have heard

rr

MSavoritias (fae,ve), I assume, OTR might still come handy, if you like to communicate encrypted with IRC users over Biboumi.

ah there yeah probably it does. i wonder how many actually do that nowadays though. with choices like jami, briar and i2pbote even. i hope at least.

Hello ! I have Gajim 1.8.1. Since some time, I have a trouble : when I connect, i don't join my room automatically. it say that "i left this room". But I never leave, only close Gajim at the end of the night... There are an option to change this ?

Zatalyz, maybe it's just a question of UX. Technically you do leave everytime you disconnect. Just that maybe it was never shown this way in previous releases

How do you test the flatpak version, is there some trick like pip -e ?

I'm having a hard time getting flatpak-builder to actually "notice" the changes I'm making

Zatalyz, there would be an issue if you had to rejoin manually (by clicking something), but I don't think that's the case, right?

I can join manually, no problem for this

juste it take a long time to click on each room one after the other

Ah so you do have to click?

yes, click and click again :)

Ok that's meh

Zatalyz, do you know whether your bookmarks are set to autojoin?

This sounds like they aren’t.

No. It is not a Conversations bug it seems. I send a pm from Gajim. But the reply is received only on C. I tought that's because I use C and Gajim at the same time. Or because I have the server archive disabled ( sorry Licaon_Kter 😆️ ). But it seems it is a Gajim bug. I can see I'm sending pms. But I can't see those I receive. I have to close the PM windows, and reopen it. And only then the pms seem to appear. Gajim 1.5.1 ( 1.4.7 really debian oldstable backports ), connected over Tor to a clearnet provider.

Link Mauve : I don't know where we see "bookmark" on gajim. Maybe that but where i can fix it ?

> Link Mauve : I don't know where we see "bookmark" on gajim. Maybe that but where i can fix it ? Zatalyz, look on 'Advanced Configuration Editor'. Search there for 'bookmark'. Change some settings and the restart. Don't forget to make a backup.

Zatalyz: this button only appears if the bookmark is not set to autojoin

Zatalyz, I think just joining a room once sets the autojoin to true.

But perhaps not if it’s set to false before? I don’t know.

>> Link Mauve : I don't know where we see "bookmark" on gajim. Maybe that but where i can fix it ? > Zatalyz, look on 'Advanced Configuration Editor'. Search there for 'bookmark'. Change some settings and the restart. Don't forget to make a backup. That is plain wrong. Please don't ↺

Zatalyz, i think your server has a problem storing the bookmark information

you would need to provide debug logs

there is nothing you can do yourself probably

I am on movim :s

ok...

(.eu)

(yes ^^ )

ah no movims bookmarks are broken

the server currently has problems

lovetox, the server does?

they investigate this currently

Isn't it just movim?

Ok so... it is this, I just wait :)

thanks lovetox !

(the client and not the xmpp server, I mean)

i assumed his server is movim.eu

why would he come to gajim chat, and tell us that he uses movim

their*, yes

fyi pep https://github.com/processone/ejabberd/issues/4106

ugh, ok I see

Yes, my account is on movim.eu and I use gajim has client ;)

sorry for noise, as I had updated the computer shortly before seeing this problem, I thought it was my client who was at fault

> No. It is not a Conversations bug it seems. I send a pm from Gajim. But the reply is received only on C. I tought that's because I use C and Gajim at the same time. Or because I have the server archive disabled ( sorry Licaon_Kter 😆️ ). But it seems it is a Gajim bug. > I can see I'm sending pms. But I can't see those I receive. I have to close the PM windows, and reopen it. And only then the pms seem to appear. > Gajim 1.5.1 ( 1.4.7 really debian oldstable backports ), connected over Tor to a clearnet provider. I don't see the PMs I should receive on gajim. I see only those I sent.

> I don't see the PMs I should receive on gajim. I see only those I sent. Should I open an issue?

You didn't mention that you disabled server archiving...

> You didn't mention that you disabled server archiving... Or because I have the server archive I did. But I did some tests with it enabled and it is the same thing. Thank's that you rememberd me to disable it again.

Oh sorry, it's actually mentioned in the quote that you disabled archiving

lissine And with Conversations, the PMs in *public mucs* work fine without server archiving. On Gajim doesn't work either way.

Philipp Hörist pushed 1 commit to branch _refs/heads/master_ of _python-nbxmpp_ < https://dev.gajim.org/gajim/python-nbxmpp >: *8a87dc77* < https://dev.gajim.org/gajim/python-nbxmpp/-/commit/8a87dc77b3f8ef56aa5deea5a06d1782d7bc237d > refactor: Rewrite channel binding code - Fix some bugs related to XEP-0388 (SASL2)

> refactor: Rewrite channel binding code congrats!

the code is non-functional, its just there in case of GLib supports it some day

Philipp Hörist pushed 1 commit to branch _refs/heads/master_ of _python-nbxmpp_ < https://dev.gajim.org/gajim/python-nbxmpp >: *bf73fcc1* < https://dev.gajim.org/gajim/python-nbxmpp/-/commit/bf73fcc1d7232e4e2039ea688d01a63f93729270 > change: Raise GLib version

lovetox, what is missing in glib?

Is there an issue?

not exactly glib, its the bindings

https://gitlab.gnome.org/GNOME/pygobject/-/issues/603

seems the developer adding channel binding to glib, chose a very rare way to pass the data

one thats not currently supported by the bindings

or broken

Thoughts on simplex claims its better than xmpp and matrix

var, You belive me I was about to ask the same thing?

Apparently its funded by village global

Which is funded by bill gates, Jeff bezos, mark zuck

Well, it is still open source.

AGPL-3. Not open-source. It is free/libre software really.

Daniel Brötzmann pushed 1 commit to branch _refs/heads/master_ of _gajim_ < https://dev.gajim.org/gajim/gajim >: *4fd5f6a0* < https://dev.gajim.org/gajim/gajim/-/commit/4fd5f6a091cf73f8ed10d1a67b0edf4ea1cefc83 > imprv: ChatBanner: Don't show QR code for privated MUCs Fixes #11647

> Well, it is still open source. Open source, decentralized, no identifiers ↺

You connect by sharing a link

But the funding is suspect

It looks amazing. But I don't know how it really works. I'm not that skilled and I don't have the time. I'm way to poor.

lovetox, Thank you for all the great work you do.

> > No. It is not a Conversations bug it seems. I send a pm from Gajim. But the reply is received only on C. I tought that's because I use C and Gajim at the same time. Or because I have the server archive disabled ( sorry Licaon_Kter 😆️ ). But it seems it is a Gajim bug. > > I can see I'm sending pms. But I can't see those I receive. I have to close the PM windows, and reopen it. And only then the pms seem to appear. > > Gajim 1.5.1 ( 1.4.7 really debian oldstable backports ), connected over Tor to a clearnet provider. > I don't see the PMs I should receive on gajim. I see only those I sent. > > You didn't mention that you disabled server archiving... > Or because I have the server archive > I did. But I did some tests with it enabled and it is the same thing. Thank's that you rememberd me to disable it again. > lissine > And with Conversations, the PMs in *public mucs* work fine without server archiving. On Gajim doesn't work either way. Should I open an issue about this, or should I wait to upgrade to 1.8.1 before anything?

And lovetox, regarding this issue, https://dev.gajim.org/gajim/gajim/-/issues/11654 about 'Distrust all certificates'. There are xmpp servers operators like creep.im and xmpp.is which have the fingerprint of the certificate posted on their websites. So again, I think that option it is really usefull for some people.

you should try gajim 1.8.x because you are the first user in a long time that reports problems with PMs

dryan, a website also uses TLS and a cert, why would you trust the website cert more than the xmpp server cert?

chud, i think you have to build the flatpak after each code change, not sure why you would want to do that though

Actually, I recently reported problems with PMs =] But not this specific problem

what problem?

I should run the older version, 1.3.1. I think it didn't open the pm in a separate window. It may be something about that.

> a website also uses TLS and a cert, why would you trust the website cert more than the xmpp server cert? lovetox, you are right. creep.im is uses the same cert for the web also. Hmm. And the warrent canarry is outdated.

real

does gajim default to starttls

or does it use regular tls

if both are availible

Depends on the priority set by the server no?

Unless all have the same priority, right.

does it?

It should. Otherwise we might as well get rid of SRV priority straight away

i thot

there was seprate

srv records

for both starttls and tls

they arent in the same record meme

isnt the priority determined for that single txt entery?

hmm that's true they aren't

Whice one is better? umu Direct or Start?

direct obcourse

Gajim defaults to start tls.

hm

itsover

why did startls take over than direct tls?

afaik startls is less secure

because the initial connection is unencrypted

and it has to be upgraded

Noo wayyy.

Because once it was the successor of plaintext and a second tls port

still..

probably internal firewall reason

It's jsut the standard for historical reasons. But every server can signal to support direct tls and clients will follow if they can

> because the initial connection is unencrypted > and it has to be upgraded I didn't know that. I have to change all my passwords. But I use the gajim version of the last year. Maby 1.8.x is different.

xmpp and email is intended to be used on corportate networks

Menel, so basically direct tls should be used...

well I know why SMTP uses startls

dryan, umu, STARTTLS isn’t any less secure no.

its for compatibility

>> because the initial connection is unencrypted >> and it has to be upgraded > I didn't know that. I have to change all my passwords. > But I use the gajim version of the last year. Maby 1.8.x is different. No. That's not how it works

You're fine

The only benefits of direct TLS are one roundtrip less, and better integration with reverse proxies and such.

start tls has different shape than tls tho

Other than that, STARTTLS is the same.

if u were multiplexing on 443 for fun might not be good4u

If the first connection is not encrypted, I might get mitm.

dryan, direct TLS also isn’t encrypted on the first connection.

AA. Yea. I remember. That's why we need certificates.

You first start by sending in clear text “hi, I’d like to talk with <domain>” and then the server replies with “oh sure, I’m <domain>, here is my certificate.”

Then you can start encrypting.

That’s exactly the same as STARTTLS, except there it’s done using XMPP stanzas instead of TLS.

This comes from the era before SNI was a thing, XMPP got the ability to have per-domain certificates long before the web did.

Ahaa. Thank you. Not the place for the discussion. But thank you very much Link Mauve.

does gajim default to websockets on connection?

You’re welcome. :)

Link Mauve, I have a question if you have the time and the others. If some mitm intercept the handshake can he redirect me to another website and give the certificate of that other website? I mean if the is able to also mitm my dns request.

Of course not, that’s what the certificate protects against.

A DNS attacker can trick your client into thinking it has to connect to evil.com when you ask for your server, but then evil.com has to present a valid certificate for your domain.

If the attacker controls DNS, and you don’t validate DNSSEC, that is.

Also in that case, your server won’t even see the request, as it would be redirected to evil.com instead.

Aha. I understand that. But let's say he is redirecting me from xmpp.com to zmpp.com and I didn't notice. And the zmpp.com has a certificate that's valid.

If it is too complex and takes a lot of your time, I will search in other place. Thank you anyway for everything. I really apreciate it. 👍️

You're thinking like a browser does use http `moved`? That's not a thing. You want xmpp.com and your client will not somehow go to something else

If you want xmpp.com your client will error on anything except a valid cert for xmpp.com

> You're thinking like a browser does use http `moved`? That's not a thing. You want xmpp.com and your client will not somehow go to something else AA. Yea. That makes sense! Such a stupid question. I hope someday I will find enough time to learn about these things. I love it. Thank you very much Menel. And all of you.

pep., fyi Gajim will always use direct tls if available first, there was this one xep that said to gather all priorities from all the connection methods and choose the highest or something, but its way to much work, no network lib supports mixing priorities from different dns entries, so you need to query all the dns entries and then add this logic on top

we had a discussion about this a few years back, and the conclusion was, to not do this

Sounds reasonable, especially since everyone deploying direct tls as a sever sets records with higher priority for them anyway as far as I've seen.

https://step.im:5444/82661ca73d6d31c03c22aa090b7ae4fdf7813c07/OBC1oLVL9DmFVV3BDvSOA62j3iqcOTyUHM50CEXo/zb2rhZDmHs4FphPDLxqKhuHwJZN85nzDDaZmQrviKKjtj8aKs.jpg

So its the same thing with less code, and why not let the client deside in the first place

> https://step.im:5444/82661ca73d6d31c03c22aa090b7ae4fdf7813c07/OBC1oLVL9DmFVV3BDvSOA62j3iqcOTyUHM50CEXo/zb2rhZDmHs4FphPDLxqKhuHwJZN85nzDDaZmQrviKKjtj8aKs.jpg can it do multi device?

var: from one vendor controlled protocol, with exactly one implementation? You can move there if you want but don't have to hijack rooms with other topics

>> https://step.im:5444/82661ca73d6d31c03c22aa090b7ae4fdf7813c07/OBC1oLVL9DmFVV3BDvSOA62j3iqcOTyUHM50CEXo/zb2rhZDmHs4FphPDLxqKhuHwJZN85nzDDaZmQrviKKjtj8aKs.jpg > can it do multi device? Not yet ↺

lovetox - I managed to hack somebody who has Blind Trust activated. He was such a not techical person. So, nothing worth bragging about 😂️. But young. So. I don't know. - A friend of mine. I was testing the security of our setup. I made an account that looked pretty similar to the one we chat on. I'v sent him a message. 'Please give me my number FAST, cuz I don't know it and I don't have it stored anywhere. I need it very fast'. And he did. And started talking about his personal stuff afterwards with somebody that wasn't technicaly me.

*The unverified chats should be colored the same way untrusted or unencrypted ones are.* Ok. Maby not red. But orange or yellow. - Or at least make that *lock* or *shild* icon bright yellow or birght or something that popsup.. The way it is right now, you don't really differentiate between verified and just blind trusted.

real

I made an account that looked very much like mine + the blind trust *icon* that you could barely differentiate that is not an verified account = WE HAVE A BIG SECURITY ISSUE.

> I'm having a hard time getting flatpak-builder to actually "notice" the changes I'm making chud, if you are using the yaml files from repository, you have to change the source of the gajim module. You could change `type: git` to `type: dir` and `url: https://...` to `path: ..`.

> I made an account that looked very much like mine + the blind trust *icon* that you could barely differentiate that is not an verified account = WE HAVE A BIG SECURITY ISSUE. - Even for someone techy and worried about security, he can't easily differentiate between blind trusted and verified. And everyone has bad days. I think it's really really important to make the difference pop up. - Not an annoying difference. But a easy visible difference. Like making the icon really pop up either for blind trusted, either for verified.

> Every blindly trusted message has a lock, verified ones have a shield For which you need superman vision + eyeglasses + time + focus + and luck to differentiate.

> No message history isn't an indicator it is a different contact? Belive that when we talk about security, won't be any history most of the time.

I have sent him a video tutorial about how to set that autodelete to 1 day. Easy. It would be nice to have a future to delete his history like in TG or even Whatsapp. But I didn't requested that. I have requested a more visible difference between blind trusted and verified.