Bug#803396: [Debian-rtc-admin] Bug#803396: options for developers who don't want to use debian.org XMPP

2015-11-10 Thread Gunnar Wolf
Rhonda:

> Of course people could be concerned about that forward bot (which
> could even take care of replying) be facilitated as sort of a MITM
> attack pattern, so it might make sense to have people run such a bot
> themself on some host they trust.
>
> Not so sure about how this would work if it's more than just plain
> messages though, like OTR (which could be encapsulated somehow) or
> other things like voice/video chat.

FWIW, if the user were to be transparently redirected from an
unused/unpreferred $f...@rtc.debian.org to the DD's preferred contact,
this would be a problem. But, given that OTR has a session
establishment phase, what could be done is to auto-answer to any
incoming message with "DD $foo does not use their RTC account" or "DD
$foo prefers contact via their other XMPP account,
$f...@otherserver.info".



Bug#803396: options for developers who don't want to use debian.org XMPP

2015-11-06 Thread Rhonda D'Vine
 Hi,

* Daniel Pocock [2015-10-29 17:09:36 CET]:
> If a developer has their own XMPP account elsewhere or simply doesn't
> want to use it, any requests to be in their roster will simply not be
> responded to.  Should we provide an option to automatically reject
> requests sent to accounts that are not used or automatically give some
> reply scripted by the developer?

 I think a forward possibility would be useful.  The LDAP already has a
field for Jabber ID.  I guess it might make sense to forward things to
there; I'm not sure if it's possible to send stuff back somehow then
though.

 Also, if it gets implemented that stuff gets forwarded there, people
should be explicitly made aware that this will happen beforehand so that
they can decide if they want to remove the entry from LDAP or not.
Maybe a flag might make sense - or a new field that explicitly states
"xmpp messages forwarded to" like we have for "email forwarded to" right
now?

 Just some thoughts,
Rhonda
-- 
If you feel discouraged, finally take courage, go   |
If you feel helpless, go out and help, go           | Wir sind Helden
If you feel powerless, go out and do something, go  | 23.55: Alles auf Anfang
If you feel adrift, find something to hold, let go  |



Bug#803396: [Debian-rtc-admin] Bug#803396: options for developers who don't want to use debian.org XMPP

2015-11-06 Thread Matthew Wild
On 6 November 2015 at 09:48, Rhonda D'Vine wrote:
>  Hi,
>
> * Daniel Pocock [2015-10-29 17:09:36 CET]:
>> If a developer has their own XMPP account elsewhere or simply doesn't
>> want to use it, any requests to be in their roster will simply not be
>> responded to.  Should we provide an option to automatically reject
>> requests sent to accounts that are not used or automatically give some
>> reply scripted by the developer?
>
>  I think a forward possibility would be useful.  The LDAP already has a
> field for Jabber ID.  I guess it might make sense to forward things to
> there; I'm not sure if it's possible to send stuff back somehow then
> though.

You're basically right. Forwarding could be done, but XMPP is not
email - it's not possible to forward with the same 'from' address, so
it would be a bit unintuitive. Likewise there's no way they could
reply back via debian.org to use the address as an alias.

There is a 'redirect' error we could use, however I don't know of
anyone using it in practice, which is a shame (it's a bit of a
chicken-and-egg problem). There were also some security concerns about
XMPP servers automatically following redirects on behalf of users.

Regards,
Matthew
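
The 'redirect' stanza error mentioned in the message above, as an added example (not code from rtc.debian.org or from anyone in this thread): a server-side reply for an unused account, and a client-side handler that only offers the new address to the user and never follows it on its own. The JIDs, `SAMPLE` and both function names are constructed for illustration; the error element and namespace are those of RFC 6120.

```python
import xml.etree.ElementTree as ET

STANZAS_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"  # RFC 6120 stanza errors

# Constructed sample: a message sent to an account its owner does not use.
SAMPLE = ("<message from='alice@example.org/laptop' to='foo@rtc.example.org' "
          "id='m1' type='chat'><body>hi</body></message>")


def build_redirect_error(incoming_xml: str, new_jid: str) -> str:
    """Server side: answer a stanza for an unused account with <redirect/>."""
    incoming = ET.fromstring(incoming_xml)
    if incoming.get("type") == "error":
        raise ValueError("never answer an error stanza with another error")
    reply = ET.Element(incoming.tag, {
        "type": "error",
        "from": incoming.get("to"),    # addresses are swapped in the reply
        "to": incoming.get("from"),
    })
    if incoming.get("id"):
        reply.set("id", incoming.get("id"))
    error = ET.SubElement(reply, "error", {"type": "modify"})
    redirect = ET.SubElement(error, "{%s}redirect" % STANZAS_NS)
    redirect.text = "xmpp:" + new_jid
    return ET.tostring(reply, encoding="unicode")


def handle_error(stanza_xml: str, original_to: str) -> dict:
    """Client side: surface a redirect for approval, never follow it silently."""
    stanza = ET.fromstring(stanza_xml)
    redirect = stanza.find("error/{%s}redirect" % STANZAS_NS)
    if stanza.get("type") != "error" or redirect is None:
        return {"action": "ignore"}
    # Only the address we actually wrote to may point us somewhere else.
    if stanza.get("from") != original_to:
        return {"action": "ignore"}
    target = (redirect.text or "").strip()
    if not target.startswith("xmpp:") or "@" not in target:
        return {"action": "ignore"}
    # The user decides; the old and new addresses are shown side by side.
    return {"action": "ask_user", "old": original_to,
            "new": target[len("xmpp:"):]}


if __name__ == "__main__":
    err = build_redirect_error(SAMPLE, "foo@otherserver.example")
    print(err)
    print(handle_error(err, "foo@rtc.example.org"))
```

Because the sender's own client opens the new conversation after approval, an OTR session is established directly with the new address and no intermediary ever holds the messages.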



Bug#803396: [Debian-rtc-admin] Bug#803396: options for developers who don't want to use debian.org XMPP

2015-11-06 Thread Rhonda D'Vine
Hi,

* Matthew Wild [2015-11-06 14:14:26 CET]:
> On 6 November 2015 at 09:48, Rhonda D'Vine wrote:
> >  Hi,
> >
> > * Daniel Pocock [2015-10-29 17:09:36 CET]:
> >> If a developer has their own XMPP account elsewhere or simply doesn't
> >> want to use it, any requests to be in their roster will simply not be
> >> responded to.  Should we provide an option to automatically reject
> >> requests sent to accounts that are not used or automatically give some
> >> reply scripted by the developer?
> >
> >  I think a forward possibility would be useful.  The LDAP already has a
> > field for Jabber ID.  I guess it might make sense to forward things to
> > there; I'm not sure if it's possible to send stuff back somehow then
> > though.
> 
> You're basically right. Forwarding could be done, but XMPP is not
> email - it's not possible to forward with the same 'from' address, so
> it would be a bit unintuitive. Likewise there's no way they could
> reply back via debian.org to use the address as an alias.

 Right, but that information could be added to the forwarded message.
Of course people could be concerned about that forward bot (which could
even take care of replying) be facilitated as sort of a MITM attack
pattern, so it might make sense to have people run such a bot themself
on some host they trust.

 Not so sure about how this would work if it's more than just plain
messages though, like OTR (which could be encapsulated somehow) or other
things like voice/video chat.  Those most probably won't be possible to
tunnel through a dedicated bot; but maybe my knowledge of the underlying
protocol is just too limited to see how that might be possible.

 Just some thoughts,
Rhonda
-- 
If you feel discouraged, finally take courage, go   |
If you feel helpless, go out and help, go           | Wir sind Helden
If you feel powerless, go out and do something, go  | 23.55: Alles auf Anfang
If you feel adrift, find something to hold, let go  |



Bug#803396: options for developers who don't want to use debian.org XMPP

2015-10-29 Thread Daniel Pocock
package: rtc.debian.org
severity: wishlist

If a developer has their own XMPP account elsewhere or simply doesn't
want to use it, any requests to be in their roster will simply not be
responded to.  Should we provide an option to automatically reject
requests sent to accounts that are not used or automatically give some
reply scripted by the developer?