Re: [Standards] XEP-0060: Pubsub - Questions and proposals

2016-12-17 Thread Peter Saint-Andre

On 12/17/16 3:08 AM, Goffi wrote:

> On Thursday, 15 December 2016, 08:51:35 CET, Jaussoin Timothée wrote:
>
> > Hi,
> >
> > I'm currently doing a more complete implementation of Pubsub in Movim
> > (affiliations and access-models management) and I have a couple of
> > questions.
> >
> > 5.4 Discover Node Metadata : I'd like to know if it's also possible to
> > expose pubsub#access_model here. I'd like to display in the UI of Movim
> > this information ("This node is private", "This node is open to
> > everyone"…). Will it bring security problems?
>
> The owner can get this information using configuration (§8.2), and I'm not
> sure if it's a good idea to expose it to everybody (the subscribers or lambda
> entities don't need to know the access model, and they can just try to
> subscribe).


Yeah, I was thinking about it some more, and I agree that there's no 
great reason to expose this information. For instance, if an attacker 
learns that the access model is "presence", then it knows which kind of 
attack it needs to perform (perhaps some trickery to get onto the 
person's roster) in order to gain access.



> > 6.5.7 Requesting the Most Recent Items : "When max_items is used,
> > implementations SHOULD return the N most recent (as opposed to the N
> > oldest) items."
> > Here I'd like to know if the items are ordered by their creation date or
> > their last update date.
>
> The N most recent (as opposed to the N oldest) seems clear to me : the older
> are the ones created first, so it's by creation date.
>
> > This difference is important to me because I'd like to know if I can
> > rely on this order to display the posts of Movim (which are logically
> > ordered by their creation date for now). If a user is making a small
> > edit months after the publication it will move the post in front of all
> > the others. This question could also apply to XEP-0059: Result Set
> > Management.
>
> For MAM/RSM it's specified in MAM (The archive results MUST be sorted in
> chronological order §4.2) which is creation date too. But this could be
> changed by a query, I have asked the question at 2016 Fosdem's meeting, and it
> was stated that a XEP can change this order if needed.


It would be good to have consistency across these various specs. Note 
that creation time is not the same as last-update time, though...


Peter


___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___
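
The position taken in the message above (the owner already reads the access model through node configuration, other entities have no need for it) can be expressed as a filter on the disco#info metadata form. This is an added example, not part of the original message and not code from any server or from Movim; the function names, the public/owner-only split and the sample node are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DISCO_INFO = "http://jabber.org/protocol/disco#info"
XDATA = "jabber:x:data"
META_FORM = "http://jabber.org/protocol/pubsub#meta-data"

# Assumed policy: these metadata fields go to any requester ...
PUBLIC_FIELDS = ("pubsub#title", "pubsub#description", "pubsub#creator")
# ... and these only to entities affiliated as owner.
OWNER_ONLY_FIELDS = ("pubsub#access_model",)


def _add_field(form, var, value, field_type=None):
    attrs = {"var": var}
    if field_type:
        attrs["type"] = field_type
    field = ET.SubElement(form, f"{{{XDATA}}}field", attrs)
    ET.SubElement(field, f"{{{XDATA}}}value").text = value


def node_metadata(node, config, affiliations, requester):
    """Build the disco#info <query/> result for `node` as seen by `requester`."""
    bare_jid = requester.split("/", 1)[0]  # affiliations are keyed by bare JID
    is_owner = affiliations.get(bare_jid) == "owner"
    query = ET.Element(f"{{{DISCO_INFO}}}query", {"node": node})
    ET.SubElement(query, f"{{{DISCO_INFO}}}identity",
                  {"category": "pubsub", "type": "leaf"})
    form = ET.SubElement(query, f"{{{XDATA}}}x", {"type": "result"})
    _add_field(form, "FORM_TYPE", META_FORM, field_type="hidden")
    for var in PUBLIC_FIELDS + (OWNER_ONLY_FIELDS if is_owner else ()):
        if var in config:
            _add_field(form, var, config[var])
    return query


def exposed_vars(query):
    """List the field names present in a metadata result, in order."""
    return [f.get("var") for f in query.iter(f"{{{XDATA}}}field")]


# Constructed sample node, not taken from the thread.
CONFIG = {"pubsub#title": "Blog", "pubsub#creator": "owner@example.org",
          "pubsub#access_model": "presence"}
AFFILIATIONS = {"owner@example.org": "owner", "reader@example.org": "member"}

if __name__ == "__main__":
    for jid in ("owner@example.org/laptop", "stranger@example.net/phone"):
        print(jid, exposed_vars(node_metadata("blog", CONFIG, AFFILIATIONS, jid)))
```
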


Re: [Standards] XEP-0060: Pubsub - Questions and proposals

2016-12-17 Thread Goffi
On Thursday, 15 December 2016, 08:51:35 CET, Jaussoin Timothée wrote:
> Hi,
> 
> I'm currently doing a more complete implementation of Pubsub in Movim
> (affiliations and access-models management) and I have a couple of
> questions.
> 
> 5.4 Discover Node Metadata : I'd like to know if it's also possible to
> expose pubsub#access_model here. I'd like to display in the UI of Movim
> this information ("This node is private", "This node is open to
> everyone"…). Will it bring security problems?

The owner can get this information using configuration (§8.2), and I'm not 
sure if it's a good idea to expose it to everybody (the subscribers or lambda 
entities don't need to know the access model, and they can just try to 
subscribe).



> 6.5.7 Requesting the Most Recent Items : "When max_items is used,
> implementations SHOULD return the N most recent (as opposed to the N
> oldest) items."
> Here I'd like to know if the items are ordered by their creation date or
> their last update date.

The N most recent (as opposed to the N oldest) seems clear to me : the older 
are the ones created first, so it's by creation date.



> This difference is important to me because I'd like to know if I can
> rely on this order to display the posts of Movim (which are logically
> ordered by their creation date for now). If a user is making a small
> edit months after the publication it will move the post in front of all
> the others. This question could also apply to XEP-0059: Result Set
> Management.

For MAM/RSM it's specified in MAM (The archive results MUST be sorted in 
chronological order §4.2) which is creation date too. But this could be 
changed by a query, I have asked the question at 2016 Fosdem's meeting, and it 
was stated that a XEP can change this order if needed.


Goffi


Re: [Standards] XEP-0060: Pubsub - Questions and proposals

2016-12-17 Thread Jaussoin Timothée

On 16/12/2016 03:07, Peter Saint-Andre wrote:

> On 12/15/16 12:51 AM, Jaussoin Timothée wrote:
>
> > Hi,
> >
> > I'm currently doing a more complete implementation of Pubsub in Movim
> > (affiliations and access-models management) and I have a couple of
> > questions.
> >
> > 5.4 Discover Node Metadata : I'd like to know if it's also possible to
> > expose pubsub#access_model here. I'd like to display in the UI of Movim
> > this information ("This node is private", "This node is open to
> > everyone"…). Will it bring security problems?
>
> It seems to me that making the access model discoverable will not
> increase the security risk, because an attacker will just try to
> subscribe to a node instead of querying the metadata.



So is it OK if I do a PR on 0060 and add this information in the metadata?


> > 6.5.7 Requesting the Most Recent Items : "When max_items is used,
> > implementations SHOULD return the N most recent (as opposed to the N
> > oldest) items."
> > Here I'd like to know if the items are ordered by their creation date or
> > their last update date.
> > This difference is important to me because I'd like to know if I can
> > rely on this order to display the posts of Movim (which are logically
> > ordered by their creation date for now). If a user is making a small
> > edit months after the publication it will move the post in front of all
> > the others. This question could also apply to XEP-0059: Result Set
> > Management.
>
> We haven't specified the order yet. I'm curious what existing
> implementations do.



From what I'm seeing on Metronome, it's ordered by "updated" and not by 
"published" dates.


The current Pubsub model says that if an item is published with the same 
id as an existing one it should replace it. I'd find natural that the 
new item should then stay at the same position as the other in the list. 
I think that specifying that a server MUST return the items ordered by 
"published" dates should solve the issue.



I also saw in the specifications that the server has a
pubsub#notify_sub configuration boolean (Notify owners about new
subscribers and unsubscribes). But nowhere is it specified how those
owners are notified about these subscriptions. Should we also specify
this in the 0060?



> Peter




Regards,

Timothée
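
The two orderings discussed in this message give different answers to a max_items request once an item is republished under its existing id. The sketch below is an added example, not part of the original message and not Metronome's or Movim's code; the `Node` and `Item` classes, the integer timestamps and the sample posts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Item:
    item_id: str
    payload: str
    published: int  # time of the first publish under this id
    updated: int    # time of the latest publish under this id


class Node:
    """In-memory pubsub node; timestamps are passed in to keep runs repeatable."""

    def __init__(self):
        self._items = {}

    def publish(self, item_id, payload, now):
        # Publishing with an existing id replaces the payload but keeps
        # the original `published` time.
        old = self._items.get(item_id)
        published = old.published if old else now
        self._items[item_id] = Item(item_id, payload, published, now)

    def most_recent(self, max_items, order_by):
        """Ids of the `max_items` newest items, newest first."""
        if order_by not in ("published", "updated"):
            raise ValueError("order_by must be 'published' or 'updated'")
        ranked = sorted(self._items.values(),
                        key=lambda it: (getattr(it, order_by), it.item_id),
                        reverse=True)
        return [it.item_id for it in ranked[:max_items]]


def sample_node():
    """Constructed data: three posts, then a late edit of the oldest one."""
    node = Node()
    node.publish("post-1", "first", now=100)
    node.publish("post-2", "second", now=200)
    node.publish("post-3", "third", now=300)
    node.publish("post-1", "first (typo fixed)", now=900)
    return node


if __name__ == "__main__":
    node = sample_node()
    print("by published:", node.most_recent(2, "published"))
    print("by updated:  ", node.most_recent(2, "updated"))
```

With max_items set to 2, ordering by "updated" not only moves the edited post to the front but also pushes post-2 out of the returned window.
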


Re: [Standards] XEP-0060: Pubsub - Questions and proposals

2016-12-15 Thread Peter Saint-Andre

On 12/15/16 12:51 AM, Jaussoin Timothée wrote:

> Hi,
>
> I'm currently doing a more complete implementation of Pubsub in Movim
> (affiliations and access-models management) and I have a couple of
> questions.
>
> 5.4 Discover Node Metadata : I'd like to know if it's also possible to
> expose pubsub#access_model here. I'd like to display in the UI of Movim
> this information ("This node is private", "This node is open to
> everyone"…). Will it bring security problems?


It seems to me that making the access model discoverable will not 
increase the security risk, because an attacker will just try to 
subscribe to a node instead of querying the metadata.



> 6.5.7 Requesting the Most Recent Items : "When max_items is used,
> implementations SHOULD return the N most recent (as opposed to the N
> oldest) items."
> Here I'd like to know if the items are ordered by their creation date or
> their last update date.
> This difference is important to me because I'd like to know if I can
> rely on this order to display the posts of Movim (which are logically
> ordered by their creation date for now). If a user is making a small
> edit months after the publication it will move the post in front of all
> the others. This question could also apply to XEP-0059: Result Set
> Management.


We haven't specified the order yet. I'm curious what existing 
implementations do.


Peter




[Standards] XEP-0060: Pubsub - Questions and proposals

2016-12-14 Thread Jaussoin Timothée

Hi,

I'm currently doing a more complete implementation of Pubsub in Movim 
(affiliations and access-models management) and I have a couple of 
questions.


5.4 Discover Node Metadata : I'd like to know if it's also possible to 
expose pubsub#access_model here. I'd like to display in the UI of Movim 
this information ("This node is private", "This node is open to 
everyone"…). Will it bring security problems?


6.5.7 Requesting the Most Recent Items : "When max_items is used, 
implementations SHOULD return the N most recent (as opposed to the N 
oldest) items."
Here I'd like to know if the items are ordered by their creation date or 
their last update date.
This difference is important to me because I'd like to know if I can 
rely on this order to display the posts of Movim (which are logically 
ordered by their creation date for now). If a user is making a small 
edit months after the publication it will move the post in front of all 
the others. This question could also apply to XEP-0059: Result Set 
Management.


Regards,

Timothée Jaussoin


Re: [Standards] XEP-0060: PubSub questions

2014-03-19 Thread Christian Schudt
Hi,

> check here: http://xmpp.org/extensions/xep-0248.html

So basically a PubSub implementation can neglect the associate and disassociate 
element.


> this is the application protocol specific error. it should be used in
> conclusion with not-authorized error from the RFC. Check here:
> http://www.xmpp.org/extensions/xep-0060.html#subscriber-subscribe-error-presence

I know what it is, but the question is: Why it is needed in addition to the 
6120 error? It seems to have the same semantic.


> > 4. max-nodes-exceeded error is defined in XML Schema but not described
> > anywhere. It is still used or is it deprecated?
>
> Probably, it needs to be clarified but I believe that the meaning of it is
> obvious, is not it?

Yes, but on the other hand it might have been removed from the spec. Maybe it 
was only part of an old version, but it was forgotten to remove it from the 
schema.

The XMPP XML Schemas are often not accurate.


> > 5. The 'node' attribute is missing in XML Schema for the
> > http://jabber.org/protocol/pubsub namespace in the configure element.
>
> I believe that it is not needed there. If you are considering the #215
> example, I believe that namespace there have to be #owner…

Yes, I was considering example #215. You might be right, that it should be 
#owner namespace. I am not sure.

Some owner related use cases, like creating nodes, aren't in the #owner 
namespace either (which also made me wonder).


> Thank you for your attention of the problem. Unfortunately, XEP-0060 has a
> lot of problems and I hope that your letter will attract attention to it.

I wanted to help and point to errors in the spec. Hopefully the authors or some 
editors will fix the bugs.

I also reported other bugs in old specs (like XEP-0013, XEP-0048), but people 
seem to be more busy with some new, experimental XEP-3xx specs.

Kind regards,
Christian

Re: [Standards] XEP-0060: PubSub questions

2014-03-18 Thread Sergey Dobrov

On 16/03/2014 23:18, Christian Schudt wrote:

> Hi,

Hello Christian,



> I am implementing XEP-0060 and therefore working through the specification.
>
> A few things caught my attention and I'd like to hear your comments about it.
>
> 1. 6.5 Retrieve Items from a Node vs 5.5 Discover Items for a Node is a
> little bit unclear. Where's the difference really? I mean, if I want to get the
> items for a node, should I use 6.5. or 5.5? 6.5 seems to do the same but more
> complete (i.e. it also returns the item payload).

In 6.5 you retrieve items directly from node with payloads. With 5.5 you 
can instead just check which items are there.



> 2. The event namespace defines a collection element with a associate and
> disassociate element. These are nowhere defined or explained. Are they still
> needed?


check here: http://xmpp.org/extensions/xep-0248.html

I am not sure though if it still needs to be in XEP-0060...


> 3. Why is there a presence-subscription-required error, if RFC 6120 already
> defines subscription-required stanza error?


this is the application protocol specific error. it should be used in 
conclusion with not-authorized error from the RFC. Check here: 
http://www.xmpp.org/extensions/xep-0060.html#subscriber-subscribe-error-presence




> 4. max-nodes-exceeded error is defined in XML Schema but not described
> anywhere. It is still used or is it deprecated?


Probably, it needs to be clarified but I believe that the meaning of it 
is obvious, is not it?




> 5. The 'node' attribute is missing in XML Schema for the
> http://jabber.org/protocol/pubsub namespace in the configure element.


I believe that it is not needed there. If you are considering the #215 
example, I believe that namespace there have to be #owner...




> 6. The retrieve-default-sub feature is missing in XML Schema (#errors) and in
> 16.3 Service Discovery Features



yes, that's probably a problem.

Thank you for your attention of the problem. Unfortunately, XEP-0060 has 
a lot of problems and I hope that your letter will attract attention to it.




> Best regards,
> Christian





[Standards] XEP-0060: PubSub questions

2014-03-16 Thread Christian Schudt
Hi,

I am implementing XEP-0060 and therefore working through the specification.

A few things caught my attention and I'd like to hear your comments about it.

1. 6.5 Retrieve Items from a Node vs 5.5 Discover Items for a Node is a 
little bit unclear. Where's the difference really? I mean, if I want to get the 
items for a node, should I use 6.5. or 5.5? 6.5 seems to do the same but more 
complete (i.e. it also returns the item payload).

2. The event namespace defines a collection element with a associate and 
disassociate element. These are nowhere defined or explained. Are they still 
needed?

3. Why is there a presence-subscription-required error, if RFC 6120 already 
defines subscription-required stanza error?

4. max-nodes-exceeded error is defined in XML Schema but not described 
anywhere. It is still used or is it deprecated?

5. The 'node' attribute is missing in XML Schema for the
http://jabber.org/protocol/pubsub namespace in the configure element.

6. The retrieve-default-sub feature is missing in XML Schema (#errors) and in 
16.3 Service Discovery Features


Best regards,
Christian