We are happy to announce that the XMPP Standards Foundation (XSF) is applying as Google Summer of Code (GSoC) organization.

Open source projects are now able to add their XMPP-related project ideas to

https://wiki.xmpp.org/web/GSoC/2019/Project_Ideas

Interested parties are also invited to join us at gsoc@muc.xmpp.org. Feel free to stop by, ask questions and to discuss your project idea. We welcome everyone, not only those new to GSoC and consider participating.

Google will publish the list of accepted mentoring organizations on 2019-02-26 12:00 UTC. We hope to continue the long tradition of the XSF participating in GSoC, so keep your fingers crossed.

You can find more about the GSoC under https://developers.google.com/open-source/gsoc/.

In my philosophy department talk last October, I said something that might turn out to be more true than I had realized: it's a worthy ambition to become an accomplished person. Recalling that there used to be a philosophical journal called The Personalist, I've started to wonder if "personalism" might be an appropriate name for my approach to philosophy. A quick Internet search revealed that there has been a loose tradition of personalism over the last 200 years, encompassing thinkers as diverse as William James, Karol Wotyla (Pope John Paul II), and, appropriately enough for this weekend, Martin Luther King, Jr. (who studied with personalist theologian Edgar Sheffield Brightman at Boston University)....

Requirements on encryption change from time to time. New technologies pop up and crypto protocols get replaced by new ones. There are also different use-cases that require different encryption techniques.

For that reason there is a number of encryption protocols specified for XMPP, amongst them OMEMO and OpenPGP for XMPP.

Most crypto protocols share in common, that they all aim at encrypting certain parts of the message that is being sent, so that only the recipient(s) can read the encrypted content.

OMEMO is currently only capable to encrypt the messages body. For that reason the body of the message is being encrypted and stored in a <payload/> element, which is added to the message. This is inconvenient, as it makes OMEMO quite inflexible. The protocol cannot be used to secure arbitrary extension elements, which might contain sensitive content as well.

<message to='juliet@capulet.lit' from='romeo@montague.lit' id='send1'>
  <encrypted xmlns='eu.siacs.conversations.axolotl'>
    <header>...</header>
    <!-- the payload contains the encrypted content of the body -->
    <payload>BASE64ENCODED</payload>
  </encrypted>
</message>

The modern OpenPGP for XMPP XEP also uses <payload/> elements, but to transport arbitrary extension elements. The difference is, that in OpenPGP, the payload elements contain the actual payload as plaintext. Those <payload/> elements are embedded in either a <crypt/> or <signcrypt/> element, depending on whether or not the message will be signed and then passed through OpenPGP encryption. The resulting ciphertext is then appended to the message element in form of a <openpgp/> element.

<signcrypt xmlns='urn:xmpp:openpgp:0'>
  <to jid='juliet@example.org'/>
  <time stamp='...'/>
  <rpad>...</rpad>
  <payload>
    <body xmlns='jabber:client'>
      This is a secret message.
    </body>
  </payload>
</signcrypt>

<!-- The above element is passed to OpenPGP and the resulting ciphertext is included in the actual message as an <openpgp/> element -->

<message to='juliet@example.org'>
  <openpgp xmlns='urn:xmpp:openpgp:0'>
    BASE64_OPENPGP_MESSAGE
  </openpgp>
</message>

Upon receiving a message containing an <openpgp/> element, the receiver decrypts the content of it, does some verity checks and then replaces the <openpgp/> element of the message with the extension elements contained in the <payload/> element. That way the original, unencrypted message is constructed.

The benefit of this technique is that the <payload/> element can in fact contain any number of arbitrary extension elements. This makes OpenPGP for XMPPs take on encrypting message content way more flexible.

A logical next step would be to take OpenPGP for XMPPs <payload/> elements and move them to a new XEP, which specifies their use in a unified way. This can then be used by OMEMO and any other encryption protocol as well.

The motivation behind this is, that it would broaden the scope of encryption to cover more parts of the message, like read markers and other metadata.

It could also become easier to implement end-to-end encryption in other scenarios such as Jingle file transfer. Even though there is Jingle Encrypted Transports, this protocol only protects the stream itself and leaves the metadata such as filename, size etc. in the clear. A unified <encrypted/> element would make it easier to encrypt such metadata and could be the better approach to the problem.

I am an engineer not an UI/UX designer. I dabble in those things and sometimes have an idea of what is good and bad from past experience but it is certainly not my strength. You can see that in the evolution of Monal over the past decade. We are always presented with a need to balance user friendliness with lots of options. I have rarely seen anything get the balance right. Oddly artwork has always been one of the hardest things to deal with.

Icons are super important. I started off using icons from KDE and later bought Glyphish, which I have been using since iOS 5 or so. I recently discovered Icon Deposit, where a lot of things I would have killed for in the past are available for free with attribution. It is the open source model applied to artwork. This is something I would recommend other developers checkout. Are there other resources like this? I haven’t paid attention to it in ages.

OMEMO key viewer is in. Trust/untrust toggle doesn’t work yet and you can’t view your keys yet. Those are all coming.

Federated Networks are AWESOME! When I first learned about the concept of federation when I started using Jabber/XMPP, I was blown away. I could set up my own private chat server on a Raspberry Pi and still be able to communicate with people from the internet. I did not rely on external service providers and instead could run my service on my own hardware.

About a year ago or so I learned about ActivityPub, another federated protocol, which allows users to share their thoughts, post links, videos and other content. Mastodon is probably the most prominent service that uses ActivityPub to create a Twitter-like microblogging platform.

But there are other examples like PeerTube, a YouTube-like video platform which allows users to upload, view and share videos with each other. Pleroma allows users to create longer posts than Mastodon and Plume can be used to create whole blogs. PixelFed aims to recreate the Instagram experience and Prismo is a federated Reddit alternative.

But the best thing about ActivityPub: All those services federate not only per service, but only across each other. For instance, you can follow PeerTube creators from your Mastodon account!

And now the icing on the cake: You can now also follow this particular blog! It is traveling the fediverse under the handle @vanitasvitae@blog.jabberhead.tk

Matthias Pfefferle wrote a WordPress plugin, that teaches your WordPress blog to talk to other services using the ActivityPub protocol. That makes all my blog posts available in and a part of the fediverse. You can even comment on the posts from within Mastodon for example!

In my opinion, the internet is too heavily depending on centralized services. Having decentralized services that are united in federation is an awesome way to take back control.

@akrherz wrote:

The Ignite Realtime Community is thrilled to announce the promotion of release version 4.3.0 of Openfire. A changelog denotes 130 Jira issues resolved with this release! There are a few gotchas / unresolved issues we would like to inform you of.

• OF-1615 Openfire Preference Pane crashes on MacOS.
  If you are a Mac user and try to start Openfire via ‘Start Openfire’, it will fail. We are very much desperate for MacOS developers to help us figure out how to fix it.
• OF-1647 Upgraded Openfire on Windows sometimes fails to start.
  Some users have been able to reproduce a bug that an upgraded Openfire to 4.3.0 release will fail to properly start. The workaround is to locate the plugins/admin/webapp/WEB-INF/lib, delete it, then start Openfire again.
• OF-1432 meaning of property xmpp.pubsub.create.anyone is inverted.
  The release of Openfire 4.3.0 corrected the behavior of having that property set. Setting it now to true means that anybody can create pubsub nodes.
• OF-1594 bookmarks are unexpectedly copied to other users.
  It is not clear this bug actually exists, but we wanted to make you aware of it as the Ignite Realtime Openfire host routinely reproduces the issue, but nobody else has :). The impact is that sometimes logged in users are given other users bookmarks. This will cause them to perhaps auto-join rooms with that user’s handle. We hope that this issue is some one-off that is only due to our usage of Ignite Realtime for testing development releases!
• OF-1383 Support Java 11. (this ticket is not completed, there is no support for Java 10/11 yet, read more below)
  Openfire currently requires Java 8 to properly run. We are hoping to support newer JVMs, but need things like upstream releases of Apache MINA to happen.

Have the above issues scared you off yet from trying this release? We certainly hope not! We always recommend you have tested backups and a testing environment to see how this release works for you.

The release can be downloaded from our Downloads Page and the artifacts have the following sha1sums.

32e02876340404f36de93d1a8812f3e5a0eb3502  openfire-4.3.0-1.i686.rpm
6b1b960da879bd27e25365e214915cfe44b40c78  openfire-4.3.0-1.noarch.rpm
a588f28e8a5a043e6a02dfceb67256d5a4572b87  openfire-4.3.0-1.x86_64.rpm
40a44e444a2d91f7cd68f4bb97632bd3073e8928  openfire_4.3.0_all.deb
27846f2a9995394cae72df9597438da4e10a42c3  openfire_4_3_0_bundledJRE.exe
4fd7cee7fb4d372e12d193d54c0bc192880d8b8c  openfire_4_3_0_bundledJRE_x64.exe
41e3cbb6e2cd67f7d92b508be9fdff47bbdf537d  openfire_4_3_0.dmg
01c3a796ab6d6b741614f70f13187e0b11e1cb83  openfire_4_3_0.exe
962e161ac8b7c5e231016ce1f471d6a7e4762b41  openfire_4_3_0.tar.gz
10654ece9d6825e8430c9501ce0fe41518a9f4da  openfire_4_3_0_x64.exe
2803a1693c949b3ae86b56def2eb5809cc042cfc  openfire_4_3_0.zip
635c4e3cfa9193bbba6bac11698a01d5f5c59e92  openfire_src_4_3_0.tar.gz
bf63a63e77f932a0c5b2863ab4df02ce0fdb9d2a  openfire_src_4_3_0.zip

A special recognition for this release goes to @guus and @gdt who did a tremendous amount of work in the area of Maven migration and improving how Openfire plugin development happens. Please remember that we are all volunteers here and very much looking for others to help develop, document, and test Openfire. Please stop by our open_chat to say “Hi” if you are interested in learning more!

Posts: 10

Participants: 5

Read full topic

• 

• 

A quick glimpse at the key management screens and the new details screen on macOS. These will be in the next beta.

The Web is built by people. Authors are producing content that makes the web as it is. They write blog posts, microblog entries, share pictures and videos, etc. And people have typically profile pages to introduce themselves and showcase their work.

Consolidating online activity profiles

In the original vision of the web, the information sharing is decentralized. Anyone can generally read content on a web site without the need to have an account on that specific web site. Being decentralized, it means that people can have many facets of their life spread across different services. You can share your photos on some website, posts your video somewhere else and your blog posts on a third site.

However, even if those activities are spread, you may want to gather them under the same identity (if you want to, no one is forcing you to do so). This consolidation promotes a web that is centralized when implemented by services that are trying to be your primary identity provider. Facebook, Twitter, Google, etc. They are all trying to be the central point of convergence for your identity to lock users in. The problem is that it often comes with an invasion of your privacy as a result of this centralization.

However, if we stick to a vision of a web that is decentralized, you have standard ways to link your profiles together without the need to resort to a central authority. Web microformats define a way to link your various profiles online together. This is called, “identity consolidation” (or profile equivalency).

So, how does it work ?

The whole mechanism relies on the ability to add extra data on a link using the rel=”me” attribute. This attribute can be added to a standard HTML link. For example, Twitter supports this. On your Twitter profile, the link you have provided to Twitter links back to a page of your choice. That link includes the rel=”me” attribute. It means that the Twitter profile page and the link the page is pointing to forms the same identity.

For example, here is what is in the code of my @mickael Twitter profile page:

<a class="u-textUserColor" target="_blank" rel="me nofollow noopener" href="https://t.co/qnpvEmTm9Z" title="http://www.process-one.net/">process-one.net</a>

As you can see, there is a rel=”me” attribute on that link. It makes it possible to link the two profiles together. The t.co url redirects to https://blog.process-one.net/author/mickael_remond/, which is my profile page at ProcessOne.

However, having a single link is not enough. Anyone could open a Twitter account, link to the same page and try to impersonate me on Twitter with a fake account.

That’s why rel=”me” needs to rely on a bidirectional relationship to build the trust. On my ProcessOne blog profile, I have a link to my Twitter profile.

The links looks as follows:

<a class="twitter" rel="me" href="https://twitter.com/mickael" target="_blank">@mickael</a>

The fact that both pages link to each other with that rel=”me” attributes means that the profile on both pages are controlled by the same person.

As you are not limited to linking to a single page, it is possible to crawl the rel=”me” links and consolidate a group of profiles for the same person or identity.

That’s this simple. That’s the beauty of how the web is designed ¹.

I have several more remarks to add:

• Twitter is not doing everything right, as it is using URL shortener. I already wrote why we need to stop using URL shorteners.
• LinkedIn is supposed to be an important profile page and does not support the rel=”me” attribute (at least I could not find it in the page This is really unfortunate given the role of those pages. Someone reading at Microsoft? :)
• Github developer profiles properly support rel=”me” links.
• The rel=”me” approach can link more than web pages. A link can point to a mail (mailto:) or an XMPP (xmpp:) address. Sharing that online is prone to spam, but that’s another story.

Finally, you should know that the rel=”me” attribute does not have to be visible on the page. You can put a link in the header of one profile page to other profile pages, using the link tag. For example, it would look like:

<html>
 <head>
 <link rel="me" href="https://indieauth.com/auth">
 ...
 </head>
...
</html>

Calling to action

After ditching short URLs, you can help the decentralized Web easily by paying attention to profile consolidation. You can put it in place on your own code and you can favour services that using rel=”me” properly. Check the source code of your profile page on various online services and take actions!

You are not forced to use them, and you can still group your own identities as you wish, but rel=”me” adds value to the web when used properly.

Why am I writing on decentralized web ?

The decentralized Web today is simply a way to put emphasis on the web itself. This is the web as it was designed, that is a decentralized system.

Building the decentralized web is about breaking silos. By breaking silos, I also means breaking the protocols’ barriers to use standards on what they are good at and intended for. XMPP federation is a decentralized web but it is in some way living in its own domain. I think we can go further. We took several steps further in breaking protocols’ silos as we made ejabberd able to support XMPP, SIP, and MQTT. You can expect thus to read more from me on decentralized web on my journey to breaking those silos.

Further reading

Here are some interesting pages on rel=”me”:

• Rel=”me” on microformats.org
• Rel-me on Indieweb.org
• The Real Deal About rel=”me”

My nightly beta release continues. There are new Mac and iOS betas where I am trying to address issues with OMEMO device synch, duplicate recipients and in iOS I have added the ability to view your own keys (Settings->Accounts->your account->Keys)

We are pleased to announce a new minor release from our stable branch.

This is a minor bugfix release. It fixes a handful of small but important issues.

A quick fix for decryption issues. If you have used earlier betas, after upgrading, remove your account on every device with monal (iOS and Mac) and re-add it. There was a bug in earlier betas that messed up the signal session and a clean slate should help a lot.

There are new betas for Mac and iOS. This should resolve crashes on the iPad as well as any decryption issues seen on both platforms.

Building command-line tools with Go is quite handy as it allows building standalone static binary. This is quite easy to build ready-to-use binaries for distribution.

While working on my Data Portability Kit, I wanted to be able to produce ready-made binaries to make the tools more accessible. Anyone should be able to use the software without deep technical knowledge.

In this article, I will show how I automated the build and distribution of the prebuilt tools for multiple platforms. I rely on Gox, a tool to easily cross-compile multiple version of a binary in parallel. I also used Ghr, a tool to upload multiple binary files as a Github release.

First of all, you need to install Gox and Ghr, with the following Go commands:

go get -u github.com/mitchellh/gox
go get -u github.com/tcnksm/ghr

Building binary for multiple platforms

First of all, you will need to tag your Git repository before the release:

git tag -a v0.0.1 -m "Release description"
git push --tags

You can then use Gox to build the mget tool for Windows, MacOS and Linux, focusing on the 64bits architecture:

(cd cmd/mget/; ~/go/bin/gox -os="linux darwin windows" -arch="amd64" -output="../../dist/mget_{{.OS}}_{{.Arch}}")
(cd dist; gzip *)

You end up with a dist directory containing three gzipped executable files, one for each OS.

Uploading the binary files to Github

You can now upload them, with Ghr. You will need to generate a personal token on Github. You can do so at the following URL: Github Personal Access Token. For a private repository, you need repo scope and for a public repository, you need public_repo scope.

export GITHUB_TOKEN=mytoken
export TAG=v0.0.1
~/go/bin/ghr -t $GITHUB_TOKEN -u processone -r dpk --replace --draft  $TAG dist/

It will create a draft release on Github. You can edit the release and describe the release before actually publishing it.

Here is an example release: mget v0.0.1

That’s it! Your users can now enjoy prebuilt release of your tool.

There are new betas of the Mac and iOS clients up. I have tried to address issues with synching between your own devices. If you see and error instead of the message on synching, send a few messages back and forth. If it doesnt work for you, I recommend readding your account in Monal. This will create a new device in OMEMO, so you will need everything you contact to trust the new device. This should generally happen automatically with most apps.

There is a new iOS beta with the current OMEMO code and UI enabled. I am still testing this and there are more UI elements that need to be added/adjusted. Please let me know how it works for you.

I have also worked on push support. I am moving towards improved push reliability at the expense of older servers that do not support it. This is largely a desire on my part to remove stale code and reduce complexity. Push has seen sufficient adoption that I believe this should not be a problem for most people.

Happy 2019 and welcome to the XMPP newsletter.

If you have an article, tutorial or blog post you'd like us to include in the newsletter, please submit it on the XMPP wiki.

News

Today is Jabber's 20th anniversary! Jabber would later be standardized and renamed to XMPP.

If you'd like a trip down memory lane, have a look at this 2001 Linux Magazine interview with Jeremie Miller or the original Slashdot release announcement by him on 4 January 1999.

Linux Journal has published an article Lessons in Vendor Lock-in: Messaging, reflecting on the last 20 years of instant messaging and the fact that vendor lock-in is still as relevant an issue as ever.

---

Subscribe to receive the next edition in your inbox

The Prosody team has written a blog post welcoming 2019 where they look back at the progress made in 2018 and forward towards what can be expected in 2019. It also contains a community survey to help the developers guide their effort for the future.

Tumblr started blocking adult content on December 17th, which caused many users to complain of false positives and prompted some to look for alternatives. In response Timothée Jaussoin wrote a blog post suggesting that Tumblr users migrate to Movim. The post was subsequently discussed on Hacker News and was on its front page for a while.

Logitech's Harmony Hub home automation device uses XMPP and they apparently inadvertently allowed local access to customers. When a 3rd party cyber security firm found multiple vulnerabilities, Logitech made a firmware update that disabled XMPP access thereby angering many users who had added extra functionality via XMPP. In response Logitech has created a new XMPP beta program that will give users access to the local controls that were removed and they plan to release an official firmware update with XMPP controls this month.

Howtos

• How to configure HAProxy and ejabberd together.

Announcements

ProcessOne have announced that they will shut down their free XMPP servers oneteam.im and talkr.im.

Videos

In episode S3E08 of Matrix Live, developer Half-Shot talks about bridging Matrix and XMPP with matrix-appservice-purple.

Recent Events

Maxime Buquet wrote a short summary of the XMPP meetup held at the recent Chaos Communication Congress in Leipzig, Germany.

Upcoming Events

• The Brussels UX sprint will be held on Wednesday the 30th of January.
• The 23rd XMPP Summit will be held on January 31st & February 1st in Brussels.

Software releases

Servers

• Ejabberd versions 18.12 and 18.12.1 which add support for XML compression in message archive storage and converting bookmarks from private XML to PEP.
• Openfire version 4.3.0 beta
• Jackal version 0.4.0 which adds cluster mode support.

Clients

• BeagleIM version 1.1. A new lightweight XMPP client for MacOS.
• ChatSecure version 4.3.6

Bridges

• matrix-appservice-purple. Despite the name, the XMPP stack being used is XMPP.js rather than libpurple

As you may have noticed, I’ve bounced over to do more OMEMO work. I’ve been improving the UI and UX (mostly on iOS at the moment) as well as testing it with Conversations (and legacy) on my old HP touchpad. I have released a new Mac beta with a lot of OMEMO fixes under the hood. To the end user, things should just work, conversations should sync between devices and it should remember that a conversation should be encrypted now. I hope to work on the OSX UI some more this week and bring it up to parity with the iOS one. Let me know how this build works for you.

Happy New Year!

It is my firm belief that it is the community, and not the code, that makes an open-source project what it is. With that in mind, I’d like to thank you, the community around Prosody for making the project what it is. Whether you contribute code, help test nightly builds, develop packages, support others in our chatroom and mailing lists, or simply report bugs so that we can fix them - you have helped shape the project, and helped make the project better for everyone. For that - thank you!

As well as reflecting on what we have to be grateful for, there is no better time than the start of a new year to look at the past and what we have achieved, the present, and of course look forward to the future. First, let’s start with our achievements over the past 12 months.

A first take at this screen. I’ve tried to keep it as simple as possible. Establishing the circle of trust is important in cryptography and is one thing OMEMO does not actually address. While you should verify identities, how does someone do it? A simple way it to look at the strings side by side. Ideally this is something that can be done with a QR code to eliminate the manual process.

Here's a list of the books I read in 2018 (including the complete works of Aristotle and a number of related scholarly books, along with a smattering of fiction):...

After 11 years, we are going to sunset our free XMPP servers at oneteam.im and talkr.im. The shutdown will occur on Jan 14, 2019.

Since a decade ago, we offered free, open source and fully featured XMPP services to promote federated messaging across the world. Today, instant messaging is as common as email. Although IM services rely on different platforms, XMPP is the underlaying technology of many, and you have plenty options to choose from.

Therefore, we decided it is better to point you in the direction of such dedicated communication services instead of maintaining our free XMPP servers on the side.

We recommend visiting this Getting Started guide to choose the best server and client for your XMPP communications.

Happy chatting!

This new ejabberd 18.12.1 is a bugfix release optimizing several components. With this holiday release we would like to wish you a very Merry Christmas and a Happy New Year! We look forward to 2019 to keep delivering the world’s best real-time server.

Changes

Since ejabberd 18.12 you have an option to configure ejabberd to use port 5443 and secure TLS access. Version 18.12.1 is re-enabling the port 5280 in default config for web and admin access to make it faster and easier to log into the ejabberd dashboard.

Other changes include bug fixes to rebar3, message carbons, prosody imports and roster versioning.

Download and install ejabberd 18.12.1

The source package and binary installers are available at ProcessOne.

As usual, the release is tagged in the Git source code repository on Github. If you suspect that you’ve found a bug, please search or fill a bug report in Issues.

---

There is a new iOS beta. With grouped notifications. Notifications are grouped by app as well as by conversation. If you get a lot of messages on a certain MUC, this should make life a lot easier. Merry Christmas.