Planet Jabber

January 20, 2019

The XMPP Standards Foundation

Google Summer of Code 2019

We are happy to announce that the XMPP Standards Foundation (XSF) is applying as Google Summer of Code (GSoC) organization.

Open source projects are now able to add their XMPP-related project ideas to

Interested parties are also invited to join us at Feel free to stop by, ask questions and to discuss your project idea. We welcome everyone, not only those new to GSoC and consider participating.

Google will publish the list of accepted mentoring organizations on 2019-02-26 12:00 UTC. We hope to continue the long tradition of the XSF participating in GSoC, so keep your fingers crossed.

You can find more about the GSoC under

by Flow at January 20, 2019 21:00

January 19, 2019

Peter Saint-Andre


In my philosophy department talk last October, I said something that might turn out to be more true than I had realized: it's a worthy ambition to become an accomplished person. Recalling that there used to be a philosophical journal called The Personalist, I've started to wonder if "personalism" might be an appropriate name for my approach to philosophy. A quick Internet search revealed that there has been a loose tradition of personalism over the last 200 years, encompassing thinkers as diverse as William James, Karol Wotyla (Pope John Paul II), and, appropriately enough for this weekend, Martin Luther King, Jr. (who studied with personalist theologian Edgar Sheffield Brightman at Boston University)....

January 19, 2019 00:00

January 17, 2019

Paul Schaub

Unified Encrypted Payload Elements for XMPP

Requirements on encryption change from time to time. New technologies pop up and crypto protocols get replaced by new ones. There are also different use-cases that require different encryption techniques.

For that reason there is a number of encryption protocols specified for XMPP, amongst them OMEMO and OpenPGP for XMPP.

Most crypto protocols share in common, that they all aim at encrypting certain parts of the message that is being sent, so that only the recipient(s) can read the encrypted content.

OMEMO is currently only capable to encrypt the messages body. For that reason the body of the message is being encrypted and stored in a <payload/> element, which is added to the message. This is inconvenient, as it makes OMEMO quite inflexible. The protocol cannot be used to secure arbitrary extension elements, which might contain sensitive content as well.

<message to='juliet@capulet.lit' from='romeo@montague.lit' id='send1'>
  <encrypted xmlns='eu.siacs.conversations.axolotl'>
    <!-- the payload contains the encrypted content of the body -->

The modern OpenPGP for XMPP XEP also uses <payload/> elements, but to transport arbitrary extension elements. The difference is, that in OpenPGP, the payload elements contain the actual payload as plaintext. Those <payload/> elements are embedded in either a <crypt/> or <signcrypt/> element, depending on whether or not the message will be signed and then passed through OpenPGP encryption. The resulting ciphertext is then appended to the message element in form of a <openpgp/> element.

<signcrypt xmlns='urn:xmpp:openpgp:0'>
  <to jid=''/>
  <time stamp='...'/>
    <body xmlns='jabber:client'>
      This is a secret message.

<!-- The above element is passed to OpenPGP and the resulting ciphertext is included in the actual message as an <openpgp/> element -->

<message to=''>
  <openpgp xmlns='urn:xmpp:openpgp:0'>

Upon receiving a message containing an <openpgp/> element, the receiver decrypts the content of it, does some verity checks and then replaces the <openpgp/> element of the message with the extension elements contained in the <payload/> element. That way the original, unencrypted message is constructed.

The benefit of this technique is that the <payload/> element can in fact contain any number of arbitrary extension elements. This makes OpenPGP for XMPPs take on encrypting message content way more flexible.

A logical next step would be to take OpenPGP for XMPPs <payload/> elements and move them to a new XEP, which specifies their use in a unified way. This can then be used by OMEMO and any other encryption protocol as well.

The motivation behind this is, that it would broaden the scope of encryption to cover more parts of the message, like read markers and other metadata.

It could also become easier to implement end-to-end encryption in other scenarios such as Jingle file transfer. Even though there is Jingle Encrypted Transports, this protocol only protects the stream itself and leaves the metadata such as filename, size etc. in the clear. A unified <encrypted/> element would make it easier to encrypt such metadata and could be the better approach to the problem.

by vanitasvitae at January 17, 2019 13:28

January 13, 2019

Monal IM

Icons and Art

I am an engineer not an UI/UX designer. I dabble in those things and sometimes have an idea of what is good and bad from past experience but it is certainly not my strength. You can see that in the evolution of Monal over the past decade. We are always presented with a need to balance user friendliness with lots of options. I have rarely seen anything get the balance right. Oddly artwork has always been one of the hardest things to deal with.

Icons are super important. I started off using icons from KDE and later bought Glyphish, which I have been using since iOS 5 or so. I recently discovered Icon Deposit, where a lot of things I would have killed for in the past are available for free with attribution. It is the open source model applied to artwork. This is something I would recommend other developers checkout. Are there other resources like this? I haven’t paid attention to it in ages.

by Anu at January 13, 2019 17:51

Next Mac beta up

OMEMO key viewer is in. Trust/untrust toggle doesn’t work yet and you can’t view your keys yet. Those are all coming.

by Anu at January 13, 2019 01:23

January 12, 2019

Paul Schaub

Join the Fediverse!

Federated Networks are AWESOME! When I first learned about the concept of federation when I started using Jabber/XMPP, I was blown away. I could set up my own private chat server on a Raspberry Pi and still be able to communicate with people from the internet. I did not rely on external service providers and instead could run my service on my own hardware.

About a year ago or so I learned about ActivityPub, another federated protocol, which allows users to share their thoughts, post links, videos and other content. Mastodon is probably the most prominent service that uses ActivityPub to create a Twitter-like microblogging platform.

But there are other examples like PeerTube, a YouTube-like video platform which allows users to upload, view and share videos with each other. Pleroma allows users to create longer posts than Mastodon and Plume can be used to create whole blogs. PixelFed aims to recreate the Instagram experience and Prismo is a federated Reddit alternative.

But the best thing about ActivityPub: All those services federate not only per service, but only across each other. For instance, you can follow PeerTube creators from your Mastodon account!

And now the icing on the cake: You can now also follow this particular blog! It is traveling the fediverse under the handle

Matthias Pfefferle wrote a WordPress plugin, that teaches your WordPress blog to talk to other services using the ActivityPub protocol. That makes all my blog posts available in and a part of the fediverse. You can even comment on the posts from within Mastodon for example!

In my opinion, the internet is too heavily depending on centralized services. Having decentralized services that are united in federation is an awesome way to take back control.

by vanitasvitae at January 12, 2019 17:35

January 11, 2019

Ignite Realtime Blog

Openfire 4.3.0 Release

@akrherz wrote:

The Ignite Realtime Community is thrilled to announce the promotion of release version 4.3.0 of Openfire. A changelog denotes 130 Jira issues resolved with this release! There are a few gotchas / unresolved issues we would like to inform you of.

  • OF-1615 Openfire Preference Pane crashes on MacOS.
    If you are a Mac user and try to start Openfire via ‘Start Openfire’, it will fail. We are very much desperate for MacOS developers to help us figure out how to fix it.
  • OF-1647 Upgraded Openfire on Windows sometimes fails to start.
    Some users have been able to reproduce a bug that an upgraded Openfire to 4.3.0 release will fail to properly start. The workaround is to locate the plugins/admin/webapp/WEB-INF/lib, delete it, then start Openfire again.
  • OF-1432 meaning of property xmpp.pubsub.create.anyone is inverted.
    The release of Openfire 4.3.0 corrected the behavior of having that property set. Setting it now to true means that anybody can create pubsub nodes.
  • OF-1594 bookmarks are unexpectedly copied to other users.
    It is not clear this bug actually exists, but we wanted to make you aware of it as the Ignite Realtime Openfire host routinely reproduces the issue, but nobody else has :). The impact is that sometimes logged in users are given other users bookmarks. This will cause them to perhaps auto-join rooms with that user’s handle. We hope that this issue is some one-off that is only due to our usage of Ignite Realtime for testing development releases!
  • OF-1383 Support Java 11. (this ticket is not completed, there is no support for Java 10/11 yet, read more below)
    Openfire currently requires Java 8 to properly run. We are hoping to support newer JVMs, but need things like upstream releases of Apache MINA to happen.

Have the above issues scared you off yet from trying this release? We certainly hope not! We always recommend you have tested backups and a testing environment to see how this release works for you.

The release can be downloaded from our Downloads Page and the artifacts have the following sha1sums.

32e02876340404f36de93d1a8812f3e5a0eb3502  openfire-4.3.0-1.i686.rpm
6b1b960da879bd27e25365e214915cfe44b40c78  openfire-4.3.0-1.noarch.rpm
a588f28e8a5a043e6a02dfceb67256d5a4572b87  openfire-4.3.0-1.x86_64.rpm
40a44e444a2d91f7cd68f4bb97632bd3073e8928  openfire_4.3.0_all.deb
27846f2a9995394cae72df9597438da4e10a42c3  openfire_4_3_0_bundledJRE.exe
4fd7cee7fb4d372e12d193d54c0bc192880d8b8c  openfire_4_3_0_bundledJRE_x64.exe
41e3cbb6e2cd67f7d92b508be9fdff47bbdf537d  openfire_4_3_0.dmg
01c3a796ab6d6b741614f70f13187e0b11e1cb83  openfire_4_3_0.exe
962e161ac8b7c5e231016ce1f471d6a7e4762b41  openfire_4_3_0.tar.gz
10654ece9d6825e8430c9501ce0fe41518a9f4da  openfire_4_3_0_x64.exe
635c4e3cfa9193bbba6bac11698a01d5f5c59e92  openfire_src_4_3_0.tar.gz

A special recognition for this release goes to @guus and @gdt who did a tremendous amount of work in the area of Maven migration and improving how Openfire plugin development happens. Please remember that we are all volunteers here and very much looking for others to help develop, document, and test Openfire. Please stop by our open_chat to say “Hi” if you are interested in learning more!

Posts: 10

Participants: 5

Read full topic

by @akrherz daryl herzmann at January 11, 2019 20:57

Monal IM

Managing Keys on macOS

A quick glimpse at the key management screens and the new details screen on macOS. These will be in the next beta.

by Anu at January 11, 2019 04:12

January 10, 2019


Building a more Decentralized Web: Linking your Profiles Together

The Web is built by people. Authors are producing content that makes the web as it is. They write blog posts, microblog entries, share pictures and videos, etc. And people have typically profile pages to introduce themselves and showcase their work.

Consolidating online activity profiles

In the original vision of the web, the information sharing is decentralized. Anyone can generally read content on a web site without the need to have an account on that specific web site. Being decentralized, it means that people can have many facets of their life spread across different services. You can share your photos on some website, posts your video somewhere else and your blog posts on a third site.

However, even if those activities are spread, you may want to gather them under the same identity (if you want to, no one is forcing you to do so). This consolidation promotes a web that is centralized when implemented by services that are trying to be your primary identity provider. Facebook, Twitter, Google, etc. They are all trying to be the central point of convergence for your identity to lock users in. The problem is that it often comes with an invasion of your privacy as a result of this centralization.

However, if we stick to a vision of a web that is decentralized, you have standard ways to link your profiles together without the need to resort to a central authority. Web microformats define a way to link your various profiles online together. This is called, “identity consolidation” (or profile equivalency).

So, how does it work ?

The whole mechanism relies on the ability to add extra data on a link using the rel=”me” attribute. This attribute can be added to a standard HTML link. For example, Twitter supports this. On your Twitter profile, the link you have provided to Twitter links back to a page of your choice. That link includes the rel=”me” attribute. It means that the Twitter profile page and the link the page is pointing to forms the same identity.

For example, here is what is in the code of my @mickael Twitter profile page:

<a class="u-textUserColor" target="_blank" rel="me nofollow noopener" href="" title=""></a>

As you can see, there is a rel=”me” attribute on that link. It makes it possible to link the two profiles together. The url redirects to, which is my profile page at ProcessOne.

However, having a single link is not enough. Anyone could open a Twitter account, link to the same page and try to impersonate me on Twitter with a fake account.

That’s why rel=”me” needs to rely on a bidirectional relationship to build the trust. On my ProcessOne blog profile, I have a link to my Twitter profile.

The links looks as follows:

<a class="twitter" rel="me" href="" target="_blank">@mickael</a>

The fact that both pages link to each other with that rel=”me” attributes means that the profile on both pages are controlled by the same person.

As you are not limited to linking to a single page, it is possible to crawl the rel=”me” links and consolidate a group of profiles for the same person or identity.

That’s this simple. That’s the beauty of how the web is designed 1.

I have several more remarks to add:

  • Twitter is not doing everything right, as it is using URL shortener. I already wrote why we need to stop using URL shorteners.
  • LinkedIn is supposed to be an important profile page and does not support the rel=”me” attribute (at least I could not find it in the page This is really unfortunate given the role of those pages. Someone reading at Microsoft? :)
  • Github developer profiles properly support rel=”me” links.
  • The rel=”me” approach can link more than web pages. A link can point to a mail (mailto:) or an XMPP (xmpp:) address. Sharing that online is prone to spam, but that’s another story.

Finally, you should know that the rel=”me” attribute does not have to be visible on the page. You can put a link in the header of one profile page to other profile pages, using the link tag. For example, it would look like:

 <link rel="me" href="">

Calling to action

After ditching short URLs, you can help the decentralized Web easily by paying attention to profile consolidation. You can put it in place on your own code and you can favour services that using rel=”me” properly. Check the source code of your profile page on various online services and take actions!

You are not forced to use them, and you can still group your own identities as you wish, but rel=”me” adds value to the web when used properly.

Why am I writing on decentralized web ?

The decentralized Web today is simply a way to put emphasis on the web itself. This is the web as it was designed, that is a decentralized system.

Building the decentralized web is about breaking silos. By breaking silos, I also means breaking the protocols’ barriers to use standards on what they are good at and intended for. XMPP federation is a decentralized web but it is in some way living in its own domain. I think we can go further. We took several steps further in breaking protocols’ silos as we made ejabberd able to support XMPP, SIP, and MQTT. You can expect thus to read more from me on decentralized web on my journey to breaking those silos.

Further reading

Here are some interesting pages on rel=”me”:

  1. Ironically, tracking and assessing importance of web links is what helped made Google what it is, with their Pagerank algorithm. 

by Mickaël Rémond at January 10, 2019 10:20

Monal IM

New Betas

My nightly beta release continues. There are new Mac and iOS betas where I am trying to address issues with OMEMO device synch, duplicate recipients and in iOS I have added the ability to view your own keys (Settings->Accounts->your account->Keys)

by Anu at January 10, 2019 00:33

January 09, 2019

Prosodical Thoughts

Prosody 0.11.2 released

We are pleased to announce a new minor release from our stable branch.

This is a minor bugfix release. It fixes a handful of small but important issues.

by The Prosody Team at January 09, 2019 15:40

Monal IM

Handling decryption errors

A quick fix for decryption issues. If you have used earlier betas, after upgrading, remove your account on every device with monal (iOS and Mac) and re-add it. There was a bug in earlier betas that messed up the signal session and a clean slate should help a lot.

by Anu at January 09, 2019 00:06

January 08, 2019

Monal IM

New betas

There are new betas for Mac and iOS. This should resolve crashes on the iPad as well as any decryption issues seen on both platforms.

by Anu at January 08, 2019 03:58

January 07, 2019


Distributing prebuilt Go binaries on Github with Gox

Building command-line tools with Go is quite handy as it allows building standalone static binary. This is quite easy to build ready-to-use binaries for distribution.

While working on my Data Portability Kit, I wanted to be able to produce ready-made binaries to make the tools more accessible. Anyone should be able to use the software without deep technical knowledge.

In this article, I will show how I automated the build and distribution of the prebuilt tools for multiple platforms. I rely on Gox, a tool to easily cross-compile multiple version of a binary in parallel. I also used Ghr, a tool to upload multiple binary files as a Github release.

First of all, you need to install Gox and Ghr, with the following Go commands:

go get -u
go get -u

Building binary for multiple platforms

First of all, you will need to tag your Git repository before the release:

git tag -a v0.0.1 -m "Release description"
git push --tags

You can then use Gox to build the mget tool for Windows, MacOS and Linux, focusing on the 64bits architecture:

(cd cmd/mget/; ~/go/bin/gox -os="linux darwin windows" -arch="amd64" -output="../../dist/mget_{{.OS}}_{{.Arch}}")
(cd dist; gzip *)

You end up with a dist directory containing three gzipped executable files, one for each OS.

Uploading the binary files to Github

You can now upload them, with Ghr. You will need to generate a personal token on Github. You can do so at the following URL: Github Personal Access Token. For a private repository, you need repo scope and for a public repository, you need public_repo scope.

export GITHUB_TOKEN=mytoken
export TAG=v0.0.1
~/go/bin/ghr -t $GITHUB_TOKEN -u processone -r dpk --replace --draft  $TAG dist/

It will create a draft release on Github. You can edit the release and describe the release before actually publishing it.

Here is an example release: mget v0.0.1

That’s it! Your users can now enjoy prebuilt release of your tool.

by Mickaël Rémond at January 07, 2019 12:03

January 06, 2019

Monal IM

OMEMO device synch

There are new betas of the Mac and iOS clients up. I have tried to address issues with synching between your own devices. If you see and error instead of the message on synching, send a few messages back and forth. If it doesnt work for you, I recommend readding your account in Monal. This will create a new device in OMEMO, so you will need everything you contact to trust the new device. This should generally happen automatically with most apps.

by Anu at January 06, 2019 03:41

January 05, 2019

Monal IM

iOS Beta: OMEMO and Push

There is a new iOS beta with the current OMEMO code and UI enabled. I am still testing this and there are more UI elements that need to be added/adjusted. Please let me know how it works for you.

I have also worked on push support. I am moving towards improved push reliability at the expense of older servers that do not support it. This is largely a desire on my part to remove stale code and reduce complexity. Push has seen sufficient adoption that I believe this should not be a problem for most people.

by Anu at January 05, 2019 04:08

January 03, 2019

The XMPP Standards Foundation

The XMPP Newsletter, 4 January 2019

Happy 2019 and welcome to the XMPP newsletter.

If you have an article, tutorial or blog post you'd like us to include in the newsletter, please submit it on the XMPP wiki.


Today is Jabber's 20th anniversary! Jabber would later be standardized and renamed to XMPP.

If you'd like a trip down memory lane, have a look at this 2001 Linux Magazine interview with Jeremie Miller or the original Slashdot release announcement by him on 4 January 1999.

Linux Journal has published an article Lessons in Vendor Lock-in: Messaging, reflecting on the last 20 years of instant messaging and the fact that vendor lock-in is still as relevant an issue as ever.

The Prosody team has written a blog post welcoming 2019 where they look back at the progress made in 2018 and forward towards what can be expected in 2019. It also contains a community survey to help the developers guide their effort for the future.

Tumblr started blocking adult content on December 17th, which caused many users to complain of false positives and prompted some to look for alternatives. In response Timothée Jaussoin wrote a blog post suggesting that Tumblr users migrate to Movim. The post was subsequently discussed on Hacker News and was on its front page for a while.

Logitech's Harmony Hub home automation device uses XMPP and they apparently inadvertently allowed local access to customers. When a 3rd party cyber security firm found multiple vulnerabilities, Logitech made a firmware update that disabled XMPP access thereby angering many users who had added extra functionality via XMPP. In response Logitech has created a new XMPP beta program that will give users access to the local controls that were removed and they plan to release an official firmware update with XMPP controls this month.



ProcessOne have announced that they will shut down their free XMPP servers and


In episode S3E08 of Matrix Live, developer Half-Shot talks about bridging Matrix and XMPP with matrix-appservice-purple.

Recent Events

Maxime Buquet wrote a short summary of the XMPP meetup held at the recent Chaos Communication Congress in Leipzig, Germany.

Upcoming Events

Software releases


  • Ejabberd versions 18.12 and 18.12.1 which add support for XML compression in message archive storage and converting bookmarks from private XML to PEP.
  • Openfire version 4.3.0 beta
  • Jackal version 0.4.0 which adds cluster mode support.


  • BeagleIM version 1.1. A new lightweight XMPP client for MacOS.
  • ChatSecure version 4.3.6


by jcbrand at January 03, 2019 23:00

Monal IM

OMEMO Updates

As you may have noticed, I’ve bounced over to do more OMEMO work. I’ve been improving the UI and UX (mostly on iOS at the moment) as well as testing it with Conversations (and legacy) on my old HP touchpad. I have released a new Mac beta with a lot of OMEMO fixes under the hood. To the end user, things should just work, conversations should sync between devices and it should remember that a conversation should be encrypted now. I hope to work on the OSX UI some more this week and bring it up to parity with the iOS one. Let me know how this build works for you.

by Anu at January 03, 2019 15:04

Prosodical Thoughts

Welcoming 2019

Happy New Year!

It is my firm belief that it is the community, and not the code, that makes an open-source project what it is. With that in mind, I’d like to thank you, the community around Prosody for making the project what it is. Whether you contribute code, help test nightly builds, develop packages, support others in our chatroom and mailing lists, or simply report bugs so that we can fix them - you have helped shape the project, and helped make the project better for everyone. For that - thank you!

As well as reflecting on what we have to be grateful for, there is no better time than the start of a new year to look at the past and what we have achieved, the present, and of course look forward to the future. First, let’s start with our achievements over the past 12 months.

by The Prosody Team at January 03, 2019 11:05

December 31, 2018

Monal IM

Trusting Keys

A first take at this screen. I’ve tried to keep it as simple as possible. Establishing the circle of trust is important in cryptography and is one thing OMEMO does not actually address. While you should verify identities, how does someone do it? A simple way it to look at the strings side by side. Ideally this is something that can be done with a QR code to eliminate the manual process.

by Anu at December 31, 2018 05:30

Peter Saint-Andre

2018 Readings

Here's a list of the books I read in 2018 (including the complete works of Aristotle and a number of related scholarly books, along with a smattering of fiction):...

December 31, 2018 00:00

December 30, 2018

Monal IM

December 28, 2018


New Year Service Cleanup

After 11 years, we are going to sunset our free XMPP servers at and The shutdown will occur on Jan 14, 2019.

Since a decade ago, we offered free, open source and fully featured XMPP services to promote federated messaging across the world. Today, instant messaging is as common as email. Although IM services rely on different platforms, XMPP is the underlaying technology of many, and you have plenty options to choose from.

Therefore, we decided it is better to point you in the direction of such dedicated communication services instead of maintaining our free XMPP servers on the side.

We recommend visiting this Getting Started guide to choose the best server and client for your XMPP communications.

Happy chatting!

by Marek Foss at December 28, 2018 13:02

December 26, 2018


ejabberd 18.12.1

This new ejabberd 18.12.1 is a bugfix release optimizing several components. With this holiday release we would like to wish you a very Merry Christmas and a Happy New Year! We look forward to 2019 to keep delivering the world’s best real-time server.


Since ejabberd 18.12 you have an option to configure ejabberd to use port 5443 and secure TLS access. Version 18.12.1 is re-enabling the port 5280 in default config for web and admin access to make it faster and easier to log into the ejabberd dashboard.

Other changes include bug fixes to rebar3, message carbons, prosody imports and roster versioning.

Download and install ejabberd 18.12.1

The source package and binary installers are available at ProcessOne.

As usual, the release is tagged in the Git source code repository on Github. If you suspect that you’ve found a bug, please search or fill a bug report in Issues.

– Parse persistent and archiving room options importing from prosody
– Search also for _jid when importing room from prosody
– Fix PIEFXIS export of user when password is scrammed
– Fix compilation with rebar3 by updating xmpp dependency
– Fix issue with ordering of pkix and fast_tls startup
– Fix loosing info about enabling carbons after resuming old session
– Re-enable port 5280 in default config
– Don’t add ver attribute to roster result when roster versioning is not enabled

by Marek Foss at December 26, 2018 12:25

December 23, 2018

Monal IM

One More Thing…

There is a new iOS beta. With grouped notifications. Notifications are grouped by app as well as by conversation. If you get a lot of messages on a certain MUC, this should make life a lot easier. Merry Christmas.

by Anu at December 23, 2018 05:19