User:Moparisthebest/Council Candidacy 2023
- Name: Travis Burtrum
- Nickname: moparisthebest
- github: moparisthebest
- fediverse: firstname.lastname@example.org
- XMPP address: email@example.com
- Email address: firstname.lastname@example.org
I'm just your average programmer interested in open source, federation, e2e encryption, and running my own services to avoid reliance on 3rd parties.
I've served two terms on the council so far.
If I had to pick a goal/passion when it comes to XMPP, it would have to be connectivity. After all, if a user is faced with a "cannot connect" error, nothing else matters. A very close second is security: I won't accept any XEP with "Security Considerations" of "todo". Not all XEPs require them, but all XEPs require that they are at least considered.
Here are slides and a video of a talk I did on XMPP security and connectivity at FOSSY this year.
I sometimes find security problems in XMPP protocols or implementations:
- eatxmempp: CVE-2021-32918; I wrote xmpp-proxy to both mitigate that and experiment with various XMPP transports, including QUIC, S2S-over-WebSocket, and more
- httppppppppppp-upload: Full drive exploit - affecting most HTTP-upload capable clients
- XEP-0156 _xmppconnect is vulnerable to MITM - affecting all WebSocket clients that used _xmppconnect; some had CVEs (CVE-2022-26491, etc.)
Accept Early Accept Often: ProtoXEPs should be accepted as experimental if they solve a problem and are clearly written (i.e., someone can read this and implement it). It doesn't matter if they solve a problem another XEP has already attempted to solve but in a different way. It's not council's job to decide which way is better; that decision should be left up to "running code" (i.e., implementations).
What follows from that is that XEPs that have stood the test of time and are widely implemented need to be moved to Stable aggressively, and XEPs that have been abandoned need to be Deferred/Deprecated as appropriate.