[Members] Jabber Software Map

Richard Dobson richard at dobson-i.net
Fri Dec 2 09:34:07 CST 2005


> Well, if we speak of two to three years as short term, then yes, it is
> short term; at least it works, and I want a working solution now rather
> than in two to three years. Anyway, it's not my head that counts. I just
> see that the JSF's mission status is simply becoming emphasized more and
> more on protocols, and that we are forgetting the developers.
>
> "We showcase the work of such developers, whether they be open-source or
> commercial. We document our protocols in a clear, accessible fashion,
> and we show developers how our protocols can solve problems and help
> them innovate. But we do not market ready-made solutions to
> organizations or individuals: that is the job of the developers we
> serve." - http://www.jabber.org/jsf/
>
> We are a software foundation, and by our mission goals we must enable
> developers to showcase their stuff. Of course that's put harshly.
> Showcasing it now is better than showcasing something in two to three
> years. And a software map (be it the one we are discussing right now or
> not) is a perfect start for building a different leg, a more
> developer-oriented web site. Couldn't we showcase developers' work better
> than we do now? Can't we provide better news? Can't we provide more
> interviews? Can't we simply build a small team of editors who do
> interviews every two months with open source developers in the Jabber
> domain? Is there no use in presenting cool OS Jabber deployments? Where
> is this? We had interviews 3 years ago, but after 10 or 12 interviews
> they were suddenly gone. I say we must make a start and not wait another
> two to three years just to get something perfectly standardized. We can
> standardize a proper auth-checking mechanism, I know the JSF can do
> this, but what is it good for now, when the first Jabber server
> implementation will be ready months later and we will have to switch our
> Jabber server implementation before we can use it?

When did I ever suggest the Jabber Software Map was not a good thing? It's
great, but you are making a real mountain out of a molehill over the auth
stuff. As I suggested, all you need to do if you want to get it working
quickly is just give it its own user database, just like JabberStudio
does. Simple, job done, and no need for further argument over this.

> Returning to the technical argument, an HTTP facade with read-only access
> to the db is probably safer than enhancing a full-fledged server with an
> HTTP interface.

Maybe so, but using an HTTP mechanism that is yet another thing people will
need to set up with their Jabber servers, and which is only a stop-gap measure
until a proper Jabber-based protocol for this comes along, is simply not
workable. People will be reluctant to install it; it's a security risk, as it's
an extra point of attack on people's Jabber servers (good security means
minimising your attack surface); and if people don't install it, that makes it
pointless as a basis for a distributed system.

There are also other security issues you don't seem to have considered, such
as revealing your Jabber password to the web server. If the web server were
compromised, even if it was validating passwords without direct access to the
db, the passwords could still be exposed: when someone logs in via the
website and the website gets a response saying the password is valid, a
hacker could introduce code to log all the valid passwords. So saying
this is secure is not really very true.

Let's just either do as I suggested and have the Jabber Software Map keep its
own user database that people have to register for, or go for the longer-term
option of a more secure Jabber-based solution where the passwords aren't
being compromised.

Richard
