Special thanks to @wikimediaDE, who were so kind to host us the second year in a row, and to both @xmpp and #Ammonit Measurement GmbH for sponsoring the event!
And thanks to all participants, of course!
Project lead on https://Conversations.im & https://Ltt.rs · Council Chair & Editor, #XMPP Standards Foundation · 2.9W/kg · Flat white socialist · Defying Gravity · European Republic
I'm on my way back from the Berlin XMPP Sprint and had a fantastic time. Thank you so much @debacle for organizing it, and thank you to everyone who participated. It was especially cool to see some new faces; it's pretty amazing that the #XMPP developer community is still able to attract new talent.
I made good progress on finally being able to show full-size avatars (profile pictures) in #Conversations_im. Stay tuned to learn more about that towards the end of this week.
I want to get back to writing more long-form content. In the age of ChatGPT, that seems like a valuable skill to maintain.
However, my old website used handcrafted HTML and simply wasn’t up to the task, so I made a new one. Check it out: https://gultsch.de
»We’re going to build #Thunderbird for iOS with #JMAP support first and foremost.«¹
As someone who is developing a JMAP-only client for Android: That’s a bold move but good luck 🙂
Maybe you should make https://Ltt.rs your Thunderbird for Android.
¹: https://blog.thunderbird.net/2025/05/thunderbird-for-mobile-april-2025-progress-report/
@Polychrome #Conversations_im has this feature now. On restore you can opt to not restore the #OMEMO key material. (which will subsequently create new keys for that device)
@blake yes, jdev@muc.xmpp.org is the correct answer.
For spec related questions there is also xsf@muc.xmpp.org
See also: https://xmpp.org/community/chat/
@guusdk I think instant messaging services must associate accounts with phone numbers (and possibly somehow validate that with Russian mobile providers; presumably to associate accounts with actual identities)
To be clear the amount doesn't matter. Transferring any money to the Russian state is terrorism financing and illegal in Germany.
I guess it’s a good thing that the genocide in Ukraine has devalued your currency so much that 800,000 rubles isn’t actually that much money.
> By the ruling of the magistrate of judicial district No. 422 of the Tagansky district of Moscow, companies Threema GmbH and Pagebites Inc have been fined 1 million rubles each, and Gultsch & Weiss GbR has been fined 800 thousand rubles.
🇷🇺 https://www.interfax.ru/russia/1024302
🇬🇧 https://translate.kagi.com/translate/https://www.interfax.ru/russia/1024302
Google is on a mission to sell you larger and larger screens while showing you less and less information on them.
If this screenshot were satire, it would actually be pretty hilarious.
https://www.theverge.com/news/661483/google-leak-material-3-expressive-android-design
@c2d The notification has a button called 'hide notification' that leads you into an Android operating system setting that lets you disable the notification
The next #XMPP Developer Sprint is coming up.
📍 Wikimedia Offices, Berlin, Germany
📆 Friday, May 23rd - Sunday, May 25th 2025
❓ Sprints (aka Hackathons) are a great opportunity for interoperability testing, planning new features, meeting other XMPP developers and generally having a good time.
BYOP (Bring your own Project)
Conversations 2.18.2 is available on Google Play and has client-side mitigations for a server-side security issue that was recently discovered and fixed in #ejabberd¹ and #OpenFire².
Go update your server. But just in case that takes a minute, Conversations has your back too!
This release also fixes an issue with restoring (importing) backups on recent Android versions.
¹: https://www.process-one.net/blog/ejabberd-25-04/
²: https://github.com/igniterealtime/Openfire/pull/2761
#Conversations_im has the ability to fetch outage status information from an independent server and display that in case the regular #XMPP server cannot be reached.
This is powered by XEP-0455 (https://xmpp.org/extensions/xep-0455.html).
TLDR: Server gives client a URL to a JSON file during normal connects, client will hold on to that URL and fetch the JSON file in case server is unreachable.
The "Open source developers don’t care about UI" trope is incredibly insulting.
It’s like telling the fourth runner across the finish line at a marathon they clearly don’t care about winning.
Nobody wants their app to look bad. We can and do look at other apps and try to follow trends. Trends change rapidly and UI development is difficult and time consuming.
Security firm: We found XYZ. Here are steps to reproduce. Our customer wants a detailed timeline for when you expect to have this fixed.
Me: (That’s not how this works but) here is the commit.
Security firm: Please credit our researcher in the commit.
Me: I'd be more than happy to give you credit once you've published the audit.
Security firm: We can’t publish the audit
(later)
Please credit us.
Me: I'd be more than happy to give you credit once you've published the audit.
(repeat 10x)
Security audits are a funny thing. We lack the (financial) resources for regular, thorough penetration tests. However, I’m aware that some of the higher-profile users of #Conversations_im occasionally perform audits without my direct involvement and without publishing them afterwards. Those audits aren’t adversarial, as indicated by them wanting me to fix what they find.
The funniest instances are when they want to be credited for finding an issue but refuse to make the audit public.
A big thank you to Radically Open Security for performing the audit and to @nlnet for funding it.
Radically Open Security has been a long-term partner of #Conversations_im ever since they did the first #OMEMO audit back in 2016!
Recent audit: https://conversations.im/2025_audit_conversations.pdf
OMEMO audit: https://conversations.im/omemo/audit.pdf
A recent security audit of #Conversations_im¹ found that wildcard certificate handling didn’t fully comply with the spec.
Conversations was accepting *.a.example for c.b.a.example, even though wildcards are only meant to match a single label.
This issue has been fixed in version 2.18.0, now live on Google Play.
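The single-label wildcard rule from the post above, as an added example (not code from Conversations or from the audit): `lenient_match` is a hypothetical suffix-style matcher that reproduces the described behaviour, `strict_match` is one way to enforce the rule, and all host names are constructed.

```python
def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; ignore one trailing root dot.
    return name.lower().removesuffix(".").split(".")


def lenient_match(pattern: str, host: str) -> bool:
    """Suffix comparison: '*' ends up covering any number of labels."""
    p = pattern.lower().removesuffix(".")
    h = host.lower().removesuffix(".")
    if p.startswith("*."):
        return h.endswith(p[1:])  # ".a.example" is also a suffix of c.b.a.example
    return p == h


def strict_match(pattern: str, host: str) -> bool:
    """Wildcard stands for exactly one label, and only the left-most one."""
    p, h = _labels(pattern), _labels(host)
    # Same number of labels on both sides, and no empty label in the host.
    if len(p) != len(h) or "" in h:
        return False
    if "*" not in pattern:
        return p == h
    # Refuse partial wildcards (f*.a.example) and wildcards in other positions.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    return p[1:] == h[1:]


def compare(pattern: str, hosts: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {host: (lenient result, strict result)} for a certificate name."""
    return {h: (lenient_match(pattern, h), strict_match(pattern, h)) for h in hosts}


if __name__ == "__main__":
    # Constructed sample names, following the pattern used in the post.
    sample = ["b.a.example", "c.b.a.example", "a.example", "B.A.Example."]
    for host, (lenient, strict) in compare("*.a.example", sample).items():
        print(f"{host:16} lenient={lenient!s:5} strict={strict}")
```

The two matchers disagree only on `c.b.a.example`, which is the case the audit finding describes.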
@samueljohnson Glad you asked. Signal is a centralized service run on Big Tech infrastructure. You can decide to trust Signal as your service provider; that’s absolutely fine and reasonable even. But they don’t allow federation or inter-op with anyone who wants to make different choices.
#XMPP gives you that choice. Don’t trust me to be your server operator? That’s fine: pick a different one.
Donations to Signal are directly funding Amazon, Google and Microsoft.¹
¹: https://projects.propublica.org/nonprofits/organizations/824506840