unofficial mirror of guile-user@gnu.org 
* Diversification [ branched from Re: conflicts in the gnu project now affect guile]
@ 2019-10-20  6:10 Todor Kondić
  2019-10-20  6:14 ` John Cowan
                   ` (2 more replies)
  0 siblings, 3 replies; 75+ messages in thread
From: Todor Kondić @ 2019-10-20  6:10 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: guile-user@gnu.org

On Friday, 18 October 2019 17:09, pelzflorian (Florian Pelz) <pelzflorian@pelzflorian.de> wrote:

> On Fri, Oct 18, 2019 at 11:29:35AM +0000, Todor Kondić wrote:
>
> > You know, there is a big IT department within our institution and telling them I will base some serious work on technologies such as GNU Guile and Guix did raise a few eyebrows (those not raised are probably the cause of their proprietors not being informed enough).
> > […]
> > Couple of notes:
> >
> > 1.  Are there any ladies on these lists? I am dying to hear from them
> > 2.  Related to (1) ... a brief look at the maintainers who signed the Joined Statement gives an impression that it leans heavily to the politically Western hemisphere; just a comment, maybe food for thought
> > 3.  The RMS scandal was brought to my attention by a female coder colleague who previously knew nothing of RMS's, or FSF's or GNU's work in the "Open Source Community"; another nibble for thought
>
> There have been few contributions from women,
> e.g. https://lists.gnu.org/archive/html/guile-devel/2017-03/msg00042.html
> (I do not know what its status is), but I believe bringing GNU Guile
> to professional use could help diversify. Thank you for that!
>
> Regards,
> Florian

Hi Florian,

Thanks for the kind words.

The problem of diversification goes way beyond the eccentric, or repugnant (choose at your leisure) views of certain prominent members of our "community".
I've set up my workflows around Guix, git(lab) and a customised Emacs installation (instead of R Studio). My small team of science students (majority female, various cultural backgrounds), never previously exposed to a GNU system to such an extent, managed to get a handle on it quite impressively.

But, I doubt any of them would find it natural to take a step further and participate in GNU itself (ugh, now I sound like a preacher of a new age religion). To my knowledge, interaction within GNU communities is still mostly mailing lists and IRC. This is _not_ my students' natural digital habitat. I am probably not saying anything new, though ...


* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-20  6:10 Diversification [ branched from Re: conflicts in the gnu project now affect guile] Todor Kondić
@ 2019-10-20  6:14 ` John Cowan
  2019-10-21  6:35   ` Arne Babenhauserheide
  2019-10-23  6:16   ` Amirouche Boubekki
  2019-10-20  8:07 ` pelzflorian (Florian Pelz)
  2019-10-22 18:47 ` Mark H Weaver
  2 siblings, 2 replies; 75+ messages in thread
From: John Cowan @ 2019-10-20  6:14 UTC (permalink / raw)
  To: Todor Kondić; +Cc: guile-user@gnu.org

On Sun, Oct 20, 2019 at 2:11 AM Todor Kondić <tk.code@protonmail.com> wrote:

> But, I doubt any of them would find it natural to take a step further and
> participate in GNU itself (ugh, now I sound like a preacher of a new age
> religion). To my knowledge, interaction within GNU communities is still
> mostly mailing lists and IRC. This is _not_ my students' natural digital
> habitat.


The only natural digital habitat of human beings is their fingers.  All
else is learned, and more can be learned at any time.  There's no reason
why students ought to be so closed to new experiences.


 John Cowan          http://vrici.lojban.org/~cowan        cowan@ccil.org
Humpty Dump Dublin squeaks through his norse
                Humpty Dump Dublin hath a horrible vorse
But for all his kinks English / And his irismanx brogues
                Humpty Dump Dublin's grandada of all rogues.  --Cousin James



* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-20  6:10 Diversification [ branched from Re: conflicts in the gnu project now affect guile] Todor Kondić
  2019-10-20  6:14 ` John Cowan
@ 2019-10-20  8:07 ` pelzflorian (Florian Pelz)
  2019-10-20  8:08   ` pelzflorian (Florian Pelz)
  2019-10-22 18:47 ` Mark H Weaver
  2 siblings, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-20  8:07 UTC (permalink / raw)
  To: Todor Kondić; +Cc: guile-user@gnu.org

It is nice to read what you write about successful use of Guile.

On Sun, Oct 20, 2019 at 06:10:45AM +0000, Todor Kondić wrote:
> But, I doubt any of them would find it natural to take a step
> further and participate in GNU itself (ugh, now I sound like a
> preacher of a new age religion). To my knowledge, interaction within
> GNU communities is still mostly mailing lists and IRC. This is _not_ my
> students' natural digital habitat. I am probably not saying anything
> new, though ...
> 
> 

In my experience an e-mail account is still something everyone has and
which friends of mine use at their jobs.  I do not think this is a big
obstacle.  I believe all other on-line communication media have bigger
issues.  I would not like this to change currently.

Anyway, it is good if people know about Scheme and Guix because IMHO
the concepts they stand for are right and most important, even though
in (only) some aspects contributions are still desperately needed for
Scheme/Guile to catch up with other frameworks.  Diversity not only
fits the mission of the GNU Project, GNU also needs people.  But of
course others need people too and non-GNU or non-Scheme projects are
not always wrong.

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-20  8:07 ` pelzflorian (Florian Pelz)
@ 2019-10-20  8:08   ` pelzflorian (Florian Pelz)
  0 siblings, 0 replies; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-20  8:08 UTC (permalink / raw)
  To: Todor Kondić; +Cc: guile-user@gnu.org

P.S. I still believe professional use of Guile is in general a good
and effective way to diversify.




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-20  6:14 ` John Cowan
@ 2019-10-21  6:35   ` Arne Babenhauserheide
  2019-10-21 13:45     ` Amirouche Boubekki
  2019-10-23  6:16   ` Amirouche Boubekki
  1 sibling, 1 reply; 75+ messages in thread
From: Arne Babenhauserheide @ 2019-10-21  6:35 UTC (permalink / raw)
  To: guile-user


John Cowan <cowan@ccil.org> writes:

> On Sun, Oct 20, 2019 at 2:11 AM Todor Kondić <tk.code@protonmail.com> wrote:
>
>> But, I doubt any of them would find it natural to take a step further and
>> participate in GNU itself (ugh, now I sound like a preacher of a new age
>> religion). To my knowledge, interaction within GNU communities is still
>> mostly mailing lists and IRC. This is _not_ my students' natural digital
>> habitat.

> The only natural digital habitat of human beings is their fingers.  All
> else is learned, and more can be learned at any time.  There's no reason
> why students ought to be so closed to new experiences.

That’s true, but even though I prefer IRC to new protocols, there is
much it lacks. For example showing images inline.

That’s a client problem, but it’s real.

Basically this says that we’re the ones who are closed (often for good
reason, but those reasons need to be explained).

Best wishes,
Arne



* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-21  6:35   ` Arne Babenhauserheide
@ 2019-10-21 13:45     ` Amirouche Boubekki
  0 siblings, 0 replies; 75+ messages in thread
From: Amirouche Boubekki @ 2019-10-21 13:45 UTC (permalink / raw)
  To: Arne Babenhauserheide; +Cc: Guile User

On Mon, 21 Oct 2019 at 08:35, Arne Babenhauserheide <arne_bab@web.de> wrote:
>
>
> John Cowan <cowan@ccil.org> writes:
>
> > On Sun, Oct 20, 2019 at 2:11 AM Todor Kondić <tk.code@protonmail.com> wrote:
> >
> >> But, I doubt any of them would find it natural to take a step further and
> >> participate in GNU itself (ugh, now I sound like a preacher of a new age
> >> religion). To my knowledge, interaction within GNU communities is still
> >> mostly mailing lists and IRC. This is _not_ my students' natural digital
> >> habitat.
>
> > The only natural digital habitat of human beings is their fingers.  All
> > else is learned, and more can be learned at any time.  There's no reason
> > why students ought to be so closed to new experiences.
>
> That’s true, but even though I prefer IRC to new protocols, there is
> much it lacks. For example showing images inline.
>
> That’s a client problem, but it’s real.
>
> Basically this says that we’re the ones who are closed (often for good
> reason, but those reasons need to be explained).

There are new clients that support IRC, like riot.im via Matrix:

https://about.riot.im/




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-20  6:10 Diversification [ branched from Re: conflicts in the gnu project now affect guile] Todor Kondić
  2019-10-20  6:14 ` John Cowan
  2019-10-20  8:07 ` pelzflorian (Florian Pelz)
@ 2019-10-22 18:47 ` Mark H Weaver
  2019-10-22 19:23   ` Zelphir Kaltstahl
  2 siblings, 1 reply; 75+ messages in thread
From: Mark H Weaver @ 2019-10-22 18:47 UTC (permalink / raw)
  To: Todor Kondić; +Cc: guile-user

Hi Todor,

Todor Kondić <tk.code@protonmail.com> writes:

> [...]  I've set up my workflows around Guix, git(lab)
> and a customised Emacs installation (instead of R Studio). My small
> team of science students (majority female, various cultural
> backgrounds), never previously exposed to a GNU system to such an
> extent, managed to get a handle on it quite impressively.
>
> But, I doubt any of them would find it natural to take a step further
> and participate in GNU itself (ugh, now I sound like a preacher of a
> new age religion). To my knowledge, interaction within GNU communities
> is still mostly mailing lists and IRC. This is _not_ my students' natural
> digital habitat. I am probably not saying anything new, though ...

You raise an important issue.  If we can improve the situation without
causing other problems, I think we should.  I don't know of any modern
replacement for mailing lists that has the properties we need, but I
*do* think there's a very promising alternative for live chat: Matrix.
Amirouche mentioned it elsewhere in this thread.

  https://matrix.org/

Matrix is supported by a very large and diverse set of free clients,
from modern Web-based interfaces to simple text programs, multiple
Emacs-based clients, and several gateways to other protocols such as
IRC, so that old-timers can use their preferred IRC client if they
prefer.

  https://matrix.org/clients/

Incidentally, there was recently an internal GNU project discussion
about how to better communicate with one another, and Matrix was
identified as an option that would meet our requirements.

The client that would likely be most attractive for the younger
generation is Riot.im:

  https://about.riot.im/

What do you think?

    Thanks,
      Mark




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-22 18:47 ` Mark H Weaver
@ 2019-10-22 19:23   ` Zelphir Kaltstahl
  2019-10-22 20:51     ` Arne Babenhauserheide
  2019-10-22 23:24     ` Chris Vine
  0 siblings, 2 replies; 75+ messages in thread
From: Zelphir Kaltstahl @ 2019-10-22 19:23 UTC (permalink / raw)
  To: guile-user

Hi!

I just want to share my experience with Riot.

I have used it before. In fact, I used it to communicate with only one
person so far for reasons I will mention below. Today there was a
strange thing, when Riot showed an error and warned that it could be a
replay attack. This is not the first time something happened. If you
remember, some time ago everyone had to upgrade their Riot.IM
client, because someone had intruded in the server system (IIRC it was
someone who worked there before and still had access somehow. It was
linked on Hacker News. Let's see if I can find it … Probably one of the
search results of: https://hn.algolia.com/?q=riot.im).

We would have to ask ourselves, whether Riot is sufficiently independent
too. I believe it depends on the master server being up and running. If
we could have our own, that would of course be better.

The reason however, why I have only ever used Riot with one person is,
surprise surprise, that most people are not willing to sacrifice the
tiniest bit of comfort for enhanced security. This one person I used it
with tried to get 2 more people on board, who were even less tech-savvy
and whom I did not have the chance of helping directly to get things
set up, and so we remained 1-on-1 on Riot.IM.

Let me explain further:

To verify another person's device, one has to exchange information via a
second trusted channel. That information is a sequence of icons being
shown. If they are the same as the ones the other person sends you via the
second trusted channel, you can reasonably assume that the device you
are communicating with is under their control.

When it comes to the step of exchanging information about what icons are
displayed, most people will close the app and say "it's too
complicated", because they do not understand it ("Huh? How strange! Why
I have to do that? Are icons secure?") or do not want to do anything in
order to have security. They are not willing to invest as much as 5min
of effort, to have encrypted chat. What makes matters worse is, that
when you use Riot.IM in the browser, it might happen, that every time
you log in, the other person has to re-verify your device. Guess what
people will do when facing that workflow …

As much as I like Riot.IM, it did have its share of problems and does
bring in some required effort for setting up communication. I would
personally still like to use it, however, I very much doubt, that
someone, who is not willing to use a mailing list, is willing to get
Riot.IM set up and keep it running, while being aware of the security
implications of trusting devices of other people, adhering to a good
security aware workflow. And we are not even using GPG on the mailing
list a lot, so people don't even have to deal with Enigmail yet, to post
and read on the mailing list.

Maybe offering Riot.IM as an alternative would still make sense, just to
see how it goes, but don't bet on many people joining Riot.IM. I am
willing to try!

Best regards,

Zelphir


On 10/22/19 8:47 PM, Mark H Weaver wrote:
> Hi Todor,
>
> Todor Kondić <tk.code@protonmail.com> writes:
>
>> [...]  I've set up my workflows around Guix, git(lab)
>> and a customised Emacs installation (instead of R Studio). My small
>> team of science students (majority female, various cultural
>> backgrounds), never previously exposed to a GNU system to such an
>> extent, managed to get a handle on it quite impressively.
>>
>> But, I doubt any of them would find it natural to take a step further
>> and participate in GNU itself (ugh, now I sound like a preacher of a
>> new age religion). To my knowledge, interaction within GNU communities
>> is still mostly mailing lists and IRC. This is _not_ my students' natural
>> digital habitat. I am probably not saying anything new, though ...
> You raise an important issue.  If we can improve the situation without
> causing other problems, I think we should.  I don't know of any modern
> replacement for mailing lists that has the properties we need, but I
> *do* think there's a very promising alternative for live chat: Matrix.
> Amirouche mentioned it elsewhere in this thread.
>
>   https://matrix.org/
>
> Matrix is supported by a very large and diverse set of free clients,
> from modern Web-based interfaces to simple text programs, multiple
> Emacs-based clients, and several gateways to other protocols such as
> IRC, so that old-timers can use their preferred IRC client if they
> prefer.
>
>   https://matrix.org/clients/
>
> Incidentally, there was recently an internal GNU project discussion
> about how to better communicate with one another, and Matrix was
> identified as an option that would meet our requirements.
>
> The client that would likely be most attractive for the younger
> generation is Riot.im:
>
>   https://about.riot.im/
>
> What do you think?
>
>     Thanks,
>       Mark
>




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-22 19:23   ` Zelphir Kaltstahl
@ 2019-10-22 20:51     ` Arne Babenhauserheide
  2019-10-22 23:24     ` Chris Vine
  1 sibling, 0 replies; 75+ messages in thread
From: Arne Babenhauserheide @ 2019-10-22 20:51 UTC (permalink / raw)
  To: guile-user


Zelphir Kaltstahl <zelphirkaltstahl@posteo.de> writes:
> To verify another person's device, one has to exchange information via a
> second trusted channel. That information is a sequence of icons being
> shown. If they are the same as the ones the other person sends you via the
> second trusted channel, you can reasonably assume that the device you
> are communicating with is under their control.
>
> When it comes to the step of exchanging information about what icons are
> displayed, most people will close the app and say "it's too
> complicated", because they do not understand it ("Huh? How strange! Why
> I have to do that? Are icons secure?") or do not want to do anything in
> order to have security. They are not willing to invest as much as 5min

In Freenet we have the same problem. We once had someone start an app
that used tapping phones together to exchange references, but it did not
get developed further.

It nowadays lives under my account, but I don’t have the time to work on
it (or rather: other things have higher priority for me).

https://github.com/ArneBab/Icicle

Maybe someone can find a tool there to ease initial setup.

Also TOFU is something we desperately need more of. For example I
recently had two unrelated people writing to me by email and our
communication was encrypted automatically because they used enigmail
with autocrypt and pretty-easy-privacy.

Best wishes,
Arne
--
Being apolitical
means being political
without noticing it


* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-22 19:23   ` Zelphir Kaltstahl
  2019-10-22 20:51     ` Arne Babenhauserheide
@ 2019-10-22 23:24     ` Chris Vine
  2019-10-23  0:57       ` Zelphir Kaltstahl
  1 sibling, 1 reply; 75+ messages in thread
From: Chris Vine @ 2019-10-22 23:24 UTC (permalink / raw)
  To: guile-user

On Tue, 22 Oct 2019 21:23:32 +0200
Zelphir Kaltstahl <zelphirkaltstahl@posteo.de> wrote:
[snip]
> The reason however, why I have only ever used Riot with one person is,
> surprise surprise, that most people are not willing to sacrifice the
> tiniest bit of comfort for enhanced security. This one person I used it
> with tried to get 2 more people on board, who were even less tech-savvy
> and whom I did not have the chance of helping directly to get things
> set up, and so we remained 1-on-1 on Riot.IM.
>
> Let me explain further:
> 
> To verify another person's device, one has to exchange information via a
> second trusted channel. That information is a sequence of icons being
> shown. If they are the same as the ones the other person sends you via the
> second trusted channel, you can reasonably assume that the device you
> are communicating with is under their control.
> 
> When it comes to the step of exchanging information about what icons are
> displayed, most people will close the app and say "it's too
> complicated", because they do not understand it ("Huh? How strange! Why
> I have to do that? Are icons secure?") or do not want to do anything in
> order to have security. They are not willing to invest as much as 5min
> of effort, to have encrypted chat. What makes matters worse is, that
> when you use Riot.IM in the browser, it might happen, that every time
> you log in, the other person has to re-verify your device. Guess what
> people will do when facing that workflow …

This is a public mailing list, and any replacement of it is going to be
a mailing-list-alike.  Why do they (or chats) need to be encrypted or
have the sender verified?  No one should be posting sensitive personal
information here so I don't understand the point of it.  Lack of
understanding of (or disagreement with) the purpose may be what is
holding your idea back. If you want to set up private mailing lists or
chat servers, fair enough, but that's not what this is.

Discord seems a reasonably popular chat medium with a bridge to IRC and
discourse seems reasonably popular as a web based mailing-list-ish
medium with a somewhat more vibey feel than traditional mailing lists.




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-22 23:24     ` Chris Vine
@ 2019-10-23  0:57       ` Zelphir Kaltstahl
  2019-10-23  6:44         ` pelzflorian (Florian Pelz)
  0 siblings, 1 reply; 75+ messages in thread
From: Zelphir Kaltstahl @ 2019-10-23  0:57 UTC (permalink / raw)
  To: guile-user


On 10/23/19 1:24 AM, Chris Vine wrote:
> On Tue, 22 Oct 2019 21:23:32 +0200
> Zelphir Kaltstahl <zelphirkaltstahl@posteo.de> wrote:
> [snip]
>> The reason however, why I have only ever used Riot with one person is,
>> surprise surprise, that most people are not willing to sacrifice the
>> tiniest bit of comfort for enhanced security. This one person I used it
>> with tried to get 2 more people on board, who were even less tech-savvy
>> and whom I did not have the chance of helping directly to get things
>> set up, and so we remained 1-on-1 on Riot.IM.
>>
>> Let me explain further:
>>
>> To verify another person's device, one has to exchange information via a
>> second trusted channel. That information is a sequence of icons being
>> shown. If they are the same as the ones the other person sends you via the
>> second trusted channel, you can reasonably assume that the device you
>> are communicating with is under their control.
>>
>> When it comes to the step of exchanging information about what icons are
>> displayed, most people will close the app and say "it's too
>> complicated", because they do not understand it ("Huh? How strange! Why
>> I have to do that? Are icons secure?") or do not want to do anything in
>> order to have security. They are not willing to invest as much as 5min
>> of effort, to have encrypted chat. What makes matters worse is, that
>> when you use Riot.IM in the browser, it might happen, that every time
>> you log in, the other person has to re-verify your device. Guess what
>> people will do when facing that workflow …
> This is a public mailing list, and any replacement of it is going to be
> a mailing-list-alike.  Why do they (or chats) need to be encrypted or
> have the sender verified?  No one should be posting sensitive personal
> information here so I don't understand the point of it.  Lack of
> understanding of (or disagreement with) the purpose may be what is
> holding your idea back. If you want to set up private mailing lists or
> chat servers, fair enough, but that's not what this is.
>
> Discord seems a reasonably popular chat medium with a bridge to IRC and
> discourse seems reasonably popular as a web based mailing-list-ish
> medium with a somewhat more vibey feel than traditional mailing lists.
>
Hi!

My example was about private conversation and a friend. So you are
right, that the example does not quite match the mailing list example.
Maybe we should clear up the question what kind of communication would
happen over such a new channel first, before making any decisions.

In Riot you will notice that you see a warning when the devices are not
verified. That confuses users. Not sure what you can do about it in
terms of making settings default, as I have not used Riot in a public
communication scenario.

You did not address the other point I raised though: Dependency on a
third party server (and all the implications, when/if it gets hacked
again). Same goes for Discord. It would not be under our control whether
the server is running. In case of Discord: While we only need a mail
client for posting on a mailing list, using Discord requires to use a
bloated Electron app. When you start Discord and log in, the first thing
that happens is, that your CPU fan starts rotating, because of Discord
showing ads with videos. Do we really want to let people go through this
to interact with the rest of us?

There is also the problem of non-searchable content. You cannot, as far
as I know, search in a search engine through Discord or Riot messages.
If content by tendency of "quickly solving the problem in chat" moves to
non-searchable medium, it will mean, that searching in search engines
does not benefit from those solutions.

Another problem are the company policies of Discord. Not exactly a place
where you'd expect free software to happen.

However, like I said, I personally would be willing to try it, for sure!
Some communities already actively use Discord (Pharo community for example).

Best regards,

Zelphir


* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-20  6:14 ` John Cowan
  2019-10-21  6:35   ` Arne Babenhauserheide
@ 2019-10-23  6:16   ` Amirouche Boubekki
  2019-10-23  6:27     ` Nala Ginrut
  2019-10-23  6:48     ` pelzflorian (Florian Pelz)
  1 sibling, 2 replies; 75+ messages in thread
From: Amirouche Boubekki @ 2019-10-23  6:16 UTC (permalink / raw)
  To: John Cowan; +Cc: guile-user@gnu.org

On Sun, 20 Oct 2019 at 08:14, John Cowan <cowan@ccil.org> wrote:
>
> On Sun, Oct 20, 2019 at 2:11 AM Todor Kondić <tk.code@protonmail.com> wrote:
>
> > But, I doubt any of them would find it natural to take a step further and
> > participate in GNU itself (ugh, now I sound like a preacher of a new age
> > religion). To my knowledge, interaction within GNU communities is still
> > mostly mailing lists and IRC. This is _not_ my students' natural digital
> > habitat.
>
>
> The only natural digital habitat of human beings is their fingers.  All
> else is learned, and more can be learned at any time.  There's no reason
> why students ought to be so closed to new experiences.


Regarding the mailing list, many projects (among them GNOME) have or will
adopt https://www.discourse.org/. It has a per-user mailing list mode
but it cannot bridge mailman. My guess is that a discourse instance
only for GNU Guile and Guix would be overkill, so maybe GNU might
consider using that software?




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23  6:16   ` Amirouche Boubekki
@ 2019-10-23  6:27     ` Nala Ginrut
  2019-10-23  6:48     ` pelzflorian (Florian Pelz)
  1 sibling, 0 replies; 75+ messages in thread
From: Nala Ginrut @ 2019-10-23  6:27 UTC (permalink / raw)
  To: Amirouche Boubekki; +Cc: guile-user@gnu.org

On Wed, Oct 23, 2019 at 2:17 PM Amirouche Boubekki <amirouche.boubekki@gmail.com> wrote:

> Regarding the mailing list, many projects (among them GNOME) have or will
> adopt https://www.discourse.org/. It has a per-user mailing list mode
> but it cannot bridge mailman. My guess is that a discourse instance
> only for GNU Guile and Guix would be overkill, so maybe GNU might
> consider using that software?
>

IIRC someone on the GNU private mailing list had mentioned GNOME
Discourse, but the RMS issue that suddenly happened later interrupted the
discussion, so I have no idea where it is now.
Maybe it's a good idea to raise it again.

Best regards.



* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23  0:57       ` Zelphir Kaltstahl
@ 2019-10-23  6:44         ` pelzflorian (Florian Pelz)
  0 siblings, 0 replies; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-23  6:44 UTC (permalink / raw)
  To: Zelphir Kaltstahl; +Cc: guile-user

On Wed, Oct 23, 2019 at 02:57:03AM +0200, Zelphir Kaltstahl wrote:
> You did not address the other point I raised though: Dependency on a
> third party server (and all the implications, when/if it gets hacked
> again).

A matrix server and its coordination server could be hosted by anyone;
AFAIK it is simple HTTP.  Most projects would not host the
coordination server themselves though.

I do not know the legal implications from offering encrypted, private
communications which would AFAIK be offered implicitly when using
Matrix even though we do not need it.  It may be legally preferable
to have a serverless communications medium that need not be hosted,
Gnunet-style (not to mention that supporting another GNU project fits
well).  My outdated impression is that the Gnunet project is far from
offering popular messaging apps though.

Additionally, few people have real security.  Most people download
software from all over the internets and run it.  At the very least,
people's operating system provider could be forced by law or by
crackers to push a trojan via update.  Claiming more security than
what can be offered seems dishonest.

> There is also the problem of non-searchable content. You cannot, as far
> as I know, search in a search engine through Discord or Riot messages.
> If content by tendency of "quickly solving the problem in chat" moves to
> non-searchable medium, it will mean, that searching in search engines
> does not benefit from those solutions.
>

There should be searchable logs.  I am confident searchable logs can
be implemented for Matrix like they can with IRC.

Matrix may be a step forward from IRC or it may not matter at all.
I do not know as I am not using synchronous communication personally.

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23  6:16   ` Amirouche Boubekki
  2019-10-23  6:27     ` Nala Ginrut
@ 2019-10-23  6:48     ` pelzflorian (Florian Pelz)
  2019-10-23 10:37       ` Chris Vine
  2019-10-23 13:45       ` tomas
  1 sibling, 2 replies; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-23  6:48 UTC (permalink / raw)
  To: Amirouche Boubekki; +Cc: guile-user@gnu.org

On Wed, Oct 23, 2019 at 08:16:34AM +0200, Amirouche Boubekki wrote:
> Regarding the mailing list, many projects (among them GNOME) have or will
> adopt https://www.discourse.org/. It has a per-user mailing list mode
> but it cannot bridge mailman. My guess is that a discourse instance
> only for GNU Guile and Guix would be overkill, so maybe GNU might
> consider using that software?
> 

I only know that subscribing to GNOME Discourse required Javascript
and its mail headers are less pretty compared to mailman.

I would prefer eventually having a forum/bulletin board-like Web
interface to mailing lists in Guile and until then stick to pure
mailing lists.

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23  6:48     ` pelzflorian (Florian Pelz)
@ 2019-10-23 10:37       ` Chris Vine
  2019-10-23 11:25         ` pelzflorian (Florian Pelz)
  2019-10-23 13:43         ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] tomas
  2019-10-23 13:45       ` tomas
  1 sibling, 2 replies; 75+ messages in thread
From: Chris Vine @ 2019-10-23 10:37 UTC (permalink / raw)
  To: guile-user

On Wed, 23 Oct 2019 08:48:13 +0200
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
> On Wed, Oct 23, 2019 at 08:16:34AM +0200, Amirouche Boubekki wrote:
> > Regarding the mailling list, many projects (among GNOME) have or will
> > adopt https://www.discourse.org/. It has a per-user mailling list mode
> > but it can not bridge mailman. My guess is that a discourse instance
> > only for GNU Guile and Guix would be overkill, so maybe GNU might
> > consider using that software?
> 
> I only know that subscribing to GNOME Discourse required Javascript
> and its mail headers are less pretty compared to mailman.
> 
> I would prefer eventually having a forum/bulletin board-like Web
> interface to mailing lists in Guile and until then stick to pure
> mailing lists.

That's pretty much what discourse is - an attractive web interface to
something like mailing lists, with the option to use a mail client
interface as well as the web interface if you want.

To be clear I am definitely not pushing for this kind of change
(I think I must be quite old-fashioned because it seems to me that
traditional mailing lists work fine), nor am I particularly against it.
I am not sure what it is that caused gnome to move from mailman to
discourse, but I suspect it was to get the more up-to-date feel of a web
interface.  I notice also that the ocaml "mailing list" also uses
discourse, should anyone want to ask them what they get out of it.




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 10:37       ` Chris Vine
@ 2019-10-23 11:25         ` pelzflorian (Florian Pelz)
  2019-10-23 12:33           ` pelzflorian (Florian Pelz)
  2019-10-23 13:43         ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] tomas
  1 sibling, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-23 11:25 UTC (permalink / raw)
  To: Chris Vine; +Cc: guile-user

On Wed, 23 Oct 2019 08:48:13 +0200
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
> On Wed, Oct 23, 2019 at 08:16:34AM +0200, Amirouche Boubekki wrote:
> I only know that subscribing to GNOME Discourse required Javascript
> and its mail headers are less pretty compared to mailman.
> 

These are the reasons why I do not like Discourse.

> I am not sure what it is that caused gnome to move from mailman to
> discourse, but I suspect it was to get the more up-to-date feel of a web
> interface.

I quote Emmanuele Bassi, <https://mail.gnome.org/archives/gtk-devel-list/2019-February/msg00001.html>:
> Having a better archive search, a better moderation system, and a
> decent web UI are the major selling points for switching to
> Discourse.

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 11:25         ` pelzflorian (Florian Pelz)
@ 2019-10-23 12:33           ` pelzflorian (Florian Pelz)
  2019-10-23 13:47             ` tomas
                               ` (2 more replies)
  0 siblings, 3 replies; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-23 12:33 UTC (permalink / raw)
  To: Chris Vine; +Cc: guile-user

On Wed, Oct 23, 2019 at 01:25:44PM +0200, pelzflorian (Florian Pelz) wrote:
> On Wed, 23 Oct 2019 08:48:13 +0200
> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
> > On Wed, Oct 23, 2019 at 08:16:34AM +0200, Amirouche Boubekki wrote:
> > I only know that subscribing to GNOME Discourse required Javascript
> > and its mail headers are less pretty compared to mailman.
> > 
> 
> These are the reasons why I do not like Discourse.
> 
> > I am not sure what it is that caused gnome to move from mailman to
> > discourse, but I suspect it was to get the more up-to-date feel of a web
> > interface.
> 
> I quote Emmanuele Bassi, <https://mail.gnome.org/archives/gtk-devel-list/2019-February/msg00001.html>:
> > Having a better archive search, a better moderation system, and a
> > decent web UI are the major selling points for switching to
> > Discourse.
> 

If there isn’t one already, then I would like to start working on a
written in Guile, free software, old-school bulletin board-like
interface, perhaps with a more modern UI design, next week.  I do not
like Discourse and will need something like this anyway for other
projects.  I see there already is guile-email and Mumi.  So far I had
no time looking at either.  I would start next week.

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 10:37       ` Chris Vine
  2019-10-23 11:25         ` pelzflorian (Florian Pelz)
@ 2019-10-23 13:43         ` tomas
  2019-10-23 17:39           ` Chris Vine
  2019-10-23 20:02           ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] pelzflorian (Florian Pelz)
  1 sibling, 2 replies; 75+ messages in thread
From: tomas @ 2019-10-23 13:43 UTC (permalink / raw)
  To: guile-user

[-- Attachment #1: Type: text/plain, Size: 1414 bytes --]

On Wed, Oct 23, 2019 at 11:37:24AM +0100, Chris Vine wrote:
> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:

[...]

> > I would prefer eventually having a forum/bulletin board-like Web
> > interface to mailing lists in Guile and until then stick to pure
> > mailing lists.
> 
> That's pretty much what discourse is - an attractive web interface to
> something like mailing lists, with the option to use a mail client
> interface as well as the web interface if you want.

I've some practical experience with Discourse and... I'd say it's
the other way around. Shiny GUI is the paradigm, mail is just a
let's-keep-those-old-goofs-happy afterthought.

If you're wired around mail, it's not enjoyable. Feels like
a second-class citizen to me.

This doesn't sound positive, I know -- but I think the "problem"
might lie at a deeper level and won't be solvable without deeper
analysis (instead of hacking together yet-another-forum).

Just watch the regular conflicts between top-posters and top-post
phobia on other mailing lists: those tensions are cultural, and
can't be addressed "just" by a tool. 

I'm not dismissing Todor's insightful initial post -- not in the
least! Actually I think he's very right. But perhaps we need
bridges between cultures and not just between tools. And that
takes deep thinking (and people instead of machines, maybe).

Cheers
-- t

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]


* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23  6:48     ` pelzflorian (Florian Pelz)
  2019-10-23 10:37       ` Chris Vine
@ 2019-10-23 13:45       ` tomas
  1 sibling, 0 replies; 75+ messages in thread
From: tomas @ 2019-10-23 13:45 UTC (permalink / raw)
  To: guile-user

[-- Attachment #1: Type: text/plain, Size: 687 bytes --]

On Wed, Oct 23, 2019 at 08:48:13AM +0200, pelzflorian (Florian Pelz) wrote:
> On Wed, Oct 23, 2019 at 08:16:34AM +0200, Amirouche Boubekki wrote:
> > Regarding the mailling list, many projects (among GNOME) have or will
> > adopt https://www.discourse.org/ [...]

> I only know that subscribing to GNOME Discourse required Javascript
> and its mail headers are less pretty compared to mailman.

Yep. That's another antipattern. The platform dictates the client;
the protocol is whatever the client /du jour/, which you download
time and again, happens to talk to the server today.

With Discourse, at least, there's a mail interface, although I
perceive it as less-than-nice.

Cheers
-- t

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]


* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 12:33           ` pelzflorian (Florian Pelz)
@ 2019-10-23 13:47             ` tomas
  2019-10-23 14:10               ` pelzflorian (Florian Pelz)
  2019-10-23 19:19             ` Zelphir Kaltstahl
  2019-10-28 11:04             ` mailman web interface (was: Diversification) pelzflorian (Florian Pelz)
  2 siblings, 1 reply; 75+ messages in thread
From: tomas @ 2019-10-23 13:47 UTC (permalink / raw)
  To: guile-user

[-- Attachment #1: Type: text/plain, Size: 249 bytes --]

On Wed, Oct 23, 2019 at 02:33:43PM +0200, pelzflorian (Florian Pelz) wrote:

[...]

> If there isn’t one already, then I would like to start working on a
> written in Guile [...]

Hmmm. I might be your first contributor :)

Cheers
-- t

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]


* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 13:47             ` tomas
@ 2019-10-23 14:10               ` pelzflorian (Florian Pelz)
  2019-10-23 19:09                 ` Mikael Djurfeldt
  0 siblings, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-23 14:10 UTC (permalink / raw)
  To: tomas; +Cc: guile-user

On Wed, Oct 23, 2019 at 03:47:21PM +0200, tomas@tuxteam.de wrote:
> On Wed, Oct 23, 2019 at 02:33:43PM +0200, pelzflorian (Florian Pelz) wrote:
> 
> [...]
> 
> > If there isn’t one already, then I would like to start working on a
> > written in Guile [...]
> 
> Hmmm. I might be your first contributor :)
> 
> Cheers
> -- t

That would be welcome.  I will only start next week with looking at
other software
<https://en.wikipedia.org/wiki/Internet_forum_software>.

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 13:43         ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] tomas
@ 2019-10-23 17:39           ` Chris Vine
  2019-10-23 19:58             ` Mailman web interface [was: Re: Diversification] pelzflorian (Florian Pelz)
  2019-10-23 20:02           ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] pelzflorian (Florian Pelz)
  1 sibling, 1 reply; 75+ messages in thread
From: Chris Vine @ 2019-10-23 17:39 UTC (permalink / raw)
  To: guile-user

On Wed, 23 Oct 2019 15:43:26 +0200
<tomas@tuxteam.de> wrote:
> On Wed, Oct 23, 2019 at 11:37:24AM +0100, Chris Vine wrote:
> > "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
> 
> [...]
> 
> > > I would prefer eventually having a forum/bulletin board-like Web
> > > interface to mailing lists in Guile and until then stick to pure
> > > mailing lists.
> > 
> > That's pretty much what discourse is - an attractive web interface to
> > something like mailing lists, with the option to use a mail client
> > interface as well as the web interface if you want.
> 
> I've some practical experience with Discourse and... I'd say it's
> the other way around. Shiny GUI is the paradigm, mail is just a
> let's-keep-those-old-goofs-happy afterthought.
> 
> If you're wired around mail, it's not enjoyable. Feels like
> a second-class citizen to me.
> 
> This doesn't sound positive, I know -- but I think the "problem"
> might lie at a deeper level and won't be solvable without deeper
> analysis (instead of hacking together yet-another-forum).

I think I have an in-built resistance to getting excited about the
format according to which someone's public text message is transferred
and/or displayed to me.  Using the expression "message list" as a
generic term, I use message lists which use mailman and message lists
which use discourse.  I still use usenet for some things.  All of these
seem OK and keep me happy.

There is only so much you can do right or wrong with such things.  I
certainly wouldn't be spending my time rewriting them.

If you want private mailing lists with privacy, verification and
encryption, then that's another kettle of fish.  There's plenty of room
for new thinking there for sure.




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 14:10               ` pelzflorian (Florian Pelz)
@ 2019-10-23 19:09                 ` Mikael Djurfeldt
  2019-10-23 19:26                   ` pelzflorian (Florian Pelz)
  0 siblings, 1 reply; 75+ messages in thread
From: Mikael Djurfeldt @ 2019-10-23 19:09 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: guile-user

Florian, would Nala Ginrut's Artanis be a useful framework to base a
bulletin board system on?

https://web-artanis.com/

On Wed, 23 Oct 2019 at 16:15, pelzflorian (Florian Pelz) <pelzflorian@pelzflorian.de> wrote:

> On Wed, Oct 23, 2019 at 03:47:21PM +0200, tomas@tuxteam.de wrote:
> > On Wed, Oct 23, 2019 at 02:33:43PM +0200, pelzflorian (Florian Pelz)
> wrote:
> >
> > [...]
> >
> > > If there isn’t one already, then I would like to start working on a
> > > written in Guile [...]
> >
> > Hmmm. I might be your first contributor :)
> >
> > Cheers
> > -- t
>
> That would be welcome.  I will only start next week with looking at
> other software
> <https://en.wikipedia.org/wiki/Internet_forum_software>.
>
> Regards,
> Florian
>
>



* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 12:33           ` pelzflorian (Florian Pelz)
  2019-10-23 13:47             ` tomas
@ 2019-10-23 19:19             ` Zelphir Kaltstahl
  2019-10-24  1:01               ` Nala Ginrut
  2020-09-05  6:15               ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] Joshua Branson via General Guile related discussions
  2019-10-28 11:04             ` mailman web interface (was: Diversification) pelzflorian (Florian Pelz)
  2 siblings, 2 replies; 75+ messages in thread
From: Zelphir Kaltstahl @ 2019-10-23 19:19 UTC (permalink / raw)
  To: guile-user


On 10/23/19 2:33 PM, pelzflorian (Florian Pelz) wrote:
> On Wed, Oct 23, 2019 at 01:25:44PM +0200, pelzflorian (Florian Pelz) wrote:
>> On Wed, 23 Oct 2019 08:48:13 +0200
>> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
>>> On Wed, Oct 23, 2019 at 08:16:34AM +0200, Amirouche Boubekki wrote:
>>> I only know that subscribing to GNOME Discourse required Javascript
>>> and its mail headers are less pretty compared to mailman.
>>>
>> These are the reasons why I do not like Discourse.
>>
>>> I am not sure what it is that caused gnome to move from mailman to
>>> discourse, but I suspect it was to get the more up-to-date feel of a web
>>> interface.
>> I quote Emmanuele Bassi, <https://mail.gnome.org/archives/gtk-devel-list/2019-February/msg00001.html>:
>>> Having a better archive search, a better moderation system, and a
>>> decent web UI are the major selling points for switching to
>>> Discourse.
> If there isn’t one already, then I would like to start working on a
> written in Guile, free software, old-school bulletin board-like
> interface, perhaps with a more modern UI design, next week.  I do not
> like Discourse and will need something like this anyway for other
> projects.  I see there already is guile-email and Mumi.  So far I had
> no time looking at either.  I would start next week.
>
> Regards,
> Florian

It would be an interesting project, for an example of how to do a Guile
server side. What kind of library/framework/tool would you use for the
server side? I think the standard library webserver is still very bare
bones. So far I've not tried GNU Artanis. Would it be a good idea to use
that?

I've created some example code for the standard library web server:

https://gitlab.com/zelphir-kaltstahl-projects/guile-scheme-tutorials-and-examples/tree/dev/web-development/using-guile-webserver

But it has not progressed very far.

Regards,
Zelphir





* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 19:09                 ` Mikael Djurfeldt
@ 2019-10-23 19:26                   ` pelzflorian (Florian Pelz)
  0 siblings, 0 replies; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-23 19:26 UTC (permalink / raw)
  To: Mikael Djurfeldt; +Cc: guile-user

On Wed, Oct 23, 2019 at 09:09:46PM +0200, Mikael Djurfeldt wrote:
> Florian, would Nala Ginrut's Artanis be a useful framework to base a
> bulletin board system on?
> 
> https://web-artanis.com/
> 

Thank you for reminding me.  I had thought of Artanis, but only had a
cursory look at it before.  (Please do not overestimate my limited
experience here.)  Its functionality seems appropriate.  I will take a
more thorough look at its extensive features and documentation.

Regards,
Florian




* Mailman web interface [was: Re: Diversification]
  2019-10-23 17:39           ` Chris Vine
@ 2019-10-23 19:58             ` pelzflorian (Florian Pelz)
  0 siblings, 0 replies; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-23 19:58 UTC (permalink / raw)
  To: Chris Vine; +Cc: guile-user

I believe mailman 2 as used on lists.gnu.org is the backend we care
about here.  I would prefer it if the mailing list Web frontend would
work as a MUA producing messages that look good in plain text,
monospace e-mail clients.  The MBOX from selected GNU mailman lists
would be the “forum” threads prominently displayed; other mail would
be private messages.  Should every user be given a
@guile-forum.gnu.org mail address?

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 13:43         ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] tomas
  2019-10-23 17:39           ` Chris Vine
@ 2019-10-23 20:02           ` pelzflorian (Florian Pelz)
  2019-10-26  8:14             ` tomas
  1 sibling, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-23 20:02 UTC (permalink / raw)
  To: tomas; +Cc: guile-user

On Wed, Oct 23, 2019 at 03:43:26PM +0200, tomas@tuxteam.de wrote:
> But perhaps we need
> bridges between cultures and not just between tools. And that
> takes deep thinking (and people instead of machines, maybe).
> 

I believe good mailing list etiquette is similar to good forum
etiquette.  Today’s culture is not a forum culture, of course.

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 19:19             ` Zelphir Kaltstahl
@ 2019-10-24  1:01               ` Nala Ginrut
  2019-10-24  9:19                 ` pelzflorian (Florian Pelz)
  2019-10-24  9:35                 ` mailmam, web bridge, forum, p2p (was: Diversification) Amirouche Boubekki
  2020-09-05  6:15               ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] Joshua Branson via General Guile related discussions
  1 sibling, 2 replies; 75+ messages in thread
From: Nala Ginrut @ 2019-10-24  1:01 UTC (permalink / raw)
  To: Zelphir Kaltstahl; +Cc: Guile User

Hi folks!
Artanis has been used in production, that is to say, it works stably and
keeps being maintained. Artanis aims for rapid development just like Ruby
on Rails, so that you may try your different ideas quickly.

If anyone is willing to try Artanis for the modern forum of Guile
community, I'd like to provide free technical support, free as in free
beer. :-)

Best regards.


On Thu, 24 Oct 2019 at 05:42, Zelphir Kaltstahl <zelphirkaltstahl@posteo.de> wrote:

>
> On 10/23/19 2:33 PM, pelzflorian (Florian Pelz) wrote:
> > On Wed, Oct 23, 2019 at 01:25:44PM +0200, pelzflorian (Florian Pelz)
> wrote:
> >> On Wed, 23 Oct 2019 08:48:13 +0200
> >> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
> >>> On Wed, Oct 23, 2019 at 08:16:34AM +0200, Amirouche Boubekki wrote:
> >>> I only know that subscribing to GNOME Discourse required Javascript
> >>> and its mail headers are less pretty compared to mailman.
> >>>
> >> These are the reasons why I do not like Discourse.
> >>
> >>> I am not sure what it is that caused gnome to move from mailman to
> >>> discourse, but I suspect it was to get the more up-to-date feel of a
> web
> >>> interface.
> >> I quote Emmanuele Bassi, <
> https://mail.gnome.org/archives/gtk-devel-list/2019-February/msg00001.html
> >:
> >>> Having a better archive search, a better moderation system, and a
> >>> decent web UI are the major selling points for switching to
> >>> Discourse.
> > If there isn’t one already, then I would like to start working on a
> > written in Guile, free software, old-school bulletin board-like
> > interface, perhaps with a more modern UI design, next week.  I do not
> > like Discourse and will need something like this anyway for other
> > projects.  I see there already is guile-email and Mumi.  So far I had
> > no time looking at either.  I would start next week.
> >
> > Regards,
> > Florian
>
> It would be an interesting project, for an example of how to do a Guile
> server side. What kind of library/framework/tool would you use for the
> server side? I think the standard library webserver is still very bare
> bones. So far I've not tried GNU Artanis. Would it be a good idea to use
> that?
>
> I've created some example code for the standard library web server:
>
>
> https://gitlab.com/zelphir-kaltstahl-projects/guile-scheme-tutorials-and-examples/tree/dev/web-development/using-guile-webserver
>
> But it has not progressed very far.
>
> Regards,
> Zelphir
>
>
>



* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-24  1:01               ` Nala Ginrut
@ 2019-10-24  9:19                 ` pelzflorian (Florian Pelz)
  2019-10-24  9:35                 ` mailmam, web bridge, forum, p2p (was: Diversification) Amirouche Boubekki
  1 sibling, 0 replies; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-24  9:19 UTC (permalink / raw)
  To: Nala Ginrut; +Cc: Guile User

Thank you kindly to you for your offers and to Nala for your amazing
software and documentation.  I will get back to you.

Regards,
Florian




* mailmam, web bridge, forum, p2p (was: Diversification)
  2019-10-24  1:01               ` Nala Ginrut
  2019-10-24  9:19                 ` pelzflorian (Florian Pelz)
@ 2019-10-24  9:35                 ` Amirouche Boubekki
  2019-10-24 12:30                   ` pelzflorian (Florian Pelz)
  2019-10-24 13:32                   ` mailmam, web bridge, forum, p2p (was: Diversification) tomas
  1 sibling, 2 replies; 75+ messages in thread
From: Amirouche Boubekki @ 2019-10-24  9:35 UTC (permalink / raw)
  To: Nala Ginrut; +Cc: Guile User

On Thu, 24 Oct 2019 at 03:01, Nala Ginrut <nalaginrut@gmail.com> wrote:
>
> Hi folks!
> Artanis has been used in production, that is to say, it works stably and
> keeps being maintained. Artanis aims for rapid development just like Ruby
> on Rails, so that you may try your different ideas quickly.
>
> If anyone is willing to try Artanis for the modern forum of Guile
> community, I'd like to provide free technical support, free as in free
> beer. :-)
>
> Best regards.
>
>
> On Thu, 24 Oct 2019 at 05:42, Zelphir Kaltstahl <zelphirkaltstahl@posteo.de> wrote:
>
> >
> > On 10/23/19 2:33 PM, pelzflorian (Florian Pelz) wrote:
> > > On Wed, Oct 23, 2019 at 01:25:44PM +0200, pelzflorian (Florian Pelz)
> > wrote:
> > >> On Wed, 23 Oct 2019 08:48:13 +0200
> > >> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> wrote:
> > >>> On Wed, Oct 23, 2019 at 08:16:34AM +0200, Amirouche Boubekki wrote:
> > >>> I only know that subscribing to GNOME Discourse required Javascript
> > >>> and its mail headers are less pretty compared to mailman.
> > >>>
> > >> These are the reasons why I do not like Discourse.
> > >>
> > >>> I am not sure what it is that caused gnome to move from mailman to
> > >>> discourse, but I suspect it was to get the more up-to-date feel of a
> > web
> > >>> interface.
> > >> I quote Emmanuele Bassi, <
> > https://mail.gnome.org/archives/gtk-devel-list/2019-February/msg00001.html
> > >:
> > >>> Having a better archive search, a better moderation system, and a
> > >>> decent web UI are the major selling points for switching to
> > >>> Discourse.
> > > If there isn’t one already, then I would like to start working on a
> > > written in Guile, free software, old-school bulletin board-like
> > > interface, perhaps with a more modern UI design, next week.  I do not
> > > like Discourse and will need something like this anyway for other
> > > projects.  I see there already is guile-email and Mumi.  So far I had
> > > no time looking at either.  I would start next week.
> > >
> > > Regards,
> > > Florian
> >
> > It would be an interesting project, for an example of how to do a Guile
> > server side. What kind of library/framework/tool would you use for the
> > server side? I think the standard library webserver is still very bare
> > bones. So far I've not tried GNU Artanis. Would it be a good idea to use
> > that?
> >
> > I've created some example code for the standard library web server:
> >
> >
> > https://gitlab.com/zelphir-kaltstahl-projects/guile-scheme-tutorials-and-examples/tree/dev/web-development/using-guile-webserver
> >
> > But it has not progressed very far.
> >
> > Regards,
> > Zelphir
> >
> >
> >

Last time I checked, the security requirements for web applications that
do not rely on JavaScript were too complicated. I preferred to forget
about it.

See https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

The easiest path is (was?) to rely on a token sent by JavaScript.
Meanwhile JavaScript brings other problems... It seems to me the
browser paradigm with the _JavaScript_ wannabe sandbox is the wrong
way forward. I would much prefer the modern approach where a peer
exposes an API and people build clients.

There is a proof-of-concept bulletin board using GNUnet:
https://git.gnunet.org/gnunet-guile2.git/tree/prototypes/c3b2

-- 
Amirouche ~ https://hyper.dev




* Re: mailmam, web bridge, forum, p2p (was: Diversification)
  2019-10-24  9:35                 ` mailmam, web bridge, forum, p2p (was: Diversification) Amirouche Boubekki
@ 2019-10-24 12:30                   ` pelzflorian (Florian Pelz)
  2019-10-24 14:15                     ` Nala Ginrut
                                       ` (2 more replies)
  2019-10-24 13:32                   ` mailmam, web bridge, forum, p2p (was: Diversification) tomas
  1 sibling, 3 replies; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-24 12:30 UTC (permalink / raw)
  To: Amirouche Boubekki; +Cc: Guile User

[-- Attachment #1: Type: text/plain, Size: 3749 bytes --]

On Thu, Oct 24, 2019 at 11:35:52AM +0200, Amirouche Boubekki wrote:
> Last time I checked, the security requirements for web applications that
> do not rely on JavaScript were too complicated. I preferred to forget
> about it.
> 
> See https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
> 
> The easiest path is (was?) to rely on a token sent by JavaScript.
> Meanwhile JavaScript brings other problems...


I refuse to believe Javascript is in any way necessary.  The link you
provided contains all information I previously had of tokens and more;
it is a good reference.  I did not know login CSRF before, it is very
relevant, thank you.  My current impression of best practice fits what
is described at the site you linked under “Disclosure of Token in
URL”:

Ordinary HTTP cookies are bad practice for session tokens because of
CSRF.  If you want a normal link to another page on your site but
retain the login session, you should not use cookies for that.
Session tokens must therefore be supplied in HTTP parameters (GET or
POST).  So when a logged in user makes a request, all hyperlinks in
the HTML response (except logout) need to have their HTML code
rewritten by the dynamic web server to contain the session token in
the GET parameters.  Similarly, all POST forms should contain the
session token as a parameter value.  Thus the session token is only
supplied in GET or POST requests from the same site and same session
and no CSRF is possible anymore.  Since the URL used in a GET request
will be exposed to the user, the session token should be invalidated
after verification and the response should contain a new session token
in its HTML code for hyperlinks and forms.  The downside is that URLs
are less pretty but meh…

Invalidating tokens requires the server to store for each registered
user the current session id and the timestamp until which the session
id is valid.  The same user could not be logged in simultaneously from
multiple browsers.  To enable multiple simultaneous logins by the same
user, the server could instead store more sessions than it has users,
but this might enable denial of service.  Or the server could instead
use what the site you linked describes as “Encryption based Token
Pattern” to not have this problem.  But then no token invalidation is
possible, so instead of GET requests we would need to use HTTP POST
for every hyperlink which is sometimes bad for the browser to deal
with.

Because of login CSRF the Referer header should also be verified for
all links internal to the website (external links should strip the
Referer header via redirect pages similar to what the code attached to
this mail does).

I do not know what Artanis does currently.  I will check next week.


> It seems to me the
> browser paradigm with the _JavaScript_ wannabe sandbox is the wrong
> way forward.

A sandbox does not guarantee security from hardware bugs like
Rowhammer or Spectre (but neither do multi user setups).  Also a
sandbox does not protect your computer from mining bitcoins for
someone else in a sandboxed environment.  It also permits bad,
battery-draining code.  Perhaps more importantly, JavaScript has all
kinds of privacy implications and encourages users to run nonfree
code.

> I would much prefer the modern approach where a peer
> exposes an API and people build clients.
>

Many enterprises offer not APIs but a non-downloadable JavaScript
service as a software substitute.

> There is a proof-of-concept bulletin board using GNUnet:
> https://git.gnunet.org/gnunet-guile2.git/tree/prototypes/c3b2
>

That is interesting.  I will check.

Regards,
Florian

[-- Attachment #2: web-redirector.scm --]
[-- Type: application/vnd.lotus-screencam, Size: 3631 bytes --]
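The following Guile snippet is an added illustration of the token scheme
Florian describes in the message above (session token carried only as a
GET/POST parameter, rewritten by the server into every internal link and
form, invalidated after each verified request, plus a Referer check against
login CSRF). It is not the web-redirector.scm attached to the mail and not
Artanis code. The function names, the parameter name "s", the /logout
exception and the use of /dev/urandom as the token source are this example's
own assumptions; a real handler would additionally pull the token out of the
request's query string or form body with (web request) and (web uri), which
is left out here.

```scheme
;; csrf-param-tokens.scm: added illustration, not the web-redirector.scm
;; attached above and not Artanis code.  The session token is never a cookie:
;; it rides in a GET/POST parameter, is rewritten into every internal link and
;; form of the response, and is replaced after each verified request.  Names,
;; the parameter "s" and /dev/urandom are assumptions.  Needs Guile 2.2+ on Unix.

(use-modules (ice-9 match)
             (ice-9 receive)
             (ice-9 binary-ports)
             (rnrs bytevectors))

(define session-lifetime 1800)   ; seconds a token stays valid
(define token-param "s")         ; request parameter carrying the token

;; token -> (user . expiry) and user -> token: the second table lets a new
;; login or a rotation drop the user's previous token (one live session each).
(define sessions (make-hash-table))
(define user->token (make-hash-table))

(define (random-token)
  ;; 32 bytes from the kernel CSPRNG, hex encoded; Guile's (random) is unfit.
  (let* ((port (open-input-file "/dev/urandom" #:binary #t))
         (bytes (get-bytevector-n port 32)))
    (close-port port)
    (string-concatenate
     (map (lambda (b)
            (let ((hex (number->string b 16)))
              (if (< b 16) (string-append "0" hex) hex)))
          (bytevector->u8-list bytes)))))

(define (new-session! user)
  "Forget USER's current token, if any, and bind a fresh one (after login)."
  (let ((old (hash-ref user->token user)))
    (when old (hash-remove! sessions old)))
  (let ((token (random-token)))
    (hash-set! sessions token (cons user (+ (current-time) session-lifetime)))
    (hash-set! user->token user token)
    token))

(define (verify-and-rotate! token)
  "Return (values user new-token) if TOKEN is current, else (values #f #f).
A token is accepted once: a copy from a URL, history or log cannot be replayed."
  (let ((entry (and (string? token) (hash-ref sessions token))))
    (cond
     ((not entry) (values #f #f))
     ((> (current-time) (cdr entry))          ; expired: drop it entirely
      (hash-remove! sessions token)
      (hash-remove! user->token (car entry))
      (values #f #f))
     (else (values (car entry) (new-session! (car entry)))))))

(define (internal-href? href)
  ;; Site-relative links only; /logout stays bare, "//host" counts as external.
  (and (string-prefix? "/" href)
       (not (string-prefix? "//" href))
       (not (string=? href "/logout"))))

(define (with-token href token)
  (string-append href (if (string-index href #\?) "&" "?")
                 token-param "=" token))

(define (inject-token tree token)
  "Walk SXML TREE: add the token to internal <a href> targets and as a hidden
field to every <form>, recursing into element bodies."
  (define (walk x) (inject-token x token))
  (match tree
    (('a ('@ . attrs) . body)
     `(a (@ ,@(map (match-lambda
                     (('href (? internal-href? url))
                      `(href ,(with-token url token)))
                     (attr attr))
                   attrs))
         ,@(map walk body)))
    (('form ('@ . attrs) . body)
     `(form (@ ,@attrs)
            (input (@ (type "hidden") (name ,token-param) (value ,token)))
            ,@(map walk body)))
    ((? pair?) (map walk tree))
    (_ tree)))

(define (referer-ok? referer origin)
  "Login-CSRF check for internal requests: REFERER must be ORIGIN itself or a
path under it (a bare prefix test would also accept https://forum.example.evil);
a missing Referer is rejected, the strict option from the OWASP sheet above."
  (and (string? referer)
       (or (string=? referer origin)
           (string-prefix? (string-append origin "/") referer))))

(define (demo)
  ;; Login, a page whose links carry the token, one valid request, a replay of
  ;; the consumed token, then a Referer from our host and from a look-alike.
  (let* ((t1 (new-session! "alice"))
         (page (inject-token '(body (a (@ (href "/thread/42")) "thread")
                                    (a (@ (href "/logout")) "logout")
                                    (form (@ (method "post") (action "/reply"))
                                          (textarea (@ (name "text")) "")))
                             t1)))
    (receive (user t2) (verify-and-rotate! t1)
      (receive (replay-user replay-token) (verify-and-rotate! t1)
        (list page user (and t2 (not (string=? t1 t2))) replay-user
              (referer-ok? "https://forum.example/thread/42" "https://forum.example")
              (referer-ok? "https://forum.example.evil/" "https://forum.example"))))))
```

Load it with `guile -l csrf-param-tokens.scm` and call (demo) at the REPL:
the rewritten page carries the token in the thread link and as a hidden form
field but not in the logout link, the first request verifies as "alice" and
receives a different token, the replay of the consumed token is refused, and
only the Referer on our own origin passes. Two caveats a deployment should
weigh: the single-use token means a user who opens two links from the same
page in two tabs loses the second one (Florian's "meh" trade-off), and the
strict Referer check locks out users whose browsers or extensions strip the
header, so the message's redirect-page idea for outbound links matters for
more than just privacy.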


* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: tomas @ 2019-10-24 13:32 UTC (permalink / raw)
  To: Guile User


On Thu, Oct 24, 2019 at 11:35:52AM +0200, Amirouche Boubekki wrote:
> On Thu, 24 Oct 2019 at 03:01, Nala Ginrut <nalaginrut@gmail.com> wrote:

[...]

> Last time I checked the security requirements for web application that
> do not rely on JavaScript was too complicated. I preferred to forget
> about it.
> 
> See https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Now this is interesting. I still dream of an "application"
which is viable (perhaps with some restrictions) without
any javascript (as Wikipedia and relatives do, BTW). So
I'm interested in such things as above...

Cheers
-- tomás



* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: Nala Ginrut @ 2019-10-24 14:15 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: Guile User

On Thu, Oct 24, 2019 at 8:30 PM pelzflorian (Florian Pelz) <
pelzflorian@pelzflorian.de> wrote:

> Because of login CSRF the Referer header should also be verified for
> all links internal to the website (external links should strip the
> Referer header via redirect pages similar to what the code attached to
> this mail does).
>
> I do not know what Artanis does currently.  I will check next week.
>
>
The current Artanis will check both the session token (from cookies) and the
client IP.
This method was blamed for being overkill because some users may be in the
same LAN with a unique external IP.
But I think IPv6 will cover this world finally, so I think this would be
the best way to go.
Of course, there's no conflict in adding an extra verification token. Patches or
proposals are welcome. ;-)

Best regards.



* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: Nala Ginrut @ 2019-10-24 15:03 UTC (permalink / raw)
  To: tomas; +Cc: Guile User

I once tried to write a site for our local community without any JS
code; all auxiliary features, including simple animation, are implemented with
CSS.
However, I have to say it's painful to write a more complex site. I don't
know if there's any framework for that. I'm too lazy to write all things
manually. But I recommend you try it if you never did. It's interesting.

Best regards.


On Thu, 24 Oct 2019 at 22:58, <tomas@tuxteam.de> wrote:

> On Thu, Oct 24, 2019 at 11:35:52AM +0200, Amirouche Boubekki wrote:
> > On Thu, 24 Oct 2019 at 03:01, Nala Ginrut <nalaginrut@gmail.com> wrote:
>
> [...]
>
> > Last time I checked the security requirements for web application that
> > do not rely on JavaScript was too complicated. I preferred to forget
> > about it.
> >
> > See
> https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
>
> Now this is interesting. I still dream of an "application"
> which is viable (perhaps with some restrictions) without
> any javascript (as Wikipedia and relatives do, BTW). So
> I'm interested in such things as above...
>
> Cheers
> -- tomás
>



* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: tomas @ 2019-10-24 15:12 UTC (permalink / raw)
  To: Nala Ginrut; +Cc: Guile User


On Thu, Oct 24, 2019 at 11:03:07PM +0800, Nala Ginrut wrote:
> I've ever tried to write a site for our local community without any JS
> code, all auxiliary features include simple animation are implemented with
> CSS.
> However, I have to say it's painful to write a more complex site. I don't
> know if there's any framework for that. I'm too lazy to write all things
> manually. But I recommend you try it if you never did. It's interesting.

I once did. Long time ago. A simple shop -- no javascript.

All state was coded in the URL. You wouldn't do that these days (at least
not without thinking hard) -- but it worked acceptably. People ordered
things :-)

Cheers
-- t



* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: Zelphir Kaltstahl @ 2019-10-24 16:35 UTC (permalink / raw)
  To: guile-user

Hi Tomas!

Do you still remember some of the issues you came across when making
such a shop?

If I am not mistaken, Racket's continuation based webserver does
something like this. It also stores state in the URL, which then looks a
bit strange. I think that state even encodes the continuation.

Regards,

Zelphir


On 10/24/19 5:12 PM, tomas@tuxteam.de wrote:
> On Thu, Oct 24, 2019 at 11:03:07PM +0800, Nala Ginrut wrote:
>> I've ever tried to write a site for our local community without any JS
>> code, all auxiliary features include simple animation are implemented with
>> CSS.
>> However, I have to say it's painful to write a more complex site. I don't
>> know if there's any framework for that. I'm too lazy to write all things
>> manually. But I recommend you try it if you never did. It's interesting.
> I once did. Long time ago. A simple shop -- no javascript.
>
> All state was coded in the URL. You wouldn't do that these days (at least
> not without thinking hard) -- but it worked acceptably. People ordered
> things :-)
>
> Cheers
> -- t




* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: Zelphir Kaltstahl @ 2019-10-24 16:39 UTC (permalink / raw)
  To: guile-user

Hi Nala!

I have a question regarding this IP check.

Does this mean that both, the IP address and (logical and) the cookie
need to be correct, or is it an inclusive logical or?

I sometimes find myself switching location of the server of the VPN I am
using. In such a case, would I still be logged in, based on the correct
cookie, or would I be logged out, because my IP address does not match
my previous address?

Regards,

Zelphir

On 10/24/19 4:15 PM, Nala Ginrut wrote:
> On Thu, Oct 24, 2019 at 8:30 PM pelzflorian (Florian Pelz) <
> pelzflorian@pelzflorian.de> wrote:
>
>> Because of login CSRF the Referer header should also be verified for
>> all links internal to the website (external links should strip the
>> Referer header via redirect pages similar to what the code attached to
>> this mail does).
>>
>> I do not know what Artanis does currently.  I will check next week.
>>
>>
> The current Artanis will check both session token (from cookies) and the
> client IP.
> This method was blamed to be overkilled because some users may be in the
> same LAN with a unique external IP.
> But I think IPv6 will cover this world finally, so I think this would be
> the best way to go.
> Of course, there's no conflict to add extra verification token. Patches or
> proposals are welcome. ;-)
>
> Best regards.




* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: Nala Ginrut @ 2019-10-24 23:42 UTC (permalink / raw)
  To: Zelphir Kaltstahl; +Cc: Guile User

Yes, you need to log in if you change IP, but the last IP keeps the session.
BTW, encoding the token in the URL is bad for SEO.

On Fri, 25 Oct 2019 at 01:44, Zelphir Kaltstahl <zelphirkaltstahl@posteo.de> wrote:

> Hi Nala!
>
> I have a question regarding this IP check.
>
> Does this mean that both, the IP address and (logical and) the cookie
> need to be correct, or is it an inclusive logical or?
>
> I sometimes find myself switching location of the server of the VPN I am
> using. In such a case, would I still be logged in, based on the correct
> cookie, or would I be logged out, because my IP address does not match
> my previous address?
>
> Regards,
>
> Zelphir
>
> On 10/24/19 4:15 PM, Nala Ginrut wrote:
> > On Thu, Oct 24, 2019 at 8:30 PM pelzflorian (Florian Pelz) <
> > pelzflorian@pelzflorian.de> wrote:
> >
> >> Because of login CSRF the Referer header should also be verified for
> >> all links internal to the website (external links should strip the
> >> Referer header via redirect pages similar to what the code attached to
> >> this mail does).
> >>
> >> I do not know what Artanis does currently.  I will check next week.
> >>
> >>
> > The current Artanis will check both session token (from cookies) and the
> > client IP.
> > This method was blamed to be overkilled because some users may be in the
> > same LAN with a unique external IP.
> > But I think IPv6 will cover this world finally, so I think this would be
> > the best way to go.
> > Of course, there's no conflict to add extra verification token. Patches
> or
> > proposals are welcome. ;-)
> >
> > Best regards.
>
>



* Re: mailmam, web bridge, forum, p2p
From: Mike Gerwitz @ 2019-10-25  1:39 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: Guile User


On Thu, Oct 24, 2019 at 14:30:23 +0200, pelzflorian (Florian Pelz) wrote:
> Ordinary HTTP cookies are bad practice for session tokens because of
> CSRF.  If you want a normal link to another page on your site but
> retain the login session, you should not use cookies for that.
> Session tokens must therefore be supplied in HTTP parameters (GET or
> POST).  So when a logged in user makes a request, all hyperlinks in
> the HTML response (except logout) need to have their HTML code
> rewritten by the dynamic web server to contain the session token in
> the GET parameters.  Similarly, all POST forms should contain the
> session token as a parameter value.  Thus the session token is only
> supplied in GET or POST requests from the same site and same session
> and no CSRF is possible anymore.  Since the URL used in a GET request
> will be exposed to the user, the session token should be invalidated
> after verification and the response should contain a new session token
> in its HTML code for hyperlinks and forms.  The downside is that URLs
> are less pretty but meh…

CSRF mitigation and session tokens are separate concerns.  You can mix
them, but that leads to complexity.  The typical mitigation is to just
to use nonces for sensitive requests (e.g. place the nonce in a hidden
form field to be posted with the form itself).  If you're using nonces,
there's nothing wrong with cookies.

Passing session tokens via GET requests is a bad idea, because that
leaks the token.  You can change the session token after every single
request, but that leads to a host of other issues: you can't have
multiple tabs open to the same site, you have to deal with synchronizing
the new token potentially across multiple systems which complicates load
balancing and SSO, etc.

Checking the referrer isn't a good security measure.  For example, if
the legitimate referrer were vulnerable to XSS, open redirects, or a
host of other vulnerabilities, then an attacker could circumvent it by
having the CSRF attack originate from that website.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com



* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: pelzflorian (Florian Pelz) @ 2019-10-25  6:08 UTC (permalink / raw)
  To: Amirouche Boubekki, Nala Ginrut, Mike Gerwitz, Zelphir Kaltstahl
  Cc: Guile User

On Fri, Oct 25, 2019 at 07:42:41AM +0800, Nala Ginrut wrote:
> Yes, you need to login if you change IP, but the last IP keeps session.

Does checking the IP enhance security in any way?  There are some
(few) reasons IPs may change.

> BTW, encoding token in URL is bad for SEO.
> 

That is interesting, I did not think of that.  Then again, browsing
the mailing list would be possible without login, i.e. without token,
so URLs would be clean for a search engine crawler.  I do not know if
crawlers should ever have a session on other Artanis sites.


On Thu, Oct 24, 2019 at 09:39:04PM -0400, Mike Gerwitz wrote:
> CSRF mitigation and session tokens are separate concerns.  You can mix
> them, but that leads to complexity.  The typical mitigation is to just
> to use nonces for sensitive requests (e.g. place the nonce in a hidden
> form field to be posted with the form itself).  If you're using nonces,
> there's nothing wrong with cookies.
> 
> Passing session tokens via GET requests is a bad idea, because that
> leaks the token.  You can change the session token after every single
> request, but that leads to a host of other issues: you can't have
> multiple tabs open to the same site, you have to deal with synchronizing
> the new token potentially across multiple systems which complicates load
> balancing and SSO, etc.
> 

So you would use both a cookie to retain login state and then only for
sensitive requests additionally use nonces to prevent CSRF.  Would you
use POST for all (sensitive) requests after login?

I had not even thought of SSO.  Do we want that?  Can we hope for
using that?


> Checking the referrer isn't a good security measure.  For example, if
> the legitimate referrer were vulnerable to XSS, open redirects, or a
> host of other vulnerabilities, then an attacker could circumvent it by
> having the CSRF attack originate from that website.
> 

I read Amirouche’s owasp link which describes checking the referer
only as an additional “Defense in Depth” security measure in the hope
of preventing what it calls login CSRF, i.e. giving someone a login
from someone else without them noticing (if I understand correctly).
A cookie would prevent that anyway, I suppose.

Regards,
Florian




* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: Nala Ginrut @ 2019-10-25  6:23 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: Guile User

On Fri, Oct 25, 2019 at 2:08 PM pelzflorian (Florian Pelz) <
pelzflorian@pelzflorian.de> wrote:

> On Fri, Oct 25, 2019 at 07:42:41AM +0800, Nala Ginrut wrote:
> > Yes, you need to login if you change IP, but the last IP keeps session.
>
> Does checking the IP enhance security in any way?  There are some
> (few) reasons IPs may change.
>

We don't chase the effect that one policy solves all problems.
Checking IP can only solve certain general problems. For example, a
stolen token cannot be used to log in from another machine.


> That is interesting, I did not think of that.  Then again, browsing
> the mailing list would be possible without login, i.e. without token,
> so URLs would be clean for a search engine crawler.  I do not know if
> crawlers should ever have a session on other Artanis sites.
>
>
I'm talking about the general cases, since Artanis is not only for
mailing-list browsing.
The purpose is to explain why Artanis chose the policy.
In Artanis, you may use a customized method for that.

Best regards.



* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: Mikael Djurfeldt @ 2019-10-25 11:30 UTC (permalink / raw)
  To: Nala Ginrut; +Cc: Andy Wingo, guile-user

It would be nice to be able to run scheme code in the client:

https://github.com/google/schism

They mention "the Webassembly GC proposal". :)

Maybe some day, the Guile compiler could emit WASM? That would mean
supporting multiple VMs.

Mikael

On Thu, 24 Oct 2019 at 18:16, Nala Ginrut <nalaginrut@gmail.com> wrote:

> I've ever tried to write a site for our local community without any JS
> code, all auxiliary features include simple animation are implemented with
> CSS.
> However, I have to say it's painful to write a more complex site. I don't
> know if there's any framework for that. I'm too lazy to write all things
> manually. But I recommend you try it if you never did. It's interesting.
>
> Best regards.
>
>
> On Thu, 24 Oct 2019 at 22:58, <tomas@tuxteam.de> wrote:
>
> > On Thu, Oct 24, 2019 at 11:35:52AM +0200, Amirouche Boubekki wrote:
> > > On Thu, 24 Oct 2019 at 03:01, Nala Ginrut <nalaginrut@gmail.com> wrote:
> >
> > [...]
> >
> > > Last time I checked the security requirements for web application that
> > > do not rely on JavaScript was too complicated. I preferred to forget
> > > about it.
> > >
> > > See
> >
> https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
> >
> > Now this is interesting. I still dream of an "application"
> > which is viable (perhaps with some restrictions) without
> > any javascript (as Wikipedia and relatives do, BTW). So
> > I'm interested in such things as above...
> >
> > Cheers
> > -- tomás
> >
>



* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: Nala Ginrut @ 2019-10-25 12:53 UTC (permalink / raw)
  To: mikael; +Cc: Andy Wingo, Guile User

On Fri, 25 Oct 2019 at 19:30, Mikael Djurfeldt <mikael@djurfeldt.com> wrote:

> It would be nice to be able to run scheme code in the client:
>
> https://github.com/google/schism
>
> They mention "the Webassembly GC proposal". :)
>
> Maybe some day, the Guile compiler could emit WASM? That would mean
> supporting multiple VMs.
>

That has been my dream for years; fortunately, it will come true, it's just a matter
of time. Thanks to WASM.
Schism generates WASM binary directly. But actually, we may just generate
the standard WAT format, which is an s-expr, and can be converted to WASM by wat2wasm.
And fortunately, WASM has a standard low-level system API spec now, which is
called WASI.
I haven't figured out continuations in WASM. But I saw somebody raise
the topic.

Best regards.



> Mikael
>
> On Thu, 24 Oct 2019 at 18:16, Nala Ginrut <nalaginrut@gmail.com> wrote:
>
>> I've ever tried to write a site for our local community without any JS
>> code, all auxiliary features include simple animation are implemented with
>> CSS.
>> However, I have to say it's painful to write a more complex site. I don't
>> know if there's any framework for that. I'm too lazy to write all things
>> manually. But I recommend you try it if you never did. It's interesting.
>>
>> Best regards.
>>
>>
>> On Thu, 24 Oct 2019 at 22:58, <tomas@tuxteam.de> wrote:
>>
>> > On Thu, Oct 24, 2019 at 11:35:52AM +0200, Amirouche Boubekki wrote:
>> > > On Thu, 24 Oct 2019 at 03:01, Nala Ginrut <nalaginrut@gmail.com> wrote:
>> >
>> > [...]
>> >
>> > > Last time I checked the security requirements for web application that
>> > > do not rely on JavaScript was too complicated. I preferred to forget
>> > > about it.
>> > >
>> > > See
>> >
>> https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
>> >
>> > Now this is interesting. I still dream of an "application"
>> > which is viable (perhaps with some restrictions) without
>> > any javascript (as Wikipedia and relatives do, BTW). So
>> > I'm interested in such things as above...
>> >
>> > Cheers
>> > -- tomás
>> >
>>
>



* Re: mailmam, web bridge, forum, p2p
From: Mike Gerwitz @ 2019-10-26  4:31 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: Guile User


On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> On Thu, Oct 24, 2019 at 09:39:04PM -0400, Mike Gerwitz wrote:
>> CSRF mitigation and session tokens are separate concerns.  You can mix
>> them, but that leads to complexity.  The typical mitigation is to just
>> to use nonces for sensitive requests (e.g. place the nonce in a hidden
>> form field to be posted with the form itself).  If you're using nonces,
>> there's nothing wrong with cookies.
>> 
>> Passing session tokens via GET requests is a bad idea, because that
>> leaks the token.  You can change the session token after every single
>> request, but that leads to a host of other issues: you can't have
>> multiple tabs open to the same site, you have to deal with synchronizing
>> the new token potentially across multiple systems which complicates load
>> balancing and SSO, etc.
>> 
>
> So you would use both a cookie to retain login state and then only for
> sensitive requests additionally use nonces to prevent CSRF.  Would you
> use POST for all (sensitive) requests after login?

GET requests are supposed to retrieve information, not modify it, and
should be idempotent.  Since they should have no meaningful
side-effects, CSRF shouldn't have any meaningful action to
exploit.  Whether or not that's true in practice of course depends on
how the site was developed.  If a GET request does have some meaningful
side-effect (e.g. maybe it logs the action and that event can influence
some other part of the system), then it may need to be mitigated by
including a nonce.

GET requests shouldn't contain sensitive data because they will appear
in browser history; server logs; referral headers; etc.

> I had not even thought of SSO.  Do we want that?  Can we hope for
> using that?

I don't know, in the context of Guile; I haven't fully followed the
conversation; you just happened to say something that I wanted to chime
in on. :)  I was providing a general example in my experience as a
professional web developer.  There are other reasons as well.

>> Checking the referrer isn't a good security measure.  For example, if
>> the legitimate referrer were vulnerable to XSS, open redirects, or a
>> host of other vulnerabilities, then an attacker could circumvent it by
>> having the CSRF attack originate from that website.
>> 
>
> I read Amirouche’s owasp link which describes checking the referer
> only as an additional “Defense in Depth” security measure in the hope
> of preventing what it calls login CSRF, i.e. giving someone a login
> from someone else without them noticing (if I understand correctly).
> A cookie would prevent that anyway, I suppose.

It's a potentially valid defense-in-depth strategy, but isn't sufficient
on its own.  I personally don't see much value in it.  If a
properly-implemented nonce-based mitigation strategy fails, then the
attacker is likely in a situation where the referrer is no longer a
barrier (e.g. they have access to the page and can inject scripts or
just hijack the session).  Mitigating session hijacking is extremely
difficult in this scenario---you can't perform IP-based checks because
users often change IPs (e.g. on mobile networks, VPN, Tor, etc).  You
can't rely on any information sent by the client because it can be
spoofed by the attacker.

-- 
Mike Gerwitz
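As an added example, not code from the thread, from Artanis or from any of the posters: the arrangement Mike describes (session id only in a cookie, a per-session nonce in a hidden form field for state-changing POSTs, Origin/Referer as a second layer), with the client-IP binding Nala describes for Artanis as an option so the VPN-move case Zelphir asked about and the "last IP keeps the session" behaviour can both be seen. `SITE_ORIGIN`, the in-memory store, the request dict shape and all addresses are constructed assumptions.

```python
"""Cookie-bound session plus a per-session CSRF nonce (synchronizer token).
Constructed example; SITE_ORIGIN, addresses and the request shape are assumed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.invalid"  # assumed site origin (placeholder)
SESSION_TTL = 3600                       # seconds a login stays valid


@dataclass
class Session:
    user: str
    csrf_nonce: str            # synchronizer token embedded in our forms
    client_ip: Optional[str]   # set only when the store binds sessions to IPs
    expires: float


class SessionStore:
    """In-memory session table keyed by the cookie value."""

    def __init__(self, bind_ip: bool = False):
        self.bind_ip = bind_ip
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[sid] = Session(
            user=user,
            csrf_nonce=secrets.token_urlsafe(32),  # separate secret for forms
            client_ip=client_ip if self.bind_ip else None,
            expires=now + SESSION_TTL,
        )
        return sid

    def lookup(self, sid: Optional[str], client_ip: str,
               now: Optional[float] = None) -> Optional[Session]:
        now = time.time() if now is None else now
        sess = self._sessions.get(sid or "")
        if sess is None or now >= sess.expires:
            return None
        # Artanis-style binding: usable only from the IP that logged in,
        # so the original IP keeps its session while a new IP must log in.
        if self.bind_ip and sess.client_ip != client_ip:
            return None
        return sess


def same_origin(headers: Dict[str, str]) -> bool:
    """Defense in depth: Origin (or, failing that, Referer) must name our site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def authorize_post(store: SessionStore, request: Dict,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Gate a state-changing POST; request is a constructed dict (see demo)."""
    sess = store.lookup(request["cookies"].get("sid"), request["client_ip"], now=now)
    if sess is None:
        return False, "no valid session"
    # The browser attaches the cookie to any request aimed at our site, so the
    # cookie alone says nothing about where the form came from; the nonce does.
    nonce = request["form"].get("csrf_nonce", "")
    if not hmac.compare_digest(nonce, sess.csrf_nonce):
        return False, "missing or wrong CSRF nonce"
    if not same_origin(request["headers"]):
        return False, "cross-origin request"
    return True, sess.user


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed walk-through of the cases discussed in the thread."""
    now = 1_700_000_000.0
    store = SessionStore(bind_ip=True)
    sid = store.login("alice", "203.0.113.7", now=now)
    nonce = store.lookup(sid, "203.0.113.7", now=now).csrf_nonce
    base = {"cookies": {"sid": sid}, "client_ip": "203.0.113.7"}
    # A form rendered by our own site carries the nonce and our Origin.
    own_form = dict(base, form={"csrf_nonce": nonce}, headers={"Origin": SITE_ORIGIN})
    # A POST submitted from another site still carries the cookie (the
    # browser adds it) but cannot include the nonce.
    other_site = dict(base, form={}, headers={"Origin": "https://other.invalid"})
    # Same user, same cookie, but the VPN exit changed the client IP.
    moved_ip = dict(own_form, client_ip="198.51.100.9")
    return {
        "own_form": authorize_post(store, own_form, now=now),
        "other_site": authorize_post(store, other_site, now=now),
        "after_ip_change": authorize_post(store, moved_ip, now=now),
        "original_ip_still_valid": authorize_post(store, own_form, now=now),
    }
```

The nonce is checked before the Origin/Referer header, so the header check only ever adds a layer and never replaces the token; with `bind_ip=False` the store behaves like a plain cookie session and the IP-change case is accepted.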



* Re: mailmam, web bridge, forum, p2p
From: tomas @ 2019-10-26  7:48 UTC (permalink / raw)
  To: guile-user


On Thu, Oct 24, 2019 at 09:39:04PM -0400, Mike Gerwitz wrote:

thanks for your good overview... a question

> Passing session tokens via GET requests is a bad idea, because that
> leaks the token.

Even in https?

Cheers
-- t



* Re: mailmam, web bridge, forum, p2p (was: Diversification)
From: tomas @ 2019-10-26  8:04 UTC (permalink / raw)
  To: Zelphir Kaltstahl; +Cc: guile-user


On Thu, Oct 24, 2019 at 06:35:50PM +0200, Zelphir Kaltstahl wrote:
> Hi Tomas!
> 
> Do you still remember some of the issues you came across when making
> such a shop?

As I said, it was a pretty simplistic thing:

 - low volume (both customers and inventory)
 - no interest whatsoever in SEO and other things

but it worked pretty well. As basic design principles...

 - I postponed creating session to the last possible
   moment: so the user was browsing the inventory
   basically as a static page, no state encoded;

 - once I had to carry status related to the session
   (i.e. the user dropped the first item into the
   tray), a random session token was generated and
   inserted into the URL. A HTTP redirect then let
   the browser "know" our new common basis.

   I remember choosing an "early" spot at the URL to
   leverage the browser's relative addressing, which
   saves a lot of template substitution in the pages.

   Tokens were expired to avoid abandoned sessions
   piling up.

Users' feedback was fairly positive: the page felt quick (back
then, the scripts weren't the huge monsters of today, but the
browser's javascript engines weren't as streamlined as today's
either, and the usual bandwidth was a fraction of what is common
these days).

> If I am not mistaken, Racket's continuation based webserver does
> something like this. It also stores state in the URL, which then looks a
> bit strange. I think that state even encodes the continuation.

This is a thing I considered: not to have a per-session
token, but a per-transaction token -- the continuation
idea is pretty cool, because the user can have several
different "histories" of their session running in parallel.

OTOH I tried to imagine the poor webshop user confronted
with that. It sure would confuse the hell out of me ;-)

I think it would take some thinking to tame the less intuitive
parts.

Cheers
-- t



* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
From: tomas @ 2019-10-26  8:14 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: guile-user


On Wed, Oct 23, 2019 at 10:02:11PM +0200, pelzflorian (Florian Pelz) wrote:
> On Wed, Oct 23, 2019 at 03:43:26PM +0200, tomas@tuxteam.de wrote:
> > But perhaps we need
> > bridges between cultures and not just between tools. And that
> > takes deep thinking (and people instead of machines, maybe).
> > 
> 
> I believe good mailing list etiquette is similar to good forum
> etiquette.  Today’s culture is not a forum culture, of course.

I'm talking of a more implicit culture.

I've taken part in more than one of those "split medium" situations,
the most common that one where the whole company had Outlook as their
UI whereas I had mutt. Issues like "top posting" were typical (top
posting being confusing for me, in-quote posting for most of the
rest of the world) and many other such subtleties.

If someone tries to explain something to someone else about one
of the exchanged messages, it is often in terms of the GUI. You
only become aware of that when you try to live at the rift.

Think "semantic markup" (which doesn't really exist). People think
in terms of "bold", "italic", "top left" etc, because that's how
they /read/ -- those markup's "semantic" varies just so slightly
depending on context. Then academicians come and say "no, no,
you have to think "semantically", i.e. in terms of "strong",
"emphasised", "important", etc -- and they are right, but then
they're not, because they are just peeling the onion off its
999th skin. When they finish, there's no onion :-)

At the end, the medium is (at least part of) the message, to steal
a well-known word.

Sorry for the rambling -- I hope you understand now what I
meant by "culture".

Cheers
-- tomás

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-26  8:14             ` tomas
@ 2019-10-26  9:03               ` pelzflorian (Florian Pelz)
  2019-10-26 11:26                 ` tomas
  0 siblings, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-26  9:03 UTC (permalink / raw)
  To: tomas; +Cc: guile-user

On Sat, Oct 26, 2019 at 10:14:22AM +0200, tomas@tuxteam.de wrote:
> If someone tries to explain something to someone else about one
> of the exchanged messages, it is often in terms of the GUI. You
> only become aware of that when you try to live at the rift.
> 

Yes, this is something we should keep in mind.  IMHO the medium should
remain a mailing list and this should be clear.  Top posting is
useless and undesirable with both e-mail and forums though, I believe.

Since I use mutt too, I think plain text compatibility is important.

As for the formatting, I think for plain text e-mail compatibility,
when there are stars around a word, it should *not* be highlighted as
italic.

Regards,
Florian



^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p
  2019-10-26  4:31                       ` mailmam, web bridge, forum, p2p Mike Gerwitz
@ 2019-10-26  9:35                         ` pelzflorian (Florian Pelz)
  2019-10-26 11:31                           ` tomas
  0 siblings, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-26  9:35 UTC (permalink / raw)
  To: Mike Gerwitz; +Cc: Guile User

On Sat, Oct 26, 2019 at 12:31:34AM -0400, Mike Gerwitz wrote:
> On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> > So you would use both a cookie to retain login state and then only for
> > sensitive requests additionally use nonces to prevent CSRF.  Would you
> > use POST for all (sensitive) requests after login?
> 
> GET requests are supposed to retrieve information, not modify it, and
> should be idempotent.  Since they should have no meaningful
> side-effects, CSRF shouldn't have any meaningful action to
> exploit.

You are right.  That makes sense.  We need not abstain from cookies
and with cookies we can have GET requests retain session state and
then for anything sensitive use a nonce, whether GET or POST,
i.e. write code for links to include a nonce and verify nonces.
Thank you!



> Whether or not that's true in practice of course depends on
> how the site was developed.  If a GET request does have some meaningful
> side-effect (e.g. maybe it logs the action and that event can influence
> some other part of the system), then it may need to be mitigated by
> including a nonce.
> 

Probably for a mailing list interface, there should not be such a log anyway.
We will have to remember session cookies are fine, so we can have all
the nice things like multiple tabs, but making a sensitive request
means using a nonce.



> >> Checking the referrer isn't a good security measure.  For example, if
> >> the legitimate referrer were vulnerable to XSS, open redirects, or a
> >> host of other vulnerabilities, then an attacker could circumvent it by
> >> having the CSRF attack originate from that website.
> >> 
> >
> > I read Amirouche’s owasp link which describes checking the referer
> > only as an additional “Defense in Depth” security measure in the hope
> > of preventing what it calls login CSRF, i.e. giving someone a login
> > from someone else without them noticing (if I understand correctly).
> > A cookie would prevent that anyway, I suppose.
> 
> It's a potentially valid defense-in-depth strategy, but isn't sufficient
> on its own.  I personally don't see much value in it.  If a
> properly-implemented nonce-based mitigation strategy fails, then the
> attacker is likely in a situation where the referrer is no longer a
> barrier (e.g. they have access to the page and can inject scripts or
> just hijack the session).  Mitigating session hijacking is extremely
> difficult in this scenario---you can't perform IP-based checks because
> users often change IPs (e.g. on mobile networks, VPN, Tor, etc).  You
> can't rely on any information sent by the client because it can be
> spoofed by the attacker.
>

As I understand it, checking the referer should defend against the
attacker sending a user a link where the user is logged in as someone
else.  Cookies prevent that anyway, so if we avoid XSS (which is easy
in Scheme’s SHTML) and do not let others host web workers on the same
domain and such things, no further measures are needed, I think.  In
particular, IP checking would not be needed, but I will think about
that again once I actually have studied Artanis.

Regards,
Florian



^ permalink raw reply	[flat|nested] 75+ messages in thread
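An added example of the arrangement Florian settles on above: the session lives in a cookie, read-only GETs need nothing more, and every sensitive action, whether reached through a GET link or a POST form, carries a per-session nonce that the server verifies. This is illustration code written for this page, not code from the thread, from Artanis or from any Guile project; it is in Python so it runs stand-alone. The paths, the in-memory session store and deriving the nonce as an HMAC over the session id and the action path are assumptions of the example, not something the thread prescribes.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side secret; a real deployment loads it from
# configuration and keeps it out of version control.
SERVER_SECRET = secrets.token_bytes(32)

# In-memory session store (constructed for this example): session id -> user.
SESSIONS: Dict[str, str] = {}

# Paths whose handlers have side effects and therefore need a CSRF nonce.
# Everything else is read-only and is served on the session cookie alone.
SENSITIVE_PATHS = {"/unsubscribe", "/post"}


def login(username: str) -> str:
    """Create a session and return its id; the caller sends it as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def csrf_nonce(sid: str, path: str) -> str:
    """Nonce bound to one session and one action: HMAC-SHA256(secret, sid || path).

    Stateless on the server: nothing is stored, the handler recomputes the
    value and compares.  A cross-site attacker who can make the victim's
    browser send a request does not know the victim's sid and so cannot
    produce a valid nonce for it.
    """
    msg = sid.encode() + b"\x00" + path.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def sensitive_link(sid: str, path: str) -> str:
    """Render a link to a sensitive action for a logged-in user, nonce included."""
    return f"{path}?nonce={csrf_nonce(sid, path)}"


def handle_request(method: str, url: str, cookie_sid: Optional[str],
                   form: Optional[Dict[str, str]] = None):
    """Dispatch one request and return (status, body).

    Read-only pages need only the session cookie, so GET stays idempotent.
    Sensitive actions additionally need the nonce, whether it arrives in the
    query string of a GET link or in the body of a POST form.
    """
    if cookie_sid is None or cookie_sid not in SESSIONS:
        return 401, "not logged in"
    user = SESSIONS[cookie_sid]
    parts = urlsplit(url)

    if parts.path not in SENSITIVE_PATHS:
        return 200, f"{user} views {parts.path}"

    supplied = (form or {}).get("nonce") or parse_qs(parts.query).get("nonce", [""])[0]
    expected = csrf_nonce(cookie_sid, parts.path)
    # Constant-time comparison, so a wrong nonce does not leak how many
    # leading characters matched.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF nonce"
    return 200, f"{user} performed {method} {parts.path}"
```

Because the nonce is keyed on the session id, a link copied from one logged-in user's page is rejected when another user's browser follows it, and a nonce minted for one action path is not accepted for another.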

* Re: mailmam, web bridge, forum, p2p (was: Diversification)
  2019-10-26  8:04                           ` tomas
@ 2019-10-26  9:42                             ` pelzflorian (Florian Pelz)
  2019-10-26 11:31                               ` tomas
  0 siblings, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-26  9:42 UTC (permalink / raw)
  To: tomas; +Cc: guile-user

On Sat, Oct 26, 2019 at 10:04:14AM +0200, tomas@tuxteam.de wrote:
>    I remember choosing an "early" spot at the URL to
>    leverage the browser's relative addressing, which
>    saves a lot of template substitution in the pages.
> 

So you encoded the session token not in the GET parameter, but similar
to

https://your-shop.com/<session token>/the/place/on/the/site

?

Regards,
Florian



^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p
  2019-10-26  7:48                       ` tomas
@ 2019-10-26 10:35                         ` Nala Ginrut
  2019-10-26 11:34                           ` tomas
  2019-10-27  4:50                         ` Mike Gerwitz
  1 sibling, 1 reply; 75+ messages in thread
From: Nala Ginrut @ 2019-10-26 10:35 UTC (permalink / raw)
  To: tomas; +Cc: Guile User

On Sat, Oct 26, 2019 at 3:49 PM <tomas@tuxteam.de> wrote:

> On Thu, Oct 24, 2019 at 09:39:04PM -0400, Mike Gerwitz wrote:
>
> thanks for your good overview... a question
>
> > Passing session tokens via GET requests is a bad idea, because that
> > leaks the token.
>
> Even in https?
>

I guess he means query-string with GET.


>
> Cheers
> -- t
>


^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-26  9:03               ` pelzflorian (Florian Pelz)
@ 2019-10-26 11:26                 ` tomas
  2019-10-26 13:02                   ` Zelphir Kaltstahl
  0 siblings, 1 reply; 75+ messages in thread
From: tomas @ 2019-10-26 11:26 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: guile-user

[-- Attachment #1: Type: text/plain, Size: 1320 bytes --]

On Sat, Oct 26, 2019 at 11:03:12AM +0200, pelzflorian (Florian Pelz) wrote:
> On Sat, Oct 26, 2019 at 10:14:22AM +0200, tomas@tuxteam.de wrote:

[...]

> > only become aware of that when you try to live at the rift.
> 
> Yes, this is something we should keep in mind.  IMHO the medium should
> remain a mailing list and this should be clear.  Top posting is
> useless and undesirable with both e-mail and forums though, I believe.
> 
> Since I use mutt too, I think plain text compatibility is important.

See? There lies the problem. I'm firmly in your "camp", and still I
learnt to realise that the other "cultures" do have as difficult a
time to adapt to "our" camp as the other way around.

That's why I believe that we need serious thinking (beyond the "easy"
technical things) and lots of tolerance.

To me, Wikipedia is a wonderful inspirational example for a web site
which succeeds in bridging an astonishingly broad swath of those "cultures"
(and still doesn't cover all of them, it has a distinct academic and
"liberal", in the broadest sense, "smell" to it).

> As for the formatting, I think for plain text e-mail compatibility,
> when there are stars around a word, it should *not* be highlighted as
> italic.

Uh -- isn't the star reserved for *strong*? ;-)

Cheers
-- tomás

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p
  2019-10-26  9:35                         ` pelzflorian (Florian Pelz)
@ 2019-10-26 11:31                           ` tomas
  0 siblings, 0 replies; 75+ messages in thread
From: tomas @ 2019-10-26 11:31 UTC (permalink / raw)
  To: guile-user

[-- Attachment #1: Type: text/plain, Size: 1128 bytes --]

On Sat, Oct 26, 2019 at 11:35:06AM +0200, pelzflorian (Florian Pelz) wrote:
> On Sat, Oct 26, 2019 at 12:31:34AM -0400, Mike Gerwitz wrote:
> > On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> > > So you would use both a cookie to retain login state and then only for
> > > sensitive requests additionally use nonces to prevent CSRF.  Would you
> > > use POST for all (sensitive) requests after login?
> > 
> > GET requests are supposed to retrieve information, not modify it, and
> > should be idempotent.  Since they should have no meaningful
> > side-effects, CSRF shouldn't have any meaningful action to
> > exploit.
> 
> You are right.  That makes sense.  We need not abstain from cookies
> and with cookies we can have GET requests retain session state and
> then for anything sensitive use a nonce, whether GET or POST,
> i.e. write code for links to include a nonce and verify nonces.
> Thank you!

You can still have session state in the URL and keep GET idempotent
(there might be other reasons to use cookies, though: I've yet to be
convinced ;-)

Cheers
-- tomás

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p (was: Diversification)
  2019-10-26  9:42                             ` pelzflorian (Florian Pelz)
@ 2019-10-26 11:31                               ` tomas
  0 siblings, 0 replies; 75+ messages in thread
From: tomas @ 2019-10-26 11:31 UTC (permalink / raw)
  To: pelzflorian (Florian Pelz); +Cc: guile-user

[-- Attachment #1: Type: text/plain, Size: 515 bytes --]

On Sat, Oct 26, 2019 at 11:42:47AM +0200, pelzflorian (Florian Pelz) wrote:
> On Sat, Oct 26, 2019 at 10:04:14AM +0200, tomas@tuxteam.de wrote:
> >    I remember choosing an "early" spot at the URL to
> >    leverage the browser's relative addressing, which
> >    saves a lot of template substitution in the pages.
> > 
> 
> So you encoded the session token not in the GET parameter, but similar
> to
> 
> https://your-shop.com/<session token>/the/place/on/the/site

Yes, exactly.

Cheers
-- tomás

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p
  2019-10-26 10:35                         ` Nala Ginrut
@ 2019-10-26 11:34                           ` tomas
  0 siblings, 0 replies; 75+ messages in thread
From: tomas @ 2019-10-26 11:34 UTC (permalink / raw)
  To: Nala Ginrut; +Cc: Guile User

[-- Attachment #1: Type: text/plain, Size: 654 bytes --]

On Sat, Oct 26, 2019 at 06:35:18PM +0800, Nala Ginrut wrote:
> On Sat, Oct 26, 2019 at 3:49 PM <tomas@tuxteam.de> wrote:
> 
> > On Thu, Oct 24, 2019 at 09:39:04PM -0400, Mike Gerwitz wrote:
> >
> > thanks for your good overview... a question
> >
> > > Passing session tokens via GET requests is a bad idea, because that
> > > leaks the token.
> >
> > Even in https?
> >
> 
> I guess he mean query-string with GET.

That's another possibility. Both of them end up encrypted in HTTPS
anyway. I decided against query string at that time because that
saved me quite a bit of template substitution (use relative links).

Cheers
-- tomás

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-26 11:26                 ` tomas
@ 2019-10-26 13:02                   ` Zelphir Kaltstahl
  2019-10-26 15:23                     ` tomas
  2019-10-26 16:47                     ` pelzflorian (Florian Pelz)
  0 siblings, 2 replies; 75+ messages in thread
From: Zelphir Kaltstahl @ 2019-10-26 13:02 UTC (permalink / raw)
  To: guile-user, tomas

On 10/26/19 1:26 PM, tomas@tuxteam.de wrote:
> On Sat, Oct 26, 2019 at 11:03:12AM +0200, pelzflorian (Florian Pelz) wrote:
>> On Sat, Oct 26, 2019 at 10:14:22AM +0200, tomas@tuxteam.de wrote:
> [...]
>
>>> only become aware of that when you try to live at the rift.
>> Yes, this is something we should keep in mind.  IMHO the medium should
>> remain a mailing list and this should be clear.  Top posting is
>> useless and undesirable with both e-mail and forums though, I believe.
>>
>> Since I use mutt too, I think plain text compatibility is important.
> See? There lies the problem. I'm firmly in your "camp", and still I
> learnt to realise that the other "cultures" do have as difficult a
> time to adapt to "our" camp as the other way around.
>
> That's why I believe that we need serious thinking (beyond the "easy"
> technical things) and lots of tolerance.
>
> To me, Wikipedia is a wonderful inspirational example for a web site
> which succeeds in bridging an astonishingly broad swath of those "cultures"
> (and still doesn't cover all of them, it has a distinct academic and
> "liberal", in the broadest sense, "smell" to it).
>
>> As for the formatting, I think for plain text e-mail compatibility,
>> when there are stars around a word, it should *not* be highlighted as
>> italic.
> Uh -- isn't the star reserved for *strong*? ;-)
>
> Cheers
> -- tomás

Hi!

Well, I hope that such tolerance does not lead us to accept usage of
minified/uglified proprietary JavaScript or other bad things, just to please
people, who in the majority most likely …

(1) … would never consider switching away from _their_ medium of choice,
because most people use it, so it must be right
(2) … have never even thought about the consequences of their choice of
technology (examples here are the web engine monoculture threat and
human interaction via Whatsapp and FB messenger, Skype)

I just want to point that out. While I find it to be a good idea to be
open to alternatives, I do not find it acceptable to not stay true to
our principles as a community of free software developers.

I also often see a very heavy imbalance between the amount of thought
some people in the free software world have put into their choice of
technology and the amount of thought the mainstream user has put into
their choice (usually zero, besides an "Oh it works!" or "It does not
cost me money!"). So we should not give up our principles, in order to
win some people over, because then we are actually the ones "won over"
(or lost) to the proprietary non-free world. It would not be a
diversification, but a disintegration of our community.

That said, I am open to trying out any community communication
technology, that follows the principles of free software and is run in
an ethically acceptable way.

I am highly skeptical of discourse, because:

* https://www.discourse.org/ tries to load Google Analytics and
fontawesome, 2 tools to spy on users. They already do not seem to care
about privacy.
* It is very JavaScript heavy.
* In my experience slow and sluggish.
* WYSIWYG editor – these tend not to produce well-readable plain text
documents. Just give me a simple editor, Markdown maybe, not mandatory.

That is why I like the idea of having a good old (newly written in
Guile) forum software. I would like and welcome such a forum software,
because some of my best memories of community interaction happened in
such a good old forum with a great community. It is also a great
structured long term memory. Whether the "other cultures" would use it
is on a different sheet of paper.

One more thing we should very much look out for when choosing some
technology or when making our own software is:

* Can we actually get all our content out of that software if needed?
Can we export it to some JSON or other useful format?

Otherwise we will lock ourselves in.

Best regards,

Zelphir




^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-26 13:02                   ` Zelphir Kaltstahl
@ 2019-10-26 15:23                     ` tomas
  2019-10-26 16:47                     ` pelzflorian (Florian Pelz)
  1 sibling, 0 replies; 75+ messages in thread
From: tomas @ 2019-10-26 15:23 UTC (permalink / raw)
  To: Zelphir Kaltstahl; +Cc: guile-user

[-- Attachment #1: Type: text/plain, Size: 696 bytes --]

On Sat, Oct 26, 2019 at 03:02:57PM +0200, Zelphir Kaltstahl wrote:
> Hi!

Hi :)

> Well, I hope that such tolerance does not lead us to accept usage of
> minified/uglified proprietary JavaScript or other bad things, just to please
> people, who in the majority most likely …

[...]

Lemme digest your long mail for a while. In the meantime just a
short answer:

 - from experience I acknowledge that the issue raised by
   Todor Kondić exists. The tools used for communications
   may pose a barrier to some;
 - I don't like barriers :-)
 - I think the problem is beyond a problem of "tools", and
   to make that plausible here

More on your post later.

Cheers
-- tomás

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-26 13:02                   ` Zelphir Kaltstahl
  2019-10-26 15:23                     ` tomas
@ 2019-10-26 16:47                     ` pelzflorian (Florian Pelz)
  2019-10-26 17:09                       ` pelzflorian (Florian Pelz)
  1 sibling, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-26 16:47 UTC (permalink / raw)
  To: Zelphir Kaltstahl; +Cc: guile-user

On Sat, Oct 26, 2019 at 03:02:57PM +0200, Zelphir Kaltstahl wrote:
> Whether the "other cultures" would use it
> is on a different sheet of paper.
>

Perhaps single-use should be simplified, so that if someone cares only
about asking one question, they need not register for the
entire list.  I am unsure though.  I wonder what moderation would look
like.

Regards,
Florian



^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-26 16:47                     ` pelzflorian (Florian Pelz)
@ 2019-10-26 17:09                       ` pelzflorian (Florian Pelz)
       [not found]                         ` <874kzslwq0.fsf@elephly.net>
  0 siblings, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-26 17:09 UTC (permalink / raw)
  To: Zelphir Kaltstahl; +Cc: guile-user

Another aspect is that many popular e-mail providers and applications
are problematic.  For example, I have experienced Microsoft’s e-mail
services reformatting e-mails sent via Microsoft.  This breaks code
sent by them in e-mail, even in text attachments.

Also, many e-mail providers are not using monospace fonts or otherwise
disrupt how others expect their e-mail to look when received.

A mailing list web interface may help these users.

Regards,
Florian



^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p
  2019-10-26  7:48                       ` tomas
  2019-10-26 10:35                         ` Nala Ginrut
@ 2019-10-27  4:50                         ` Mike Gerwitz
  2019-10-27  5:32                           ` Mike Gerwitz
                                             ` (2 more replies)
  1 sibling, 3 replies; 75+ messages in thread
From: Mike Gerwitz @ 2019-10-27  4:50 UTC (permalink / raw)
  To: tomas; +Cc: guile-user

[-- Attachment #1: Type: text/plain, Size: 1546 bytes --]

To make sure I see replies, please include me in the recipient list (not
just the mailing list).  I missed this at first.

On Sat, Oct 26, 2019 at 09:48:37 +0200, tomas@tuxteam.de wrote:
>> Passing session tokens via GET requests is a bad idea, because that
>> leaks the token.
>
> Even in https?

Transport is only part of the problem.  Query parameters are also leaked
to webserver access logs; they can leak to 3rd party logs via the
referrer header (I sometimes see sensitive data in my webserver logs
from other domains); they're retained in browser history and written to
disk; may show up in proxy logs (e.g. when passing through load
balancers); could be easily pasted unwittingly to third parties (e.g. a
user sharing a link with someone else); etc.

Back in what feels like a previous lifetime by now, I used to do a lot
of work with phpBB2, which had an option to either store sessions in
cookies or place PHPSESSID in the URL.  It modified every link to
include a session id.  It tried to mitigate the issue by checking the
source IP address, but if you were logged on the same network (e.g. in
the same place of employment; school; library; etc), then sharing a link
would lead to session hijacking.

Such link rewriting schemes also cause other types of problems.  For
example, you may be able to cache most of the generated HTML (except for
e.g. the header) regardless of what user is logged in.  But if you have
to inject tokens into all links, that type of caching isn't useful.

-- 
Mike Gerwitz

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p
  2019-10-27  4:50                         ` Mike Gerwitz
@ 2019-10-27  5:32                           ` Mike Gerwitz
  2019-10-27  8:50                             ` tomas
  2019-10-27  8:36                           ` tomas
  2019-10-27 14:26                           ` Keith Wright
  2 siblings, 1 reply; 75+ messages in thread
From: Mike Gerwitz @ 2019-10-27  5:32 UTC (permalink / raw)
  To: tomas; +Cc: guile-user

[-- Attachment #1: Type: text/plain, Size: 1529 bytes --]

On Sun, Oct 27, 2019 at 00:50:17 -0400, Mike Gerwitz wrote:
> On Sat, Oct 26, 2019 at 09:48:37 +0200, tomas@tuxteam.de wrote:
>>> Passing session tokens via GET requests is a bad idea, because that
>>> leaks the token.
>>
>> Even in https?

[...]

> Back in what feels like a previous lifetime by now, I used to do a lot
> of work with phpBB2, which had an option to either store sessions in
> cookies or place PHPSESSID in the URL.  It modified every link to
> include a session id.  It tried to mitigate the issue by checking the
> source IP address, but if you were logged on the same network (e.g. in
> the same place of employment; school; library; etc), then sharing a link
> would lead to session hijacking.

Since I was in the mindset of leaking information, I forgot to mention
another negative side-effect of including tokens as query strings: it
can turn link sharing into a weapon using session fixation.  E.g. I
could create an account, send a link to you with my session token, and
you may then be logged into my account.  The user may then perform an
action that may benefit the attacker (or the action could be part of the
URL).

This is sometimes used as a poor-man's SSO. :x  It can also work with
POSTs: direct the user to an auto-submitting form.

Cookies are better suited for storing session tokens---you cannot set
cookie values for other domains without some other type of exploit
(e.g. XSS, but your cookies best be set to HTTP-only to mitigate that).

-- 
Mike Gerwitz

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread
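An added example illustrating the two points Mike makes above: a session id carried in the URL (the PHPSESSID-in-every-link scheme, or the /<token>/... layout mentioned earlier in the thread) makes whoever holds the link the owner of the session, and a login that keeps the id the client arrived with lets an attacker plant an id and inherit the victim's authenticated session (session fixation). The hardened login rotates the id, and the cookie is emitted with HttpOnly, Secure and SameSite set. This is illustration code written for this page in Python, not code from the thread, from phpBB2, or from any Guile project; the in-memory session store, the cookie name `sid` and the scenario functions are assumptions of the example.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Callable, Optional
from urllib.parse import urlsplit

# In-memory session store (constructed for this example):
# session id -> logged-in user, or None for an anonymous session.
SESSIONS = {}


def new_session() -> str:
    """Anonymous session, as issued to any first-time visitor."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = None
    return sid


def whoami(sid: Optional[str]) -> Optional[str]:
    return SESSIONS.get(sid)


def login_fixable(sid: str, user: str) -> str:
    """Vulnerable: attaches the login to whatever id the client presented,
    including one an attacker handed the victim inside a link."""
    SESSIONS[sid] = user
    return sid


def login_hardened(sid: Optional[str], user: str) -> str:
    """Hardened: discard the pre-login id and issue a fresh one, so a planted
    id never becomes an authenticated session."""
    if sid in SESSIONS:
        del SESSIONS[sid]
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = user
    return fresh


def user_for_url_token(url: str) -> Optional[str]:
    """Resolve a session id embedded as the first path segment of a URL.

    Anyone who receives the link (shared, logged by a proxy, leaked via the
    Referer header) receives the session with it.
    """
    segments = urlsplit(url).path.split("/")
    token = segments[1] if len(segments) > 1 else ""
    return whoami(token)


def fixation_attack(login: Callable[[str, str], str]) -> Optional[str]:
    """Mallory obtains an anonymous id, gets Bob to use it, Bob logs in.
    Returns the user Mallory's copy of the id now resolves to."""
    planted = new_session()   # Mallory's id, delivered to Bob e.g. in a link
    login(planted, "bob")     # Bob authenticates while using the planted id
    return whoami(planted)    # "bob" if the id was kept, None if rotated


def session_cookie(sid: str) -> str:
    """Set-Cookie header value for the session id.

    HttpOnly keeps page scripts (XSS) from reading it, Secure keeps it off
    plain http, SameSite=Lax keeps cross-site POSTs from carrying it.
    """
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()
```

Rotating the id at login addresses fixation but not the sharing problem; that one goes away only when the id is moved out of the URL into a cookie, which the browser refuses to set for another origin without a separate vulnerability such as XSS.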

* Re: mailmam, web bridge, forum, p2p
  2019-10-27  4:50                         ` Mike Gerwitz
  2019-10-27  5:32                           ` Mike Gerwitz
@ 2019-10-27  8:36                           ` tomas
  2019-10-27 14:26                           ` Keith Wright
  2 siblings, 0 replies; 75+ messages in thread
From: tomas @ 2019-10-27  8:36 UTC (permalink / raw)
  To: Mike Gerwitz; +Cc: guile-user

[-- Attachment #1: Type: text/plain, Size: 2767 bytes --]

On Sun, Oct 27, 2019 at 12:50:17AM -0400, Mike Gerwitz wrote:
> To make sure I see replies, please include me in the recipient list (not
> just the mailing list).  I missed this at first.
> 
> On Sat, Oct 26, 2019 at 09:48:37 +0200, tomas@tuxteam.de wrote:
> >> Passing session tokens via GET requests is a bad idea, because that
> >> leaks the token.
> >
> > Even in https?

Thanks for this complete account. I appreciate it very much!

> Transport is only part of the problem.
> Query parameters are also leaked to webserver access logs;

That's true -- but I'd call that "category B". The server realm
is full of sensitive data, and the logs are part of that.

> they can leak to 3rd party logs via the referrer header (I
> sometimes see sensitive data in my webserver logs from other
> domains);

That's more serious ("category A") -- third parties get to look
into sensitive data. The application has to take care of links
pointing to the "outside".

If we're trying to pull off this, we'll have to think hard
about this one.

> they're retained in browser history and written to disk;

Again "category B". The browser's cookie jar is, after all,
also there for all to see. As a forensics analyst or a data
"thief", I'd take with me the whole browser subdir, anyway.

> may show up in proxy logs (e.g. when passing through load
> balancers); could be easily pasted unwittingly to third parties (e.g. a
> user sharing a link with someone else); etc.

Only for plain http (unless it's one of those corporate proxies
with an "open-all" root certificate, that is).

> Back in what feels like a previous lifetime by now, I used to do a lot
> of work with phpBB2, which had an option to either store sessions in
> cookies or place PHPSESSID in the URL.  It modified every link to
> include a session id.  It tried to mitigate the issue by checking the
> source IP address, but if you were logged on the same network (e.g. in
> the same place of employment; school; library; etc), then sharing a link
> would lead to session hijacking.

This all is in the context of plain http, I guess.

> Such link rewriting schemes also cause other types of problems.  For
> example, you may be able to cache most of the generated HTML (except for
> e.g. the header) regardless of what user is logged in.  But if you have
> to inject tokens into all links, that type of caching isn't useful.

Yes. But this has lost most of its bite in the last decade or
so. Machines have increased in power (speed, RAM) faster than
the network. Apart from really high-volume sites, where you
start thinking about load balancers, CDNs, etc. I think a bit
of server-side template substitution will drown in the noise.

Cheers
-- t

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p
  2019-10-27  5:32                           ` Mike Gerwitz
@ 2019-10-27  8:50                             ` tomas
  0 siblings, 0 replies; 75+ messages in thread
From: tomas @ 2019-10-27  8:50 UTC (permalink / raw)
  To: Mike Gerwitz; +Cc: guile-user

[-- Attachment #1: Type: text/plain, Size: 2200 bytes --]

On Sun, Oct 27, 2019 at 01:32:54AM -0400, Mike Gerwitz wrote:

[...]

> > Back in what feels like a previous lifetime by now, I used to do a lot
> > of work with phpBB2, which had an option to either store sessions in
> > cookies or place PHPSESSID in the URL.  It modified every link to
> > include a session id [...]

> Since I was in the mindset of leaking information, I forgot to mention
> another negative side-effect of including tokens as query strings: it
> can turn link sharing into a weapon using session fixation.  E.g. I
> could create an account, send a link to you with my session token, and
> you may then be logged into my account.

Actually there are two scenarios: User A (say Alice) "has" the session
and passes a link to B (Bob), session token included.

This could be negligence, and now Bob might do something nasty with
Alice's session (e.g. go into a shopping spree)...

>                                          The user may then perform an
> action that may benefit the attacker (or the action could be part of the
> URL).

...but you seem to imply that there's a reverse scenario, where Alice
does something nasty to Bob?

> This is sometimes used as a poor-man's SSO. :x  It can also work with
> POSTs: direct the user to an auto-submitting form.

Yes, you could take your "session token" with you, to another computer,
but this seems somewhat fragile [1].

> Cookies are better suited for storing session tokens---you cannot set
> cookie values for other domains without some other type of exploit
> (e.g. XSS, but your cookies best be set to HTTP-only to mitigate that).

Cookies are, after all, client-side data. The browser might not allow
you to do something, but you can engineer all sort of HTTP requests:
that means the server has to do its own sanity checks anyway.

Cheers

[1] That's why I'd go for a fairly strict session expiry; perhaps
   (but I haven't played with it in practice!) you'd need transaction
   tokens instead (as those continuation based thingies use), which
   can be even more short-lived. Perhaps even some correlation
   between token and client profile (IP address, etc.).

-- tomás

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p
  2019-10-27  4:50                         ` Mike Gerwitz
  2019-10-27  5:32                           ` Mike Gerwitz
  2019-10-27  8:36                           ` tomas
@ 2019-10-27 14:26                           ` Keith Wright
  2019-10-27 19:28                             ` Zelphir Kaltstahl
  2 siblings, 1 reply; 75+ messages in thread
From: Keith Wright @ 2019-10-27 14:26 UTC (permalink / raw)
  To: Mike Gerwitz; +Cc: guile-user

Mike Gerwitz <mtg@gnu.org> writes:

> To make sure I see replies, please include me in the recipient list (not
> just the mailing list).  I missed this at first.
>
> On Sat, Oct 26, 2019 at 09:48:37 +0200, tomas@tuxteam.de wrote:
>>> Passing session tokens via GET requests is a bad idea, because that
>>> leaks the token.

Actually, if you are going to have an extended conversation
between two people that has little to do with Guile,
consider taking it off the mailing list entirely.

   -- Keith 



^ permalink raw reply	[flat|nested] 75+ messages in thread

* Re: mailmam, web bridge, forum, p2p
  2019-10-27 14:26                           ` Keith Wright
@ 2019-10-27 19:28                             ` Zelphir Kaltstahl
  0 siblings, 0 replies; 75+ messages in thread
From: Zelphir Kaltstahl @ 2019-10-27 19:28 UTC (permalink / raw)
  To: guile-user, Keith Wright

On 10/27/19 3:26 PM, Keith Wright wrote:
> Mike Gerwitz <mtg@gnu.org> writes:
>
>> To make sure I see replies, please include me in the recipient list (not
>> just the mailing list).  I missed this at first.
>>
>> On Sat, Oct 26, 2019 at 09:48:37 +0200, tomas@tuxteam.de wrote:
>>>> Passing session tokens via GET requests is a bad idea, because that
>>>> leaks the token.
> Actually, if you are going to have an extended conversation
> between two people that has little to do with Guile,
> consider taking it off the mailing list entirely.
>
>    -- Keith 
>
Hi Keith,

I understand your point (everyone gets emails …), but at the same time I
find this quite educational. It would be great if, at the end, there were
some documentation of why one approach was chosen, with all the up- and
downsides of the approaches discussed, if this is not available on the
mailing list : )

Regards,

Zelphir





* mailman web interface (was: Diversification)
  2019-10-23 12:33           ` pelzflorian (Florian Pelz)
  2019-10-23 13:47             ` tomas
  2019-10-23 19:19             ` Zelphir Kaltstahl
@ 2019-10-28 11:04             ` pelzflorian (Florian Pelz)
  2020-07-08 12:32               ` pelzflorian (Florian Pelz)
  2 siblings, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-28 11:04 UTC (permalink / raw)
  Cc: guile-user

On Wed, Oct 23, 2019 at 02:33:43PM +0200, pelzflorian (Florian Pelz) wrote:
> If there isn’t one already, then I would like to start working on a
> written in Guile, free software, old-school bulletin board-like
> interface, perhaps with a more modern UI design, next week.  I do not
> like Discourse and will need something like this anyway for other
> projects.  I see there already is guile-email and Mumi.  So far I had
> no time looking at either.  I would start next week.
> 

I have rented a domain mailbaby.de (I hope the name is fine) and am in
the process of writing a Guix mailman 2 service, so we can move the
discussion on a new mailman web interface there.  Will report back
when it’s done.

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
       [not found]                         ` <874kzslwq0.fsf@elephly.net>
@ 2019-10-28 15:41                           ` pelzflorian (Florian Pelz)
  0 siblings, 0 replies; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2019-10-28 15:41 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guile-user

On Mon, Oct 28, 2019 at 04:24:07PM +0100, Ricardo Wurmus wrote:
> Hi Florian,
> 
> > A mailing list web interface may help these users.
> 
> I probably missed something in this discussion, but here goes: have you
> looked at Mailman 3 and its web interface?
> 
> Here’s a demo:
> 
>     https://lists.fedoraproject.org/archives/
> 
> I think that’s really forum-like.  For some reason this newer version of
> Mailman is not in use within the GNU project.  (I’m guessing that’s due
> to a lack of GNU volunteers who could spare the time to upgrade while
> making sure nothing breaks.)
> 
> Is there something missing from Mailman 3 that your new project would
> provide?  I’m all for writing things in Guile, but I don’t see the
> urgent need for a mailing list web interface when there is Mailman.
> 

I frankly had never tried Hyperkitty yet.  It looks really good and is
very forum-like.  However, it also fundamentally relies on Javascript
and I would prefer browsing the archives without Javascript.  I will
look at it later and think some more.  Thank you!

Regards,
Florian




* Re: mailman web interface (was: Diversification)
  2019-10-28 11:04             ` mailman web interface (was: Diversification) pelzflorian (Florian Pelz)
@ 2020-07-08 12:32               ` pelzflorian (Florian Pelz)
  2020-09-05  6:21                 ` mailman web interface Joshua Branson via General Guile related discussions
  0 siblings, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2020-07-08 12:32 UTC (permalink / raw)
  To: guile-user

On Mon, Oct 28, 2019 at 12:04:36PM +0100, pelzflorian (Florian Pelz) wrote:
> On Wed, Oct 23, 2019 at 02:33:43PM +0200, pelzflorian (Florian Pelz) wrote:
> > If there isn’t one already, then I would like to start working on a
> > written in Guile, free software, old-school bulletin board-like
> > interface, perhaps with a more modern UI design, next week.  I do not
> > like Discourse and will need something like this anyway for other
> > projects.  I see there already is guile-email and Mumi.  So far I had
> > no time looking at either.  I would start next week.
> > 
> 
> I have rented a domain mailbaby.de (I hope the name is fine) and am in
> the process of writing a Guix mailman 2 service, so we can move the
> discussion on a new mailman web interface there.  Will report back
> when it’s done.

I am sorry to say I will not have the time to do a mailman Web
interface.  I am sorry to disappoint you.

Regards,
Florian




* Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
  2019-10-23 19:19             ` Zelphir Kaltstahl
  2019-10-24  1:01               ` Nala Ginrut
@ 2020-09-05  6:15               ` Joshua Branson via General Guile related discussions
  2020-09-05 11:50                 ` Web development Zelphir Kaltstahl
  1 sibling, 1 reply; 75+ messages in thread
From: Joshua Branson via General Guile related discussions @ 2020-09-05  6:15 UTC (permalink / raw)
  To: guile-user


You will probably want to borrow this code about how to decode byte
vectors in case you ever need to do any processing of POST requests:

https://notabug.org/jbranso/autoassign/src/master/decode.scm


It should probably be included in the guile src.

Thanks,

Joshua

P.S.  I did not create that file.  I just found it elsewhere.

-- 
Joshua Branson
Sent from Emacs and Gnus





* Re: mailman web interface
  2020-07-08 12:32               ` pelzflorian (Florian Pelz)
@ 2020-09-05  6:21                 ` Joshua Branson via General Guile related discussions
  2020-09-05  7:53                   ` pelzflorian (Florian Pelz)
  0 siblings, 1 reply; 75+ messages in thread
From: Joshua Branson via General Guile related discussions @ 2020-09-05  6:21 UTC (permalink / raw)
  To: guile-user


This certainly sounds like an awesome project...doesn't Drew Devault
have a similar functionality with his lists project?  I believe that one
can have an account on his git repo, and make commits via git and/or the
web interface.

-- 
Joshua Branson
Sent from Emacs and Gnus





* Re: mailman web interface
  2020-09-05  6:21                 ` mailman web interface Joshua Branson via General Guile related discussions
@ 2020-09-05  7:53                   ` pelzflorian (Florian Pelz)
  2020-09-05 13:32                     ` Joshua Branson
  0 siblings, 1 reply; 75+ messages in thread
From: pelzflorian (Florian Pelz) @ 2020-09-05  7:53 UTC (permalink / raw)
  To: Joshua Branson; +Cc: guile-user

On Sat, Sep 05, 2020 at 02:21:31AM -0400, Joshua Branson via General Guile related discussions wrote:
> This certainly sounds like an awesome project...doesn't Drew Devault
> have a similar functionality with his lists project?  I believe that one
> can have an account on his git repo, and make commits via git and/or the
> web interface.

<https://sr.ht/~sircmpwn/sourcehut/lists> at first glance looks nice
to use and its setup.py says it is AGPL licensed.  It does not appear
to be an interface to non-sr.ht projects’ mailing lists.  Actually I
think email is still the best way to write to mailing lists of the
current Internet, only a JavaScript-free Web interface for reading and
searching was a good idea, though I can’t do it and old mailman2
already allows Web-based reading.

Regards,
Florian




* Re: Web development
  2020-09-05  6:15               ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] Joshua Branson via General Guile related discussions
@ 2020-09-05 11:50                 ` Zelphir Kaltstahl
  2020-09-05 13:09                   ` Ricardo Wurmus
  0 siblings, 1 reply; 75+ messages in thread
From: Zelphir Kaltstahl @ 2020-09-05 11:50 UTC (permalink / raw)
  To: guile-user

(If I understand correctly, this is "Re: Web development"? Changed the
subject.)

Hi Joshua!

On 05.09.20 08:15, Joshua Branson via General Guile related discussions
wrote:
> You will probably want to borrow this code about how to decode byte
> vectors in case you ever need to do any processing of POST requests:
>
> https://notabug.org/jbranso/autoassign/src/master/decode.scm
>
>
> It should probably be included in the guile src.
>
> Thanks,
>
> Joshua
>
> P.S.  I did not create that file.  I just found it elsewhere.

Thanks for that code, it can be quite useful!

I am trying to create some examples for web development currently.
Perhaps I can get far enough to decode byte vectors in query
parameter values.

-- 
repositories: https://notabug.org/ZelphirKaltstahl




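Joshua's decode.scm pointer and Zelphir's plan to decode byte vectors in query parameter values concern the same task: turning the raw bytes of a form-encoded POST body or query string, which Guile's web modules hand you as a bytevector, into named fields. As an added example that is not code from the thread, from decode.scm or from guile-webutils, here is a Python decoder written from scratch so the edge cases are visible: percent-escapes are decoded on bytes before character decoding, so a multi-byte UTF-8 sequence split across escapes comes back whole; malformed escapes are kept literally; undecodable bytes raise instead of silently becoming U+FFFD; and a field-count cap bounds the work a large body can cause. The MAX_FIELDS value and the sample bodies are constructed assumptions.

```python
MAX_FIELDS = 100   # assumed cap on fields per body; tune to the application


def _is_hex(b):
    """True if the byte value b is an ASCII hexadecimal digit."""
    return b in b"0123456789abcdefABCDEF"


def _percent_decode(chunk):
    """Decode %XX escapes and '+' (space) in one form-encoded field name or
    value.  Works on bytes so that a UTF-8 sequence spread over several
    escapes is reassembled before any character decoding happens."""
    out = bytearray()
    i, n = 0, len(chunk)
    while i < n:
        c = chunk[i]
        if c == 0x2B:                                   # '+' means space in form bodies
            out.append(0x20)
            i += 1
        elif c == 0x25 and i + 2 < n and _is_hex(chunk[i + 1]) and _is_hex(chunk[i + 2]):
            out.append(int(chunk[i + 1:i + 3], 16))     # well-formed %XX escape
            i += 3
        else:
            out.append(c)                               # malformed escape kept literally
            i += 1
    return bytes(out)


def parse_form_body(body, encoding="utf-8"):
    """Decode an application/x-www-form-urlencoded body (or query string)
    given as bytes into an ordered list of (name, value) string pairs.

    A field without '=' gets an empty value.  Bytes that are not valid in
    the declared encoding raise UnicodeDecodeError (a ValueError), and more
    than MAX_FIELDS fields raise ValueError, so a caller can answer 400
    rather than process garbage."""
    pairs = []
    for item in body.split(b"&"):
        if not item:                                    # tolerate "a=1&&b=2"
            continue
        if len(pairs) >= MAX_FIELDS:
            raise ValueError("too many form fields")
        name, _sep, value = item.partition(b"=")
        pairs.append((_percent_decode(name).decode(encoding),
                      _percent_decode(value).decode(encoding)))
    return pairs
```

The '+' to space rule is specific to form encoding and to query strings written by HTML forms; a decoder for URL path segments must not apply it, which is one reason a general-purpose URI decoder and a form-body decoder are best kept as separate functions.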

* Re: Web development
  2020-09-05 11:50                 ` Web development Zelphir Kaltstahl
@ 2020-09-05 13:09                   ` Ricardo Wurmus
  0 siblings, 0 replies; 75+ messages in thread
From: Ricardo Wurmus @ 2020-09-05 13:09 UTC (permalink / raw)
  To: Zelphir Kaltstahl; +Cc: guile-user


Zelphir Kaltstahl <zelphirkaltstahl@posteo.de> writes:

> On 05.09.20 08:15, Joshua Branson via General Guile related discussions
> wrote:
>> You will probably want to borrow this code about how to decode byte
>> vectors in case you ever need to do any processing of POST requests:
>>
>> https://notabug.org/jbranso/autoassign/src/master/decode.scm
>>
>>
>> It should probably be included in the guile src.
>>
>> Thanks,
>>
>> Joshua
>>
>> P.S.  I did not create that file.  I just found it elsewhere.
>
> Thanks for that code, it can be quite useful!
>
> I am trying to create some examples for web development currently.
> Perhaps I can get that far, that I decode byte vectors in query
> parameter values.

Also see https://notabug.org/cwebber/guile-webutils/

-- 
Ricardo




* Re: mailman web interface
  2020-09-05  7:53                   ` pelzflorian (Florian Pelz)
@ 2020-09-05 13:32                     ` Joshua Branson
  0 siblings, 0 replies; 75+ messages in thread
From: Joshua Branson @ 2020-09-05 13:32 UTC (permalink / raw)
  To: guile-user


Ok.  Thanks for the response.  Maybe the admin guys at the FSF could
migrate all their stuff to sourcehut and use its list.  People could
still use an email workflow, and others that prefer a web based one
could use that too.

--
Joshua Branson
Sent from Emacs and Gnus





Thread overview: 75+ messages (download: mbox.gz / follow: Atom feed)
2019-10-20  6:10 Diversification [ branched from Re: conflicts in the gnu project now affect guile] Todor Kondić
2019-10-20  6:14 ` John Cowan
2019-10-21  6:35   ` Arne Babenhauserheide
2019-10-21 13:45     ` Amirouche Boubekki
2019-10-23  6:16   ` Amirouche Boubekki
2019-10-23  6:27     ` Nala Ginrut
2019-10-23  6:48     ` pelzflorian (Florian Pelz)
2019-10-23 10:37       ` Chris Vine
2019-10-23 11:25         ` pelzflorian (Florian Pelz)
2019-10-23 12:33           ` pelzflorian (Florian Pelz)
2019-10-23 13:47             ` tomas
2019-10-23 14:10               ` pelzflorian (Florian Pelz)
2019-10-23 19:09                 ` Mikael Djurfeldt
2019-10-23 19:26                   ` pelzflorian (Florian Pelz)
2019-10-23 19:19             ` Zelphir Kaltstahl
2019-10-24  1:01               ` Nala Ginrut
2019-10-24  9:19                 ` pelzflorian (Florian Pelz)
2019-10-24  9:35                 ` mailmam, web bridge, forum, p2p (was: Diversification) Amirouche Boubekki
2019-10-24 12:30                   ` pelzflorian (Florian Pelz)
2019-10-24 14:15                     ` Nala Ginrut
2019-10-24 16:39                       ` Zelphir Kaltstahl
2019-10-24 23:42                         ` Nala Ginrut
2019-10-25  1:39                     ` mailmam, web bridge, forum, p2p Mike Gerwitz
2019-10-26  7:48                       ` tomas
2019-10-26 10:35                         ` Nala Ginrut
2019-10-26 11:34                           ` tomas
2019-10-27  4:50                         ` Mike Gerwitz
2019-10-27  5:32                           ` Mike Gerwitz
2019-10-27  8:50                             ` tomas
2019-10-27  8:36                           ` tomas
2019-10-27 14:26                           ` Keith Wright
2019-10-27 19:28                             ` Zelphir Kaltstahl
2019-10-25  6:08                     ` mailmam, web bridge, forum, p2p (was: Diversification) pelzflorian (Florian Pelz)
2019-10-25  6:23                       ` Nala Ginrut
2019-10-26  4:31                       ` mailmam, web bridge, forum, p2p Mike Gerwitz
2019-10-26  9:35                         ` pelzflorian (Florian Pelz)
2019-10-26 11:31                           ` tomas
2019-10-24 13:32                   ` mailmam, web bridge, forum, p2p (was: Diversification) tomas
2019-10-24 15:03                     ` Nala Ginrut
2019-10-24 15:12                       ` tomas
2019-10-24 16:35                         ` Zelphir Kaltstahl
2019-10-26  8:04                           ` tomas
2019-10-26  9:42                             ` pelzflorian (Florian Pelz)
2019-10-26 11:31                               ` tomas
2019-10-25 11:30                       ` Mikael Djurfeldt
2019-10-25 12:53                         ` Nala Ginrut
2020-09-05  6:15               ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] Joshua Branson via General Guile related discussions
2020-09-05 11:50                 ` Web development Zelphir Kaltstahl
2020-09-05 13:09                   ` Ricardo Wurmus
2019-10-28 11:04             ` mailman web interface (was: Diversification) pelzflorian (Florian Pelz)
2020-07-08 12:32               ` pelzflorian (Florian Pelz)
2020-09-05  6:21                 ` mailman web interface Joshua Branson via General Guile related discussions
2020-09-05  7:53                   ` pelzflorian (Florian Pelz)
2020-09-05 13:32                     ` Joshua Branson
2019-10-23 13:43         ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] tomas
2019-10-23 17:39           ` Chris Vine
2019-10-23 19:58             ` Mailman web interface [was: Re: Diversification] pelzflorian (Florian Pelz)
2019-10-23 20:02           ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] pelzflorian (Florian Pelz)
2019-10-26  8:14             ` tomas
2019-10-26  9:03               ` pelzflorian (Florian Pelz)
2019-10-26 11:26                 ` tomas
2019-10-26 13:02                   ` Zelphir Kaltstahl
2019-10-26 15:23                     ` tomas
2019-10-26 16:47                     ` pelzflorian (Florian Pelz)
2019-10-26 17:09                       ` pelzflorian (Florian Pelz)
     [not found]                         ` <874kzslwq0.fsf@elephly.net>
2019-10-28 15:41                           ` pelzflorian (Florian Pelz)
2019-10-23 13:45       ` tomas
2019-10-20  8:07 ` pelzflorian (Florian Pelz)
2019-10-20  8:08   ` pelzflorian (Florian Pelz)
2019-10-22 18:47 ` Mark H Weaver
2019-10-22 19:23   ` Zelphir Kaltstahl
2019-10-22 20:51     ` Arne Babenhauserheide
2019-10-22 23:24     ` Chris Vine
2019-10-23  0:57       ` Zelphir Kaltstahl
2019-10-23  6:44         ` pelzflorian (Florian Pelz)
