News aggregator

Florian Schmaus: XMPP IoT Anti-Patterns

Planet Jabber - 4 July, 2016 - 00:00
Posted on July 4, 2016 Tags: xmpp

The recent issue (2016-14 page 78 ff.) of the German computer magazine c’t has an interesting article about security issues in alarm systems. I was a bit surprised that in 2016 we still have systems online which are vulnerable because of a default password or passwords like ‘1234’. The c’t had articles about similar issues before. Obviously the industry has much to learn about securing the Internet of Things (IoT).

What caught my attention was an XMPP message that is, according to the article, used by the alarm system to confirm the user PIN with a central server in order to disarm the system. The article describes a security flaw where sending the same message without the PIN would erroneously disarm the system. The message stanza looks like this

    <message
        id="n0000-000000"
        to="<unique-id-of-alarm-system-central>@climax-home-portal"
        type="chat"
        from="security_admin@climax-home-portal/Smack">
      <body>
        4150795OqiESNX2RCHC/ :;MODA:1,0, 1234
      </body>
    </message>

This demonstrates nicely a few XMPP-for-IoT Anti-Patterns I’d like to discuss.

The Anti-Patterns
  1. Using XMPP without properly secured TLS. What made it easy to look directly at the XMPP stanzas in use was that the alarm system used an unencrypted connection. This revealed the PIN position and made it possible to inject spoofed stanzas.

  2. Abusing <body/> to carry machine data. RFC 6121 § 5.2.3 defines the <body/> content as “human-readable XML character data”. I guess this contributed a bit to the security flaw, where a message stanza without the PIN would disarm the system, because parsing that particular body content format doesn’t seem easy. But even if my guess is wrong, abusing the <body/> element in such a way will eventually snap back to you once your IoT environment grows.

  3. Allowing the client to determine the resource. Depending on the service's policy on resource conflicts, this could lead to reconnect loops until the old connection using the same resource finally times out. Hardcoded resource strings also make it easy for an attacker to guess a resource. If the client does not protect itself against unsolicited stanzas, e.g. by using XEP-0016 Privacy Lists, then this could at least allow an attacker to drain a mobile client's battery or allow him to access unprotected IQ interfaces.

  4. Using ‘chat’ type messages. Often done because “we don’t know better”. OK, I’m just guessing that ‘chat’ was used for this reason. But I often see people use ‘chat’ for no obvious reason; ‘normal’ would be the better choice in this case. And since it is the default type, you can omit it, saving a few bytes over the wire.

The Correct Patterns
  1. Use proper TLS for god’s sake. But “enabling” TLS is not enough. There is an intolerably large number of implementations using TLS with an “accept all certificates” policy in order to be able to connect to hosts with self-signed certificates. That is a very bad approach in every respect. Instead, use Certificate Pinning. With Java Pinning and Smack, TLS Certificate Pinning is as easy as:

    SSLContext sc = Java7Pinning
        .forPin("SHA256:e3b1812d945da1a2a2c5fa28029d2fe34c7c...");
    XMPPTCPConnectionConfiguration conf = XMPPTCPConnectionConfiguration
        .builder()
        .setUsernameAndPassword("user", "pass")
        .setXmppDomain("example.org")
        .setCustomSSLContext(sc)
        .build();

  2. Use a custom extension element for your data. After all, extensibility is one of the strong arguments for XMPP. All XMPP libraries provide APIs to handle (create, process, serialize, deserialize) custom extension elements. The message above could for example look like this if they had used a custom <disarm xmlns='namespace:of:vendor'/> extension element:

    <message
        id="n0000-000000"
        to="<unique-id-of-alarm-system-central>@climax-home-portal"
        from="security_admin@climax-home-portal/ba7971ca-a887-404b-8c48">
      <disarm xmlns='namespace:of:vendor'>
        <data>4150795OqiESNX2RCHC/</data>
        <mode foo='true' bare='false'>MODA</mode>
        <pin>1234</pin>
      </disarm>
    </message>

  3. Let the server assign a resource. You usually want to do this independently of your use-case for XMPP (e.g. also when using XMPP for Instant Messaging). Since this is not IoT specific, but true for general XMPP usage, the XMPP Wiki also mentions this as a guideline for IM developers, along with a rationale.

  4. Use a fitting message type. XMPP provides a variety of message types, each with different semantics. Sadly those types are named after their common use-case and not after their semantics, so people assume that they are just useful for that. For example ‘chat’ for chatting purposes and ‘headline’ for headlines. But in the end, you should choose the message type depending on your use-case. Primarily the message type affects the routing rules of the message stanzas. There is no reason you would want to use ‘chat’ in IoT. Use ‘normal’ and omit the ‘type’ attribute completely, since ‘normal’ is the default. Messages of type ‘headline’ also provide some nice properties for the IoT use-case (fan-out to all available resources of the recipient).
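
A sketch of the receiving side of pattern 2, as an added example that is not code from the original post or from any vendor: it acts on a disarm command only when the `<disarm xmlns='namespace:of:vendor'/>` extension element is present and complete, so a stanza without a PIN is rejected instead of disarming anything. The JIDs, the 4 to 8 digit PIN rule, the message type policy and all function names are assumptions made for this illustration.

```python
import hmac
import xml.etree.ElementTree as ET

VENDOR_NS = "namespace:of:vendor"   # namespace used in the article's example
CLIENT_NS = "jabber:client"         # default namespace of client-to-server stanzas


class RejectedStanza(ValueError):
    """Raised when a stanza must not be acted upon."""


def single_child(parent, tag):
    """Return the one and only child with this qualified tag, else reject."""
    found = parent.findall(tag)
    if len(found) != 1:
        raise RejectedStanza(f"expected exactly one {tag}, got {len(found)}")
    return found[0]


def parse_disarm(stanza_xml):
    """Parse a <message/> carrying the vendor <disarm/> element (fail closed)."""
    # XMPP forbids DTDs, comments and processing instructions inside a stream.
    # This sketch is deliberately stricter and also refuses CDATA sections.
    if "<!" in stanza_xml or "<?" in stanza_xml:
        raise RejectedStanza("restricted XML construct")
    try:
        msg = ET.fromstring(stanza_xml)
    except ET.ParseError as exc:
        raise RejectedStanza("not well-formed") from exc
    if msg.tag != f"{{{CLIENT_NS}}}message":
        raise RejectedStanza("not a message stanza")
    # Assumed policy: only 'normal' messages (the default when type is absent).
    if msg.get("type", "normal") != "normal":
        raise RejectedStanza("unexpected message type")
    disarm = single_child(msg, f"{{{VENDOR_NS}}}disarm")
    fields = {}
    for name in ("data", "mode", "pin"):
        element = single_child(disarm, f"{{{VENDOR_NS}}}{name}")
        text = (element.text or "").strip()
        if not text or len(element):        # empty value or nested elements
            raise RejectedStanza(f"bad <{name}/> content")
        fields[name] = text
    pin = fields["pin"]
    # Assumed PIN format: 4 to 8 ASCII digits.
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 8):
        raise RejectedStanza("malformed PIN")
    return fields


def authorize_disarm(stanza_xml, expected_pin):
    """True only for a complete, valid command whose PIN matches."""
    try:
        command = parse_disarm(stanza_xml)
    except RejectedStanza:
        return False                        # any parsing doubt means "stay armed"
    # Constant-time comparison avoids leaking the PIN through timing.
    return hmac.compare_digest(command["pin"].encode(), expected_pin.encode())


def build_message(payload, msg_type=None):
    """Constructed sample stanza; the JIDs are made-up placeholders."""
    type_attr = f" type='{msg_type}'" if msg_type else ""
    return (f"<message xmlns='jabber:client' id='n0000-000000'{type_attr} "
            "to='panel@example.org' from='app@example.org/r1'>"
            f"{payload}</message>")


# Constructed test stanzas, modelled on the article's example.
DATA_MODE = ("<data>4150795OqiESNX2RCHC/</data>"
             "<mode foo='true' bare='false'>MODA</mode>")
VALID = build_message(
    f"<disarm xmlns='{VENDOR_NS}'>{DATA_MODE}<pin>1234</pin></disarm>")
NO_PIN = build_message(f"<disarm xmlns='{VENDOR_NS}'>{DATA_MODE}</disarm>")
EMPTY_PIN = build_message(
    f"<disarm xmlns='{VENDOR_NS}'>{DATA_MODE}<pin></pin></disarm>")
BODY_ONLY = build_message("<body>4150795OqiESNX2RCHC/ :;MODA:1,0,</body>")
CHAT_TYPE = build_message(
    f"<disarm xmlns='{VENDOR_NS}'>{DATA_MODE}<pin>1234</pin></disarm>", "chat")

if __name__ == "__main__":
    for label, stanza in [("valid", VALID), ("no pin", NO_PIN),
                          ("empty pin", EMPTY_PIN), ("body only", BODY_ONLY),
                          ("chat type", CHAT_TYPE)]:
        print(f"{label:10s} -> disarm allowed: {authorize_disarm(stanza, '1234')}")
```

The standalone samples declare `xmlns='jabber:client'` explicitly because they are parsed outside a stream; inside a real stream the stanza inherits that namespace, and an XMPP library's extension-element API would take the place of the raw XML parsing here.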

Remark

Note that this list of patterns is not comprehensive. Also some points are not exclusive to XMPP-for-IoT, but apply to XMPP usage in general.

Get in touch with the XMPP Community

I really encourage vendors to discuss their ideas, designs and approaches built upon XMPP with the XMPP community. I have encountered a lot of IoT specifications and implementations using XMPP which had not only minor but also serious design flaws. Fixing the ones which are already in production is an enormous effort. Thus I can only strongly recommend getting a peer review for your design early.

The XMPP community is very friendly, especially when it comes to supporting open standards and potentially subsequent open-source implementations. Usually you will find people willing to help you design and review your XMPP usage. Just join the xsf@muc.xmpp.org chat or post your XMPP related questions to the standards@mail.jabber.org mailing list.

Monal IM: HTTP upload errors

Planet Jabber - 28 June, 2016 - 04:29

There have been many people who had problems with HTTP upload in the most recent versions. It appears the vast majority of connection issues with HTTP uploads are related to one of the following:
1. Monal requires HTTPS
2. iOS requires a valid certificate
3. iOS requires a certain set of ciphers (anurodhp/Monal#35 (comment))

Monal IM: Media Portal App for Apple TV

Planet Jabber - 27 June, 2016 - 13:52

I am making a free Media Portal client for Apple TV. At the moment I’m calling this guy TVPortal.  This is mostly driven by my desire to watch my recorded tv shows on Appletv.

Phase 1 will be to watch recorded content.

Phase 2 epg and record scheduling from appletv.

Phase 3 will be live streaming tv.

For me personally this will be the holy grail for Appletv. A single box that can handle all of my media needs including OTA free TV.  Of course the DVR component would require a separate box as Media portal is an open source Windows dvr. If you are interested, please email me (info@monal.im). I would like to test this a lot before we go live in the App Store.

The backend code for phase 1 is nearly complete; once I have a basic UI, we will begin testing. I will update this post with further details as the app progresses.

ProcessOne: Managing ejabberd Platforms with Docker – ejabberd Workshop #1

Planet Jabber - 27 June, 2016 - 09:35

In this video, Christophe Romain introduces Docker and ProcessOne work in progress to support Docker-based ejabberd deployments.

The video was recorded at ejabberd Advanced Erlang Workshop in Paris.

ProcessOne: Real time messaging client with Go – Paris Meetup video

Planet Jabber - 24 June, 2016 - 17:09

Here is the video of my talk at Golang Paris Meetup in June (in French). The topic is writing messaging applications in Go.

Enjoy !

ProcessOne: Elixir Paris Meetup: July 5, 2016

Planet Jabber - 24 June, 2016 - 16:09

Elixir Paris Meetup will happen on July 5th in downtown Paris, at Remix Coworking.

The programme includes the following talks (in French):

  • Lessons learned by rewriting a SaaS application in RubyOnRails in Elixir (Thibaut Barrère)
  • Sidekiq and Exq (Bryan Frimin)
  • Phoenix Presence: Phoenix 1.2 realtime service (Mickaël Rémond)

You can register to attend on the Paris.ex meetup page: Elixir Paris Meetup #8

ProcessOne: XMPP Radar Newsletter #11

Planet Jabber - 23 June, 2016 - 15:41

Welcome to the 11th issue of our newsletter. You can subscribe to the XMPP Radar newsletter and receive it in your inbox at the end of each month. Here are the links we found interesting in May:

What 671 million push notifications say about how people spend their day

Push notifications are a cornerstone of every mobile app’s engagement and retention strategy, yet we know so little about them.

Personalized push notifications can increase open rates up to 800%

Apps that blast out push notifications are missing out on an opportunity to encourage engagement, with personalized notifications driving significantly higher results across the 1.5 billion messages analyzed for a new report from Leanplum.

Is instant messaging the next innovation for online learning?

The Economist magazine published recently an article titled “The Slack Generation”, highlighting the growing importance of messaging software in the workplace. The article pointed out three main workplace changes that have led to Slack’s rise.

XyBot, an XMPP bot that allows users to interact with Asterisk

Another feature that I believe can improve the user experience is the possibility of interacting with your telephone system (Asterisk) directly from your IM client.

Native web push notifications with Angular 2

The Notifications API has been available for some browsers for a while now. Alex Castillo is bringing this powerful API to the Angular world in the form of a library, making it more accessible and reusable for developers.

Is this the end of decentralisation?

Signal, which is developed by Moxie and Open Whisper Systems, is a tool for secure messaging between mobile devices. It has faced criticism since Signal is built on a centralised platform. The criticism was fueled even further by an idea that LibreSignal, an independent build of Signal, would not be able to federate and talk to the Signal servers.

Daniel Pocock: WebRTC and communications projects in GSoC 2016

Planet Jabber - 20 June, 2016 - 15:02

This year a significant number of students are working on RTC-related projects as part of Google Summer of Code, under the umbrella of the Debian Project. You may have already encountered some of them blogging on Planet or participating in mailing lists and IRC.

WebRTC plugins for popular CMS and web frameworks

There are already a range of pseudo-WebRTC plugins available for CMS and blogging platforms like WordPress, unfortunately, many of them are either not releasing all their source code, locking users into their own servers or requiring the users to download potentially untrustworthy browser plugins (also without any source code) to use them.

Mesut is making plugins for genuinely free WebRTC with open standards like SIP. He has recently created the WPCall plugin for WordPress, based on the highly successful DruCall plugin for WebRTC in Drupal.

Keerthana has started creating a similar plugin for MediaWiki.

What is great about these plugins is that they don't require any browser plugins and they work with any server-side SIP infrastructure that you choose. Whether you are routing calls into a call center or simply using them on a personal blog, they are quick and convenient to install. Hopefully they will be made available as packages, like the DruCall packages for Debian and Ubuntu, enabling even faster installation with all dependencies.

Would you like to try running these plugins yourself and provide feedback to the students? Would you like to help deploy them for online communities using Drupal, WordPress or MediaWiki to power their web sites? Please come and discuss them with us in the Free-RTC mailing list.

You can read more about how to run your own SIP proxy for WebRTC in the RTC Quick Start Guide.

Finding all the phone numbers and ham radio callsigns in old emails

Do you have phone numbers and other contact details such as ham radio callsigns in old emails? Would you like a quick way to data-mine your inbox to find them and help migrate them to your address book?

Jaminy is working on Python scripts to do just that. Her project takes some inspiration from the Telify plugin for Firefox, which detects phone numbers in web pages and converts them to hyperlinks for click-to-dial. The popular libphonenumber from Google, used to format numbers on Android phones, is being used to help normalize any numbers found. If you would like to test the code against your own mailbox and address book, please make contact in the #debian-data channel on IRC.

A truly peer-to-peer alternative to SIP, XMPP and WebRTC

The team at Savoir Faire Linux has been busy building the Ring softphone, a truly peer-to-peer solution based on the OpenDHT distribution hash table technology.

Several students (Simon, Olivier, Nicolas and Alok) are actively collaborating on this project, some of them have been fortunate enough to participate at SFL's offices in Montreal, Canada. These GSoC projects have also provided a great opportunity to raise Debian's profile in Montreal ahead of DebConf17 next year.

Linux Desktop Telepathy framework and reSIProcate

Another group of students, Mateus, Udit and Balram have been busy working on C++ projects involving the Telepathy framework and the reSIProcate SIP stack. Telepathy is the framework behind popular softphones such as GNOME Empathy that are installed by default on the GNU/Linux desktop.

I previously wrote about starting a new SIP-based connection manager for Telepathy based on reSIProcate. Using reSIProcate means more comprehensive support for all the features of SIP, better NAT traversal, IPv6 support, NAPTR support and TLS support. The combined impact of all these features is much greater connectivity and much greater convenience.

The students are extending that work, completing the buddy list functionality, improving error handling and looking at interaction with XMPP.

Streamlining provisioning of SIP accounts

Currently there is some manual effort for each user to take the SIP account settings from their Internet Telephony Service Provider (ITSP) and transpose these into the account settings required by their softphone.

Pranav has been working to close that gap, creating a JAR that can be embedded in Java softphones such as Jitsi, Lumicall and CSipSimple to automate as much of the provisioning process as possible. ITSPs are encouraged to test this client against their services and will be able to add details specific to their service through Github pull requests.

The project also hopes to provide streamlined provisioning mechanisms for privately operated SIP PBXes, such as the Asterisk and FreeSWITCH servers used in small businesses.

Improving SIP support in Apache Camel and the Jitsi softphone

Apache Camel's SIP component and the widely known Jitsi softphone both use the JAIN SIP library for Java.

Nik has been looking at issues faced by SIP users in both projects, adding support for the MESSAGE method in camel-sip and looking at why users sometimes see multiple password prompts for SIP accounts in Jitsi.

If you are trying either of these projects, you are very welcome to come and discuss them on the mailing lists, Camel users and Jitsi users.

GSoC students at DebConf16 and DebConf17 and other events

Many of us have been lucky to meet GSoC students attending DebConf, FOSDEM and other events in the past. From this year, Google now expects the students to complete GSoC before they become eligible for any travel assistance. Some of the students will still be at DebConf16 next month, assisted by the regular travel budget and the diversity funding initiative. Nik and Mesut were already able to travel to Vienna for the recent MiniDebConf / LinuxWochen.at

As mentioned earlier, several of the students and the mentors at Savoir Faire Linux are based in Montreal, Canada, the destination for DebConf17 next year and it is great to see the momentum already building for an event that promises to be very big.

Explore the world of Free Real-Time Communications (RTC)

If you are interested in knowing more about the Free RTC topic, you may find the following resources helpful:

RTC mentoring team 2016

We have been very fortunate to build a large team of mentors around the RTC-themed projects for 2016. Many of them are first time GSoC mentors and/or new to the Debian community. Some have successfully completed GSoC as students in the past. Each of them brings unique experience and leadership in their domain.

Helping GSoC projects in 2016 and beyond

Not everybody wants to commit to being a dedicated mentor for a GSoC student. In fact, there are many ways to help without being a mentor and many benefits of doing so.

Simply looking out for potential applicants for future rounds of GSoC and referring them to the debian-outreach mailing list or an existing mentor helps ensure we can identify talented students early and design projects around their capabilities and interests.

Testing the projects on an ad-hoc basis, greeting the students at DebConf and reading over the student wikis to find out where they are and introduce them to other developers in their area are all possible ways to help the projects succeed and foster long term engagement.

Google gives Debian a USD $500 grant for each student who completes a project successfully this year. If all 2016 students pass, that is over $10,000 to support Debian's mission.

Fanout Blog: hack.guides() Tutorial Contest

Planet Jabber - 16 June, 2016 - 22:12

Are you all about realtime apps? Well, now you can be famous and win $500 to teach the Internet. Fanout is excited to team up with the hack.guides() 2016 Tutorial Contest. Any realtime app submitted to the contest that uses Pushpin or Fanout Cloud will qualify for a chance to win a $500 prize.

See the contest here: http://tutorials.pluralsight.com/contest

...

Peter Saint-Andre: Philanthropic Philosophy

Planet Jabber - 12 June, 2016 - 00:00
One of the few investment writers I still read is John Hussman. His deeply rational, evidence-based approach to the markets is something I very much appreciate in this world of breathless hype and cynical salesmanship.

Daniel Pocock: Working to pass GSoC

Planet Jabber - 8 June, 2016 - 17:11

GSoC students have officially been coding since 23 May (about 2.5 weeks) and are almost half-way to the mid-summer evaluation (20 - 27 June). Students who haven't completed some meaningful work before that deadline don't receive payment and in such a large program, there is no possibility to give students extensions or let them try and catch up later.

Every project and every student are different, some are still getting to know their environment while others have already done enough to pass the mid-summer evaluation.

I'd like to share a few tips to help students ensure they don't inadvertently fail the mid-summer evaluation

Kill electronic distractions

As a developer of real-time communications projects, many people will find it ironic or hypocritical that this is at the top of my list.

Switch off the mobile phone or put it in silent mode so it doesn't even vibrate. Research has suggested that physically turning it off and putting it out of sight has significant benefits. Disabling the voicemail service can be an effective way of making sure no time is lost listening to a bunch of messages later. Some people may grumble at first but if they respect you, they'll get into the habit of emailing you and waiting for you to respond when you are not working.

Get out a piece of paper and make a list of all the desktop notifications on your computer, whether they are from incoming emails, social media, automatic updates, security alerts or whatever else. Then figure out how to disable them all one-by-one.

Use email to schedule fixed times for meetings with mentors. Some teams/projects also have fixed daily or weekly times for IRC chat. For a development project like GSoC, it is not necessary or productive to be constantly on call for 3 straight months.

Commit every day

Habits are a powerful thing. Successful students have a habit of making at least one commit every day. The "C" in GSoC is for Code and commits are a good way to prove that coding is taking place.

GSoC is not a job, it is like a freelance project. There is no safety-net for students who get sick or have an accident and mentors are not bosses, each student is expected to be their own boss. Although Google has started recommending students work full time, 40 hours per week, it is unlikely any mentors have any way to validate these hours. Mentors can look for a commit log, however, and simply won't be able to pass a student if there isn't code.

There may be one day per week where a student writes a blog or investigates a particularly difficult bug and puts a detailed report in the bug tracker but by the time we reach the second or third week of GSoC, most students are making at least one commit in 3 days out of every 5.

Consider working away from home/family/friends

Can you work without anybody interrupting you for at least five or six hours every day?

Do you feel pressure to help with housework, cooking, siblings or other relatives? Even if there is no pressure to do these things, do you find yourself wandering away from the computer to deal with them anyway?

Do family, friends or housemates engage in social activities, games or other things in close proximity to where you work?

All these things can make a difference between passing and failing.

Maybe these things were tolerable during high school or university. GSoC, however, is a stepping stone into professional life and that means making a conscious decision to shut those things out and focus. Some students have the ability to manage these distractions well, but it is not for everybody. Think about how leading sports stars or musicians find a time and space to be "in the zone" when training or rehearsing, this is where great developers need to be too.

Some students find the right space in a public library or campus computer lab. Some students have been working in hacker spaces or at empty desks in local IT companies. These environments can also provide great networking opportunities.

Managing another summer job concurrently with GSoC

It is no secret that some GSoC students have another job as well. Sometimes the mentor is aware of it, sometimes it has not been disclosed.

The fact is, some students have passed GSoC while doing a summer job or internship concurrently but some have also failed badly in both GSoC and their summer job. Choosing one or the other is the best way to succeed, get the best results and maximize the quality of learning and community interaction. For students in this situation, now it is not too late to make the decision to withdraw from GSoC or the other job.

If doing a summer job concurrently with GSoC is unavoidable, the chance of success can be greatly increased by doing the GSoC work in the mornings, before starting the other job. Some students have found that they actually finish more quickly and produce better work when GSoC is constrained to a period of 4 or 5 hours each morning and their other job is only in the afternoon. On the other hand, if a student doesn't have the motivation or energy to get up and work on GSoC before the other job then this is a strong sign that it is better to withdraw from GSoC now.

Daniel Pocock: Working to pass GSoC

Planet Jabber - 8 June, 2016 - 17:11

GSoC students have officially been coding since 23 May (about 2.5 weeks) and are almost half-way to the mid-summer evaluation (20 - 27 June). Students who haven't completed some meaningful work before that deadline don't receive payment and in such a large program, there is no possibility to give students extensions or let them try and catch up later.

Every project and every student are different, some are still getting to know their environment while others have already done enough to pass the mid-summer evaluation.

I'd like to share a few tips to help students ensure they don't inadvertently fail the mid-summer evaluation:

Kill electronic distractions

As a developer of real-time communications projects, many people will find it ironic or hypocritical that this is at the top of my list.

Switch off the mobile phone or put it in silent mode so it doesn't even vibrate. Research has suggested that physically turning it off and putting it out of sight has significant benefits. Disabling the voicemail service can be an effective way of making sure no time is lost listening to a bunch of messages later. Some people may grumble at first but if they respect you, they'll get into the habit of emailing you and waiting for you to respond when you are not working.

Get out a piece of paper and make a list of all the desktop notifications on your computer, whether they are from incoming emails, social media, automatic updates, security alerts or whatever else. Then figure out how to disable them all one-by-one.

Use email to schedule fixed times for meetings with mentors. Some teams/projects also have fixed daily or weekly times for IRC chat. For a development project like GSoC, it is not necessary or productive to be constantly on call for 3 straight months.

Commit every day

Habits are a powerful thing. Successful students have a habit of making at least one commit every day. The "C" in GSoC is for Code and commits are a good way to prove that coding is taking place.

GSoC is not a job, it is like a freelance project. There is no safety-net for students who get sick or have an accident and mentors are not bosses, each student is expected to be their own boss. Although Google has started recommending students work full time, 40 hours per week, it is unlikely any mentors have any way to validate these hours. Mentors can look for a commit log, however, and simply won't be able to pass a student if there isn't code.

There may be one day per week where a student writes a blog or investigates a particularly difficult bug and puts a detailed report in the bug tracker but by the time we reach the second or third week of GSoC, most students are making at least one commit in 3 days out of every 5.

Consider working away from home/family/friends

Can you work without anybody interrupting you for at least five or six hours every day?

Do you feel pressure to help with housework, cooking, siblings or other relatives? Even if there is no pressure to do these things, do you find yourself wandering away from the computer to deal with them anyway?

Do family, friends or housemates engage in social activities, games or other things in close proximity to where you work?

All these things can make a difference between passing and failing.

Maybe these things were tolerable during high school or university. GSoC, however, is a stepping stone into professional life and that means making a conscious decision to shut those things out and focus. Some students have the ability to manage these distractions well, but it is not for everybody. Think about how leading sports stars or musicians find a time and space to be "in the zone" when training or rehearsing, this is where great developers need to be too.

Some students find the right space in a public library or campus computer lab. Some students have been working in hacker spaces or at empty desks in local IT companies. These environments can also provide great networking opportunities.

Managing another summer job concurrently with GSoC

It is no secret that some GSoC students have another job as well. Sometimes the mentor is aware of it, sometimes it has not been disclosed.

The fact is, some students have passed GSoC while doing a summer job or internship concurrently but some have also failed badly in both GSoC and their summer job. Choosing one or the other is the best way to succeed, get the best results and maximize the quality of learning and community interaction. For students in this situation, now it is not too late to make the decision to withdraw from GSoC or the other job.

If doing a summer job concurrently with GSoC is unavoidable, the chance of success can be greatly increased by doing the GSoC work in the mornings, before starting the other job. Some students have found that they actually finish more quickly and produce better work when GSoC is constrained to a period of 4 or 5 hours each morning and their other job is only in the afternoon. On the other hand, if a student doesn't have the motivation or energy to get up and work on GSoC before the other job then this is a strong sign that it is better to withdraw from GSoC now.

Nicolas Vérité: The true awakening of XMPP

Planet Jabber - 7 June, 2016 - 16:14

2016 is definitely the year of the awakening of XMPP. It is already mid-year, but here is what happened already, and what we can do next.

Matthew Wild: non-tech requirements

At the FOSDEM 2016 and XMPP Summit 19, Matthew Wild, lead developer of Prosody, pushed the XMPP community into « Exploring the non-technical requirements of open communication », which led to the creation of a very small website (although unmaintained), but still a very strong initiative: modernxmpp.org. As an XSF Council member, Matthew opened up minds with this thinking out of the box.

Nicolas Vérité: 3 generations of IM

I did my part, by contributing to the wake up call, with « The state of XMPP and instant messaging, The awakening », followed by « Welcome to the third generation of Instant Messaging! » part 1 (1st and 2nd gen of IM) and part 2 (3rd gen of IM, synthesis matrix), and « 3 gens of IM, next steps for XMPP ». I believe this had its positive effects as well, as some items were actively discussed forward at the XMPP Summit 20 (hosted by Atlassian, makers of the 3rd gen IM HipChat, based on XMPP), and the feedback from the nice guys of Tigase said: « The most prevalent topic at the summit was the future of XMPP communication, and how it can fit into the third generation of instant messaging. ».

Daniel Gultsch: mobile XMPP

Daniel Gultsch, lead developer of the Conversations.im Android client, has written a thought-provoking piece on « The State of Mobile XMPP in 2016 », pointing at strengths and weaknesses, and debunking some misunderstandings.

Georg Lukas: easy XMPP

Today, it is Georg Lukas, pointing out « Easy XMPP », with « Easy Onboarding » and « Easy Roster Invitations ». To quote Georg, « After reflecting upon all these things though I must say that I am surprised how much low-hanging fruit we’ve ignored over the last decade or so ».

Outcome?

It is clear that these many wake up calls have echoed with each other. We have quite a clear path, that may need a little refinement. Now it is a matter of priorities and formalisation, given the limited resources we have…

Is it time we start to write a vision statement and a roadmap for the next 6 to 12 months?


Christian Schudt: Babbler Version 0.7.0 Released

Planet Jabber - 5 June, 2016 - 16:58
Version 0.7.0 of the XMPP Java library has just been released!

As always you can find the artifacts in Maven Central:

<dependency>
    <groupId>rocks.xmpp</groupId>
    <artifactId>xmpp-core-client</artifactId>
    <version>0.7.0</version>
</dependency>
<dependency>
    <groupId>rocks.xmpp</groupId>
    <artifactId>xmpp-extensions-client</artifactId>
    <version>0.7.0</version>
</dependency>

Release highlights are support for WebSocket connection, the new XMPP Address Format (RFC 7395), asynchronous API for IQ queries and XEP-0198: Stream Management (which is still a bit experimental).

Some API has also been revised for less ambiguous and easier usage, e.g. timeouts are now represented by java.time.Duration instead of an int/long (which sometimes were seconds, sometimes milliseconds) and the xml:lang attribute is now represented by java.util.Locale instead of String to prevent improper usage.

Here's a more complete list of changes:
  • Add support for XEP-0198: Stream Management
  • Add support for WebSocket connection method (RFC 7395).
  • Update Jid class to the new XMPP Address Format (RFC 7622)
  • IQ queries can now be executed asynchronously (non-blocking) using Java 8’s java.util.concurrent.CompletableFuture API.
  • Represent xml:lang attributes as java.util.Locale, not as String.
  • Represent timeouts as java.time.Duration instead of int/long for better clearness.
  • Add a very minimalistic DNS resolver for resolving SRV and TXT records in order to remove the dependency to com.sun.* classes.
  • Add more ReconnectionStrategy implementations.
  • Check connected state of socket before connecting (to prevent SocketException when a SocketFactory provides a connected socket)
  • Add XmppSession#isAuthenticated() method.
  • Add static XmppSession#addCreationListener() method to allow to listen for newly created sessions.
  • Update XEP-0080 to version 1.9 (add altaccuracy element).
  • Add API to destroy a MUC room without a reason.
  • More documentation, e.g. clarify the use of ConnectionConfiguration#secure()
  • Don’t include an empty body in Message Delivery Receipts.
  • Add correct XML names to component namespace stanzas.
  • Eagerly release unused port to prevent ports-leaks due to delayed GC
  • Improve thread-safety during connect() and login()
  • Fix encoding issues, caused by missing UTF-8 encoding, mainly in the debugger.
  • XEP-0033: Address should have extensions.
  • Add workaround for a JDK bug causing memory issues and high CPU.
  • Add documentation for custom SASL authentication.

Tigase Blog: XEP-0334 Support in AMP

Planet Jabber - 28 May, 2016 - 05:52

Tigase's Advanced Message Plugin now supports XEP-0334 Message Storage Hints. Now offline messages can contain hints as to what to do with offline messages.

Peter Saint-Andre: Investing for the Rest of Us

Planet Jabber - 28 May, 2016 - 00:00
Back in 2009, I wrote a blog post entitled Financial Thinking, in which I summarized the results of six months' research on investment strategies after the 2008-2009 market crash (informed both by practical experience and by my grounding in economics, history, psychology, and philosophy). Since then I've done a lot more thinking and research; more pointedly, of late a few friends have asked for my thoughts on the topic. Thus I figure it's time to provide a more complete report on my thinking about finance and investing.

Swift Blog: Swift 3.0: File Transfer and Keyword Highlighting

Planet Jabber - 26 May, 2016 - 00:00

Swift 3.0 was released a couple of months ago and we’ve had lots of feedback from users, so we’d like to start off this blog post by thanking you all for this, we never tire of hearing how great Swift is!

Many new features were introduced in 3.0, a list of which can be found in the changelog, but today we would like to bring your attention to two of those: File Transfer and Keyword Highlighting.

File Transfer

Swift can now transfer files via the ‘Jingle File Transfer’ protocol. We’ve made it nice and easy to start transferring files to your contacts, simply drag the required file onto an open chat and voilà.

Keyword Highlighting

Keyword highlighting is now supported in Swift. This allows users to set up Swift to alert them to activity that matches their configured highlighting rules. This was described in a previous blog post. To get started, use the “Edit Highlight Rules” menu item and set your required rules.

Tigase Blog: XMPP Summit reflections

Planet Jabber - 25 May, 2016 - 04:37

A brief overview of XMPP Summit 20
