Sender | Message | Time |
---|---|---|
13 Jan 2023 | ||
pj | whyyy is my session still unverified ffs | 15:03:05 |
Porkepix | Eh, I also have one unverified that fails pretty much every time on phone :D | 15:04:24 |
pj | * whyyy is my session still unverified ffs (ok, i fix) | 15:04:26 |
welteam | Yeah and let's not talk about the quality of Element when it's supposed to be the reference implementation, I believe | 15:04:27 |
Porkepix | The perfect communication tool doesn't exist anyway, needs to consider the best deal and strike a balance with the most important needs | 15:04:52 |
pj | I verified new Element session from unverified Cinny session, I don't think that should be possible hmmmmmm | 15:05:19 |
Porkepix | welteam: There's an org I'm part of and that pushes a lot for Matrix, but I'm still doing some resistance and only accessing legacy (bridged) channels from irc, and can't access the others. The org has its own matrix server where members have an account. Problem: the reference client, Element, is still unable to manage multiple accounts after all these years. And on a more personal need, I want and need my personal, local logs I can grep through. | 15:06:54 |
pj | The only viable option of using Matrix is when not federating | 15:07:42 |
pj | Like a locked-down completely defederated instance, will be fine (the clients still suck although Cinny is somewhat ok) | 15:08:42 |
Porkepix | That's particularly a problem when a solution is pushed for a corporate use besides the personal one. People don't want to mix corporate and personal use from a single account. | 15:08:54 |
Porkepix | Heard of Cinny, installed and launched it, saw all these icons to connect with facebook, google OAuths and others; didn't take the time yet to see if it was done cleanly or if data is sent to them so I didn't connect with it. | 15:10:04 |
pj | In reply to @Porkepix:matrix.org: I don't understand the concern | 15:13:05 |
pj | OAuth is OAuth | 15:13:12 |
Porkepix | Yup, but the same way there were issues with the "share" buttons, such as the facebook thumb and so on, depending on how it was implemented, only displaying those icons can already lead to sending data to these OAuth providers. And I'd rather not send them anything. But as I said I didn't check if anything is sent/shared or not before any login through them happens. | 15:15:22 |
pj | share buttons are different because they were done by embedding custom JS from service | 15:17:00 |
welteam | Yes, OAuth and tracking beacons, while they may look similar, aren't implemented the same way. OAuth is just a link | 15:18:27 |
pj | what you could do is implement OAuth in an insecure way (which would leak critical info to public) | 15:19:13 |
pj | or idk, send whatever data to OAuth endpoint but it would just bounce with 5xx error | 15:19:37 |
pj | OAuth is nice in a way that it has very strict information that you need to send (which is usually API key, nonce, etc.) and nothing else | 15:20:36 |
pj | OAuth is bad because it allows for deviation from spec and some services implement it in their own way (shakes fist at Tumblr) | 15:21:17 |
welteam | In reply to @panekj:matrix.org: Shakes fist at adfs | 15:22:03 |
pj | but it's always good to verify source code anyway :) | 15:22:14 |
Porkepix | And also because it serves as an excuse for a fake choice in some situations. I've got a couple of cases for FLOSS gitlabs for example where you have the choice of OAuth (I don't want to depend on a third-party for my auth, especially for FLOSS) or regular register… through Google's reCAPTCHA: purely illegal in Europe if done without user consent for data collection, and not very ethical for FLOSS projects, imho | 15:23:26 |
Porkepix | pj: Problem is, it's probably pulled from some dependencies and you gotta search this a lot, as searches in the source code for oauth or some of the provider's name bring no results | 15:24:18 |
pj | I'm usually wary of people who are interested in FLOSS, quite often they are not mentally stable or not open to difference in opinions (: | 15:30:05 |
welteam | In reply to @panekj:matrix.org: Too true | 15:30:42 |
Porkepix | That's maybe generalizing a little too much :p ; but you sure could find people like that, and not only around FLOSS topic but among many other ones | 15:32:24 |
pj | I'm not disagreeing | 15:32:51 |
pj | Unfortunately (at least in topics adjacent to Linux) they are quite loud | 15:34:04 |