
February 21 2017

The XMPP Standards Foundation: XMPP Summit 21

This year, the XMPP Standards Foundation again gathered in force to attend the summit that traditionally precedes the FOSDEM event in Brussels, Belgium. Barely fitting in the (rather sizable) room that was made available to us by Cisco, the XSF members had a fruitful two-day meeting.

The attending members, skillfully herded by Kev, addressed an impressive number of topics, including:

  • BIND2, improving the data exchange that occurs when an XMPP entity initially connects to a server.
  • MIX, the XEP that intends to be a replacement for the existing MUC protocol, bringing an up-to-date feature set and better extensibility.
  • Addressing the annoyance of instant-messaging-based spam.
  • The application of existing, or to be developed XMPP standards, to facilitate the growing world of Internet-of-Things.
  • The XSF's intention to take part in this year's Google Summer of Code.
  • Improvements to the existing end-to-end encryption, as defined in the OMEMO XEP.

The full minutes are made available in the XSF wiki. If any of these topics (or others for that matter) interest you, we'd love to hear from you. Please find us at, use the mailing lists to contact us, or find us in one of the dedicated MUCs.

Many thanks to everyone involved in making the summit happen, including Cisco Belgium, Surevine, AG Software, Isode, Prosody, Erlang Solutions and Clayster for providing much appreciated sponsoring for the event, as well as the traditional XSF Member dinner!

Apart from the discussions, the summit proved to be an excellent opportunity for some of the newer members amongst us, myself included, to make acquaintance with the others. I, for one, am grateful to have been there, and am looking forward to the next meetup!

February 20 2017

Tigase Blog: Maven repositories URL changes

For quite some time we were using a basic means of providing access to our Maven artifacts - simply serving them as a directory view. Recently we made some changes in that area to help with the maintenance and also provide a single access point to our repositories.

This resulted in deploying Apache Archiva under new URL:, from where you can access both final and snapshot repositories.

Ignite Realtime Blog: Request for Comments: Mavenizing Spark

Most of our projects have a long history. This certainly goes for Spark, which was created over ten years ago. Although many of you are actively using Spark today, it is beginning to show its age. This is something that we have been planning to address for a while now.


Spark was created around the same time that the Kyoto protocol went into effect, Pluto got demoted to the status of 'dwarf planet' and Italy won the FIFA world cup in Germany. Thereabouts.


Since then, source code development tooling has improved a lot. Today, the Spark project is struggling to find active contributors. We believe that one of the reasons for this is that it's pretty hard for developers (especially those that are used to working with modern tooling) to get started with our project. We have been working on that. First, we moved all of our projects from our old Subversion repository to Github. We have noticed that this dramatically improved the accessibility of our code. Second, Smack 4 happened, bringing the backbone of Spark back up-to-date.


Now, we are addressing the structure of the project itself. We will restructure the project as an Apache Maven project. This will bring a good deal of predictable structure to the project, which has many benefits. One of these is that the project will integrate easily with various development tools.


Moving Spark from its existent Ant-based structure to a Maven structure is no small task. There is no one right way of doing this. We have given it a shot, and have created a structure that we think is very workable. Before committing to this structure, we would very much invite others to have a look, and comment on what we've done. The reasoning behind this is simple: once we've committed to a particular structure, it will be disruptive to change it. If we want to apply improvements, we should do so now.


Please, review our new project structure, and let us know what you think. You can find the new structure in the SPARK-1791_Maven branch on Github.


Ask yourselves: does this structure help me? Is it easier to compile the source code? Can I integrate it with my IDE of choice without too much trouble? Can I create new plugins? Does the new structure introduce a problem that needs to be addressed before committing? Can it be improved? We welcome all feedback!

February 19 2017

Peter Saint-Andre: Going Deep

Three months ago, in a post entitled "Below the Surface", I started a habit of posting in my weblog at least once a week. Although it's been a good run, I've cleared out my backlog of topics to write about. More importantly, I have a big project to finish (The Upland Farm, my forthcoming book on Thoreau) and another one to restart (more on that in the coming weeks), not to mention the need to focus intently on building the team at Filament and bringing our products to market. Because all of these initiatives will require a lot of deep work, my weblog will likely be fairly quiet until mid-summer. See you then....

February 18 2017

Ignite Realtime Blog: Openfire 4.1.2 Release

The Ignite Realtime Community is pleased to announce the availability of version 4.1.2 of Openfire. This release signifies our ongoing effort to produce a stable 4.1 series while effort is made on new features and functionality in Openfire 4.2. You can find a release changelog denoting the 13 Jira issues resolved in this release. If you had issues with inconsistent appearance of groups, do please test this release to see if those issues are now resolved. You can download the release from our website here and the sha1sums for the available artifacts are as follows.


| OS | sha1sum | Filename | Version 4.1.1 Downloads [1] |
|---|---|---|---|
| Linux RPM (32bit JRE bundled) | c2f12c3ec6ba2f64388279f106f2749272c9504c | openfire-4.1.2-1.i686.rpm | 1290 |
| Linux RPM (no JRE) | 226a7f1138fda7c456523bf80e6140e020fd5a74 | openfire-4.1.2-1.noarch.rpm | 965 |
| Linux RPM (64bit JRE bundled) | 6892ec82e1435b6cbf23da1ba1efb9d94122d8a6 | openfire-4.1.2-1.x86_64.rpm | 3805 |
| Linux .deb | c205eefe136fe0481e498668f258a0bc724a7080 | openfire_4.1.2_all.deb | 7311 |
| Mac OS dmg | b9570c78854c226714c23001997119e503e0aaab | openfire_4_1_2.dmg | 1207 |
| Windows EXE | dba34e78456f03bbd0de5a5cf94730c433d75c20 | openfire_4_1_2.exe | 19798 |
| Binary (tar.tgz) | cf4676f1e8c8a04999f6e9c97d859c8bbff35c4e | openfire_4_1_2.tar.gz | 2622 |
| Binary (zip) | 0f4624f2c387c00373c717a52ed442741ceb0e93 | | 3058 |
| Source (tar.gz) | 9b1efd5090ff37e4faca6d460b20ec40a4c40a53 | openfire_src_4_1_2.tar.gz | 408 |
| Source (zip) | b32c39ec84ad04acf46881b682919ef41fab3be4 | | 1371 |


[1] We recently migrated to storing our release artifacts on Github and thanks to their API, we can get metrics on how many times the artifact was downloaded.


As a reminder, our development of Openfire happens on Github and we have an active MUC development chat hosted at . We are always looking for more folks interested in helping out, so please consider pitching in!


As always, please report any issues in the Community Forums and thanks for using Openfire!

February 12 2017

Peter Saint-Andre: Forever Jung

Recently I got to talking with a friend about personality assessments, especially in relation to hiring and talent development. It took me awhile to figure out why we were not in agreement: he was thinking about the Myers-Briggs Type Indicator (MBTI) whereas I was thinking about assessments based on the five-factor model (also called the "big five") of personality traits....

Peter Saint-Andre: Limited Liability

Someone I know who is an avowed socialist told me he'd be much more sympathetic to libertarian views if we didn't need big government to protect us from big business....

February 11 2017

Christian Schudt: Babbler Version 0.7.3 released

I've released version 0.7.3 of the Java XMPP library. This is primarily a "bug fix and improvements" release and is compatible with previous 0.7.x releases. Here's the changelog:
  • Use single equals sign (“=”) for zero-length data in SASL, as per RFC 6120 § 6.4.2
  • Allow configuring a custom stream host and skip proxy discovery then for SI file transfer.
  • Implement WebSocket pings/pongs.
  • Fix WebSocket’s proxy URI construction.
  • Use connect timeout for WebSocket connections.
  • XEP-0198: Send an ack right before gracefully closing the stream (i.e. update to version 1.5.2).
  • MUC Room “enter” events should fire for oneself entering the room as well.
  • Use java.text.Collator for String-based default comparison.
  • XEP-0066: Use URI instead of URL.
  • Fix XMPP Ping in External Components, which broke the connection.
  • Jid.asBareJid returns this if it is already bare, reducing GC pressure.
  • connect() method should not throw CancellationException
  • Check if the connection has been secured (if configured) before starting to authenticate.

Maven coordinates


Ignite Realtime Blog: Smack 4.2.0-rc3 released

I've just released Smack 4.2.0-rc3 to Maven Central. Smack 4.2.0 is scheduled to be released early Q2 2017, according to Smack's release life cycle. And right now, it looks like the train is right on time.

Peter Saint-Andre: Why Do I Think What I Think?

Most people seem to believe that their thoughts are right, and that this is so because they are righteous people. Those who disagree with them are wrong and have bad intentions; those who agree with them have the truth on their side and have good intentions....

February 09 2017

Arnaud Joset: Authentication without password using XMPP on a Django website

This article describes the authentication with XMPP on a Django powered website.

Authentication without password

When you authenticate on a website, the domain validates your identity before letting you access confidential information. There are several ways to perform this validation and the use of passwords is the most popular. Another method is the use of a token generator, i.e. a small device that generates a secret passphrase that you copy onto a website. Today I will present to you another authentication method without password using XMPP.

XMPP authentication

XMPP has a nice authentication mechanism. It is standardized in the XMPP extension XEP-0070. It may be used on a website. There are 4 steps.

  1. The user visits their favorite website and goes to the login section.
  2. The user enters their jid (XMPP address) in a form and clicks on a button to authenticate.
  3. The website sends an XMPP request to the user asking if they want to log in on the website. The request also displays a code that must be identical on the website and in the XMPP client in order to validate the request.
  4. The user validates the request in their XMPP client and is therefore logged in on the website.

There are plenty of XMPP clients: Gajim, Salut-à-toi, Movim, Conversations, Poezio, Pidgin, Psi etc. Several of them work on mobile, on a webpage or on the desktop. Therefore, it is possible to authenticate easily on a website without a password using your smartphone, desktop or another platform.

Note: if the client does not support XEP-0070, there is a fallback mechanism where the user sends back the validation code in a chat window. Therefore, it is possible to authenticate with all XMPP clients.



Gajim XEP-0070

Salut à toi (Primitivus)

Primitivus XEP-0070

The following section presents the implementation of this mechanism on a Django website.

Use XMPP authentication mechanism with Django

Make it easy with HTTPAuthenticationOverXMPP

In this section, the XMPP part is managed by a component written by "Chteufleur". This component is easy to use. It manages the XMPP session and the web developer just has to make a request to the component, which sends a return code:

  • 200 : User accepts the request
  • 400 : One or more mandatory parameter(s) is missing
  • 401 : User denies the request or timeout
  • 520 : Unknown error happens
  • 523 : Server is unreachable

The installation procedure is described in the Readme file of the project (

Django files

The view manages the form fields and sends the jid and validation code (transaction_id) to a module called XmppBackend. The transaction_id is generated when the form is accessed. Its value is kept in memory by using the session mechanism of Django (see section

Several files are needed to obtain the desired result. The following sections describe them.

from django import forms

class AuthForm(forms.Form):
    username = forms.CharField(max_length=100, help_text="(XMPP jid)")

HTML template

{% extends "base.html" %}

{% block content %}

{% if form.errors %}
<p>Your username is invalid. Please try again.</p>
{% endif %}

<form method="post" action="{% url 'login' %}">
   {% csrf_token %}
    {{ form.as_p }}
    <input type="submit" value="Login" id="Login" name="login"/>
</form>
Your validation code: {{ transaction_id|linebreaks }}
<strong>{{ status_msg|linebreaks }}</strong>
{% endblock %}

The view reads the content of the POST and sends the result to xmpp_auth. It also handles the session and the transaction_id generation.

from django.shortcuts import render
from django.contrib.auth import login
from django.http import HttpResponse
from . import xmpp_auth
from .forms import AuthForm

def index(request):
    return render(request, 'index.html')

def xmpp_authentification(request):
    xb = xmpp_auth.XmppBackend()
    transaction_id = None
    status_msg = ""
    if request.method == 'POST':
        try:
            # Indexing (rather than .get()) raises KeyError when no code
            # was issued for this session.
            transaction_id = request.session['transaction_id']
        except KeyError:
            request.session['user_logged_in'] = False
            return render(request, 'fail.html')
        form = AuthForm(request.POST)
        # check whether it's valid:
        if form.is_valid():
            username = form.cleaned_data['username']
            user, status_code = xb.authenticate(username=username, password=None, transaction_id=transaction_id)
            if user is not None:
                login(request, user)
                # Redirect to a success page.
                request.session['user_logged_in'] = True
                return render(request, 'success.html')
            if status_code == 401:
                # Refusal or timeout: show the login form again with a message.
                request.session['user_logged_in'] = False
                status_msg = "User {} refused to authenticate.".format(username)
            else:
                request.session['user_logged_in'] = False
                return render(request, 'fail.html')
    else:
        # The form is displayed: generate the validation code and keep it in the session.
        request.session['user_logged_in'] = False
        transaction_id = xb.id_generator(6)
        request.session['transaction_id'] = transaction_id
        form = AuthForm()

    return render(request, 'registration/login.html', {'form': form , 'transaction_id' : transaction_id,
                                                       'status_msg': status_msg})

This module makes the following request to the component:

GET /auth?jid=user%40host%2fresource;;method=POST;transaction_id=what_you_want;timeout=120 HTTP/1.1

The component sends back a return code. In case of success, the system tries to find the user in the database. If this user does not exist, it is created. The system described here is simple and the code must be adapted for more complex websites (profile creation, additional data etc).

id_generator is called by the view and, by default, it sends a code made of 8 characters (both letters and digits), but it is easy to adapt this behavior.

import sys
import requests
import string
import secrets
from django.contrib.auth.models import User

class XmppBackend(object):
    """
    Authenticate with the XMPP 00-70 XEP
    """
    def __init__(self):
        self.transaction_id = None

    def get_transaction_id(self):
        return self.transaction_id

    def set_transaction_id(self, transaction_id):
        self.transaction_id = transaction_id

    def authenticate(self, username=None, password=None, transaction_id = None):
        # Ask the component to confirm the login over XMPP and return a user.
        timeout = 300
        # 'domain' and the component URL below are empty on this page:
        # set them to your website's domain and to the component's /auth endpoint.
        payload = {'jid': username, 'domain': '', 'method': 'POST', 'timeout': timeout,
                   'transaction_id': transaction_id}
        # Wait a little longer than the component's own timeout so the call cannot hang forever.
        r = requests.get('', params=payload, timeout=timeout + 10)
        if r.status_code == 200:
            try:
                user = User.objects.get(username=username)
            except User.DoesNotExist:
                # Create a new user. There's no need to set a password
                user = User(username=username)
                user.is_staff = False
                user.is_superuser = False
                # Save the user so that login() can store its primary key in the session.
                user.save()
            return user, r.status_code
        if r.status_code == 401:
            print("User {} refused to authenticate".format(username), file=sys.stdout)
            return None, r.status_code
        return None, r.status_code

    def id_generator(self, size=8, chars=string.ascii_letters + string.digits):
        # The code is security-relevant: draw it from the OS CSPRNG instead of random.
        self.transaction_id = ''.join(secrets.choice(chars) for _ in range(size))
        return self.transaction_id

The settings of the website must be adapted to your needs. In this simple example, the sessions must be enabled (it is the case by default). Our example uses cached sessions but you can use cookies or even databases. See the excellent documentation of Django for additional information.

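LOGIN_URL = '/path/to/login/'

# Cached sessions, stored in the cache defined below.
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'unix:/tmp/memcached.sock',
    }
}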



  • The image comes from the post on Linuxfr (by Chteufleur).
  • The description of the XMPP component comes from its repository (by Chteufleur).
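The login flow from the post above, reduced to its security-relevant core as an added example (not code from the post or from the HTTPAuthenticationOverXMPP project): the validation code comes from a CSPRNG, is consumed on first use, and every component return code other than 200 fails closed. The function names, the plain dict standing in for the Django session, and the `send_request` callable standing in for the HTTP call to the component are assumptions of this example.

```python
import secrets
import string
from urllib.parse import urlencode

# Return codes of the component, as listed in the post.
COMPONENT_CODES = {
    200: "accepted",
    400: "missing_parameter",
    401: "denied_or_timeout",
    520: "unknown_error",
    523: "server_unreachable",
}

CODE_ALPHABET = string.ascii_letters + string.digits


def new_transaction_id(size=8):
    """Validation code drawn from the OS CSPRNG (8 characters, the post's default)."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(size))


def build_auth_query(jid, domain, transaction_id, timeout=120):
    """Query string for GET /auth; urlencode escapes '@' and '/' in the JID."""
    return urlencode({"jid": jid, "domain": domain, "method": "POST",
                      "transaction_id": transaction_id, "timeout": timeout})


def begin_login(session):
    """Login form is displayed: issue a fresh code and keep it server-side."""
    session["user_logged_in"] = False
    session["transaction_id"] = new_transaction_id()
    return session["transaction_id"]


def complete_login(session, jid, domain, send_request):
    """Login form is submitted. Returns (logged_in, outcome).

    send_request(query) -> int is a hypothetical stand-in for the HTTP
    request to the component; it returns the component's status code.
    """
    # pop() makes the code single-use: a replayed POST finds nothing pending
    # and never reaches the user's XMPP client.
    transaction_id = session.pop("transaction_id", None)
    if transaction_id is None:
        return False, "no_pending_transaction"
    status = send_request(build_auth_query(jid, domain, transaction_id))
    # Fail closed: only an explicit 200 logs the user in.
    session["user_logged_in"] = (status == 200)
    return status == 200, COMPONENT_CODES.get(status, "unexpected_status")


if __name__ == "__main__":
    # Constructed demo: a fake component that refuses the request.
    session = {}
    print("code shown on the website:", begin_login(session))
    print(complete_login(session, "alice@example.org/phone", "shop.example",
                         lambda query: 401))
```

Because the code is popped before the component is contacted, a refused or timed-out attempt requires loading the form again to get a new code.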

February 06 2017

Tigase Blog: Tigase JaXMPP Client v3.1.5 Release

A small bugfix has been published with the following fixes & changes included below.

Ignite Realtime Blog: Revival of the Asterisk-IM project!

I am happy to announce that we are bringing back one of our older projects from the grave: the Asterisk-IM project! This project was started in 2005 by Jive Software, and can be used to integrate the Asterisk platform in Openfire. Due to a lack of manpower over the last few years, development stalled. No longer!


We have found the most excellent Marcelo Terres willing and able to take on the reins as project lead for the project! Simultaneously a code contribution by Ron Arts brought back compatibility of the Asterisk-IM source code with both recent versions of Openfire, as well as Asterisk 13 - but more on that later, from Marcelo.


I am more than confident that the project is in good hands with Marcelo. Not only has Marcelo been an active manager of the primarily Brazilian-based Openfire community, he is heavily involved in the Asterisk project, going as far as speaking at AstriCon 2016.


As of now, we restored references to the project in our Ignite Realtime community. There is some more work to be done: downloads still point to an older release, and we might be lacking a bit of project infrastructure (such as an issue tracker, dedicated community forum, etc), but I'll leave that to Marcelo to put in place as he sees fit.


Marcelo, thanks for doing this! I'm excited to have you on board (as far as you weren't already)!

February 05 2017

The XMPP Standards Foundation: Google Summer of Code 2017

As before, the XSF has applied to this year's Google Summer of Code.

The XSF is intending to act as an umbrella organisation for any XMPP-related project that wishes to join the GSoC. If you are a member of such a project and would like your project to be involved, get in touch!

A fresh page of project ideas has been created on the XSF wiki. If you'd like to mentor for your project, please get in touch with us in the XSF GSoC MUC Room.

Stefan Strigler: Dockered kaiwa image

Kaiwa is a modern web based client for XMPP, forked from the original O-Talk project and rebranded. I’ve created a docker image from the fork at which is used at amongst others.

The docker image can be found at

I’ve also created a docker image of the node-xmpp-bosh component that can easily be bundled with kaiwa to create a standalone application. You can use docker-compose and a docker-compose.yml like this:

version: '2'
services:
  bosh:
    image: sstrigler/node-xmpp-bosh
    ports:
      - 5280:5280
    restart: always

  kaiwa:
    image: sstrigler/kaiwa
    # start the BOSH service before the web client
    depends_on:
      - bosh
    ports:
      - 8000:8000
    restart: always

The existing images for node-xmpp-bosh are based on rather large images, that’s why I created my own and based it on node:alpine to save a bit of disc space.


February 04 2017

Peter Saint-Andre: Thoreau on Genius

Someone who knows that I'm writing a book on Thoreau sent me a link from about Thoreau's views on the topic of genius. Drawing on the "Thursday" and "Friday" chapters of A Week on the Concord and Merrimack Rivers, the author focuses her brief essay on the difference between an artisan, an artist, and a genius....

February 02 2017

Peter Saint-Andre: HTTPS No More

One unfortunate byproduct of shutting down my VPS and moving my websites to GitHub Pages is that I'm no longer hosting the domain via HTTPS. Although I'm not overjoyed about this, I'm also not deeply disturbed by it given that my personal website isn't exactly the kind of information that needs to be encrypted in transit (and someone could retrieve it over HTTPS from if they really wanted to). Mike Linksvayer helpfully pointed out to me that there are some solutions, and I'll look into those soon. In the meantime I've modified all the cross-links within my websites so that they use http instead of https URLs....

February 01 2017

ProcessOne: XMPP Radar Newsletter #19: Privacy, Security and Encryption of Instant Messaging

Welcome to 2017! As crazy as this year begins, let’s start with hot topics: privacy, security, encryption and XMPP. We look into clients, configurations, servers and spam like it’s 1984. Or 2049?

ejabberd 17.01 Released!

We’re pleased to announce the first version of ejabberd for 2017. This new ejabberd 17.01 follows closely the previous release. It includes mostly bug fixes over all the previous refactors. ejabberd 17.01 is a rock-solid stable base for upcoming improvements. It will give you the best experience you ever had with ejabberd.

Encrypted Instant Messaging Recommendations for January 2017

Encrypt all your online (IM) communication; there is no good reason anymore not to do it. Use an XMPP+Omemo client (Conversations on Android and ChatSecure on iOS) or a Matrix+Olm client (Riot).

Jackline: a Secure Terminal-based XMPP Client

The goal was from the beginning to write a “minimalistic graphical user interface for a secure (fail hard) and trustworthy XMPP client”. Fail hard means exactly that: if it can’t authenticate the server, don’t send the password. If there is no end-to-end encrypted session, don’t send the message.

XSender: The Source of All the Recent XMPP Spam

In recent months, security researchers, hackers, and other dwellers of the cyber-criminal underground have noticed an uptick in XMPP (formerly Jabber) spam. At the bottom of the vast majority of these messages is a service named XSender (XSNDR) that provides rentable XMPP spam slots for anyone looking to peddle legal or illegal products.

Configure ejabberd with Modern XMPP and TLS Features

Admins of recently put some effort into enabling many modern XMPP and TLS features on their ejabberd server, for example making it fully compatible with Conversations client. Now they are sharing their config publicly!

DuckDuckGo Public XMPP Server

Did you know that DuckDuckGo, the decentralized non-tracking search engine, operates its own public XMPP server?

List of XMPP Servers on the Onion Network

Here’s a list of XMPP servers available as hidden services for use with the Prosody server and mod_onions.

Daniel Pocock: Going to FOSDEM, Brussels this weekend

This weekend I'm going to FOSDEM, one of the largest gatherings of free software developers in the world. It is an extraordinary event, also preceded by the XSF / XMPP Summit

For those who haven't been to FOSDEM before and haven't yet made travel plans, it is not too late. FOSDEM is a free event and no registration is required. Many Brussels hotels don't get a lot of bookings on weekends during the winter so there are plenty of last minute offers available, often cheaper than what is available on AirBNB. I was speaking to somebody in London on Sunday who commutes through St Pancras (the Eurostar terminal) every day and didn't realize it goes to Brussels and only takes 2 hours to get there. One year I booked a mini-van at the last minute and made the drive from the UK with a stop in Lille for dinner on the way back, for 5 people that was a lot cheaper than the train. In other years I've taken trains from Switzerland through Paris or Luxembourg.

Real-time Communication (RTC) dev-room on Saturday, 4 February

On Saturday, we have a series of 23 talks about RTC topics in the RTC dev-room, including SIP, XMPP, WebRTC, peer-to-peer (with Ring) and presentations from previous GSoC students and developers coming from far and wide.

The possibilities of RTC with free software will also be demonstrated and discussed at the RTC lounge in the K building, near the dev-room, over both Saturday and Sunday. Please come and say hello.

Please come and subscribe to the Free-RTC-Announce mailing list for important announcements on the RTC theme and join the Free-RTC discussion list if you have any questions about the activities at FOSDEM, dinners for RTC developers on Saturday night or RTC in general.

Software Defined Radio (SDR) and the Debian Hams project

At 11:30 on Saturday I'll be over at the SDR dev-room to meet other developers of SDR projects such as GNU Radio and give a brief talk about the Debian Hams project and the relationship between our diverse communities. Debian Hams (also on the Debian Ham wiki) provides a ready-to-run solution for ham radio and SDR is just one of its many capabilities.

If you've ever wondered about trying the RTL-SDR dongle or similar projects Debian Hams provides a great way to get started quickly.

I've previously given talks on this topic at the Vienna and Cambridge mini-DebConfs (video).

Ham Radio (also known as amateur radio) offers the possibility to gain exposure to every aspect of technology from the physical antennas and power systems through to software for a range of analog and digital communications purposes. Ham Radio and the huge community around it is a great fit with the principles and philosophy of free software development. In a world where hardware vendors are constantly exploring ways to limit their users with closed and proprietary architectures, such as DRM, a broad-based awareness of the entire technology stack empowers society to remain in control of the technology we are increasingly coming to depend on in our every day lives.

Peter Saint-Andre: VPS No More

A few weeks ago I spent most of a Sunday trying, and failing, to upgrade the Debian Linux distribution on my virtual private server (VPS). After the Linux experts at my hosting company also failed after 90 minutes of fighting with the thing, I realized that the time had come to shut down my VPS and find simpler solutions. For me, that turned out to be FastMail for my email addresses and GitHub Pages for my websites (I was also hosting a few WordPress sites for friends, which I've moved to The only things I miss at this point are HTTPS for one of my websites, and the personal XMPP server I was running. Yet the HTTPS wasn't really all that critical (I know, HTTPS Everywhere and all that, but in practice I'm not running transactional websites and in fact all of my sites are even free of JavaScript - I guess I'm a Web 1.0 kind of person). And although the XMPP server was a fine thing, I do run and I've had a few addresses there forever, so I might as well use them. Simplify, simplify!...