Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]

[Zelphir Kaltstahl]

Hi!

I just want to share my experience with Riot.

I have used it before. In fact, I used it to communicate with only one
person so far for reasons I will mention below. Today there was a
strange thing, when Riot showed an error and warned, that it could be a
replay attack. This is not the first time something happened. If you
remember, that some time ago everyone had to upgrade their Riot.IM
client, because someone had intruded in the server system (Iirc it was
someone, who worked there before and still had access somehow. It was
linked on Hackernews. Let's see if I can find it … Probably one of the
search results of: https://hn.algolia.com/?q=riot.im).

We would have to ask ourselves, whether Riot is sufficiently independent
too. I believe it depends on the master server being up and running. If
we could have our own, that would of course be better.

The reason however, why I have only ever used Riot with one person is,
surprise surprise, that most people are not willing to sacrifice the
tiniest bit of comfort, for enhanced security. This one person I used it
with tried to get 2 more people on board, who were even less tech-savy
and whom I did not have the chance of helping directly, to get things
set up and so we remained 1-on-1 on Riot.IM.

Let me explain further:

To verify another person's device, one has to exchange information via a
second trusted channel. That information is a sequence of icons being
shown. If they are the same, that the other person sends you via the
second trusted channel, you can reasonably assume, that the device you
are communicating with is under their control.

When it comes to the step of exchanging information about what icons are
displayed, most people will close the app and say "it's too
complicated", because they do not understand it ("Huh? How strange! Why
I have to do that? Are icons secure?") or do not want to do anything in
order to have security. They are not willing to invest as much as 5min
of effort, to have encrypted chat. What makes matters worse is, that
when you use Riot.IM in the browser, it might happen, that every time
you log in, the other person has to re-verify your device. Guess what
people will do when facing that workflow …

As much as I like Riot.IM, it did have its share of problems and does
bring in some required effort for setting up communication. I would
personally still like to use it, however, I very much doubt, that
someone, who is not willing to use a mailing list, is willing to get
Riot.IM set up and keep it running, while being aware of the security
implications of trusting devices of other people, adhering to a good
security aware workflow. And we are not even using GPG on the mailing
list a lot, so people don't even have to deal with Enigmail yet, to post
and read on the mailing list.

Maybe offering Riot.IM as an alternative would still make sense, just to
see how it goes, but don't bet on many people joining Riot.IM. I am
willing to try!

Best regards,

Zelphir


On 10/22/19 8:47 PM, Mark H Weaver wrote:
> Hi Todor,
>
> Todor Kondić <address@hidden> writes:
>
>> [...]  I've set up my workflows around Guix, git(lab)
>> and a customised Emacs installation (instead of R Studio). My small
>> team of science students (majority female, various cultural
>> backgrounds), never previously exposed to a GNU system to such an
>> extent, managed to get a handle on it quite impressively.
>>
>> But, I doubt any of them would find it natural to take a step further
>> and participate in GNU itself (ugh, now I sound like a preacher of a
>> new age religion). To my knowledge, interaction within GNU communities
>> is still mostly mailing lists and IRC. This _not_ my students' natural
>> digital habitat. I am probably not saying anything new, though ...
> You raise an important issue.  If we can improve the situation without
> causing other problems, I think we should.  I don't know of any modern
> replacement for mailing lists that has the properties we need, but I
> *do* think there's a very promising alternative for live chat: Matrix.
> Amirouche mentioned it elsewhere in this thread.
>
>   https://matrix.org/
>
> Matrix is supported by a very large and diverse set of free clients,
> from modern Web-based interfaces to simple text programs, multiple
> Emacs-based clients, and several gateways to other protocols such as
> IRC, so that old-timers can use their preferred IRC client if they
> prefer.
>
>   https://matrix.org/clients/
>
> Incidentally, there was recently an internal GNU project discussion
> about how to better communicate with one another, and Matrix was
> identified as an option that would meet our requirements.
>
> The client that would likely be most attractive for the younger
> generation is Riot.im:
>
>   https://about.riot.im/
>
> What do you think?
>
>     Thanks,
>       Mark
>