@bunch_of_dergs It seems to be "the one" to me, and XMPP doesn't have features like hosted history at all to begin with, so if you switch devices you lose all old messages (which a lot of people used to discord/telegram/etc will hate).
It has its share of issues, but I do think they're fixable, or have workarounds. For now the most obvious parts I could think of is to not use the matrix.org server as it's often overloaded, and if you want more features, try other clients like Schildichat (Next)
@anthropy I guess my question is... Are the issues that it has inherent to fundamental decisions in the protocol?
Or are they, like, fixable? And we need to just suck it up and put in the work?
@anthropy Hosted history is an essential core feature to me.
XMPP has that... to an extent... But it's janky, and it seems every modern feature is stuck in XEP hell

@bunch_of_dergs If by inherent you mean that XMPP doesn't have any history related problems due to not having this feature at all, and Matrix does, then sure that's hard to "fix".
Personally the main issues I see is that they aren't on top of important issues like Element vs Element X, semi 'deprecated' systems and libraries, security issues not always being addressed timely, etc. These are fixable, but it'll take more than just good faith, like funding and core team cultural changes. We'll see
@bunch_of_dergs In that sense, XMPP's XEPs and Matrix's MSCs are similar, though the MSCs are optional addons whereas XEPs appear to sometimes be core changes I guess? But in both cases you end up with an ecosystem with some features being split out. I do think Matrix having a lot of features already part of its core (E2EE, history, etc etc) puts it at an advantage compared to XMPP though.
@anthropy There's XEPs for message carbons and message archiving - those are a thing. If there's no hosted history, I as a user hadn't noticed yet. It's just... always an endless list of janky XEPs for every feature.
It'd be a fundamental advantage, I think, if there's an effort to pull as much functionality as possible in larger core feature sets as opposed to being stuck in hundreds of tiny modules that sometimes compete.
Funding will probably happen now that there's even some government services and companies adopting Matrix for internal communication (haha... ha... makes it more likely, at least.)
Governance... I guess you could semi-realistically maintain a fork? You'd be building off of a solid foundation instead of a blank slate, and could have some good cross-talk between the fork and the official one for compatibility? Maybe pulling features from one into the other?
I find it funny that the issues you cite are very much not the ones I've heard about

@bunch_of_dergs The problems you've heard about are likely the result of some of the issues I've mentioned.
For instance, if you hear "unable to decrypt message", the underlying reason is often overloaded servers and issues in the libraries and clients, like I mentioned.
And well, funding is one part of the equation, but it's going to take focused work from willing developers to properly flesh out these new core systems, rather than chase exciting visible features like yet another client UI.
@anthropy My first experience with Matrix was Element very strongly pushing you to "verify" your connection.
The client fundamentally did not explain that that had to be done out-of-band. I did not, at the time, understand the very concept of verifying an e2ee connection.
And like... how does an overloaded server prevent a message from being decrypted? If it can't serve up the keys immediately that's fine, I can wait, but like... There's no guarantee in the protocol that it'll happen eventually?
@bunch_of_dergs it will happen eventually if server being overloaded is the reason for it. There are also other reasons for it, like the client not properly fetching older keys for encryption. New messages will load fine in that case. But it just goes to show building a client can be counterintuitive for security reasons.
Security in general is tough, and while there could be a lot done to improve the UI/UX around it in Matrix and associated clients, the user will always be the weakest link tbh
@anthropy A "reattempt to fetch keys" button would work, then?
So how does that work? There's an encrypted store on the server that stores the receiving keys for e2ee messages? And the clients sync the keys through there? What the client is missing is it not trying to sync older keys when it should?
As for security UX, I mean... It could've just said: "If you have another way to reach this user, you may send them this string (of emojis, even?) and ask them to check if it's the same on their side. This way you know you are speaking to the same person. This is most secure if done in-person."
There. That'd have solved my issue at the time, instead of pushing me to do some mystery thing that doesn't work

@bunch_of_dergs I don't know the exact details, but I do know that Matrix rotates the keys both for private and group E2EE chats once in a while, and if you miss a key then you won't be able to decrypt those obviously. Every client implements this differently; Element and derivatives (like Schildichat) seem to handle it fairly well.
And yea again, I think Element and many other clients could improve their UI/UX by a lot in many ways also beyond this. It won't fix everything, but it will help.
@anthropy It'd have been such a simple fix UI-wise even... Or just ignore e2ee verification entirely for users who won't understand the need or purpose for such a feature. Just go for blind trust and have verification be optional - the chance they actually got MITMd is kinda low anyway.
So... key syncing is a client-specific thing? There's no main protocol for it? I'll admit, the notion of sending something like decryption keys over the network is a very spicy notion, but I'm also getting the impression it may be unavoidable.
-
I don't get how people consider Stoat an alternative to Matrix/XMPP/etc when:
- It does not support E2EE at all.
- It does not support Federation at all.
- It does not support video calls (but it's in dev tbf)
Building such a chat server is extremely easy compared to the challenges Matrix/XMPP/etc face. Anyone can build it with NodeJS and SocketIO tbh.
It's got a pretty UI I'll give them that, and as far as no-federation no-encryption selfhosted chat it IS neat, but it's not a competitor IMHO.
@anthropy Unfortunately, being basically a discord clone is a much better selling point for the friends I have even a remote chance of convincing to switch off discord than having robust security features. And in comparison to matrix, stoat is more hassle-free I must admit.
I also don't have a way to host my own matrix server *with enough uptime* for them to consider it a good option, and without having a selfhosted server there's no discord bridging.
The whole situation kinda stinks, discord shouldn't have become what it is, because now it's just entirely too hard to replace with just *one* other thing, but that's the expectation.
@ItsFunkyCaptain I understand, but my problem is:
- if hassle free and discord-like are the only expectation then there are better alternatives ( see https://mastodon.derg.nz/@anthropy/116079655246734772 )
- If you actually care about not repeating the issues that plague Discord, federation is not optional
- If you actually care about privacy and security, E2EE is not optional, and if you don't care, you can disable that in Matrix/XMPP too and get a more mature and federated alternative.
People don't seem to think this thru
@anthropy No, in theory you *are* right, yes. But what do I do when I'm met with a "I don't want to set up a million options, and preferably I don't want to install a new app at all, because I'm used to being here, so if yall leave we probably won't talk anymore" kinda response?
As for my opinion on the alternatives, I've never heard of those except rocketchat. While I'm not against trying out lesser known options, popularity matters a lot to most people, if Stoat or something else gets enough movement it'll be much easier to convince people to switch.
@ItsFunkyCaptain I have a few options I use, among which even Discord and Telegram because of that exact reason, but I refuse to use them for private matters, and I always offer people better alternatives.
I also think it's easy to overestimate Stoat's popularity because it appears popular within the Fedi bubble, but e.g. Mattermost is absolutely far more widely used, and Stoat is already creaking under its popularity gains, wasn't made for this.
@anthropy I kinda feel stuck between a rock and a hard place with this whole situation tbh. Either I get scoffed at and called a problem by the privacy community, or I get in verbal fights and ultimately lose my friends trying to force them into using objectively better options. Don't get me wrong, I *know* there are better things, I just can't get through to all the people I need to be able to utilize them.
That is to say, I myself don't just use Discord, the only reason I still have it at all *is* because of my tiny private "server" for me and friends.
@ItsFunkyCaptain I do empathize there, and honestly same especially with my strong opinions on what actually constitutes as a healthy alternative.
Personally the workaround for me is to just use multiple things, running them all from my browser as much as possible to still deduplicate things a little.
I don't try to force anyone to do anything, but I am quite vocal about what I think makes sense, because otherwise we'll be running around in circles forever, as this isn't exactly the first time