[JDEV] Re: jabber; what would you like to see?
Ulrich B. Staudinger
us at die-horde.de
Thu Sep 25 08:52:21 CDT 2003
Dear Bernino,
I agree with your point of view in many ways - developers have
complained very often about this error in the DTD, for obvious reasons.
However I don't understand why you don't use iq-set with an embedded
x-tag. It's maybe semantically not the same (get / set), however it is
exactly what you are looking for .... imo
ulrich
Bernino Lind wrote:
>Dear Richard,
>
>I agree very much - it is always a distinction between features and
>flexibility vs. potential exploits etc. : who said java, javascript, word
>macros etc...
>
>However I do not agree with your point that jabber is already flexible
>enough due to its reliance on XML.
>
>XML is just a protocol for metatyping data structures. XML does not
>contain any logics, loop constructs nor control statements and certainly
>not any sort of mathematical manipulation.
>
>This results in a rigid framework where one has to create external
>components for every damn little service one wishes to create on top of the
>jabber server.
>
>That's what I'm searching for with respect to a solution - I don't care if it
>is a scripting solution, a backend solution or something third; but
>adding some middleware (perl, python, ..., other high level language) to
>jabber would be really nice.
>
>Let me give just one more example, DJ Adams' coffee machine check. Say Mr.
>Adams would like to get a statistical analysis of who uses his external
>component.
>
>What is required would be that his external component puts a flag in a
>database. Then he should add a namespace via xdb in order to retrieve the
>stats and have an external component that catches this packet and does a
>SQL statement.
>
>Let's assume this works so that I can say:
>
><iq type="get">
><query xmlns="coffee:stats"/>
></iq>
>
>And the result being a top10 (it's just bogus packets, which can't be used...):
>
><iq type="result">
><item>
><username>blabla</username>
><visits>10</visits>
></item>
><item>
><username>blabla</username>
><visits>5</visits>
></item>
><item>
><username>blabla</username>
><visits>3</visits>
></item>
>....etc.
></iq>
>
>Ok, let's say that now I want a top 20.
>
>In jabber what I must do now is to create a new namespace that expands to
>a SQL statement that fetches the 20 best.
>
>Now I want a top 100. Same story.
>
>What is missing? A method for passing data along with an iq-get packet:
>
><iq type="get">
><query xmlns="coffee:stats">
><top>20</top>
></query>
></iq>
>
>Such a packet is not allowed. The <top> section is simply chopped off...!
>Why? Because jabber was apparently not intended for anything but instant
>messenger.
>
>In the game I have done which uses jabber as XML socket server, I have
>some +20 different namespaces many of which have exactly the same function
>just different parameters.
>
>It might be me who is lame and doesn't understand how to use JEP 004 but I
>think many many developers out there have had similar problems - I know
>since I have had private questions from some 10 different persons asking
>how I have done the external component.
>
>best regards,
>Bernino Lind
>
>>>What I picture is that one could have a scripting language within the
>>>packets, for example:
>>>
>>><iq type="get">
>>><query xmlns="bla bla">
>>><script>
>>>@users=fetchroster(1,2,3);
>>>for ($i=0; $i<$@#users) {
>>> echo "<message to=@user[$i]> In my new roster bla bla ";
>>>}
>>>createrostergroup(@users, "newrostergroup");
>>>return @users;
>>></script>
>>></query>
>>></iq>
>>>
>>>
>>Sorry but to me anyone doing something like this should be shot, having
>>scripting sent inside packets to be processed by the endpoint like this
>>is a security hole of an enormous magnitude, and we definitely should
>>not be doing anything like this. This is kind of like word macros, it
>>can have some benefits but the potential for abuse is massive, it would
>>require all sorts of extra security stuff to even attempt to secure it.
>>Overall I think the downsides are far more than the benefit of the
>>convenience, the best thing is to continue doing what we have been doing
>>and creating protocols for set purposes. We don't need the flexibility
>>of a scripting system as we already have the flexibility/extensibility
>>of XML and the jabber protocol to do things like this without creating
>>massive security holes.
>>
>>Richard
>>
>>_______________________________________________
>>jdev mailing list
>>jdev at jabber.org
>>http://mailman.jabber.org/listinfo/jdev
--
Ulrich B. Staudinger
http://www.die-horde.de
email: us at die-horde.de
jid: uls at jabber.org
current project: REDHORN
http://redhorn.sourceforge.net
Blog: http://jabber.linux.it/jogger/user.php?jid=uls@jabber.org
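
The "top N" request discussed in this thread can be served with one validated, declarative parameter instead of a script carried in the packet. The following is an added example, not code from the thread or from any Jabber server; the `visits` table, the `MAX_TOP` bound, the default of 10 and the error format are assumptions, and the sample data is constructed.

```python
import sqlite3
import xml.etree.ElementTree as ET

NS = "coffee:stats"   # namespace used in the thread
MAX_TOP = 100         # assumed upper bound on rows a client may request

def make_db():
    # Constructed sample data standing in for the component's visit table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (username TEXT, visits INTEGER)")
    db.executemany("INSERT INTO visits VALUES (?, ?)",
                   [(f"user{i}", i) for i in range(1, 31)])
    return db

def parse_top(stanza):
    """Return the requested row count; raise ValueError on anything else."""
    if "<!" in stanza:  # assumption: no DTDs, entities or comments in stanzas
        raise ValueError("markup declarations not allowed")
    iq = ET.fromstring(stanza)
    query = iq.find(f"{{{NS}}}query")
    if iq.tag != "iq" or query is None:
        raise ValueError("not a coffee:stats query")
    children = list(query)
    if not children:
        return 10       # assumed default when no parameter is sent
    if len(children) != 1 or children[0].tag != f"{{{NS}}}top":
        raise ValueError("unexpected element in query")  # e.g. <script>
    text = (children[0].text or "").strip()
    if not (text.isascii() and text.isdigit() and len(text) <= 3
            and 1 <= int(text) <= MAX_TOP):
        raise ValueError("top must be an integer from 1 to MAX_TOP")
    return int(text)

def handle(db, stanza):
    try:
        top = parse_top(stanza)
    except (ValueError, ET.ParseError) as exc:
        err = ET.Element("iq", type="error")
        ET.SubElement(err, "error").text = str(exc)
        return ET.tostring(err, encoding="unicode")
    result = ET.Element("iq", type="result")
    query = ET.SubElement(result, "query", xmlns=NS)
    # Only the validated integer reaches SQL, and only as a bound parameter.
    rows = db.execute("SELECT username, visits FROM visits "
                      "ORDER BY visits DESC LIMIT ?", (top,))
    for username, visits in rows:
        item = ET.SubElement(query, "item")
        ET.SubElement(item, "username").text = username
        ET.SubElement(item, "visits").text = str(visits)
    return ET.tostring(result, encoding="unicode")
```

The handler treats the client's input as data with a fixed shape: an unknown child element such as `<script>`, a non-numeric value or an out-of-range count yields an error stanza and never reaches the database.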