blog for the day

doc/design/assistant/blog/day_123__xmpp_insanity.mdwn

@@ -0,0 +1,49 @@
+Spent about 5 hours the other night in XMPP hell. At every turn Google Talk
+exhibited behavior that may meet the letter of the XMPP spec (or not), but
+varies between highly annoying and insane.
+
+By "insane", I mean this: If a presence message is directed from one client
+to another client belonging to that same user, randomly leaking that message
+out to other users who are subscribed is just a security hole waiting to
+happen. 
+
+Anyway, I came out of that with a collection of hacks that worked, but I
+didn't like. I was using directed presence for buddy-to-buddy pairing, and
+an IQ message hack for client-to-client pairing. 
+
+Today I got chat messages working instead, for both sorts of pairing. These
+chat messages have an empty body, which *should* prevent clients from
+displaying them, but they're sent directed to only git-annex clients
+anyway.
+
+----
+
+And XMPP pairing 100% works now! Of course, it doesn't know how to git pull
+over XMPP yet, but everything else works.
+
+Here's a real `.git/config` generated by the assistant after XMPP pairing.
+
+	[remote "joey"]
+	        url = 
+	        fetch = +refs/heads/*:refs/remotes/joey/*
+	        annex-uuid = 14f5e93e-1ed0-11e2-aa1c-f7a45e662d39
+	        annex-xmppaddress = joey@kitenet.net 
+
+----
+
+Fixed a typo that led to an infinite loop when adding a ssh git repo with the
+assistant. Only occurred when an absolute directory was specified, which 
+is why I didn't notice it before.
+
+----
+
+Security fix: Added a `GIT_ANNEX_SHELL_DIRECTORY` environment variable that
+locks down git-annex-shell to operating in only a single directory. The
+assistant sets that in ssh `authorized_keys` lines it creates. This
+prevents someone you pair with from being able to access any other git or
+git-annex repositories you may have.
+
+----
+
+Next up, more craziness. But tomorrow is Nov 6th, so you in the US already
+knew that..