Tox.im

Dāvis Mosāns davispuh at gmail.com
Mon Jul 7 11:19:03 PDT 2014


Sounds great :) Well, about frameworks, I've tried really a lot of them over
the years and I was satisfied only with FuelPHP <http://fuelphp.com/>, which
I think is the best one IMO, but I haven't heard about Laravel, it seems to
be really new. About FuelPHP, I really like the idea of HMVC and it's very
useful. But as I said, I haven't done anything with PHP for a few years now.
But generally you have to choose a framework when starting a project as it's
usually not easy to change it later. Yeah, I forgot to mention that it's
really good that you're using Composer and have a good object-oriented code
structure.

About internationalization, it depends which parts you want to cover. If
translated strings, then look at transifex.com <http://www.transifex.com>
and crowdin.net; they both offer free solutions to open source projects and
are quite good. If you want localized date and time formats then use CLDR
<http://cldr.unicode.org/>; you can either write a script to directly get
the data from them or use some already-made libraries. I don't know of any
for PHP, but for Ruby there's ruby-cldr <https://github.com/svenfuchs/ruby-cldr>
and twitter-cldr-rb <https://github.com/twitter/twitter-cldr-rb>; for
example ruby-cldr can export CLDR data to YAML files and then you could
parse and use those in PHP. (twitter-cldr also uses that same exported data
from ruby-cldr)



2014-07-07 20:44 GMT+03:00 edhelas <edhelas at movim.eu>:

> Hi Davis,
>
> Thank you very much for this awesome feedback, having constructive
> criticism like this helps me a lot :) I'll try to explain my choices for
> some of them.
>
> I agree with your first comment, there's clearly a lack of communication.
> But, I'm currently working on the 0.8 release and on a fundraising (on
> Kickstarter) before the end of summer. I'll create a thread on Reddit and
> talk about it these next couple of weeks ;)
>
> For the video, I don't have skills to do a nice looking one. But if you
> have tips, do not hesitate to share them with me.
>
> For PHP, the choice was made a couple of years ago and the aim was to be
> able to install Movim on almost any server (I love Ruby on Rails but
> deploying a RoR application can be quite difficult for some administrators).
> We also tried to build Movim on top of different PHP frameworks (Zend,
> Symfony and more recently Laravel).
> The thing is that Movim works in a really special way (the connection is
> kept open with the XMPP server using BOSH through long polling requests, so
> I have to do session synchronisation and prevent session lock… all in
> PHP), so it cannot be ported easily to a "classical MVC" framework. We also
> use our own internal widget system with event handling (when a specific
> XMPP stanza is handled).
>
> I'll take a look at the sanitizer.rb file and try to find a proper way to
> sanitize the strings, maybe use an external library for that ;)
>
> Having a public/ folder is also planned for the 1.0 version but I need to
> refactor a couple of things in the app to make it work properly.
>
> I'm also using the PSR standard (http://www.php-fig.org/) especially for
> the library loading (using composer) and the logger. I've already moved
> parts of Movim to independent libraries to modularize the project ;)
>
> I'm trying to move from Bazaar to Git but I have a couple of issues when I
> convert the commit-history tree. Also I'm looking for a proper way to
> handle the internationalisation (Launchpad has a ship-in system for that).
>
> We are also one of the most advanced XMPP clients, with a really nice
> implementation of the standard (all the currently implemented XEPs are
> listed here : http://wiki.movim.eu/en:dev:protocol_implementations). I'm
> working with the XMPP Standards Foundation to standardise and improve the
> XMPP protocol.
>
> Thanks again !
>
> edhelas
>
>
> On Mon., Jul. 7, 2014 at 7:18 , Dāvis Mosāns <davispuh at gmail.com> wrote:
>
> 2014-07-07 10:11 GMT+03:00 edhelas <edhelas at movim.eu>:
>
>> Hi everyone,
>>
>> I've been working on the Movim project since 2008, our aim is to create a
>> full social network on top of the XMPP protocol. As I see again, the guys
>> of the Tox project are trying to reinvent the wheel… again. Now, to do IM,
>> we have Skype, BBM, Line, WhatsApp, MSN, QQ, AIM, ICQ, IRC, XMPP, Facebook
>> Messenger…
>>
>> Same for the social networks as Davis said (PumpIO, TentIO…)
>>
>> I really think that we need to focus on an existing standard and improve
>> it, and for me XMPP seems to be the perfect protocol for all these things :
>> - Standard IM + chatroom
>> - Video/Audio conferencing (with Jingle, we are using it with WebRTC on
>> Movim)
>> - Pubsub (for newsfeeds, blogging)
>> - Geolocation
>> - Vcard4 support
>> - SASL2 authentication
>> - OTR support
>> - Full encryption between the servers (https://xmpp.net/list.php)
>> - and so on…
>>
>> XMPP can do a lot more than just IM, it's a full social-communication
>> protocol, it just needs to be implemented, tested and debugged :)
>>
>> Tim
>>
>> On Mon., Jul. 7, 2014 at 6:00 , Dāvis Mosāns <davispuh at gmail.com> wrote:
>>
>> 2014-07-06 23:28 GMT+03:00 rysiek <rysiek at hackerspace.pl>:
>>
>>> On Sunday, 6 July 2014 22:25:59 you wrote:
>>> > hmm, I wonder are there any such open protocol specification created? I
>>> > know about XMPP, but nothing more...
>>>
>>> Well, there's the Diaspora protocol:
>>> https://wiki.diasporafoundation.org/Federation_protocol_overview
>>>
>>> And... StatusNet/OStatus, PumpIO, TentIO, ActivityStreams, BuddyCloud
>>> (XMPP-based, I guess), and quite a few others I don't really remember.
>>> Some of them are related, all are incompatible. And all the devs are
>>> showing strong symptoms of the NIH syndrome.
>>>
>>> Which is absurd.
>>>
>>> --
>>> Regards
>>> rysiek
>>
>>
>> that indeed is stupid and so no one has solved it yet... for a social
>> network or basically any IM/chat/etc to be usable it must have the majority
>> of people (eg. your friends) as users there, otherwise without people they
>> are totally useless, so currently we're stuck with not-so-great
>> applications/protocols only because everyone is already on them, like
>> Facebook and Skype. On that mailing list there was a discussion about a
>> polyglot protocol/application which could support all networks so users
>> wouldn't be forced to migrate, which I think is essential because a lot of
>> people won't bother. There was a mention of Sockethub
>> <http://sockethub.org/> which seems quite cool, only for a bit different
>> use case I would say.
>> Another thing I would like to mention is BitlBee <http://bitlbee.org>; it
>> is a gateway between various IM/chat networks and IRC so you can chat with
>> friends on Facebook using your favorite IRC client, or post a tweet on your
>> Twitter and use various other protocols. It even supports OTR.
>>
> okay so I've quickly reviewed Movim, the idea is really good and it seems
> to be nice, but I haven't yet tried to run it, will do that someday. It
> looks like you haven't really marketed it well enough because this is the
> first time I've heard about it despite it being a somewhat old project. For
> example Tox is pretty new but it's already quite popular and I keep hearing
> about it every few months. I would suggest posting more on various social
> sites, forums and just letting people know it exists (eg. post to Reddit).
> Another thing I would suggest is adding a video of example usage to the
> website so people could see how it is actually used, explaining various
> features and such, as users might not immediately discover some features.
>
> Now I'll tell a few things, but that's only my personal opinion and most
> likely a lot of people won't agree with it. So anyway, firstly I'm not a fan
> of PHP, it's just a generally awful language (see http://phpsadness.com/
> and look at the PHP src :D), I know it because I've been writing it for like
> 7+ years but for the last 2-3 years I've been PHP-less and happy about it :)
> Next, it looks like you aren't using any PHP framework but a self-developed
> one, which gives you more work than is needed and obviously it's less
> battle-tested. But overall the code itself is nice and pretty, and correctly
> uses the MVC pattern. The bad things are that you don't have a separate
> public directory for the frontend and anyone can access PHP files directly,
> view templates for example (https://pod.movim.eu/app/views/admin.tpl); it's
> not a big deal, but still not a good idea (running version
> https://pod.movim.eu/VERSION). Then in some places HTML tags and entities
> are used directly rather than proper Unicode, which isn't a good idea and
> means that the string isn't escaped later, and if it gets mixed together
> with user input or translation strings there's a place for XSS. The worst
> thing probably is that sanitization is based on regexp blacklists/filters,
> I'm talking about StringHelper.php; I didn't look at how it's actually used,
> but still, even without trying I'm pretty sure it would be possible to find
> XSS there. Why? Because the Rails framework over 5 years has had ~20 XSS
> vulnerabilities and it's an extremely good framework used by dozens of
> projects and reviewed regularly, and it's even based on whitelists, but
> still uses regexps for that, which isn't good, and I wonder why no one does
> proper SGML parsing, which they should. Just take a look at sanitizer.rb
> <https://github.com/rails/rails/blob/master/actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb#L72>
> to see how non-trivial it is. Anyway, the whole idea of sanitization is
> wrong, you should just escape all text and not try to guess which tags you
> should render. I suggest any web developer read OWASP
> <https://www.owasp.org> from A to Z, it's a must for any web developer.
> Then there are `?>` PHP end tags used at the end of various files which are
> useless and can introduce problems like the famous "headers already sent"
> warning. So it seems that's about it with my quick look, but I might have
> forgotten to mention some things. Another thing I don't like is that AGPL
> is used, I really dislike the whole GPL family, but that's just me and I
> rather prefer copyfree <http://copyfree.org>, so if there are similar
> projects then I'd rather contribute to MIT than any GPL variant :P And I'm
> not a fan of Bazaar nor Launchpad but that's not the worst thing (someone
> should ban CVS and SVN :D)
>
> So to sum up about Movim, good parts:
>
>    - Good idea
>    - Quite decent code, MVC used correctly
>    - Localization support
>    - Pretty website
>    - Open Source
>    - Active development
>    - SCM is used
>
> and bad:
>
>    - Not enough known, marketed
>    - PHP is used
>    - No PHP framework used but self-developed one
>    - Some questionable and potentially vulnerable code in some places
>    - Scripts and files accessible directly
>    - Not my favorite (un)license
>
>
> But yeah keep it up and continue developing it ;) I might use it some
> day...
>
>
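Added example for the XSS point argued in the thread above (regexp blacklist "sanitization" versus escaping all text, and HTML entities sitting inside translation strings). This is editor-supplied illustration code, not Movim's StringHelper.php or anything from the project; the blacklist filter, the two payloads and the translation strings are all constructed here to show the failure modes in general, not findings against Movim. It is written in Python so it runs stand-alone; the PHP equivalent of the `escape` helper is `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`.

```python
"""Regex-blacklist 'sanitization' versus escape-everything output encoding.

Constructed example for the XSS discussion in the thread. The blacklist
filter, the payloads and the templates are all made up here; none of it is
Movim's StringHelper.php or any code from the project.
"""
import html
import re

# --- 1. A hypothetical regex blacklist, applied in a single pass -------------
_SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
_EVENT_ATTR = re.compile(r"\son\w+\s*=", re.IGNORECASE)


def blacklist_sanitize(text: str) -> str:
    """Strip <script>...</script> blocks and ' onXXX=' handler attributes."""
    text = _SCRIPT_TAG.sub("", text)
    return _EVENT_ATTR.sub(" ", text)


# --- 2. Constructed payloads that the blacklist lets through -----------------
# Removing the inner <script></script> pairs reassembles an outer <script> tag.
NESTED_SCRIPT = "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>"
# HTML accepts '/' between a tag name and an attribute; the filter only looks
# for whitespace in front of 'on'.
SLASH_HANDLER = "<svg/onload=alert(1)>"


def contains_raw_tag(markup: str) -> bool:
    """True if an unescaped '<' followed by a letter (a live tag) remains."""
    return re.search(r"<[A-Za-z]", markup) is not None


# --- 3. The alternative the thread argues for: escape all text ---------------
def escape(text: str) -> str:
    """Encode &, <, >, double quote and single quote; inert in text and attributes."""
    return html.escape(text, quote=True)


# --- 4. Why entities inside translation strings are a problem ----------------
# A string that already carries HTML entities has to be emitted unescaped
# (escaping it would turn &mdash; into &amp;mdash;), so whatever is
# interpolated into it is emitted unescaped as well.
ENTITY_TEMPLATE = "Hello, %s &mdash; welcome back"   # pre-encoded HTML (bad)
UNICODE_TEMPLATE = "Hello, %s \u2014 welcome back"   # plain Unicode text (good)


def greet_unsafe(name: str) -> str:
    """Template already contains markup, so the result cannot be escaped: XSS."""
    return ENTITY_TEMPLATE % name


def greet_safe(name: str) -> str:
    """Keep the template as Unicode and escape the whole result at output time."""
    return escape(UNICODE_TEMPLATE % name)


if __name__ == "__main__":
    for payload in (NESTED_SCRIPT, SLASH_HANDLER):
        print("blacklist :", blacklist_sanitize(payload))
        print("escaped   :", escape(payload))
    print(greet_unsafe("<b>Eve</b>"))
    print(greet_safe("<b>Eve</b>"))
```

Both payloads come out of `blacklist_sanitize` as working tags, while `escape` leaves no `<` in the output at all; and `greet_safe` keeps the dash (it is a character, not markup) while neutralising the interpolated name. Where a site genuinely has to render user-supplied markup, the thread's own suggestion applies: parse it with a real HTML parser and keep an allowlist of elements and attributes, rather than deleting patterns from the string.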