Hi Davis,
Thank you very much for this awesome feedback, having constructive
criticism like this helps me a lot :) I'll try to explain my choices
for some of them.
I agree with your first comment, there's clearly a lack of
communication. But I'm currently working on the 0.8 release and on
fundraising (on Kickstarter) before the end of summer. I'll create a
thread on Reddit and talk about it these next couple of weeks ;)
For the video, I don't have the skills to make a nice-looking one. But
if you have tips, do not hesitate to share them with me.
For PHP, the choice was made a couple of years ago and the aim was to
be able to install Movim on almost all servers (I love Ruby on Rails,
but deploying a RoR application can be quite difficult for some
administrators). We also tried to build Movim on top of different PHP
frameworks (Zend, Symfony and more recently Laravel).
The thing is that Movim works in a really special way (the connection
is kept open with the XMPP server using BOSH through long-polling
requests, so I have to do session synchronisation and prevent session
locking… all in PHP), so it cannot be ported easily to a "classical
MVC" framework. We also use our own internal widget system with event
handling (when a specific XMPP stanza is handled).
I'll take a look at the sanitizer.rb file and try to find a proper way
to sanitize the strings, maybe use an external library for that ;)
Having a public/ folder is also planned for the 1.0 version but I need
to refactor a couple of things in the app to make it work properly.
I'm also using the PSR standards (http://www.php-fig.org/), especially
for library loading (using Composer) and the logger. I've already
moved parts of Movim to independent libraries to modularize the
project ;)
I'm trying to move from Bazaar to Git but I have a couple of issues
when I convert the commit-history tree. Also I'm looking for a proper
way to handle internationalisation (Launchpad has a built-in system
for that).
We are also one of the most advanced XMPP clients, with a really nice
implementation of the standard (all the currently implemented XEPs are
listed here: http://wiki.movim.eu/en:dev:protocol_implementations).
I'm working with the XMPP Standards Foundation to standardise and
improve the XMPP protocol.
Thanks again!
edhelas
On Mon., Jul. 7, 2014 at 7:18, Dāvis Mosāns <[email protected]>
wrote:
2014-07-07 10:11 GMT+03:00 edhelas <[email protected]>:
Hi everyone,
I've been working on the Movim project since 2008; our aim is to create
a full social network on top of the XMPP protocol. As I see again, the
guys of the Tox project are trying to reinvent the wheel… again.
Now, to do IM, we have Skype, BBM, Line, WhatsApp, MSN, QQ, AIM,
ICQ, IRC, XMPP, Facebook Messenger…
Same for the social networks, as Davis said (PumpIO, TentIO…)
I really think that we need to focus on an existing standard and
improve it, and for me XMPP seems to be the perfect protocol for all
these things:
- Standard IM + chatroom
- Video/Audio conferencing (with Jingle; we are using it with WebRTC
on Movim)
- Pubsub (for newsfeeds, blogging)
- Geolocation
- Vcard4 support
- SASL2 authentication
- OTR support
- Full encryption between the servers (https://xmpp.net/list.php)
- and so on…
XMPP can do a lot more than just IM, it's a full
social-communication protocol; it just needs to be implemented, tested
and debugged :)
Tim
On Mon., Jul. 7, 2014 at 6:00, Dāvis Mosāns <[email protected]>
wrote:
2014-07-06 23:28 GMT+03:00 rysiek <[email protected]>:
On Sunday, 6 July 2014 22:25:59 you wrote:
> hmm, I wonder whether there are any such open protocol specifications
> created? I know about XMPP, but nothing more...
Well, there's the Diaspora protocol:
https://wiki.diasporafoundation.org/Federation_protocol_overview
And... StatusNet/OStatus, PumpIO, TentIO, ActivityStreams,
BuddyCloud (XMPP-based, I guess), and quite a few others I don't really
remember. Some of them are related, all are incompatible. And all the
devs are showing strong symptoms of the NIH syndrome.
Which is absurd.
--
Pozdr
rysiek
That indeed is stupid and so no one has solved it yet... For a
social network, or basically any IM/chat/etc., to be usable it must
have a majority of people (e.g. your friends) as users there; otherwise,
without people, they are totally useless, so currently we're stuck
with not-so-great applications/protocols only because everyone is
already on them, like Facebook and Skype. On that mailing list
there was discussion about a polyglot protocol/application which
could support all networks so users wouldn't be forced to migrate,
which I think is essential because a lot of people won't bother.
There was mention of Sockethub, which seems quite cool, only for a
bit different use case I would say.
Another thing I would like to mention is BitlBee: it is a gateway
between various IM/chat networks and IRC, so you can chat with
friends on Facebook using your favorite IRC client, or post a tweet
on your Twitter, and use various other protocols. It even supports
OTR.
Okay, so I've quickly reviewed Movim. The idea is really good and it
seems to be nice, but I haven't yet tried to run it; I will do that
someday. It looks like you haven't really marketed it well enough,
because this is the first time I hear about it despite it being a
somewhat old project. For example Tox is pretty new but it's already
quite popular and I keep hearing about it every few months. I would
suggest posting more on various social sites and forums and just
letting people know it exists (e.g. post to Reddit). Another thing I
would suggest is to add a video of example usage to the website so
people could see how it is actually used, explain various features and
such, as users might not immediately discover some features.
Now I'll tell a few things, but that's only my personal opinion and
most likely a lot of people won't agree with it. So anyway, firstly
I'm not a fan of PHP, it's just a generally awful language (see
http://phpsadness.com/ and look at the PHP src :D). I know it because
I've been writing it for like 7+ years, but for the last 2-3 years I'm
PHP-less and happy about it :) Next, it looks like you aren't using
any PHP framework but a self-developed one, which gives you more work
than is needed and obviously it's less battle-tested. But overall the
code itself is nice and pretty, and correctly uses the MVC pattern.
Bad things are that you don't have a separate public directory for the
frontend and anyone can access PHP files directly, view templates for
example (https://pod.movim.eu/app/views/admin.tpl); it's not a big
deal, but still not a good idea (running version
https://pod.movim.eu/VERSION).
Then in some places HTML tags and entities are used directly rather
than proper Unicode, which isn't a good idea, and it means that the
string isn't later escaped, and if it gets mixed together with user
input or translation strings there's a place for XSS. The worst thing
probably is that sanitization is based on regexp blacklists/filters;
I'm talking about StringHelper.php. I didn't look at how it's actually
used, but still, even without trying I'm pretty sure it would be
possible to find XSS there. Why? Because the Rails framework over 5
years has had ~20 XSS vulnerabilities, and it's an extremely good
framework used by dozens of projects and reviewed regularly, and it's
even based on whitelists, but still uses regexps for that, which isn't
good, and I wonder why no one does proper SGML parsing, which they
should. Just take a look at sanitizer.rb to see how non-trivial it is.
Anyway, the whole idea of sanitization is wrong; you should just
escape all text and not try to guess which tags you should render. I
suggest any web developer read OWASP from A to Z; it's a must for any
web developer. Then there are `?>` PHP end tags used at the end of
various files which are useless and can introduce problems like the
famous "headers already sent" warning. So it seems that's about it
with my quick look, but I might have forgotten to mention some things.
Another thing I don't like is that AGPL is used. I really dislike all
of the GPL family, but that's just me and I'd rather prefer copyfree,
so if there are similar projects then I'd rather contribute to MIT
than any GPL variant :P And I'm not a fan of Bazaar nor Launchpad, but
that's not the worst thing (someone should ban CVS and SVN :D)
So to sum up about Movim, good parts:
- Good idea
- Quite decent code, MVC used correctly
- Localization support
- Pretty website
- Open Source
- Active development
- SCM is used
and bad:
- Not enough known, marketed
- PHP is used
- No PHP framework used but self-developed one
- Some questionable and potentially vulnerable code in some places
- Scripts and files accessible directly
- Not my favorite (un)license
But yeah, keep it up and continue developing it ;) I might use it
some day...
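Davis's escape-everything point and the related remarks about entities in source strings and the trailing `?>` tag, as an added PHP example that is not Movim's code; the helper names, the blacklist function and the sample title are hypothetical:

```php
<?php
// Added example, not Movim's code: escape-on-output versus the regex
// blacklist style the review criticises. All names here are hypothetical.
declare(strict_types=1);

/** Escape-on-output: every string that reaches HTML goes through this. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Blacklist "sanitizer" for contrast: it removes only what it was told about. */
function blacklistStrip(string $s): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $s) ?? '';
}

/**
 * Builds a feed heading from a user-chosen title, an author name and a
 * translated label. The arrow is kept as real Unicode rather than the
 * entity "&rarr;": e() leaves Unicode readable, whereas an entity written
 * into the source would come out as "&amp;rarr;", which is exactly what
 * tempts a developer to skip e() and let user input reach the page raw.
 */
function renderHeading(string $title, string $author, string $label): string
{
    // Escape the translation string as well: translators are an input too.
    return '<h2>' . sprintf(e($label), e($title)) . ' → ' . e($author) . '</h2>';
}

// Constructed sample input containing harmless markup, an ampersand and quotes.
$title = 'Hello <b>world</b> & "friends"';

// Blacklist: nothing in the pattern matched, so the string is returned
// untouched and <b>...</b> (or any other tag) would be rendered as live markup.
var_dump(blacklistStrip($title) === $title);

// Escaping: every <, >, & and quote becomes an entity, so the browser shows
// the title as text and the markup cannot change the DOM.
echo renderHeading($title, 'edhelas', 'Post: %s'), PHP_EOL;

// This file deliberately has no closing "?>" tag: any whitespace after it
// would be sent as body output and trigger the "headers already sent" warning.
```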