#indiewebcamp 2014-04-08

2014-04-08 UTC
benprew, JasonO and paulcp joined the channel
scottros and grantmacken joined the channel
#
pdurbin
KevinMarks_: yep. love it. starting to use it in integration tests of the API I'm working on
#
KevinMarks_
like a specialised version of python comprehensions
#
pdurbin
sure. "like sed for JSON data" works for me though :)
#
KevinMarks_
I've written JSON-munging things like that in python before
#
pdurbin
heh. I'm even starting to post on mailing lists some unix commands with jq in the pipeline: http://lucene.472066.n3.nabble.com/document-level-security-filter-solution-for-Solr-td4126992.html#a4127576
#
pdurbin
squished between curl and head :)
#
pdurbin
oh, and available from both `yum install jq` and `brew install jq` which is handy
scottros, emmak, snarfed, grantmacken, caseorganic, caseorga_ and scor joined the channel
#
@sjkmcnally
@jasoncavnar @mashable we’ll also google ways Glass looks ridiculous while granting access to our current location using gMaps #OwnYourData
(twitter.com/_/status/453381885478322176)
fmarier and OPoppy joined the channel
#
OPoppy
hey all, any programmers here?
#
kylewm
hi OPoppy, welcome
#
kylewm
and yes usually lots
#
OPoppy
ah nice. I am a game designer and in need of a programmer to collaborate on some projects
#
OPoppy
a lot of art assets and game design are done, animations, etc. but can't do it all
#
kylewm
we mostly discuss indieweb projects around here, but who knows, someone may be interested :)
#
OPoppy
indieweb projects? i am new here, like what kind of projects?
#
GWG
Hello, kylewm
#
kylewm
hi GWG, how's it going?
#
GWG
Playing with Wordpress again
#
OPoppy
looks interesting
#
GWG
There was one major category I hadn't styled.
#
GWG
Image
#
kylewm
as in posts that are primarily an image?
#
GWG
Yes.
#
GWG
Wordpress is the basis for my Indieweb site.
#
GWG
I've gotten into a feature I've never played with, called Post Formats.
#
kylewm
hey, it looks quite good already
#
OPoppy
so getting started with domain? a domain i have already?
#
GWG
Post formats allow for styling different types differently.
#
GWG
OPoppy: What do you want to do?
#
GWG
OPoppy: The first part of it is to have a site, then to adopt standards.
#
OPoppy
ah ok
#
kylewm
OPoppy, it can be a domain you own or a new one that you purchase .. a place to be your personally identifiable corner of the web
#
kylewm
GWG, what are you using to POSSE photos?
#
GWG
I'm posting it to the domain, then using a Wordpress plugin to POSSE to Facebook and Twitter. G+ is a bit harder due to no write API.
#
kylewm
oh right on, it looks quite good
#
kylewm
I might be wrong but I don't think a lot of folks are posseing photos this way yet
#
GWG
Which way?
#
kylewm
(i.e., using the silo APIs to send them)
#
GWG
Why not?
KevinMarks_ joined the channel
#
KevinMarks_
can anyone recommend a simple cheap VPS?
#
kylewm
KevinMarks_, DigitalOcean?
#
GWG
KevinMarks_: I have a site for you
#
GWG
Lots of cheap ones
#
KevinMarks_
I want something to sit indiecreddit on so there's a remote machine to sync with, with a public IP
#
GWG
Do you need 99.9% uptime?
#
KevinMarks_
not really, as this is still an overextended April Fool joke
#
KevinMarks_
but it would be nice to have someone other than me able to join in
#
GWG
Well, try ChicagoVPS
#
GWG
They have a 128mb $12/year VPS
#
kylewm
(for comparison, DigitalOcean is 512MB $5/month)
#
GWG
I'm paying $19/yr for 1GB
#
GWG
Black Friday special
#
kylewm
awesome! from lowendbox?
#
GWG
kylewm: That is where I found it. It is just a posting site for finding deals
#
GWG
Still not happy with the formatting for links.
#
KevinMarks_
do I care which linux variant it's running?
#
GWG
KevinMarks_: If you are comfortable with one, I suppose.
#
GWG
I'm an old Red Hat user, so I go CentOS
#
KevinMarks_
I'm not bothered really
#
KevinMarks_
it claims the server is up but I can't ping it
zaal and eschnou joined the channel
#
GWG
Well, I must head to bed. I need sleep
#
kylewm
g'night
#
KevinMarks_
ah, it was booting
#
KevinMarks_
switches to debian for apt-get
#
kylewm
thumbs up
KartikPrabhu and melvster joined the channel
#
KevinMarks_
is that Tony's piece?
#
KevinMarks_
watches apt-get install the universe
jsilvestre, cweiske, Jihaisse, LauraJ, friedcell and eschnou joined the channel
#
KevinMarks_
yay, after all that apt-get stuff I'm getting internal compiler errors
basal, tobiastom, pfenwick and krendil joined the channel
#
KevinMarks_
anyone know how to stop debian from saying "g++: internal compiler error: Killed (program cc1plus)"
#
KevinMarks_
hm, out of RAM?
Sebastien-L joined the channel
#
KevinMarks_
fuckin' dependencies. building stuff in C again is making me so happy about Python and node
friedcell, netweb, joshjuran, bnvk, adactio, heath, yobj, ryana, nslater, glennjones, acegiak, sdboyer, smcgregor, benward, JonathanNeal, jancborchardt, hadleybeeman, tommorris, drags, bear, bret, hober, eternicode, pavelz_, wagle, pfenwick, realzies, jacus, kylewm, ireheart, sparverius, mko, LauraJ, Garbee, onewheelskyward, Jeena, XgF, jtzl, pavelz, KartikPrabhu and fmarier joined the channel
#
@MasdelaBarque
#indieweb| Move the web in a new direction | Keep it open and decentralized || http://decentralizecamp.com/ || 21.05.2014 #Düsseldorf, Germany
(twitter.com/_/status/453478361273495552)
#
@fdevillamil
@rtaibah I unfortunately don’t, I learnt at school when I was 4-5, didn’t speak since 1987. And yes, I’m http://indiewebcamp.com/User:T37.net
(twitter.com/_/status/453515518809743360)
Loqi joined the channel
#
kbs
haha :-)
#
barnabywalters
or maybe paternity leave
#
barnabywalters
Loqi: are you a guy or a girl?
#
Loqi
i am a guy
#
cweiske
I always thought otherwise
#
ben_thatmustbeme
Loqi: why do you build me up, buttercup?
#
Loqi
who, me?
#
ben_thatmustbeme
just patching openssl on my servers now
pfefferle joined the channel
#
Loqi
bear has 3 karma
KartikPrabhu and KevinMarks joined the channel
#
kbs
changed passwords on all your 'usual' sites too? :)
#
kbs
[or, don't login until they've patched the server - already code out in the wild that's grabbing the server memory
#
kbs
which in many cases appears to contain plaintext passwords for recently logged in users]
#
GWG
Morning
scottros joined the channel
#
ben_thatmustbeme
yeah, just not logging in for now
#
kylewm
huh, anyone else get ssl_error_bad_cert_domain for stackoverflow.com?
gRegor` joined the channel
#
kylewm
seems like an honest mistake? i don't know security stuff well enough to know
#
kbs
hm.. would it even be possible that the root certs also need to change? *thinks*
#
icco
kylewm, I remember someone complaining about chrome being stricter on ssl certs recently, but i too do not know security well enough
tommorris, ben_thatmustbeme, edrex, eschnou, zaal, JasonO, reidab and bret joined the channel
#
kbs
[stackoverflow - just seems like a bad cert
#
kbs
it's issued for stackexchange rather than stackoverflow]
eternicode, jsilvestre, michel_v, friedcell, iangreenleaf and kylewm joined the channel
#
aaronpk
looks like they messed up and installed their stackexchange cert on stackoverflow.com
#
kbs
wonder if pinned certificates from apps would also need to change
#
bnvk
aaronpk: I'm not sure if I have something configured wonky, but webmention.io does not seem to be recording my mentions sent from Bridgy
#
barnabywalters
bnvk: RE the webmention.io thing: it might also be something to do with short URL usage
#
aaronpk
bnvk: hm i fixed the ssl error that was stopping it before. does bridgy show logs?
the_merlin joined the channel
#
aaronpk
looks like 3 of them were sent a few hours ago https://www.brid.gy/twitter/brennannovak
#
aaronpk
and it got a success message on the last one
#
bnvk
you're seeing the success on your end?
#
barnabywalters
aaronpk: does webmention.io have an endpoint listing all recent webmentions for a particular domain?
#
barnabywalters
that might be handy, not only for mentions feeds but for debugging URL issues
#
aaronpk
yeah i think it's in the docs
#
aaronpk
oh but it needs that token
#
aaronpk
domain=brennannovak.com
#
aaronpk
if you don't care if it's private I can share the token here
jacus and scottros joined the channel
#
bnvk
hrm, that is empty
#
aaronpk
walking to the office, back in a bit!
#
bnvk
okie
LauraJ, scottros, tilgovi, pfefferle and eschnou joined the channel
#
ben_thatmustbeme
sweet. In theory I can receive webmentions now
#
ben_thatmustbeme
not that i do anything with them yet. Or have a method to approve them.
#
gRegor`
Baby steps, ben_thatmustbeme. :) Congrats!
#
ben_thatmustbeme
thanks gRegor`
#
kbs
nice :)
#
barnabywalters
nice work ben_thatmustbeme!
#
ben_thatmustbeme
feel free to test it. I'm going to just add a stream of generic mentions probably tomorrow
#
ben_thatmustbeme
i may also turn off moderation until I have an easy view for it.
#
ben_thatmustbeme
morso might want to curl that to see the headers, only useful thing thus far
#
ben_thatmustbeme
i have a cronjob that runs every 5 minutes (or should) so let's see if it parses
snarfed and jsilvestre joined the channel
#
ben_thatmustbeme
damn, getting an error
caseorganic, tilgovi, dgw and vf5761 joined the channel
pasevin, benprew, _6a68, pfefferle and paulcp joined the channel
KevinMarks and snarfed joined the channel
#
aaronpk
oh hey bradfitz!
#
snarfed
:P my fault, i'm dragging him and a few others to hwc on wed
#
snarfed
btw aaronpk, on that note, is it intentional that indieauth is sensitive to trailing slashes on rel-me links?
#
snarfed
(that bit brad at first)
#
aaronpk
hm no i think that is unintentional
#
aaronpk
oh that's different
paulcp joined the channel
#
aaronpk
or is that what you mean?
#
snarfed
that's what i mean. same issue except github instead of twitter
#
aaronpk
yes that comment accurately describes the problem
pasevin_ joined the channel
#
aaronpk
if a site serves the same profile from two different URLs, that's a problem
#
aaronpk
"trailing slash" is not really a thing, the URLs are different
#
snarfed
yes, true, but it'd be reasonable to treat the same url with and without trailing slash as identical
#
aaronpk
that involves hard-coding stuff to providers, which I could do but that's annoying
paulcp_ joined the channel
#
snarfed
annoying for you, yes, but friendly for users :P
#
aaronpk
i can't just assume all links with a trailing slash are identical to the non-slash version
tantek joined the channel
#
snarfed
i guess. the provider list is already hard-coded, though (right?), so blacklisting or whitelisting doesn't seem too hard...?
#
snarfed
anyway. just a thought. let me know if you want me to file an issue
#
aaronpk
sure go ahead, would be good to have a list of providers which have this behavior
#
aaronpk
what github and twitter should be doing is sending a 301 redirect from twitter.com/aaronpk/ to twitter.com/aaronpk and then everything would be working fine
#
snarfed
definitely! agreed. but they don't. :/ ah well.
#
tantek
good morning #indiewebcamp!
#
tantek
I'm at the HTMLWG meeting all day in San Jose.
#
tantek
catches up on logs
#
tantek
aaronpk, loving the stream of comments on http://aaronparecki.com/replies/2014/03/07/3/oscars
_6a68 and bnvk joined the channel
#
kbs
snarfed: for the four remaining people who actually use pgp for contact info :) think its worth removing old email addresses from https://snarfed.org/pubkey.txt ?
#
aaronpk
tantek: ha wow that's getting long
#
snarfed
kbs: hah. maybe! looking now.
#
gRegor`
4.5. I plan to start using PGP :)
#
snarfed
kbs: ah. the google one? probably yes
#
kylewm
aaronpk, it's really testing your facepile arrangement :) looks good
#
tantek
kbs, snarfed which reminds me, how does one *obsolete* an email address (or other contact info) in the context of PGP contact info (or frankly any contact info) ?
#
kbs
snarfed: oh, and if you link to it from your home page
#
kbs
will make it easier for me to discover ;) just a <link rel="key" href=""> or something similar...
#
tantek
like - "I am no longer using this phone # ..."
#
tantek
the use case being - "dear friends, please delete this number you have for me from your contacts/addressbook"
#
snarfed
kbs: thanks! will do
#
snarfed
tantek: no clue!
#
tantek
would be useful for when leaving a company, or burning a phone #
#
snarfed
kbs: searched quickly, the only place i see rel="key" is http://microformats.org/wiki/key-examples#Brainstorming . is that where you got it?
#
kbs
tantek: unfortunately - it ends up being (in practice) what any given client does. In theory, a client with a pgp key ought to be checking the keyservers for updated (or revoked) information
#
kbs
and you can update (or obsolete) information by revoking an earlier signature
glennjones joined the channel
#
tantek
kbs - so you revoke a signature and that revokes *all* the information as part of that signature?
#
kbs
snarfed: yes
#
kbs
pretty much. [You could also use u-key in your hcard, if you want to make it visible in the html as well]
#
tantek
snarfed - I thought rel="key" was derived from links on the web
ttepasse joined the channel
#
kbs
tantek: you can choose to revoke a specific portion of the key file. Each uid (== a particular email address) has its own signature in the key. You could just revoke that one signature alone
#
tantek
snarfed, n.m. looks like none of the examples actually use rel=key - but could
#
tantek
hence brainstorming
#
tantek
kbs - interesting. is revoking the counterpart of signing?
#
kbs
tantek: yep, pretty much. It's just another signature that revokes the previous signature :)
#
tantek
so that's a whole set of use-cases then
catsup joined the channel
#
ben_thatmustbeme
haha, fixed my logical error, now It works, I get webmentions!
#
snarfed
ben_thatmustbeme++
#
Loqi
ben_thatmustbeme has 1 karma
#
kbs
the PGP keyfile really wants to be a database
#
kbs
so it's big and painfully complicated. There are internal references to information like bits of text (like an email) or subkeys that are validated by signing each reference (more or less)
#
kbs
and finally, the revoking mechanism allows you to tell a keyserver to delete a prior reference - perhaps it's easier to think of it like a version controlled system, where the end result is the result of combining all the intermediate 'changes' to the repository
#
snarfed
kbs: added both rel-key and u-key
#
kbs
cool :) *tests his little experiment*
KevinMarks joined the channel
#
tantek
congrats ben_thatmustbeme on getting webmention receiving working!
#
kbs
snarfed: yay :)
chloeweil, rknLA and squeakytoy joined the channel
#
ben_thatmustbeme
eh, turned off moderation, and it just posts the link to recent mentions, nothing too fancy now
#
ben_thatmustbeme
but it works
#
snarfed
ben_thatmustbeme: interesting. minor point: you return 200 for urls that don't exist and serve the home page, e.g. http://ben.thatmustbe.me/asdf
#
ben_thatmustbeme
yeah, i haven't dealt with that yet. I noticed that
#
ben_thatmustbeme
for the site I had originally hacked this up for, they wanted that (much older crowd was the user base, so basically just assume that typos are probable)
#
snarfed
heh. you can return status code 404 and still render the home page
#
snarfed
regardless, minor point
ttepasse joined the channel
#
bnvk
is it just me or does it feel like parts of the internet are broken today?
#
aaronpk
heartbleed
#
kbs
[random tidbit - mail.yahoo.com was unpatched for most of the morning... hope nobody logged in earlier :)]
#
tantek
aaronpk - agreed about slash / no-slash being different in URLs
#
tantek
whitelisting domains seems to be the only short term solution :/
#
aaronpk
tantek: good, but i'm now thinking it's probably not unreasonable to hard-code some stuff for specific providers
#
kylewm.com
edited /Instagram (-1) "/* API */ markdown link format -> mediawiki"
#
tantek
that's what I mean by "whitelisting domains"
#
aaronpk
right yes, you beat me to it :)
tilgovi joined the channel
#
tantek
I remember having to do this in the PHP relmauth code
#
tantek
I think I put something in like a "strip-trailing-slash" boolean in the provider data structure
#
tantek
so when canonicalizing profile URLs from a particular provider, if that bit was set, the code would check and drop trailing slashes on profile URLs of that provider (regardless of source)
#
tantek
so regarding this SSL exploit - does this mean stop using various websites for a while?
#
aaronpk
all I know is that the exploit can allow attackers to dump parts of the system memory
#
aaronpk
how that affects me feeling safe about signing in somewhere I am not sure
#
tantek
how do we know which providers have upgraded their SSL?
#
kbs
by running the exploit itself, more or less
#
tantek
which implies there are groups out there "validating" various providers right?
#
tantek
checks krebs on security
#
aaronpk
kbs: fun fact: it can be a criminal offense to do that
#
kbs
The potential issue is also whether someone has logged into a site over the last day or so - what's also happening is that the credentials of people who've logged into a given server is available in the dump.
#
aaronpk
oh hah wow
#
kbs
s/logged/recently logged/
#
Loqi
kbs meant to say: The potential issue is also whether someone has recently logged into a site over the last day or so - what's also happening is that the credentials of people who've recently logged into a given server is available in the dump.
#
tantek
aaronpk - that doesn't look suspicious at all :P
#
aaronpk
they link to all good sources
#
aaronpk
"VULNERABLE - indieweb.org:443 has the heartbeat extension enabled and is vulnerable to CVE-2014-0160"
#
kbs
yes
#
aaronpk
you can compile yourself, but they have binaries at http://gobuild.io/download/github.com/titanous/heartbleeder if you trust them :)
friedcell joined the channel
#
kbs
just so you know - that code runs the exploit ;-)
#
aaronpk
i'm only running it on my own servers :)
#
kbs
ah, ok
#
aaronpk
i learned that lesson once the hard way
#
kbs
aaronpk: :/ ah well. [for better or worse, I had my lesson back in the 1990s, fortunately when the internet was a more innocent place...]
#
aaronpk
heh yes, mine was much later
#
kbs
old-fart-anecdote - I was running a crawler for my thesis that would ping random SunRPC services on the internet to determine their uptimes. Bug in some of the services caused their computers to crash, hacking suspicions - much drama. fortunately was able to deflect most of it to my advisor...
_skinny joined the channel
#
kbs
oh, the times when there was no such thing as a "firewall" :)
ireheart, sparverius and pasevin joined the channel
#
aaronpk
rebooting the server real quick with new openssl
#
tantek
thanks aaronpk!
#
aaronpk
wow yeah running the exploit dumps a bunch of the nginx config file from memory :/
#
aaronpk
and fixed!
#
Loqi
giggles
#
kbs
aaronpk++ wohoo
#
Loqi
aaronpk has 418 karma
vt0 joined the channel
#
aaronpk
that covered indieweb.org, indiewebcamp.com, webmention.io and indieauth.com
#
bnvk
ooo what are the plans for indieweb.org ?
tahnok and KevinMarks joined the channel
#
aaronpk
can't remember at the moment, it came up during indiewebcampsf
#
aaronpk
tantek: I just got an iPod for testing stuff at work, I hadn't actually seen one of the new ones yet! Is that the one you have? the 4" retina one?
#
bnvk
always good to have domains on hand :)
#
ben.thatmustbe.me
edited /webmention (+609) "Adding notes on my Implementation"
#
bnvk
mmmm, I loves me some DOGFOOD :D
#
aaronpk
I'm gonna call it champagne now http://aaron.pk/n4V23
grantmacken joined the channel
#
bnvk
hehe aaronpk that's a good point ;)
#
ben_thatmustbeme
!tell damn you barnabywalters, by asking me a question in your webmention you are fueling my desire to have sending working that much more.
#
Loqi
Ok, I'll tell them that when I see them next
#
ben_thatmustbeme
yeah, that's not going to go to the right person
#
bnvk
ben_thatmustbeme: I know the feeling :P
#
ben_thatmustbeme
at least people can see that I know they mentioned me. I just know I'm going to have a ton of stuff to try and strip out any javascript or funky html to make sure it's safe before i show it on my site at all
#
aaronpk
ben_thatmustbeme: you could start with just showing the plaintext version
#
ben_thatmustbeme
strip out any tags, that should be all i'd need i suppose right
#
ben_thatmustbeme
but yeah, i will start with that
#
aaronpk
I mean use the plaintext version that comes back from the mf2 parser
#
ben_thatmustbeme
i hadn't dug in to the guts of it yet, wasn't sure if it would strip everything out or not
#
ben_thatmustbeme
that's excellent that it does. that takes care of most of my concerns. XSS would be possible I suppose still though
#
kbs
!tell bear just wondering - https://bear.im/pubkey.txt has both the expired and the new key, deliberate decision?
#
Loqi
Ok, I'll tell them that when I see them next
#
aaronpk
ben_thatmustbeme: you're welcome to try to craft an attack and send me a webmention
#
ben_thatmustbeme
it would be an attack on someone else that mentioned you already, and resubmitting that mention on my own with a URL extended to include JS. It's very unlikely to find someone that has a site like that, but I may set one up just to test feasibility
#
kbs
you might be able to just use paste.debian.net I think
#
aaronpk
we should make a webmention vulnerability test suite, hehe
#
aaronpk
webpwn.com/hack/my/site?me=aaronparecki.com <-- generates an attacker page linking to a post on my site so I can send webmentions from that URL to test what happens
#
kbs
ah, nice
#
ben_thatmustbeme
hmmm, actually, thinking about it, the vulnerability would then be on the other person's site, not mine
#
ben_thatmustbeme
so i would be attacking another site but using yours to host the link
#
ben_thatmustbeme
I don't see it as much of an issue really, other than it give the link some legitimacy
benprew, vf5761, scottros_ and scottros joined the channel
#
aaronpk
oh god
#
@patio11
@theycallmemorty Because clients have the heartbeat protocol too, so any server you connect to via embedded HTTP library can heartbleed you.
(twitter.com/_/status/453618444408086528)
#
aaronpk
can someone with more knowledge of openssl than me confirm this?
#
tantek
scrolls up
#
tantek
aaronpk I have the iPod 5 touch. Retina display. not sure what you mean by "one of the new ones"
#
aaronpk
uh I mean one of the ones after the 3.5" one that I have from like 4 years ago :)
#
kbs
aaronpk: would it be ok to run one or two more test webmentions against your test page at https://aaronparecki.com/notes/2013/10/12/2/indieweb?
#
aaronpk
please do!
caseorganic joined the channel
#
kbs
thanks :)
yaf joined the channel
#
tantek
aaronpk, where's that pushup counting app you developed?
#
aaronpk
uses indieauth for sign-in and micropub for posting
scor joined the channel
#
kbs
one more done... probably better to have done it in a test-case :(
pfefferle and pasevin joined the channel
#
ben_thatmustbeme
snarfed, invalid URL now returns 404, but still the home page
#
snarfed
ben_thatmustbeme: nice! good step
#
ben_thatmustbeme
i forgot I was using the same controller for both cases
pauloppenheim joined the channel
#
tantek
aaronpk - pushup counter app works with using your nose to touch the display of the iPod/iPhone right?
#
aaronpk
yep! I set the phone on the floor then do pushups on to it
#
tantek
is there a video demo?
#
ben_thatmustbeme
so you slap your face in to the phone?
#
aaronpk
heh not of mine
#
ben_thatmustbeme
when you get tired that is
#
tantek
does it "ding" when you touch it to confirm the touch?
#
aaronpk
but danny did pushups onto his android phone at the 2012 indiewebcamp here
#
aaronpk
demoing realtime PESOS with beeminder
#
@bmndr
Beeminder founders @dreev and @thatgirl at #indiewebcamp today, about to show off our realtime PESOS with assistance from @pjf
(twitter.com/_/status/348500981945860096)
#
aaronpk
i thought they had a video or photo, but I can't find it
#
kbs
haha :) nice
#
tantek
aaronpk ^^^ ding?
#
aaronpk
no sound, but the giant number increments pretty obviously
#
aaronpk
i suppose I should add sound, but I haven't really needed it
#
aaronpk
also the volume on my phone is off 99% of the time
#
tantek
sound would be nice when you're struggling so much that you close your eyes
scottros and krendil joined the channel
#
kylewm
snarfed, were you guys brainstorming recently about bridgy original post discovery if there's no backlink in the post (e.g., on instagram)?
#
snarfed
kylewm: lightly, yeah
#
snarfed
aaronpk proposed querying his site (somehow) with the instagram picture url
#
snarfed
s/his/the user's/
#
Loqi
snarfed meant to say: aaronpk proposed querying the user's site (somehow) with the instagram picture url
indie-visitor joined the channel
#
kylewm
ah exactly what i was wondering
#
aaronpk
probably via the micropub endpoint
#
snarfed
ah, micropub supports this?
#
aaronpk
not yet :)
barnabywalters joined the channel
#
kylewm
like if there were a generic endpoint kylewm.com/original_post?tweet=twitter-url
#
kylewm
that could be the target
#
aaronpk
or yeah like that
#
kylewm
oh, how does it fit into micropub?
#
aaronpk
it may not fit into micropub since micropub assumes it'll be creating content...
#
kylewm
so actually would there be any advantage of sending source=bridgy-url&target=kylewm.com/original_post%3Fsyndication%3Dtwitter_url as opposed to just notifying the user's homepage
#
snarfed
let's see
#
kylewm
i.e., source=bridgy.com/etc/&target=kylewm.com
curiousjohn joined the channel
#
snarfed
specific target is nice since you can do some validation before attempting to fetch at all
#
snarfed
and also useful when there are multiple links to a given domain in a post, which would each trigger a separate WM
#
kylewm
are you thinking bridgy would actually do the query first and then (if it exists) send the mention to the post's actual permalink?
#
snarfed
honestly i hadn't thought through it much at all yet
warden joined the channel
#
snarfed
i'm open to questions, proposals, and pull requests!
#
kylewm
is it like... something worth making an issue for to put discussion/ideas there?
#
snarfed
sure, go for it!
#
snarfed
i'd defer to you all to drive, since it's not an itch for me personally
#
snarfed
but i can chime in
warden joined the channel
#
kylewm
is it generally felt that using/having to use permalinks/citations on twitter are a feature and not a bug? :)
#
snarfed
i don't follow, sorry
#
kylewm
that's what's driving me to think about it...haven't come up with a way to cite original posts that i'm happy with
#
kylewm
i wouldn't do it at all, but i want that sweet sweet bridgy backfeed
#
snarfed
you mean, when you're mentioning a tweet but not replying to it?
#
kylewm
sorry i need to clarify
#
kylewm
having a (link) at the end of the POSSEd tweet is good in that it { cites original content, serves as micro-evangelism } and bad in that it { is a little distracting, uses up characters }
#
kylewm
do folks generally feel like the benefits outweigh the costs
#
snarfed
ahhhhh i see
#
snarfed
i hadn't thought much about how to preserve backfeed. query endpoint, extra "syndicated" webmention param, searching h-feed entries for rel-syndication are all possibilities
#
barnabywalters
good evening
#
kylewm
snarfed, ha!
#
barnabywalters
tantek: RE pushup counting utilities, I have a really simple single-HTML-page one here: http://waterpigs.co.uk/pushups/
#
snarfed
evening barnabywalters
#
barnabywalters
no sound but it could be trivially added
#
gRegor`
kylewm: I haven't implemented POSSE yet, but I've not been a big fan of adding the short link at the end of the tweets. I think I would definitely like an alternative.
#
aaronpk
keep in mind there are also human benefits to having the link, like if visitors can click it to find your site where there is a *better* experience than on twitter
#
brennannovak.com
created /Mailpile (+669) "Created page with "[https://mailpile.is Mailpile] is a webmail client with user-friendly encryption and privacy features. Mailpile is free software. [http://en.wikipedia.org/wiki/Mailpile read more...""
#
aaronpk
easier to navigate between posts, see the full list of comments since it'll include twitter+facebook+instagram comments, etc
caseorganic joined the channel
#
gRegor`
True
#
gRegor`
Though I feel like it would be obnoxious to click through and see nothing additional / new. E.g. no interactions.
#
kylewm
aaronpk, have you had anyone complain about the close ) being included in the URL when they click it? I don't know if it's tweetdeck or what that does that
#
aaronpk
i haven't heard that, no
#
aaronpk
gRegor`: that is the negative feedback tantek got, which is totally justified if there is no additional content
#
aaronpk
s/got/talks about
#
Loqi
aaronpk meant to say: gRegor`: that is the negative feedback tantek talks about, which is totally justified if there is no additional content
#
kylewm
somebody mentioned that to me but i didn't get details
#
gRegor`
I feel like it also might lessen interest in clicking my non-permashortlinks. Like when I'm sharing a link to an external site I find interesting.
#
kylewm
gRegor`, yeah I totally have that concern too, or at least make it confusing which link they should click on
#
gRegor`
I guess a youtu.be link would be obviously different from my own shortlink, but wonder if people would get used to overlooking my links. :)
#
gRegor`
I'll worry about that once I get POSSE going, though. Heh
#
kylewm
i've noticed barnabywalters does \n(shortlink) ... that's pretty unobtrusive
#
gRegor`
!tell KartikPrabhu Still on for tomorrow night?
#
Loqi
Ok, I'll tell them that when I see them next
#
gRegor`
No Portland location for tomorrow, aaronpk? :) http://indiewebcamp.com/events/2014-04-09-homebrew-website-club
#
aaronpk
crap did it not get marked?
#
aaronpk
dietrich said he'd host again
LauraJ joined the channel
#
gRegor`
Sorry, I thought I pinged you when I set up the page. I wasn't sure.
smcgregor, warden, KevinMarks, wagle, ttepasse and pasevin joined the channel
#
barnabywalters
argh I hate server management
#
barnabywalters
a friend and I rebooted my machine after trying to install a fix for heartbleed, and now my server has no network interfaces
#
barnabywalters
FOR SOME REASON
#
dietrich
oops, thanks for updating the wiki aaronpk
#
aaronpk
barnabywalters: the beeminder guys have been fighting with their servers all morning too after a bad reboot
#
barnabywalters
aaronpk: oh dear :(
#
tantek
barnabywalters: was just about to say waterpigs.co.uk/pushups/ is not loading for me and then I saw last several lines - sorry to hear about that.
#
tantek
is it on github? I'll file the same feature request issues that I did with aaronpk
#
barnabywalters
tantek: not on gh yet, I can put it there if there’s interest
#
tantek
barnabywalters - yes! definitely. I'd love to see a webapp version of a pushups app
#
tantek
and happy to use github issues to send you feature requests too
pfenwick joined the channel
#
barnabywalters
note especially the weird appcache hacks
#
barnabywalters
for figuring out if there’s a network connection or not
#
tantek
wonders if there's a way to copy gh issues from one project to another
#
tantek
beyond just copy/paste
#
tantek
e.g. clone a whole set of issues
#
aaronpk
i think someone has made some scripts to do it via the API
#
kbs
aaronpk: fyi, couple more test-cases added - mostly around href parsing I guess
#
aaronpk
test cases?
#
aaronpk
er, added to what?
#
aaronpk
are you collecting these into a doc somewhere?
#
tantek
barnabywalters - feature requests added! https://github.com/barnabywalters/pushups/issues
#
kbs
aaronpk: not other than random pastebins - is there a preferred way to send you links to them?
#
aaronpk
you could collect them into a section or page on the wiki
pasevin joined the channel
#
kbs
aaronpk: tantek sure - I'll add it there [guess it might be more about xss cleanup than authorship, though]
#
aaronpk
yeah some of those things are xss hacks (javascript:alert, nice
pasevin_ joined the channel
#
tantek
kbs - go ahead and start http://indiewebcamp.com/xss :)
#
kbs
okay
scottros joined the channel
#
pauloppenheim
kbs - reading logs from... 7am?!? root certs, if online (which they shouldn't be) would need to be changed. Most are offline though (i dearly hope that's a req of having a root cert)
#
kbs
pauloppenheim: makes sense - (think cweiske also indicated as much)
#
pauloppenheim
kbs: i run an intranet CA, and the private key is offline and on a machine that has never connected to the internet.
#
pauloppenheim
i think that's standard practice
#
kbs
pauloppenheim: nice. Yes, I was just wondering aloud - as you say, would only matter if the private key was ever actually directly used on a server and that'd be rather terrible for a root CA to do.
#
pauloppenheim
kbs: well, they all have child CAs for doing the actual signing work, which possibly *are* online, so that'll probably wobble over the next few days
#
kbsriram.com
created /xss (+1344) "start xss test cases"
KevinMarks_ joined the channel
#
pauloppenheim
gah, sorry
#
kbs
pauloppenheim: ah
#
kbs
didn't think of that. Interesting day all in all...
#
pauloppenheim
for instance:
#
pauloppenheim
- DigiCert High Assurance EV Root CA
#
pauloppenheim
- DigiCert High Assurance CA-3
#
pauloppenheim
- *.wikipedia.org
#
kbs
yep.
#
KevinMarks_
so cert pinning is going to make this harder?
#
KevinMarks_
so I have a server up for indiecreddit mining, a week later
gRegor` joined the channel
#
kbs
cool :) taking the april 1 hack all the way
ttepasse and _6a68 joined the channel
#
pauloppenheim
KevinMarks_: cert pinning helps other problems, but AFAICT not heartbleed. If the server is using openSSL 1.0.1 and has a TLS heartbeat, it was vulnerable to having memory contents read, which would include any private key.
#
KevinMarks_
right, I meant that cert pinning is going to make it harder to replace all the certs everywhere
#
pauloppenheim
hence the server needs to make a new private key, and you need to get it to pin it.
#
pauloppenheim
oh, possibly, depending on how one pins their certs
pasevin joined the channel
#
tantek
hey anyone know if https://www.w3.org/ has been updated?
#
tantek
those of you that have such tools to check such things (aaronpk?)
#
aaronpk
looks ok
pfenwick joined the channel
#
tantek
great. that's the bubble I'm in this week ;)
#
aaronpk
luckily(?) most of my other servers are so old they're not even running openssl 1.0.1 so I'm fine there :)
#
snarfed
aaronpk: heh, that saved me too
#
tantek
aaronpk, snarfed: interesting, that's a (perhaps unintentional) argument for delaying version upgrades
#
tantek
or are your servers not running openssl - any version?
#
aaronpk
older than 1.0.1
#
snarfed
tantek: eh, not really. net, old versions of software usually have more holes, not fewer
#
snarfed
(mine, both 1.0.0 and not)
#
tantek
snarfed, from a risk management perspective, I've had mixed experiences
#
tantek
and in general have benefited (saved time) from skipping various upgrades
#
tantek
at this point I have to assume that most releases are premature and being beta tested with actual users
#
snarfed
well, sysadmin time and effort is a different argument
#
snarfed
yeah, understood. as long as you keep up with patches on a supported branch, i can understand waiting to jump to the latest one
#
snarfed
staying on an unsupported branch is asking to be exploited, but it sounds like that's not what you meant
#
aaronpk
that's why I use ubuntu 12.04
#
gregorlove.com
edited /User:Gregorlove.com (+17) "/* Contributions */ +Interests"
#
tantek
hmm - 90+ in IRC - is that recent?
#
aaronpk
yeah! past week or so
#
aaronpk
wish I had been graphing it
#
gregorlove.com
edited /User:Gregorlove.com (+462) "/* Interests */"
#
gregorlove.com
edited /User:Gregorlove.com (+41) "/* Interests */"
scottros joined the channel
#
barnabywalters
the real lesson from all this server crap is that I need to back up my stuff more often
#
aaronpk
that's another reason I like git-backed flat file storage so much, built in backups!
benprew joined the channel
#
barnabywalters
aaronpk: yeah, I have my personal site backed up like that locally, but there’s a bunch of other stuff there which isn’t
#
barnabywalters
last resort is to wipe and reinstall, then restore my personal site
#
barnabywalters
stupid thing is I have an emergency ssh connection, but it won’t let me scp things
#
barnabywalters
I can’t even cat the output of a ssh session in which I cat the backup file into a local file :(
#
barnabywalters
apparently I also need to switch providers
#
aaronpk
you should try Linode
#
barnabywalters
to one which isn’t awful
#
aaronpk
assuming you want a VPS
#
Loqi
I agree
fmarier joined the channel
#
tantek
so this heartbleed thing is pretty bad - even if you don't have a certificate explicitly for your domain, you may be vulnerable!
#
aaronpk
and if you make any HTTPS calls in your code you may be vulnerable
#
aaronpk
from your code to any external services
#
aaronpk
such as... all our reply context fetching code
#
tantek
how are you vulnerable on a get?
#
aaronpk
if a server is acting maliciously
#
aaronpk
it can do the same thing to https clients
#
tantek
it opens a new connection to you?
#
aaronpk
no, same connection
#
aaronpk
it's part of the heartbeat negotiation
#
snarfed
yeah, the bidirectional part is a huge kicker
caseorga_, ttepasse and grantmacken joined the channel
#
gRegor`
Sounds like fun, aaronpk ;)
#
aaronpk
indeed :/