#indieweb 2022-11-08

2022-11-08 UTC
gRegorLove_, lanodan, jacky, Seirdy, geoffo, cygnoir, webmind and [aciccarello] joined the channel
#
[tantek]1
what are stories
#
Loqi
A story is a singular (one per profile) time stream collection post, that consists of ephemeral photo and video posts that are shown in sequence one at a time and disappear from the collection some time after being added, usually 24 hours https://indieweb.org/stories
gerben and krjst joined the channel
#
@signalapp
Don’t want stories? That’s fine. You can turn off stories entirely by going to Settings → Stories. https://pbs.twimg.com/media/Fg-vEu5WAAUxsaY.jpg
(twitter.com/_/status/1589681755443073024)
timdream, [aciccarello]1, geoffo, mro, Nuve and cambridgeport90 joined the channel
odnes and mro joined the channel
#
[tantek]1
welcome to hotel #indieweb cambridgeport90
[MiaCrow], jonnybarnes, barnaby, gRegorLove_, n8chz, [pfefferle], [Murray], bterry1, jacky, [Murray]1, AramZS and geoffo joined the channel
#
GWG
My first public venue autocreated this morning....need to tweak presentation and some other stuff, but progress
#
[tantek]1
apparently I setup a xoxo.zone Mastodon account and by the likes of the email notifications, it's getting followers. how do I after the fact set it up to "forward" to my personal site @-@ account so those folks trying to follow me follow my @-@ personal site account instead?
#
[tantek]1
(I think I set this xoxo account up years ago)
#
[snarfed]
You could try the account migration/redirect thing in Mastodon settings, but it may be Mastodon specific
#
aaronpk
yeah there's a setting in the mastodon UI somewhere, i think i did that for my own xoxo.zone account too
#
[tantek]1
that's probably worth writing up on the wiki as a how to for folks who setup their personal sites with Bridgy Fed
#
[snarfed]
Let's see if it works first
#
[tantek]1
presumably aaronpk did it and it works for him?
#
aaronpk
i don't think we need to duplicate the documentation https://docs.joinmastodon.org/user/moving/#migration
#
[snarfed]
Could document that BF doesn't (yet) support the Move activity
#
[tantek]1
snarfed, do you mean moving *from* BF?
#
[tantek]1
or receiving of forwards?
#
[tantek]1
aaronpk, that's a good resource to link to. may be worth documenting Bridgy Fed specific aspects
#
[tantek]1
I'll chat what I'm doing here
#
[tantek]1
After logging in, I clicked on "⚙ Preferences" which took me to https://xoxo.zone/settings/preferences/appearance
jacky joined the channel
#
[snarfed]
Evidently there's a specific Move AP activity that maybe Mastodon invented. See aaronpk's link ^
#
[tantek]1
in the left column I clicked on "🔒 Account" which took me to https://xoxo.zone/auth/edit
#
[tantek]1
under the heading "Move to a different account" I clicked on "configure it here." which took me to https://xoxo.zone/settings/migration
#
[tantek]1
(note: this is already different from the instructions on docs.joinmastodon)
#
[tantek]1
(this is why I'm doing it explicitly and taking notes)
mro joined the channel
#
[tantek]1
in the form field "Handle of the new account *" I typed in my domain@domain, and Mastodon pw in the "Current password *" field, and clicked the ( MOVE FOLLOWERS ) button
#
[tantek]1
I got the red error message: " Something isn't quite right yet! Please review the error below ", the input label "Handle of the new account *" turned red with a red message under the field "is not an alias of this account"
#
[tantek]1
I took a screenshot
#
[snarfed]
yeah this may be the Mastodon-specific part
#
[tantek]1
looks like I have to first tell Bridgy Fed (somehow) to "back-reference" this account. Per the instruction: "The new account must first be configured to back-reference this one"
#
[tantek]1
and there you go, currently it doesn't work
#
[tantek]1
so at a minimum we can document that you can't (yet) migrate from a Mastodon account to a Bridgy Fed setup, so if you plan to "eventually" use your own site, you should just do that up front, rather than creating a Mastodon account first.
#
[campegg]1
[tantek] I had the same thing happen with mastodon.social and indieweb.social, so just ended up setting my indieweb.social account to redirect to mastodon.social
#
[tantek]1
I clicked the "only put up a redirect on your profile." which took me to https://xoxo.zone/settings/migration/redirect/new
#
[campegg]1
So even migrating between Mastodon instances is broken, not just Bridgy Fed
#
[tantek]1
in the form field "Handle of the new account *" I typed in my domain@domain, and Mastodon pw in the "Current password *" field, and clicked the ( SET REDIRECT ) button
#
[tantek]1
and got an error page saying "We're sorry, but something went wrong on our end." with an animated cartoon elephant pounding on a desk with a computer with ERROR on its display
#
[tantek]1
Thus ends that attempt to setup redirecting from an existing Mastodon Account to Bridgy Fed.
#
[tantek]1
(also there's no link or way to "escape" that error page back to your home page or preferences or anything)
#
[tantek]1
(it's a navigational deadend)
#
[snarfed]
[campegg] migrating between Mastodon instances works, I did it recently, worked fine
#
[tantek]1
I manually went back to https://xoxo.zone/settings/
#
[snarfed]
you have to set up an alias on the destination account first
#
[snarfed]
but yeah the alias thing seems maybe Mastodon-specific
#
[tantek]1
[snarfed] the "only put up a redirect on your profile" should work without setting up the alias on the destination, odd that that's broken too
#
[tantek]1
LMK if you saw anything 'weird' on your end in Bridgy Fed logs
#
[snarfed]
yeah needing the destination alias is a UX question, I'm guessing they had reasons, would be nice to find those
#
aaronpk
i think the theory is that you want the bidirectional verification like RelMeAuth
#
aaronpk
i'm sure it was discussed
#
aaronpk
one attack vector of not having the bidirectional link is i could set up an account on some shady instance and redirect it to your account, then go around telling people "look tantek had an account at X see?"
#
[snarfed]
Alex Stamos has been looking at related account migration concerns, eg https://twitter.com/alexstamos/status/1589695471425294336
#
@alexstamos
One of the interesting security issues with the federated namespace is that you can force your followers to come over to a new server you control. I seem to be running into a caching issue with http://mastodon.social but we'll see if I can surprise folks. https://pbs.twimg.com/media/Fg-7dQJVIAUVE63.jpg
(twitter.com/_/status/1589695471425294336)
#
aaronpk
that's... misleading
#
aaronpk
"come over to" is doing a lot of heavy lifting there
#
Loqi
[hach-que] #177 Support account migration
#
[campegg]1
[snarfed] 🤔 I went through much the same process as Tantek did above, with much the same result
#
barnaby
it’s a complicated problem
#
[tantek]1
I edited my "Bio" field of my profile to put: "t has moved to tantek.com@tantek.com / Or follow https://tantek.com/ in your Social Reader", added a "Website" metadata item with link https://tantek.com/ and clicked ( SAVE CHANGES )
#
Loqi
Tantek Çelik
#
[tantek]1
I posted "Follow my real account at @tantek.com@tantek.com"
#
[snarfed]
[campegg] did you set up the alias on the destination account?
#
Loqi
[Tantek Çelik] Follow my real account at @tantek.com
#
[tantek]1
note the difference in previews ^
#
[tantek]1
it changed the text "@tantek.com@tantek.com" to "@tantek.com" and auto-linked it to https://fed.brid.gy/r/http://tantek.com/
#
[tantek]1
however, clicking on "@tantek.com" in that toot then takes you to https://xoxo.zone/web/@tantek.com@tantek.com
#
Loqi
Tantek Çelik
#
[snarfed]
after a few seconds/minutes, that URL ^ starts redirecting to tantek.com
#
[snarfed]
as it does now
#
[snarfed]
(Mastodon behavior I don't fully understand yet)
#
[tantek]1
[snarfed], maybe minutes? haven't seen it redirect yet. at the bottom of that page it links "Browse more on the original profile" to https://fed.brid.gy/r/http://tantek.com/ which then redirects to http://tantek.com/. Any chance of setting that up to redirect to https://tantek.com/ instead? I don't think I did anything on Bridgy Fed to pick http: explicitly.
#
[campegg]1
[snarfed] Yep, did all that. Might try again later, but for now, am just going to settle for the redirect
#
[tantek]1
also looks like my reply to myself was not "federated" to that profile, will have to check my code
#
Loqi
Tantek Çelik
#
[snarfed]
the https://fed.brid.gy/r/http://tantek.com/ link includes http scheme in it. I think I generate that from AP activites that only have @-@, which doesn't have scheme, so I have to default to http
#
[tantek]1
hmm, looks like I did include the Bridgy Fed link and webmentioned it from my most recent post https://tantek.com/2022/311/t1/sf-ca-election-issues-update
#
[snarfed]
can look more
#
Loqi
[Tantek Çelik] SF&CA 2022 election issues update Voting no on M, poorly structured vacancy tax, we need a better one. See @SPUR_Urbanist analysis: https://www.spur.org/voter-guide/2022-11/sf-prop-m-vacant-homes Also SF Chronicle: https://www.sfchronicle.com/opini...
#
[tantek]1
[snarfed] I'm still not seeing the redirect, e.g. at https://xoxo.zone/web/@tantek.com@tantek.com/with_replies
#
Loqi
Tantek Çelik
#
aaronpk
it redirects for me
#
[tantek]1
still, I setup the rel-me verification thing: https://xoxo.zone/web/@t — I think I've done about as much as I can there to "forward" people to my own site for following
#
[snarfed]
I am with curl
#
Loqi
Tantek Çelik
#
[tantek]1
aaronpk, perhaps because I'm logged in
#
[tantek]1
yup that was it
#
[tantek]1
aaronpk, are you logged into xoxo.zone? Try logging in and seeing if it still redirects or not
#
aaronpk
yep still redirects
#
[tantek]1
fascinating. perhaps only because I am logged in as the account owner it doesn't redirect
#
[tantek]1
alright this is about as "migrated" as I can make it look: https://xoxo.zone/@t
#
Loqi
Tantek Çelik
#
[tantek]1
suggestions for improvements welcome
#
[tantek]1
[snarfed] since the @-@ scheme came after LetsEncrypt, WDYT of defaulting @-@ ids to https?
#
[tantek]1
the "downside" of having the link "break" or not be able to authenticate if the destination server lacks https seems like not a horrible thing to give users a heads-up about
#
[tantek]1
since @-@ assumes account ownership, login, etc. all things that really should be behind https
#
[tantek]1
assumptions we can't make about "naked" domains like example.com
#
[snarfed]
maybe? I don't know? https sites often/usually redirect http to https, but that's not true of http sites, so I'd mildly worry about UX
#
[snarfed]
there's no real authentication or creds in band anywhere in Bridgy Fed's interactions specifically, and just linking to http vs https isn't a vulnerability, so I'm not really worried security wise
ShoesNSocks joined the channel
#
[snarfed]
(s/that's not true of http sites/the reverse isn't true of http sites/)
jgee118 joined the channel
#
[tantek]1
I meant semantically, @-@ implies more (identity, ownership, login forms) than a plain domain, and thus it's appropriate to use a different default
#
barnaby
does bridgy fetch the domain from the @-@ at any point in the process? if so it could check the effective URL scheme and use that. If not, it’d be one extra request
#
[KevinMarks]1
I remember the #177 issue conversation as it started when they were still using websub so 301 redirection would work, but you still needed a 2 way commit (which I think was part of the original rel=me conversation there)
[benatwork] joined the channel
#
@davewiner
That, and http://micro.blog should be getting some ❤️ here too. They have a feature I wish Masto had too — inbound RSS.
(twitter.com/_/status/1590060187700035584)
#
[KevinMarks]1
Weirdly, the Daily Mail had a pretty good factual coverage of Mastodon today. I assume that condemning it as woke will be in a follow up.
t0nic joined the channel
#
[snarfed]
[tantek] I don't actually see that BF @-@ accounts imply identity or login, at least not on the domain itself. eg fully static sites work
#
[snarfed]
barnaby yes! BF could remember each site's scheme. I just haven't seen it as high priority, esp since https sites generally redirect http
CrimsonKinda joined the channel
#
[snarfed]
ok I looked through most of the BF users and haven't found any sites that are still live and http-only. so maybe based on that I can switch to https default
AramZS and [benatwork] joined the channel; CrimsonKinda left the channel
#
[tantek]1
yay! thanks for looking into that [snarfed]++
#
Loqi
[snarfed] has 21 karma in this channel over the last year (61 in all channels)
#
sebbu
[snarfed], remember to check how many use outdated browsers and/or os, which means they might only support old versions of tls, and might not support the latest crypto algorithms
#
[snarfed]
true! that varies per site though. definitely more user research and data collection than I can justify personally here
AramZS joined the channel
#
sebbu
i remember trying to get an A+ on my localhost, then i tried to access it from my NAS and it didn't worked, so i had to switch back to a more permissive cipherlist
#
sebbu
iirc, you can't get anything better than C on sslabs test if you want to keep compatibility with some old os/browsers
#
[snarfed]
maybe! this is largely out of my control here though. it's the SSL on user's own sites, not Bridgy Fed's SSL, and they already pretty much all redirect http to https
#
barnaby
yeah, there’s not a lot BF could/should do about specific TLS ciphers in this case
#
barnaby
(also this is veering into -dev territory :P)
#
barnaby
I’m surprised Loqi didn’t pick up on all the SSL/TLS/cipher talk already
#
Loqi
hey barnaby, it looks like this conversation is getting pretty technical (TLS), can you take it to #indieweb-dev?
geoffo joined the channel
#
Loqi
[indienews] New post: "New IndieAuth Client PHP Release" https://gregorlove.com/2022/11/new-indieauth-client-php-release/
[jacky] joined the channel
#
[KevinMarks]1
Interesting silo quit https://evanp.me/2022/10/29/enough-with-twitter/
barnaby joined the channel
#
[Murray]1
Might be a Slack thing, but what's with the missing words in the article preview above ^ e.g. "a Web service called . It was..."
geoffo joined the channel
#
[snarfed]
slack unfurling bug, evidently missing his links