#indieweb 2022-11-08

2022-11-08 UTC
gRegorLove_, lanodan, jacky, Seirdy, geoffo, cygnoir, webmind and [aciccarello] joined the channel
# 04:59 
[tantek]1 what are stories
# 04:59 
Loqi A story is a singular (one per profile) time stream collection post, that consists of ephemeral photo and video posts that are shown in sequence one at a time and disappear from the collection some time after being added, usually 24 hours https://indieweb.org/stories
gerben and krjst joined the channel
# 05:04 
[tantek]1 stories << Silo Example: https://twitter.com/signalapp/status/1589681755443073024
# 05:04 
@signalapp Don’t want stories? That’s fine. You can turn off stories entirely by going to Settings → Stories. https://pbs.twimg.com/media/Fg-vEu5WAAUxsaY.jpg (twitter.com/_/status/1589681755443073024)
# 05:04 
Loqi ok, I added "Silo Example: https://twitter.com/signalapp/status/1589681755443073024" to the "See Also" section of /story https://indieweb.org/wiki/index.php?diff=84286&oldid=82836 
timdream, [aciccarello]1, geoffo, mro, Nuve and cambridgeport90 joined the channel
# 08:23 
cambridgeport90 logout
odnes and mro joined the channel
# 09:21 
[tantek]1 welcome to hotel #indieweb cambridgeport90
[MiaCrow], jonnybarnes, barnaby, gRegorLove_, n8chz, [pfefferle], [Murray], bterry1, jacky, [Murray]1, AramZS and geoffo joined the channel
# 15:23 
GWG My first public venue autocreated this morning....need to tweak presentation and some other stuff, but progress
# 15:37 
[tantek]1 apparently I setup a xoxo.zone Mastodon account and by the likes of the email notifications, it's getting followers. how do I after the fact set it up to "forward" to my personal site @-@ account so those folks trying to follow me follow my @-@ personal site account instead?
# 15:38 
[tantek]1 (I think I set this xoxo account up years ago)
# 15:44 
[snarfed] You could try the account migration/redirect thing in Mastodon settings, but it may be Mastodon specific
# 15:55 
aaronpk yeah there's a setting in the mastodon UI somewhere, i think i did that for my own xoxo.zone account too
# 16:11 
[tantek]1 that's probably worth writing up on the wiki as a how to for folks who setup their personal sites with Bridgy Fed
# 16:18 
[snarfed] Let's see if it works first
# 16:19 
[tantek]1 presumably aaronpk did it and it works for him?
# 16:19 
aaronpk yeah https://xoxo.zone/@aaronpk
# 16:20 
aaronpk i don't think we need to duplicate the documentation https://docs.joinmastodon.org/user/moving/#migration
# 16:23 
[snarfed] Could document that BF doesn't (yet) support the Move activity
# 16:25 
[tantek]1 snarfed, do you mean moving *from* BF?
# 16:25 
[tantek]1 or receiving of forwards?
# 16:26 
[tantek]1 aaronpk, that's a good resource to link to. may be worth documenting Bridgy Fed specific aspects
# 16:26 
[tantek]1 I'll chat what I'm doing here
# 16:27 
[tantek]1 After logging in, I clicked on "⚙ Preferences" which took me to https://xoxo.zone/settings/preferences/appearance
jacky joined the channel
# 16:27 
[snarfed] Evidently there's a specific Move AP activity that maybe Mastodon invented. See aaronpk's link ^
# 16:27 
[tantek]1 in the left column I clicked on "🔒 Account" which took me to https://xoxo.zone/auth/edit
# 16:28 
[tantek]1 under the heading "Move to a different account" I clicked on "configure it here." which took me to https://xoxo.zone/settings/migration
# 16:29 
[tantek]1 (note: this is already different from the instructions on docs.joinmastodon)
# 16:29 
[tantek]1 (this is why I'm doing it explicitly and taking notes)
mro joined the channel
# 16:33 
[tantek]1 in the form field "Handle of the new account *" I typed in my domain@domain, and Mastodon pw in the "Current password *" field, and clicked the ( MOVE FOLLOWERS ) button
# 16:34 
[tantek]1 I got the red error message: " Something isn't quite right yet! Please review the error below ", the input label "Handle of the new account *" turned red with a red message under the field "is not an alias of this account"
# 16:35 
[tantek]1 I took a screenshot
# 16:35 
[snarfed] yeah this may be the Mastodon-specific part
# 16:35 
[tantek]1 looks like I have to first tell Bridgy Fed (somehow) to "back-reference" this account. Per the instruction: "The new account must first be configured to back-reference this one"
# 16:36 
[tantek]1 and there you go, currently it doesn't work
# 16:36 
[tantek]1 so at a minimum we can document that you can't (yet) migrate from a Mastodon account to a Bridgy Fed setup, so if you plan to "eventually" use your own site, you should just do that up front, rather than creating a Mastodon account first.
# 16:37 
[campegg]1 [tantek] I had the same thing happen with mastodon.social and indieweb.social, so just ended up setting my indieweb.social account to redirect to mastodon.social
# 16:38 
[tantek]1 I clicked the "only put up a redirect on your profile." which took me to https://xoxo.zone/settings/migration/redirect/new
# 16:38 
[campegg]1 So even migrating between Mastodon instances is broken, not just Bridgy Fed
# 16:39 
[tantek]1 in the form field "Handle of the new account *" I typed in my domain@domain, and Mastodon pw in the "Current password *" field, and clicked the ( SET REDIRECT ) button
# 16:40 
[tantek]1 and got an error page saying "We're sorry, but something went wrong on our end." with an animated cartoon elephant pounding on a desk with a computer with ERROR on its display
# 16:41 
[tantek]1 Thus ends that attempt to setup redirecting from an existing Mastodon Account to Bridgy Fed.
# 16:44 
[tantek]1 (also there's no link or way to "escape" that error page back to your home page or preferences or anything)
# 16:44 
[tantek]1 (it's a navigational deadend)
# 16:44 
[snarfed] [campegg] migrating between Mastodon instances works, I did it recently, worked fine
# 16:44 
[tantek]1 I manually went back to https://xoxo.zone/settings/
# 16:44 
[snarfed] you have to set up an alias on the destination account first
# 16:44 
[snarfed] but yeah the alias thing seems maybe Mastodon-specific
# 16:45 
[tantek]1 [snarfed] the "only put up a redirect on your profile" should work without setting up the alias on the destination, odd that that's broken too
# 16:45 
[tantek]1 LMK if you saw anything 'weird' on your end in Bridgy Fed logs
# 16:46 
[snarfed] yeah needing the destination alias is a UX question, I'm guessing they had reasons, would be nice to find those
# 16:46 
aaronpk i think the theory is that you want the bidirectional verification like RelMeAuth
# 16:46 
aaronpk i'm sure it was discussed
# 16:48 
aaronpk one attack vector of not having the bidirectional link is i could set up an account on some shady instance and redirect it to your account, then go around telling people "look tantek had an account at X see?"
# 16:50 
[snarfed] Alex Stamos has been looking at related account migration concerns, eg https://twitter.com/alexstamos/status/1589695471425294336
# 16:50 
@alexstamos One of the interesting security issues with the federated namespace is that you can force your followers to come over to a new server you control. I seem to be running into a caching issue with http://mastodon.social but we'll see if I can surprise folks. https://pbs.twimg.com/media/Fg-7dQJVIAUVE63.jpg (twitter.com/_/status/1589695471425294336)
# 16:50 
aaronpk that's... misleading
# 16:51 
aaronpk "come over to" is doing a lot of heavy lifting there
# 16:51 
aaronpk wow this thread is *extremely* long https://github.com/mastodon/mastodon/issues/177
# 16:51 
Loqi [hach-que] #177 Support account migration
# 16:53 
[campegg]1 [snarfed] 🤔 I went through much the same process as Tantek did above, with much the same result
# 16:54 
barnaby it’s a complicated problem
# 16:54 
[tantek]1 I edited my "Bio" field of my profile to put: "t has moved to tantek.com@tantek.com / Or follow https://tantek.com/ in your Social Reader", added a "Website" metadata item with link https://tantek.com/ and clicked ( SAVE CHANGES )
# 16:55 
Loqi Tantek Çelik
# 16:55 
[tantek]1 I posted "Follow my real account at @tantek.com@tantek.com"
# 16:55 
[snarfed] [campegg] did you set up the alias on the destination account?
# 16:56 
[tantek]1 and it posted this: https://xoxo.zone/web/@t/109309233202170184
# 16:56 
Loqi [Tantek Çelik] Follow my real account at @tantek.com
# 16:56 
[tantek]1 note the difference in previews ^
# 16:57 
[tantek]1 it changed the text "@tantek.com@tantek.com" to "@tantek.com" and auto-linked it to https://fed.brid.gy/r/http://tantek.com/
# 16:57 
[tantek]1 however, clicking on "@tantek.com" in that toot then takes you to https://xoxo.zone/web/@tantek.com@tantek.com
# 16:58 
Loqi Tantek Çelik
# 16:58 
[snarfed] after a few seconds/minutes, that URL ^ starts redirecting to tantek.com
# 16:58 
[snarfed] as it does now
# 16:58 
[snarfed] (Mastodon behavior I don't fully understand yet)
# 16:59 
[tantek]1 [snarfed], maybe minutes? haven't seen it redirect yet. at the bottom of that page it links "Browse more on the original profile" to https://fed.brid.gy/r/http://tantek.com/ which then redirects to http://tantek.com/. Any chance of setting that up to redirect to https://tantek.com/ instead? I don't think I did anything on Bridgy Fed to pick http: explicitly.
# 17:00 
[campegg]1 [snarfed] Yep, did all that. Might try again later, but for now, am just going to settle for the redirect
# 17:01 
[tantek]1 also looks like my reply to myself was not "federated" to that profile, will have to check my code
# 17:04 
[snarfed] curl https://xoxo.zone/web/@tantek.com@tantek.com shows a redirect now
# 17:04 
Loqi Tantek Çelik
# 17:05 
[snarfed] the https://fed.brid.gy/r/http://tantek.com/ link includes http scheme in it. I think I generate that from AP activites that only have @-@, which doesn't have scheme, so I have to default to http
# 17:06 
[tantek]1 hmm, looks like I did include the Bridgy Fed link and webmentioned it from my most recent post https://tantek.com/2022/311/t1/sf-ca-election-issues-update
# 17:07 
[snarfed] can look more
# 17:07 
Loqi [Tantek Çelik] SF&CA 2022 election issues update
Voting no on M, poorly structured vacancy tax, we need a better one. 
See @SPUR_Urbanist analysis: https://www.spur.org/voter-guide/2022-11/sf-prop-m-vacant-homes
Also SF Chronicle: https://www.sfchronicle.com/opini...
# 17:11 
[tantek]1 [snarfed] I'm still not seeing the redirect, e.g. at https://xoxo.zone/web/@tantek.com@tantek.com/with_replies
# 17:11 
Loqi Tantek Çelik
# 17:12 
aaronpk it redirects for me
# 17:12 
[tantek]1 still, I setup the rel-me verification thing: https://xoxo.zone/web/@t — I think I've done about as much as I can there to "forward" people to my own site for following
# 17:12 
[snarfed] I am with curl
# 17:13 
Loqi Tantek Çelik
# 17:13 
[tantek]1 aaronpk, perhaps because I'm logged in
# 17:13 
[tantek]1 yup that was it
# 17:13 
[tantek]1 aaronpk, are you logged into xoxo.zone? Try logging in and seeing if it still redirects or not
# 17:14 
aaronpk yep still redirects
# 17:14 
[tantek]1 fascinating. perhaps only because I am logged in as the account owner it doesn't redirect
# 17:15 
[tantek]1 alright this is about as "migrated" as I can make it look: https://xoxo.zone/@t
# 17:15 
Loqi Tantek Çelik
# 17:16 
[tantek]1 suggestions for improvements welcome
# 17:28 
[tantek]1 [snarfed] since the @-@ scheme came after LetsEncrypt, WDYT of defaulting @-@ ids to https?
# 17:29 
[tantek]1 the "downside" of having the link "break" or not be able to authenticate if the destination server lacks https seems like not a horrible thing to give users a heads-up about
# 17:30 
[tantek]1 since @-@ assumes account ownership, login, etc. all things that really should be behind https
# 17:30 
[tantek]1 assumptions we can't make about "naked" domains like example.com
# 17:39 
[snarfed] maybe? I don't know? https sites often/usually redirect http to https, but that's not true of http sites, so I'd mildly worry about UX
# 17:39 
[snarfed] there's no real authentication or creds in band anywhere in Bridgy Fed's interactions specifically, and just linking to http vs https isn't a vulnerability, so I'm not really worried security wise
ShoesNSocks joined the channel
# 17:46 
[snarfed] (s/that's not true of http sites/the reverse isn't true of http sites/)
jgee118 joined the channel
# 18:54 
[tantek]1 I meant semantically, @-@ implies more (identity, ownership, login forms) than a plain domain, and thus it's appropriate to use a different default
# 18:57 
barnaby does bridgy fetch the domain from the @-@ at any point in the process? if so it could check the effective URL scheme and use that. If not, it’d be one extra request
# 19:10 
[KevinMarks]1 I remember the #177 issue conversation as it started when they were still using websub so 301 redirection would work, but you still needed a 2 way commit (which I think was part of the original rel=me conversation there)
[benatwork] joined the channel
# 19:15 
[timothy_chambe] https://twitter.com/davewiner/status/1590060187700035584
# 19:15 
@davewiner That, and http://micro.blog should be getting some ❤️ here too. They have a feature I wish Masto had too — inbound RSS. (twitter.com/_/status/1590060187700035584)
# 19:16 
[KevinMarks]1 Weirdly, the Daily Mail had a pretty good factual coverage of Mastodon today. I assume that condemning it as woke will be in a follow up.
# 19:17 
[timothy_chambe] https://simonwillison.net/2022/Nov/8/mastodon-is-just-blogs/
t0nic joined the channel
# 19:23 
[snarfed] [tantek] I don't actually see that BF @-@ accounts imply identity or login, at least not on the domain itself. eg fully static sites work
# 19:24 
[snarfed] barnaby yes! BF could remember each site's scheme. I just haven't seen it as high priority, esp since https sites generally redirect http
CrimsonKinda joined the channel
# 19:43 
[snarfed] ok I looked through most of the BF users and haven't found any sites that are still live and http-only. so maybe based on that I can switch to https default
AramZS and [benatwork] joined the channel; CrimsonKinda left the channel
# 20:35 
[tantek]1 yay! thanks for looking into that [snarfed]++
# 20:35 
Loqi [snarfed] has 21 karma in this channel over the last year (61 in all channels)
# 20:36 
Loqi :D
# 20:41 
sebbu [snarfed], remember to check how many use outdated browsers and/or os, which means they might only support old versions of tls, and might not support the latest crypto algorithms
# 20:47 
[snarfed] true! that varies per site though. definitely more user research and data collection than I can justify personally here
AramZS joined the channel
# 20:53 
sebbu i remember trying to get an A+ on my localhost, then i tried to access it from my NAS and it didn't worked, so i had to switch back to a more permissive cipherlist
# 20:54 
sebbu iirc, you can't get anything better than C on sslabs test if you want to keep compatibility with some old os/browsers
# 20:57 
[snarfed] maybe! this is largely out of my control here though. it's the SSL on user's own sites, not Bridgy Fed's SSL, and they already pretty much all redirect http to https
# 20:58 
barnaby yeah, there’s not a lot BF could/should do about specific TLS ciphers in this case
# 20:59 
barnaby (also this is veering into -dev territory :P)
# 20:59 
barnaby I’m surprised Loqi didn’t pick up on all the SSL/TLS/cipher talk already
# 20:59 
Loqi hey barnaby, it looks like this conversation is getting pretty technical (TLS), can you take it to #indieweb-dev?
# 20:59 
barnaby xD
geoffo joined the channel
# 21:53 
Loqi [indienews] New post: "New IndieAuth Client PHP Release" https://gregorlove.com/2022/11/new-indieauth-client-php-release/
[jacky] joined the channel
# 23:25 
[KevinMarks]1 Interesting silo quit https://evanp.me/2022/10/29/enough-with-twitter/
barnaby joined the channel
# 23:48 
[Murray]1 Might be a Slack thing, but what's with the missing words in the article preview above ^ e.g. "a Web service called . It was..."
geoffo joined the channel
# 23:52 
[snarfed] slack unfurling bug, evidently missing his links