#dev 2016-09-08

2016-09-08 UTC
singpolyma, cmal, KevinMarks and KevinMarks_ joined the channel
#
staceydepolo.com
created /Template:StaceyDePolo (+40) "Created page with "[http://StaceyDePolo.com Stacey De Polo]""
(view diff)
loicm_, gRegorLove, miklb, AngeloGladding and loicm__ joined the channel
KevinMarks joined the channel
#
Zegnat
KevinMarks, will you put The verify me extension on github?
cweiske, AngeloGladding and loicm__ joined the channel
#
KevinMarks
Oh, sure. It's just the code from yesterday wrapped with a manifest
#
Zegnat
Oh, alright, I thought you may have itterated on it, KevinMarks. I would like to see if it can be packaged for Firefox.
loicm__ joined the channel
#
freekurt.com
edited /Known (+50) "/* IndieWeb Examples */"
(view diff)
#
freekurt.com
edited /2016/MIT/Guest_List (+285) "/* Participants */"
(view diff)
#
freekurt.com
edited /2016/MIT/Guest_List (+8) "/* Participants */"
(view diff)
#
freekurt.com
edited /2016/MIT/Guest_List (+49) "/* Participants */"
(view diff)
KevinMarks_ joined the channel
#
freekurt.com
edited /IRC_People (+128) "/* Nicknames */"
(view diff)
#
freekurt.com
created /User:Freekurt.com (+119) "Created page with "== Personal Domains == * https://freekurt.com/ (powered by [https://withknown.com]) ** Wiki user: [[User:Freekurt.com]]""
(view diff)
#
freekurt.com
edited /2015/Cambridge/Guest_List (+19) "/* Participants */"
(view diff)
#
freekurt.com
edited /2015/Cambridge/Guest_List (+5) "/* Participants */"
(view diff)
#
freekurt.com
edited /2015/Cambridge/Guest_List (-10) "/* Participants */"
(view diff)
#
freekurt.com
edited /2015/Cambridge/Guest_List (-3) "/* Participants */"
(view diff)
#
freekurt.com
edited /2015/Cambridge/Guest_List (+16) "/* Participants */"
(view diff)
#
@nndmlsvc
@ipubme Hey, how can I enable Webmentions? Thanks.
(twitter.com/_/status/773801564804878337)
gRegorLove and cmal joined the channel
#
gregorlove.com
edited /Main_Page (+365) "/* Homebrew Website Club */ next two hwc"
(view diff)
#
gregorlove.com
edited /events/2016-09-21-homebrew-website-club (+92) "/* Bellingham, WA */ rsvp, indie event"
(view diff)
#
cweiske
ben_thatmustbeme, I replied to https://ben.thatmustbe.me/note/2016/9/7/2/ but the comment is not showing up on your page
#
Loqi
[Ben Roberts] Successful posting from the new app!
#
cweiske
webmention endpoint says "200 OK" with no content
#
cweiske
do you have to manually approve comments?
Zegnat joined the channel
#
GWG
cweiske: Does the spec say you have to return content with a 200? I don't remember seeing that.
#
cweiske
webmention spec says "Any 2xx response code must be considered a success.
#
GWG
cweiske: Yes, but it doesn't say what constitutes a success.
#
GWG
The receiver doesn't have to display it.
#
Loqi
[Aaron Parecki] Webmention
#
GWG
Just accept it.
#
cweiske
I just wondered why a) it did not show up and b) was a 200 and not 204
#
GWG
So, if someone manually approves comments, or just stores webmentions for statistical data, they would still return success.
#
GWG
cweiske: I don't think 204 is appropriate
#
cweiske
"204 No Content" is not appropriate for "all fine, but I have nothing to say"?
#
cweiske
yes, 201 or 202 would be better
#
GWG
I think there is no expectation by the sender that the receiver will display content.
#
GWG
That is why 204 isn't appropriate.
#
cweiske
I don't think the HTTP spec says anything about /expectations/
#
cweiske
oh, it does
#
GWG
I'm referring to the Webmention spec.
#
cweiske
"However, folding of header lines is not expected by some applications"
#
cweiske
"204 No Content: The server has fulfilled the request but there is no new information to send back."
#
GWG
Again, still think that the webmention specification doesn't require new information sent back. It requires either to alert that it was accepted, or accepted but queued.
#
cweiske
which is 201 or 202
#
GWG
Exactly
#
cweiske
so ben_thatmustbeme's 200 response is semantically incorrect
#
GWG
cweiske: If ben_thatmustbeme is processing synchronously, then it would be correct according to the spec.
#
@WebDeveloper1
followers - … eswc2015 (11); sparql (11); profiles (10); advertising (10); webmention (10) … annotation (7); fe... http://futurewavewebdevelopment.com/triangle_news/2016/09/08/followers/
(twitter.com/_/status/773858972151508992)
#
@brucemwhealton
followers - … eswc2015 (11); sparql (11); profiles (10); advertising (10); webmention (10) … annotation (7); fe... http://futurewavewebdevelopment.com/triangle_news/2016/09/08/followers/
(twitter.com/_/status/773860660115562496)
#
Zegnat
I never bothered to check the HTTP headers on my own receiver. I should do that when I get home. My implantation should be giving 202, but I expect I am doing 200...
#
@familylineage
followers - … eswc2015 (11); sparql (11); profiles (10); advertising (10); webmention (10) … annotation (7); fe... http://futurewavewebdevelopment.com/triangle_news/2016/09/08/followers/
(twitter.com/_/status/773869976210051073)
#
@familylineage
followers - … eswc2015 (11); sparql (11); profiles (10); advertising (10); webmention (10) … annotation (7);... http://futurewavewebdevelopment.com/triangle_news/2016/09/08/followers/
(twitter.com/_/status/773870064852283392)
#
myfreeweb
hey aaronpk please fix https://github.com/aaronpk/Quill/issues/54
#
voxpelli
myfreeweb: if you have time for a PR, then that usually speeds things up. I guess a concern for aaronpk is also that there might be a need for some backwards compatibility
#
aaronpk
I will have to think about the backwards compatibility of that. I've been doing those kinds of changes in quill with a backwards compatibility flag and a notice where you can opt in to the change when you're ready
#
aaronpk
Oh dear my SSL cert expired a few minutes ago. For some reason my auto renew failed!
#
GWG
Another glorious Indieweb day for all?
#
myfreeweb
it's just weird that your client is not compliant with your spec
#
myfreeweb
it's unlikely that anyone implemented an endpoint that only responds to GET /micropub with the config, but not GET /micropub?q=config
#
GWG
The specification was still partially undefined when several implementations came out.
#
GWG
It means that I am not sure what constitutes a reference implementation/client.
#
aaronpk
oh! i wasn't using letsencrypt for my cert!
#
aaronpk
there we go, fixed it and put it into the rotation
#
aaronpk
yes, quill is meant to be a reference implementation but i am behind on it since i've been making faster progress on the micropub spec lately since it's been in the w3c
#
GWG
aaronpk, I appreciate you. I do not think I am alone.
#
voxpelli
myfreeweb: my endpoint is more likely to respond to /micropub than /micropub?q=config as it was constructed fairly early
#
myfreeweb
aren't unknown query params usually ignored?
#
myfreeweb
i guess it could check "q=" for other things and return an error for an unknown one though, yeah
#
voxpelli
that's what mine does
#
GWG
I think last night I figured out Indieauth for WordPress REST infrastructure
doesntgolf joined the channel
#
myfreeweb
implemented mine according to the spec over a month ago. still can't post images.
#
cweiske
myfreeweb, is your code public?
#
myfreeweb
yeah i could make it work with a one line fix. but this is still incredibly frustrating. i want to follow the spec, not the client's implementation
#
voxpelli
I'm happy that aaronpk has such a great client and that he values to stay compatible with us early adopters – everyone can write their own clients if they want or contribute to the ones that exists
#
voxpelli
it's that atmosphere of mutual contributions that I find so appealing with the IndieWeb
#
ben_thatmustbeme
cweiske: your comment was queued for approval as it wasn't whitelisted and didn't have a vouch
#
voxpelli
ben_thatmustbeme++
#
Loqi
ben_thatmustbeme has 167 karma (1 in this channel)
#
voxpelli
nice setup :)
#
cweiske
nobody will vouch anonymous users :)
#
myfreeweb
staying compatible with literally everything is how you become microsoft
#
cweiske
so myfreeweb you have a media endpoint?
#
cweiske
that's like the first I see
#
myfreeweb
i haven't ever seen getting the config without ?q=config in the draft
#
ben_thatmustbeme
also, it should have responded 202, not 200
#
myfreeweb
yeah i have a media endpoint
#
cweiske
apart from aaronpk's private one
#
myfreeweb
yeah exactly
#
myfreeweb
so i wonder who needs backwards compatibility for THAT
#
cweiske
nobody.
#
aaronpk
myfreeweb: normally what i do is i check my logs to see who is using a particular feature and if there are people then i will create a feature flag for the change and let them opt in to the change when ready
#
aaronpk
new users get the new behavior by default
#
myfreeweb
was the old media endpoint discovery behavior (no q=config) *ever* in the spec?
#
myfreeweb
oh i guess you could also query *both* urls
#
aaronpk
hm looks like the first w3c draft only had q=syndicate-to but didn't mention no q parameter
#
voxpelli
there were talks about using no q as a way to verify log in success, but that warped into ?q=config
#
aaronpk
checked some old versions of the spec before w3c
#
myfreeweb
my endpoint returns auth info for no q
#
aaronpk
looks like it never mentioned anything about a GET request to the endpoint with authentication and no query parameters
#
aaronpk
looking at Quill, it actually expects all the config info to come back in a single request which is probably why I made my endpoint return both the syndicate-to list as well as the media endpoint on an empty GET request
#
aaronpk
that is now described as q=config here https://www.w3.org/TR/micropub/#configuration
#
Loqi
[Aaron Parecki] Micropub
#
myfreeweb
yep and i put that on q=config
#
voxpelli
such iterative evolving is key to the momentum – waiting for a full spec before implementations kills any momentum
#
cweiske
I wonder why the media endpoint is in that config at all, and not at the same place as the micropub server link
#
aaronpk
cweiske: that was a tricky one, I wasn't totally sure about which way to go with it
#
voxpelli
as it's an instruction to the micropub client
#
aaronpk
I figured that for the most part, the media endpoint is an implementation detail of the micropub endpoint, so users shouldn't be bothered with it
#
ben_thatmustbeme
btw, cweiske, yeah, that tool isn't done yet, i was just testing its ability to post
#
aaronpk
(assuming the user is at least aware of the html tags that go into their home page)
#
ben_thatmustbeme
i have a lot of work still ahead of me
#
cweiske
aaronpk, same could be said of the token endpoint
#
aaronpk
yeah that is true
#
voxpelli
token endpoint is connected to a domain identity, media endpoint is connected to a content destination
#
aaronpk
really the user should only have to specify their authorization endpoint and their micropub endpoint
#
cweiske
voxpelli, token endpoint is actually determined by the micropub endpoint
#
voxpelli
cweiske: my micropub endpoint supports plenty of token endpoints
#
cweiske
because the micropub endpoint has to verify the token against the token server, without knowing which user the token sent
#
cweiske
voxpelli, then I'm curious how you determine which token endpoint to query
#
cweiske
you query all of them?
#
cweiske
aaronpk, that's a weak point in the spec
#
voxpelli
if a token returns a valid "me" from any of the supported token endpoints, then success
#
cweiske
I don't doubt that this works. it's just not good idea to have a spec that requires you to do this
#
voxpelli
of course it wouldn't scale to thousands of users, but if I were to have thousands of users I would instead implement my own token endpoint
#
voxpelli
I see no problem at all with doing what I'm doing
#
voxpelli
and I don't think the spec is flawed because of it
#
cweiske
voxpelli, then all people would be required to list your token endpoint on their page
#
aaronpk
"all of them"?
#
cweiske
voxpelli stores a list of all his user's token endpoints
#
voxpelli
cweiske: if I were to have thousands of users of my endpoint, then it would probably be because I was running a small indieweb friendly social network or similar and then I would be in control of all those social network profiles as well
#
cweiske
and then queries all of them
#
aaronpk
oh that's bad...
#
aaronpk
because that means your'e sending tokens all over the place
#
cweiske
oooooooooh
#
cweiske
i haven't thought about that
#
cweiske
that's awesome
#
cweiske
free tokens for all!
#
cweiske
access to everyone's private admin accounts!
#
voxpelli
aaronpk: it's a list of trusted places to query – it's something that's hard coded into an environment variable
#
voxpelli
I'm sending a nuke to the server location right away – not
#
aaronpk
If it's hard coded then you haven't really made it work with arbitrary token endpoints
#
cweiske
but all generic micropub endpoints will have this problem
#
cweiske
they get a request with a token, but don't know which token server to query
#
voxpelli
aaronpk: it's an environemtn variable right now but could be loaded from the database just as well
#
voxpelli
well, they know which token services that are allowed to provide access, but they don't know which one of those a token is from if there are more than one
#
voxpelli
that issue comes from the fact that micropub has primarily been designed with a single user in mind – but if one has a multi-user site, then the problem will arise – especially if people of that multi-user site will log in with their personal sites
#
cweiske
so when mr. malicious X logs into such a generic micropub server, his token endpoint will be added to the list of potential token endpoints
#
cweiske
and thus will in future get all tokens handed to him
#
voxpelli
cweiske: the generic micropub server would give Mr X his own micropub endpoint
#
cweiske
that'd be a way to circumvent that issue indeed
#
voxpelli
and if Mr X doesn't add anyone else to his own micropub endpoint, then no other token endpoints than his will be checked for access
#
voxpelli
that's the way I do it
#
voxpelli
I do allow multiple identities to access my endpoints though – I support independent discovery of user identity and micropub destination
#
voxpelli
(which is a reason why token endpoint should be discoverable separately from the micropub one)
#
unrelenting.technology
edited /XML (+179) "security / defusedxml"
(view diff)
#
aaronpk
voxpelli: what do you mean "his own micropub endpoint"?
#
aaronpk
is that like example.com/username/micropub or something?
#
voxpelli
aaronpk: yes
#
aaronpk
what list of token endpoints do you check?
#
voxpelli
especially since a single identity can be used to publish to multiple destinations so every destination needs it's own endpoint
#
aaronpk
i'm not sure i understand
#
voxpelli
so basically a JSON array like: [{"endpoint":"https://tokens.indieauth.com/token","me":"http://micropub-test-blog.voxpelli.com/"}]
#
aaronpk
what happens when I log in and my token endpoint is https://aaronparecki.com/auth/token?
#
voxpelli
aaronpk: then I'll check your token against the ones configured for that specific endpoint and since the token isn't recognized by any of them it will fail
singpolyma joined the channel
#
aaronpk
voxpelli: i'm just confused about what the config file is for. you have to be discovering token endpoints dynamically
#
voxpelli
aaronpk: no, my endpoint isn't dynamic yet, this version is manually configured – in the future I will probably launch a dynamic hosted version that will discover token endpoints automatically and save to a db
#
voxpelli
people still have to self host and manually configure this version
#
aaronpk
ah okay
#
voxpelli
(and my main focus now with my little time is to complete that SWAT0 thing finally :P )
#
www.boffosocko.com
uploaded /File:Homebrew_Website_Club_LA_20160907.jpg "Chris Aldrich and Angelo Gladding at Homebrew Website Club Los Angeles"
#
rhiaro
hmm aaronpk: indieauth doesn't do discovery on auth endpoints with a HEAD first?
#
aaronpk
i thought it did?
#
rhiaro
If it is doing, it shouldn't be rejecting the response based on content type, should it?
#
rhiaro
I just got Unknown error retrieving http://rhiaro.co.uk/: The URL http://rhiaro.co.uk/ returned an invalid content-type: 'application/ld+json'
#
rhiaro
Which means indieauth.com either sent */* or no Accept header
#
aaronpk
it probably sent no accept header
#
rhiaro
but if it's just checking Link headers it shouldn't care what the content-type is?
#
aaronpk
true, could be bad defaults of the ruby http client
#
rhiaro
(and sending no accept header implies the same as */* if my http spec reading memory is correct, so rejecting anything I think is wrong)
#
rhiaro
or at least, dishonest
#
aaronpk
oh i remember, it doesn't do a HEAD request because most of the URLs it needs the body of the response anyway
#
aaronpk
(it doesn't know whether something is an authorization endpoint until after it checks)
#
aaronpk
derp i am wrong again
#
aaronpk
that is actually making a head request
cweiske joined the channel
#
cweiske
does micropub allow upload of multiple photos?
#
cweiske
http://micropub.net/draft/#uploading-files says that the name has to be "photo", and known fails with "photo[]" as name
#
Loqi
[Aaron Parecki] Micropub
#
voxpelli
I support multiple values for both "photo" and "photo[]": https://github.com/voxpelli/node-micropub-express/blob/master/index.js#L149
#
voxpelli
It should certainly be supported
#
cweiske
the spec certainly says nothing about it
#
voxpelli
"To specify multiple values for a property, such as multiple categories of an h-entry, use array bracket notation for the property name." – seems to be the generic suggestion?
#
cweiske
hm. yes.
#
cweiske
then it's a bug in known
#
martymcgui.re
edited /User:Martymcgui.re (+205) "/* Working On */ add notes about bridgy publish POSSE for wehavetoask.com"
(view diff)
#
cweiske
aaronpk, does micropub officially allow "photo[]" as file name?
#
aaronpk
yes, according to the sentence voxpelli quoted
#
cweiske
I wonder how to make curl cli tool to give a name to the uploaded file
#
aaronpk
good question. if you figure it out, plz document on /micropub
#
aaronpk
it'd be great to have a collection of curl commands there to use for testing
#
cweiske
aaronpk, shpub outputs a curl command when passing the --debug option
#
cweiske
verrry useful for debugging
#
voxpelli
cweiske: docs say: curl -F "file=@localfile;filename=nameinpost"
#
@jgmac1106
@dshanske @sdepolo Thanks. I have all plug-ins but need to tweak my theme a bit so webmentions display. Need to tweak Wordpress theme
(twitter.com/_/status/773912766159749120)
#
www.boffosocko.com
edited /Template:photosrcalt (+1) "fix alt text on photos which was not showing up"
(view diff)
gRegorLove joined the channel
#
cmal
is it safe to say the debate over TLS or plaintext will be over soon? https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
#
aaronpk
hopefully this helps encourage hosting providers to make SSL free and easy to enable without lots of work
#
cmal
I think it's going to happen anyway, or they're going to lose *a lot* of clients ^^
#
aaronpk
sure hope so!
#
cmal
yeah so we can finally stop having this plumbering argument and focus on how to implement proper security protocols on top of it (the necessity of TLS changes MUCH in this regard)
#
Loqi
Is HTTP Public Key Pinning Dead?
#
gRegorLove
aaronpk: Sent you a PR for indieweb/rel-me
#
aaronpk
ooh thanks
#
aaronpk
now i just gotta go figure out what was using it and update that
#
gRegorLove
Should be minor and not change most things, though maybe indieauth with weird capitalization of domain names.
#
gRegorLove
Learned to write the tests first. I'd actually written up code to find the t.co meta refresh and use that before I realized cURL was getting the 301 redirect already.
cmal joined the channel
#
cweiske.de
edited /Micropub (+245) "/* Adding Files */ curl file upload example"
(view diff)
#
www.boffosocko.com
edited /wikifying (+61) "/* See Also */ sparkline template how to"
(view diff)
AngeloGladding joined the channel
#
cweiske
who has a micropub endpoint that supports multiple images?
#
cweiske
could you the curl command?
#
www.boffosocko.com
edited /Getting_Started (+145) "link to wikifying oneself"
(view diff)
#
KevinMarks_
So, can we discuss the https issue in indiewebify.me and indieweb/rel-me?
#
KevinMarks_
I don't understand the specific objection to http/https redirection
#
gRegorLove
Not sure I understand it either
#
gRegorLove
Any security implications of using an http rel-me link in indieauth, maybe?
#
KevinMarks_
I don't think this should be a 400. If there is an issue, returning an explanatory string that we could show the user would be better
#
gRegorLove
Agreed, the 400 just seems like a shortcut for the simple AJAX. Would be better to make the AJAX more robust to handle different responses / warnings.
cweiske joined the channel
#
cweiske
some sites show which tool has been used to create the post. is this information transmitted through micropub? which property is used?
#
aaronpk
cweiske: I use the client_id for that
#
aaronpk
since the client ID is the URL of the app, I can fetch the app's h-card info to get the name and icon
#
cweiske.de
edited /Micropub (+162) "/* h-entry */ experimental properties"
(view diff)
#
cweiske
not via micropub then
#
cweiske
s/micropub/micropub properties/
#
aaronpk
right, when the client gets the token, the token is associated with the client_id at that point
#
aaronpk
so when the token is used, the server already knows which app it's for
#
voxpelli
that combined with https://indieweb.org/h-x-app = good data
AngeloGladding and cmal joined the channel
#
kevinmarks.com
uploaded /File:hwcsf.jpg "Homebrew Website Club SF 2016-09-07"
#
cweiske
the micropub "published" property - is it free-format, or is a certain format expected?
#
KevinMarks_
Cweiske published should be a datetime with timezone
#
KevinMarks_
Though normally you let the micropub receiver set it
tantek, KevinMarks_, KevinMarks and miklb joined the channel