#dev 2016-09-08

2016-09-08 UTC
singpolyma, cmal, KevinMarks and KevinMarks_ joined the channel
#
staceydepolo.com edited /events/2016-09-07-homebrew-website-club (+4) "/* San Francisco */" (view diff)
#
staceydepolo.com created /Template:StaceyDePolo (+40) "Created page with "[http://StaceyDePolo.com Stacey De Polo]"" (view diff)
loicm_, gRegorLove, miklb, AngeloGladding and loicm__ joined the channel
#
kevinmarks.com edited /events/2016-09-14-homebrew-website-club (+415) "/* Where */" (view diff)
#
kevinmarks.com edited /events/2016-09-14-homebrew-website-club (+77) "/* Nürnberg */" (view diff)
KevinMarks joined the channel
#
Zegnat KevinMarks, will you put The verify me extension on github?
cweiske, AngeloGladding and loicm__ joined the channel
#
KevinMarks Oh, sure. It's just the code from yesterday wrapped with a manifest
#
Zegnat Oh, alright, I thought you may have itterated on it, KevinMarks. I would like to see if it can be packaged for Firefox.
loicm__ joined the channel
#
freekurt.com edited /Known (+50) "/* IndieWeb Examples */" (view diff)
#
freekurt.com edited /2016/MIT/Guest_List (+285) "/* Participants */" (view diff)
#
freekurt.com edited /2016/MIT/Guest_List (+8) "/* Participants */" (view diff)
#
freekurt.com edited /2016/MIT/Guest_List (+49) "/* Participants */" (view diff)
KevinMarks_ joined the channel
#
freekurt.com edited /IRC_People (+128) "/* Nicknames */" (view diff)
#
freekurt.com created /User:Freekurt.com (+119) "Created page with "== Personal Domains == * https://freekurt.com/ (powered by [https://withknown.com]) ** Wiki user: [[User:Freekurt.com]]"" (view diff)
#
freekurt.com edited /User:Freekurt.com (-36) (view diff)
#
freekurt.com edited /2015/Cambridge/Guest_List (+19) "/* Participants */" (view diff)
#
freekurt.com edited /2015/Cambridge/Guest_List (+5) "/* Participants */" (view diff)
#
freekurt.com edited /2015/Cambridge/Guest_List (-10) "/* Participants */" (view diff)
#
freekurt.com edited /2015/Cambridge/Guest_List (-3) "/* Participants */" (view diff)
#
freekurt.com edited /2015/Cambridge/Guest_List (+16) "/* Participants */" (view diff)
#
@nndmlsvc @ipubme Hey, how can I enable Webmentions? Thanks. (twitter.com/_/status/773801564804878337)
gRegorLove and cmal joined the channel
#
gregorlove.com edited /next-hwc (+0) "next" (view diff)
#
gregorlove.com edited /Main_Page (+365) "/* Homebrew Website Club */ next two hwc" (view diff)
#
gregorlove.com edited /Template:Homebrew_Website_Club (+54) "+9/14 hwc" (view diff)
#
gregorlove.com edited /events/2016-09-21-homebrew-website-club (+410) "/* Where */ bellingham" (view diff)
#
gregorlove.com edited /events/2016-09-21-homebrew-website-club (+92) "/* Bellingham, WA */ rsvp, indie event" (view diff)
#
gregorlove.com edited /events/2016-09-21-homebrew-website-club (+2) "https urls" (view diff)
#
cweiske ben_thatmustbeme, I replied to https://ben.thatmustbe.me/note/2016/9/7/2/ but the comment is not showing up on your page
#
Loqi [Ben Roberts] Successful posting from the new app!
#
cweiske webmention endpoint says "200 OK" with no content
#
cweiske do you have to manually approve comments?
Zegnat joined the channel
#
GWG cweiske: Does the spec say you have to return content with a 200? I don't remember seeing that.
#
cweiske webmention spec says "Any 2xx response code must be considered a success.
#
cweiske "
#
GWG cweiske: Yes, but it doesn't say what constitutes a success.
#
GWG The receiver doesn't have to display it.
#
cweiske https://www.w3.org/TR/webmention/#sender-notifies-receiver
#
Loqi [Aaron Parecki] Webmention
#
GWG Just accept it.
#
cweiske I just wondered why a) it did not show up and b) was a 200 and not 204
#
GWG So, if someone manually approves comments, or just stores webmentions for statistical data, they would still return success.
#
GWG cweiske: I don't think 204 is appropriate
#
cweiske "204 No Content" is not appropriate for "all fine, but I have nothing to say"?
#
cweiske yes, 201 or 202 would be better
#
GWG I think there is no expectation by the sender that the receiver will display content.
#
GWG That is why 204 isn't appropriate.
#
cweiske I don't think the HTTP spec says anything about /expectations/
#
cweiske oh, it does
#
GWG I'm referring to the Webmention spec.
#
cweiske "However, folding of header lines is not expected by some applications"
#
cweiske "204 No Content: The server has fulfilled the request but there is no new information to send back."
#
GWG Again, still think that the webmention specification doesn't require new information sent back. It requires either to alert that it was accepted, or accepted but queued.
#
cweiske which is 201 or 202
#
GWG Exactly
#
cweiske so ben_thatmustbeme's 200 response is semantically incorrect
#
GWG cweiske: If ben_thatmustbeme is processing synchronously, then it would be correct according to the spec.
#
@WebDeveloper1 followers - … eswc2015 (11); sparql (11); profiles (10); advertising (10); webmention (10) … annotation (7); fe... http://futurewavewebdevelopment.com/triangle_news/2016/09/08/followers/ (twitter.com/_/status/773858972151508992)
#
@brucemwhealton followers - … eswc2015 (11); sparql (11); profiles (10); advertising (10); webmention (10) … annotation (7); fe... http://futurewavewebdevelopment.com/triangle_news/2016/09/08/followers/ (twitter.com/_/status/773860660115562496)
#
Zegnat I never bothered to check the HTTP headers on my own receiver. I should do that when I get home. My implantation should be giving 202, but I expect I am doing 200...
#
@familylineage followers - … eswc2015 (11); sparql (11); profiles (10); advertising (10); webmention (10) … annotation (7); fe... http://futurewavewebdevelopment.com/triangle_news/2016/09/08/followers/ (twitter.com/_/status/773869976210051073)
#
@familylineage followers - … eswc2015 (11); sparql (11); profiles (10); advertising (10); webmention (10) … annotation (7);... http://futurewavewebdevelopment.com/triangle_news/2016/09/08/followers/ (twitter.com/_/status/773870064852283392)
#
myfreeweb hey aaronpk please fix https://github.com/aaronpk/Quill/issues/54
#
voxpelli myfreeweb: if you have time for a PR, then that usually speeds things up. I guess a concern for aaronpk is also that there might be a need for some backwards compatibility
#
aaronpk I will have to think about the backwards compatibility of that. I've been doing those kinds of changes in quill with a backwards compatibility flag and a notice where you can opt in to the change when you're ready
#
aaronpk Oh dear my SSL cert expired a few minutes ago. For some reason my auto renew failed!
#
GWG Another glorious Indieweb day for all?
#
myfreeweb it's just weird that your client is not compliant with your spec
#
myfreeweb it's unlikely that anyone implemented an endpoint that only responds to GET /micropub with the config, but not GET /micropub?q=config
#
GWG The specification was still partially undefined when several implementations came out.
#
GWG It means that I am not sure what constitutes a reference implementation/client.
#
aaronpk oh! i wasn't using letsencrypt for my cert!
#
aaronpk there we go, fixed it and put it into the rotation
#
aaronpk yes, quill is meant to be a reference implementation but i am behind on it since i've been making faster progress on the micropub spec lately since it's been in the w3c
#
GWG aaronpk, I appreciate you. I do not think I am alone.
#
voxpelli myfreeweb: my endpoint is more likely to respond to /micropub than /micropub?q=config as it was constructed fairly early
#
myfreeweb aren't unknown query params usually ignored?
#
myfreeweb i guess it could check "q=" for other things and return an error for an unknown one though, yeah
#
voxpelli that's what mine does
#
GWG I think last night I figured out Indieauth for WordPress REST infrastructure
#
voxpelli https://github.com/voxpelli/node-micropub-express/blob/master/index.js#L328 and https://github.com/voxpelli/node-micropub-express/blob/master/index.js#L337
doesntgolf joined the channel
#
myfreeweb implemented mine according to the spec over a month ago. still can't post images.
#
cweiske myfreeweb, is your code public?
#
myfreeweb https://github.com/myfreeweb/sweetroll/blob/master/library/Sweetroll/Micropub/Endpoint.hs#L54
#
myfreeweb yeah i could make it work with a one line fix. but this is still incredibly frustrating. i want to follow the spec, not the client's implementation
#
voxpelli I'm happy that aaronpk has such a great client and that he values to stay compatible with us early adopters – everyone can write their own clients if they want or contribute to the ones that exists
#
voxpelli it's that atmosphere of mutual contributions that I find so appealing with the IndieWeb
#
ben_thatmustbeme cweiske: your comment was queued for approval as it wasn't whitelisted and didn't have a vouch
#
cweiske ok
#
voxpelli ben_thatmustbeme++
#
Loqi ben_thatmustbeme has 167 karma (1 in this channel)
#
voxpelli nice setup :)
#
cweiske nobody will vouch anonymous users :)
#
myfreeweb staying compatible with literally everything is how you become microsoft
#
cweiske so myfreeweb you have a media endpoint?
#
cweiske that's like the first I see
#
myfreeweb i haven't ever seen getting the config without ?q=config in the draft
#
ben_thatmustbeme also, it should have responded 202, not 200
#
myfreeweb yeah i have a media endpoint
#
cweiske apart from aaronpk's private one
#
myfreeweb yeah exactly
#
myfreeweb so i wonder who needs backwards compatibility for THAT
#
cweiske nobody.
#
aaronpk myfreeweb: normally what i do is i check my logs to see who is using a particular feature and if there are people then i will create a feature flag for the change and let them opt in to the change when ready
#
aaronpk new users get the new behavior by default
#
myfreeweb was the old media endpoint discovery behavior (no q=config) *ever* in the spec?
#
myfreeweb oh i guess you could also query *both* urls
#
aaronpk hm looks like the first w3c draft only had q=syndicate-to but didn't mention no q parameter
#
voxpelli there were talks about using no q as a way to verify log in success, but that warped into ?q=config
#
aaronpk checked some old versions of the spec before w3c
#
myfreeweb my endpoint returns auth info for no q
#
aaronpk looks like it never mentioned anything about a GET request to the endpoint with authentication and no query parameters
#
aaronpk looking at Quill, it actually expects all the config info to come back in a single request which is probably why I made my endpoint return both the syndicate-to list as well as the media endpoint on an empty GET request
#
aaronpk that is now described as q=config here https://www.w3.org/TR/micropub/#configuration
#
Loqi [Aaron Parecki] Micropub
#
myfreeweb yep and i put that on q=config
#
voxpelli such iterative evolving is key to the momentum – waiting for a full spec before implementations kills any momentum
#
cweiske I wonder why the media endpoint is in that config at all, and not at the same place as the micropub server link
#
aaronpk cweiske: that was a tricky one, I wasn't totally sure about which way to go with it
#
voxpelli as it's an instruction to the micropub client
#
aaronpk I figured that for the most part, the media endpoint is an implementation detail of the micropub endpoint, so users shouldn't be bothered with it
#
ben_thatmustbeme btw, cweiske, yeah, that tool isn't done yet, i was just testing its ability to post
#
aaronpk (assuming the user is at least aware of the html tags that go into their home page)
#
ben_thatmustbeme i have a lot of work still ahead of me
#
cweiske aaronpk, same could be said of the token endpoint
#
aaronpk yeah that is true
#
voxpelli token endpoint is connected to a domain identity, media endpoint is connected to a content destination
#
aaronpk really the user should only have to specify their authorization endpoint and their micropub endpoint
#
cweiske voxpelli, token endpoint is actually determined by the micropub endpoint
#
voxpelli cweiske: my micropub endpoint supports plenty of token endpoints
#
cweiske because the micropub endpoint has to verify the token against the token server, without knowing which user the token sent
#
cweiske voxpelli, then I'm curious how you determine which token endpoint to query
#
voxpelli cweiske: relevant code is here: https://github.com/voxpelli/node-micropub-express/blob/master/index.js#L194
#
cweiske you query all of them?
#
voxpelli yep
#
cweiske erm
#
cweiske wtf
#
cweiske aaronpk, that's a weak point in the spec
#
voxpelli if a token returns a valid "me" from any of the supported token endpoints, then success
#
cweiske I don't doubt that this works. it's just not good idea to have a spec that requires you to do this
#
voxpelli of course it wouldn't scale to thousands of users, but if I were to have thousands of users I would instead implement my own token endpoint
#
voxpelli I see no problem at all with doing what I'm doing
#
voxpelli and I don't think the spec is flawed because of it
#
cweiske voxpelli, then all people would be required to list your token endpoint on their page
#
aaronpk "all of them"?
#
cweiske voxpelli stores a list of all his user's token endpoints
#
voxpelli cweiske: if I were to have thousands of users of my endpoint, then it would probably be because I was running a small indieweb friendly social network or similar and then I would be in control of all those social network profiles as well
#
cweiske and then queries all of them
#
aaronpk oh that's bad...
#
aaronpk because that means your'e sending tokens all over the place
#
cweiske oooooooooh
#
cweiske i haven't thought about that
#
cweiske that's awesome
#
cweiske free tokens for all!
#
cweiske access to everyone's private admin accounts!
#
voxpelli aaronpk: it's a list of trusted places to query – it's something that's hard coded into an environment variable
#
voxpelli ...
#
voxpelli I'm sending a nuke to the server location right away – not
#
aaronpk If it's hard coded then you haven't really made it work with arbitrary token endpoints
#
cweiske but all generic micropub endpoints will have this problem
#
cweiske they get a request with a token, but don't know which token server to query
#
voxpelli aaronpk: it's an environemtn variable right now but could be loaded from the database just as well
#
voxpelli well, they know which token services that are allowed to provide access, but they don't know which one of those a token is from if there are more than one
#
voxpelli that issue comes from the fact that micropub has primarily been designed with a single user in mind – but if one has a multi-user site, then the problem will arise – especially if people of that multi-user site will log in with their personal sites
#
cweiske so when mr. malicious X logs into such a generic micropub server, his token endpoint will be added to the list of potential token endpoints
#
cweiske and thus will in future get all tokens handed to him
#
voxpelli cweiske: the generic micropub server would give Mr X his own micropub endpoint
#
cweiske that'd be a way to circumvent that issue indeed
#
voxpelli and if Mr X doesn't add anyone else to his own micropub endpoint, then no other token endpoints than his will be checked for access
#
voxpelli that's the way I do it
#
voxpelli I do allow multiple identities to access my endpoints though – I support independent discovery of user identity and micropub destination
#
voxpelli (which is a reason why token endpoint should be discoverable separately from the micropub one)
#
unrelenting.technology edited /XML (+179) "security / defusedxml" (view diff)
#
aaronpk voxpelli: what do you mean "his own micropub endpoint"?
#
aaronpk is that like example.com/username/micropub or something?
#
voxpelli aaronpk: yes
#
voxpelli in my case example.com/micropub/targetsite.dev https://github.com/voxpelli/webpage-micropub-to-github/blob/master/lib/main.js#L40
#
aaronpk what list of token endpoints do you check?
#
voxpelli especially since a single identity can be used to publish to multiple destinations so every destination needs it's own endpoint
#
voxpelli aaronpk: the advanced config can be found here: https://github.com/voxpelli/webpage-micropub-to-github/blob/master/sample.env#L15
#
aaronpk i'm not sure i understand
#
voxpelli so basically a JSON array like: [{"endpoint":"https://tokens.indieauth.com/token","me":"http://micropub-test-blog.voxpelli.com/"}]
#
aaronpk what happens when I log in and my token endpoint is https://aaronparecki.com/auth/token?
#
voxpelli aaronpk: then I'll check your token against the ones configured for that specific endpoint and since the token isn't recognized by any of them it will fail
singpolyma joined the channel
#
aaronpk voxpelli: i'm just confused about what the config file is for. you have to be discovering token endpoints dynamically
#
voxpelli aaronpk: no, my endpoint isn't dynamic yet, this version is manually configured – in the future I will probably launch a dynamic hosted version that will discover token endpoints automatically and save to a db
#
voxpelli people still have to self host and manually configure this version
#
aaronpk ah okay
#
voxpelli (and my main focus now with my little time is to complete that SWAT0 thing finally :P )
#
aaronpk fun
#
www.boffosocko.com uploaded /File:Homebrew_Website_Club_LA_20160907.jpg "Chris Aldrich and Angelo Gladding at Homebrew Website Club Los Angeles"
#
rhiaro hmm aaronpk: indieauth doesn't do discovery on auth endpoints with a HEAD first?
#
aaronpk i thought it did?
#
www.boffosocko.com edited /events/2016-09-07-homebrew-website-club (+54) "+LA Photo" (view diff)
#
rhiaro If it is doing, it shouldn't be rejecting the response based on content type, should it?
#
rhiaro I just got Unknown error retrieving http://rhiaro.co.uk/: The URL http://rhiaro.co.uk/ returned an invalid content-type: 'application/ld+json'
#
rhiaro Which means indieauth.com either sent */* or no Accept header
#
aaronpk it probably sent no accept header
#
rhiaro but if it's just checking Link headers it shouldn't care what the content-type is?
#
aaronparecki.com uploaded /Special:Log/upload "uploaded "[[File:2016-09-07-pdx-hwc.jpg]]""
#
aaronpk true, could be bad defaults of the ruby http client
#
rhiaro (and sending no accept header implies the same as */* if my http spec reading memory is correct, so rejecting anything I think is wrong)
#
rhiaro or at least, dishonest
#
aaronparecki.com edited /events/2016-09-07-homebrew-website-club (+165) "/* Photos */" (view diff)
#
aaronpk oh i remember, it doesn't do a HEAD request because most of the URLs it needs the body of the response anyway
#
aaronpk (it doesn't know whether something is an authorization endpoint until after it checks)
#
aaronpk derp i am wrong again
#
aaronpk https://github.com/aaronpk/IndieAuth.com/blob/master/lib/relparser.rb#L218
#
aaronpk that is actually making a head request
cweiske joined the channel
#
cweiske does micropub allow upload of multiple photos?
#
cweiske http://micropub.net/draft/#uploading-files says that the name has to be "photo", and known fails with "photo[]" as name
#
Loqi [Aaron Parecki] Micropub
#
voxpelli I support multiple values for both "photo" and "photo[]": https://github.com/voxpelli/node-micropub-express/blob/master/index.js#L149
#
voxpelli It should certainly be supported
#
cweiske the spec certainly says nothing about it
#
voxpelli "To specify multiple values for a property, such as multiple categories of an h-entry, use array bracket notation for the property name." – seems to be the generic suggestion?
#
cweiske hm. yes.
#
cweiske then it's a bug in known
#
martymcgui.re edited /User:Martymcgui.re (+205) "/* Working On */ add notes about bridgy publish POSSE for wehavetoask.com" (view diff)
#
cweiske aaronpk, does micropub officially allow "photo[]" as file name?
#
aaronpk yes, according to the sentence voxpelli quoted
#
cweiske ok
#
cweiske I wonder how to make curl cli tool to give a name to the uploaded file
#
aaronpk good question. if you figure it out, plz document on /micropub
#
aaronpk it'd be great to have a collection of curl commands there to use for testing
#
cweiske aaronpk, shpub outputs a curl command when passing the --debug option
#
aaronpk nice
#
cweiske verrry useful for debugging
#
voxpelli cweiske: docs say: curl -F "file=@localfile;filename=nameinpost"
#
@jgmac1106 @dshanske @sdepolo Thanks. I have all plug-ins but need to tweak my theme a bit so webmentions display. Need to tweak Wordpress theme (twitter.com/_/status/773912766159749120)
#
www.boffosocko.com edited /Template:photosrcalt (+1) "fix alt text on photos which was not showing up" (view diff)
gRegorLove joined the channel
#
cmal is it safe to say the debate over TLS or plaintext will be over soon? https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
#
aaronpk hopefully this helps encourage hosting providers to make SSL free and easy to enable without lots of work
#
cmal I think it's going to happen anyway, or they're going to lose *a lot* of clients ^^
#
aaronpk sure hope so!
#
cmal yeah so we can finally stop having this plumbering argument and focus on how to implement proper security protocols on top of it (the necessity of TLS changes MUCH in this regard)
#
gRegorLove This was an interesting read: https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
#
Loqi Is HTTP Public Key Pinning Dead?
#
cmal +1
#
gRegorLove aaronpk: Sent you a PR for indieweb/rel-me
#
aaronpk ooh thanks
#
aaronpk now i just gotta go figure out what was using it and update that
#
gRegorLove Should be minor and not change most things, though maybe indieauth with weird capitalization of domain names.
#
gRegorLove Learned to write the tests first. I'd actually written up code to find the t.co meta refresh and use that before I realized cURL was getting the 301 redirect already.
cmal joined the channel
#
cweiske.de edited /Micropub (+245) "/* Adding Files */ curl file upload example" (view diff)
#
www.boffosocko.com edited /wikifying (+61) "/* See Also */ sparkline template how to" (view diff)
AngeloGladding joined the channel
#
cweiske who has a micropub endpoint that supports multiple images?
#
cweiske could you the curl command?
#
www.boffosocko.com edited /Getting_Started (+145) "link to wikifying oneself" (view diff)
#
KevinMarks_ So, can we discuss the https issue in indiewebify.me and indieweb/rel-me?
#
KevinMarks_ https://github.com/indieweb/indiewebify-me/issues/54
#
KevinMarks_ I don't understand the specific objection to http/https redirection
#
gRegorLove Not sure I understand it either
#
gRegorLove Any security implications of using an http rel-me link in indieauth, maybe?
#
KevinMarks_ I don't think this should be a 400. If there is an issue, returning an explanatory string that we could show the user would be better
#
KevinMarks_ Aaronpk?
#
gRegorLove Agreed, the 400 just seems like a shortcut for the simple AJAX. Would be better to make the AJAX more robust to handle different responses / warnings.
cweiske joined the channel
#
cweiske some sites show which tool has been used to create the post. is this information transmitted through micropub? which property is used?
#
aaronpk cweiske: I use the client_id for that
#
aaronpk since the client ID is the URL of the app, I can fetch the app's h-card info to get the name and icon
#
cweiske.de edited /Micropub (+162) "/* h-entry */ experimental properties" (view diff)
#
cweiske ok
#
voxpelli cweiske: this client_id: https://indieweb.org/authorization-endpoint#Request
#
cweiske oh
#
cweiske not via micropub then
#
cweiske s/micropub/micropub properties/
#
aaronpk right, when the client gets the token, the token is associated with the client_id at that point
#
aaronpk so when the token is used, the server already knows which app it's for
#
voxpelli that combined with https://indieweb.org/h-x-app = good data
AngeloGladding and cmal joined the channel
#
kevinmarks.com edited /events/2016-09-07-homebrew-website-club (-130) "/* San Francisco */" (view diff)
#
kevinmarks.com edited /events/2016-09-14-homebrew-website-club (+155) "/* Silicon Valley */" (view diff)
#
kevinmarks.com uploaded /File:hwcsf.jpg "Homebrew Website Club SF 2016-09-07"
#
kevinmarks.com edited /events/2016-09-07-homebrew-website-club (+106) "add sf photo" (view diff)
#
kevinmarks.com edited /events/2016-09-14-homebrew-website-club (+48) "/* Silicon Valley */" (view diff)
#
cweiske the micropub "published" property - is it free-format, or is a certain format expected?
#
kevinmarks.com edited /events/2016-09-21-homebrew-website-club (+21) "/* Where */" (view diff)
#
kevinmarks.com edited /events/2016-09-21-homebrew-website-club (+68) "/* San Francisco */" (view diff)
#
kevinmarks.com edited /events/2016-09-21-homebrew-website-club (+51) "/* San Francisco */" (view diff)
#
KevinMarks_ Cweiske published should be a datetime with timezone
#
KevinMarks_ Though normally you let the micropub receiver set it
tantek, KevinMarks_, KevinMarks and miklb joined the channel