#dev 2016-09-13
2016-09-13 UTC
# gRegorLove petermolnar: I'm interested to learn more about the reflection attach you mentioned. Not sure I understand.
# gRegorLove In my implementation, if you send vouch=C and the domain of C isn't in my approved vouches list, it's rejected without crawling any other domains.
# gRegorLove The list of approved vouch domains can be updated manually, but also parses from a "following" page, e.g. http://gregorlove.com/following/
# gRegorLove You can point the plugin to any "following" page and it parses the URLs from the h-cards, so in theory could point it to some shared list
# gRegorLove s/attach/attack/
# gRegorLove (This is also when "require vouch" option is on. It's not on at the moment for my site.)
# gRegorLove It's part of the ProcessWire Webmention plugin, not a standalone library. I based it on ben_thatmustbeme's open source code.
doesntgolf joined the channel
# gRegorLove barely tries? I don't follow
# gRegorLove Yep
# gRegorLove I think /Vouch purposefully doesn't lay out exactly how you decide if a vouch URL is valid or not. Many approaches to it. https://indieweb.org/Vouch#How_do_I_verify_a_vouch
# gRegorLove Double check the FAQs on there; I think it addresses most things, but we can certainly add new ones.
# @kwlug And now @andrew_s_cant demonstrates the principles of #webmentions, used in blog comments, for example (twitter.com/_/status/775487402110574592)
# @kwlug And now @andrew_s_cant demonstrates the principles of #webmentions, used in blog comments, for example (twitter.com/_/status/775488416918142976)
# gRegorLove "verify the vouch" means a) Does the vouch URL link to the source domain, as the webmention sender claims.
# gRegorLove b) Do I trust the vouch URL?
# gRegorLove Doesn't require parsing a specific format.
# gRegorLove I don't understand the problem
# gRegorLove I think https://indieweb.org/spam#Spam_Prevention is the main other place on the wiki discussing other anti-spam options in general
# ben_thatmustbeme looks up
# ben_thatmustbeme yay, more vouch
# gRegorLove But /Vouch has been the main proposal/implementation specific to webmention.
# cmal so for instance if your webmention endpoint is open (no vouching) as it is, I can just send you a comment that's going to be displayed on your site with a link to a third site under my control ; from there, I can send spammy spam to all people trusting you to vouch people by just linking to the article I commented on?
# gRegorLove Re: XFN, for me I don't use it because I haven't seen a use-case for consuming it. My "following" page is primarily for internal purposes: my plugin parses h-cards for the whitelist.
# ben_thatmustbeme cmal regarding what you said, "i can just send spammy spam to all people trusting you to vouch people" that's not always a published list. I publish it, but I don't know that anyone else does.
# gRegorLove Heh, yeah
# ben_thatmustbeme also true, xfn is modeling much more than is needed for indieweb's uses
# gRegorLove cmal: Thinking through your example, it's valid. I don't know how one would get a list of "all the people trusting [gregorlove.com] to vouch", though. Presumably if they started seeing a lot of spam get through with my domain as a vouch, they'd remove my domain as a vouch.
# gRegorLove Which is some moderation work on their part, yes, but (I think?) less than moderating un-vouched spam.
# ben_thatmustbeme yes, but it's still a huge improvement on open webmentions, it significantly increases the difficulty of attacks, (you can to scan websites for all interactions) and even then you may not get anywhere as not everyone will accept vouches and will moderate
# gRegorLove Vouch is less of a vector for DDOS than without Vouch, right? Am I missing something?
# ben_thatmustbeme also, following and accepting vouches from are two VERY different things
# gRegorLove I didn't take it as criticism, just trying to better understand :)
# ben_thatmustbeme i just like debating
# gRegorLove No you don't
# gRegorLove :D
# ben_thatmustbeme "Look I was looking for an argument" "OH, this is abuse! Arguments is down the hall"
# ben_thatmustbeme Anyway, it is true that if someone comments on aaron's site and he displays it, they would be able to automatically get a spam post on my site as well. but I would later notice the spam, delete it, and then look at where the vouch came from
# ben_thatmustbeme it offers me an obvious recourse on how to stop that. "I can't trust aaron to not have spam, so i guess he's off my whitelist for now"
# ben_thatmustbeme I'm willing to bet a lot of sites will get moderation by default pretty quickly after the first attack though
# gRegorLove Part of the reason we're working on and thinking about Vouch now is that it's solid when Webmention is more widely supported.
# ben_thatmustbeme indeed
# gRegorLove So it's not an "off-by-default" thing
# gRegorLove It's only off-by-default in my ProcessWire plugin because I know of 3 sites using vouch :)
# gRegorLove I think a WordPress plugin should definitely be on-by-default
# cmal mapping the IndieWeb social graph, identifying open webmention endpoints, just having one meaningful (hence inoffensive-looking) comment there (or just a reshare, as it would usually be enough to get a link to my site)… with a proper VM I'm sure this script could run throughout the whole Indieweb in a matter of hours
# ben_thatmustbeme well there are thousands and thousands of known installs that don't connect to each other
# ben_thatmustbeme so i don't think anyone could ever get the "whole indieweb"
# ben_thatmustbeme if you mean the core group, i'll save you time https://indieweb.org/irc-people
# gRegorLove Yeah, no comments needed, just add yourself there :)
# gRegorLove pre-emptively blacklists cmal.
# gRegorLove jk
# ben_thatmustbeme (although i don't accept indieweb.org as a whitelist vouch)
# ben_thatmustbeme tries to remember who used the "anonymous" post site
# gRegorLove cweiske?
# ben_thatmustbeme ended up removing the comment because of it
# ben_thatmustbeme yeah
# ben_thatmustbeme oh, and there is one other thing, no comments on my site will act as a vouch
# ben_thatmustbeme i tag them all rel=nofollow
# ben_thatmustbeme it's only if I actually reply to the commenter that they can use me as a springboard for spamming the network
# ben_thatmustbeme i believe many others do as well
# ben_thatmustbeme feel free to expand on the reason for it
# ben_thatmustbeme cool
# gRegorLove I seem to recall tantek making a case against using nofollow on links, but I don't remember exactly what they were.
# ben_thatmustbeme tantek was making that case i believe yes. rel=nofollow has been pretty much pointless in practice
# gRegorLove Do you send/receive webmentions currently cmal, or waiting to work through these issues?
# ben_thatmustbeme it would really just be repurposing something that has not been too useful
# gRegorLove Just double-checked and mine won't accept a nofollow link as a vouch either.
# gRegorLove Hah, unixcorn. Love it.
# cmal it's a free-price hosting cooperative, still very new and small, also the blog is not really finished yet (almost finished to implement on https://nimportequoi.unixcorn.org , microformats2 are not everywhere just yet)
# ben_thatmustbeme woo, i think all the functionality of my new app is done, well, i should probably retest posting from it
# ben_thatmustbeme but then it's just a TON of UI work to do
# ben_thatmustbeme yep
# ben_thatmustbeme replacing mobilepub
# ben_thatmustbeme success. but not for categories
# ben_thatmustbeme hmm
# ben_thatmustbeme oh, duh, my website was using category as a comma separated list.... good thing i can change that in the configs on the new app
# ben_thatmustbeme i went a bit overboard in configs
# ben_thatmustbeme OH, i'm still missing one part functionality wise
# ben_thatmustbeme adding new fields
# ben_thatmustbeme gah
# ben_thatmustbeme GWG. Yes though I believe I made a few modifications for my setup. Been a while since one touched that code
tantek, KevinMarks_, AngeloGladding, KevinMarks, KevinMarks__, cweiske and loicm_ joined the channel
# KevinMarks__ Zegnat - what language are you implementing in?
# KevinMarks__ Ah right, I wasn't sure if you were making something server side
# KevinMarks__ I don't know the fetch api well enough to advise. Does it let you get called back on 301/302?
# Zegnat On http://epeus.blogspot.com/ the extension finds 3 rel-me links. It will then have to do a fetch for each one to resolve it. And somehow I would like to exit that process as soon as one of them resolved to the URL I am looking for (ie. http://www.kevinmarks.com/)
# KevinMarks__ Reading docs, there is a manual redirect mode, which is on by default in chrome now.
# KevinMarks__ The spec says request has a url list of the redirected ones
# Loqi A reply (or comment) is a kind of post that is a text (typically, though photos are possible too) response to some other post, that makes little or no sense without reading or at least knowing the context of the source post https://indieweb.org/reply
# cweiske.de created /Category:PostType (+58) "Created page with "Types of posts that [[Micropub]] and/or software supports.""
# KevinMarks__ If you have a list of promises, can't you cancel the incomplete ones?
cmal joined the channel
# petermolnar right. I recreated my formerly PHP standalone webmention receiver in python with background processes for parsing - I should have switched languages for this a _long_ while ago
# petermolnar I don't need queues this way
# petermolnar but I'm really not going to show this yet, my Python is caveman style for now :D
# KevinMarks__ Zegnat, having read lots of discussion about fetch and cancellable promises, I see what you mean. I'd suggest that you don't put them all in flight at once, but start the next fetch once the first has completed so you don't use up all the client's http resources.
# KevinMarks__ Also, given you only want the redirect chain, see if you can use HEAD first as that should let you resolve the redirects without fetching data
# voxpelli aaronpk: on Micropub feedback – has anyone looked at or discussed the https://github.com/w3c/Micropub/issues/33 ?
singpolyma joined the channel
doesntgolf joined the channel
# @WendyandCharles ReadersGazette: BLOG Indie Author Answers by Jim Heskett http://www.thejugglingauthor.com/indieauth/ Get help writing your book #bookbloggers 70 (twitter.com/_/status/775426321883230208)
bear, miklb, j4y_funabashi, tantek and cweiske joined the channel
cweiske joined the channel
kants_, AngeloGladding, rascul, KevinMarks__, cweiske, Zegnat, tommorris, kline, tonious, sknebel, myfreeweb, singpolyma, rhiaro, bnvk_, ben_thatmustbeme, tantek, bear, GWG, petermolnar, plindner, j4y_funabashi, cmal, aaronpk, bret, voxpelli and gRegorLove joined the channel
# tantek !tell cweiske thanks for the ping on https://github.com/w3c/Micropub/issues/48 - followed up on that and the related h-entry issue with hopefully a sufficient explanation. Likely worthy of an FAQ.
# gRegorLove Was anyone running queries against micropub endpoints today, about 8:50AM Pacific? I got a log (and found a bug)
# gRegorLove Hoping it was someone here
# gRegorLove Cool. Thanks
# gRegorLove What's the preferred micropub response to ?q= if it's not supported?
j4y_funabashi and aaronpk joined the channel
# gRegorLove aaronpk: Thanks, I'll read up on it.
# gRegorLove My logging is incomplete; did you just query with ?q=q or send an access token?
# AngeloGladding hey aaronpk -- wondering if rel=pgpkey support was removed from IndieAuth or if I'm doing something wrong
# AngeloGladding /security/pgp/keys/133D0563643FADBF.asc
# AngeloGladding This is not a supported authentication provider.
# AngeloGladding that's one of my IndieAuth bullet points after a re-scan
# AngeloGladding it has a `rel="me pgpkey"`
# AngeloGladding tried `.pub` and `.pgp`
# AngeloGladding oh it isn't currently fetchable..
# AngeloGladding that's probably going to be it
# AngeloGladding and of course that was it!
# AngeloGladding sorry to bother
# AngeloGladding *works beautifully*
# loqi.me created /no-follow (+21) "prompted by KartikPrabhu and dfn added by gRegorLove"
# loqi.me created /rel-nofollow (+21) "prompted by gRegorLove and dfn added by gRegorLove"
thebaer and tantek joined the channel