#eli_oatOr, maybe link-backs is a better term, then POSSE
#eli_oatWhat I mean is when I cross post an image, for instance, it includes a link-back to Instagram. I just made a post on my site that includes a code snippet that I made into a gist, rather than embed the gist itself I include it as a link-back: https://eli.li/entry.php?id=20170614014000
#Loqi[eli] Currently, whenever I reply to or like a link the source URL displays. I've found a really sturdy way to parse content titles, but the performance is absolutely abysmal. Wicked wicked wicked slow. I think it may be something to do with how I'm invoki...
#petermolnar_I'm curious of the emoji hell keeps running will utf8 suffice in the coming years
#tantek.comedited /longevity (+113) "open data and longevity post from nearly 11 years ago, sort articles reverse chronological, cleanup author/by a bit" (view diff)
#petermolnarrandom thoughts: why is there no schedule for a h-event? is would that be nested h-events? and why doesn't Facebook have a schedule option already for events?
#[kevinmarks]Ah, I see. Well, there's nothing to stop you putting events inside events, but it may be a little confusing.
#[kevinmarks]We did try to mark up a session grid with the original hcalendar, but it needed to include venue by reference I think, which made markup and parsing hard.
#ZegnatI guess you could write parsing rules so that venue is implied from a parent h-event?
#ZegnatThat would get around duplicate information quiet nicely.
#petermolnaryeah, but there comes the problem of the venue of the schedule, eg. the main venue is "indie elementary school", schedule for "X" happening between "8am-9am" in "classroom A" which is a sub-venue of "indie elementary school" and suddenly I'm reimplementing schema.org
#[kevinmarks]You'd still need to wrap the parent h-events around the columns.
#[kevinmarks]Hm. So you have a parent h-event, with an h-card for each room, and make the sessions children of that h-card? That makes a kind of sense
#ZegnatNo parsing rules for col elements, [kevinmarks]? I guess not...
#[kevinmarks]It's tricky. An html table does make sense but it is not quite clear how to combine the thead info
#[kevinmarks]And you really want to pull the venue from the column header and the time from the row
#loqi.mecreated /LaTeX (+136) "prompted by petermolnar and dfn added by petermolnar" (view diff)
#eli_oatI'm not doing it that way, but have been curious about spam prevention. I've been toying with trying to rate-limit or IP limit the endpoint, but haven't come up with a solution, yet
#ZegnatI am building vouch into my new WM code, as well as private mentions, and was just wondering if I should implement pow too. Guess I’ll skip that.
#sknebelZegnat: what's puzzling about it? just the time constraint?
#sknebel(I have 1,5 concepts for private webmentions without the time limit floating around, but didn't yet get around to build even the most basic of prototypes)
#sebselah, and I send mentions for bookmarks as well, I see, although i am in doubt about that indeed
#sebselI really want to redo a lot of webmention stuff as well
#sknebelheh, me too. was one of the first things I wrote, and its creaking on failed assumptions
#sknebelmy verifications triggers almost immediately once a received mention has been queued, and I've thought about adding a priority queue for private webmentions for situations with higher load
#ZegnatOn my Swedish web hosting, where I am currently hosting my endpoint, I do not have enough server access to set something like that up. Best I can do is trigger a script once every 5 minutes.
#ZegnatI imagine many others on shared hosting would face similar problems.
#ZegnatAs the `code` I receive with a private webmention may only be available for 60 seconds, it is impossible for me to do private webmentions async
#sebselZegnat you can point vanderven.se/martijn/'s rel=webmention to licit.li/webmention, or where ever you want.
#sebselyou would lose your relative-url edge case however :P
#ben_thatmustbememay only be available for 60 seconds? that seems unreasonable
eli_oat joined the channel
#ZegnatI know. I could build it specifically to a server where I have more access. But that does not address the problem everyone else on shared hosting has, sknebel.
#ben_thatmustbemei normally process my webmentions on a several minute delay
#Zegnatben_thatmustbeme 60 seconds to 10 minutes is the timespan. But you do not decide that, the site issueing the code decides.
#ZegnatIt also will not tell you about the timespan, so you cannot order accordingly.
#ZegnatYes, but I want the first exchange to be async for all the reasons as I want async for the second exchange, sebsel. I am fetching an unknown payload from an external server.
#ben_thatmustbemebut as long as that is simple, then yeah, i can do that before i queue it
#sebselyou can discover the token endpoint by a HEAD request, so no need for big payloads
#sebselbut it need two queues yeah, one for token, one for the mention
#ZegnatI could see myself finding the token endpoint with the HEAD. No problem. But then I still need to exchange my code for a token, and that request is a normal POST with an unknown payload coming back
#sknebelat least it doesn't involve parsing content as sebsel noted
#ZegnatWho guarantees that the endpoint I am now fetching synchronously will be small, though, sknebel?
#ZegnatOr maybe I should limit private webmentions to whitelisted / vouched domains only.
#sknebelif you (all of you) want to help flesh out an alternative proposal say so, then I'll try to write something down about it in the next few days
#sknebel(doing verification with some type of /non-interactive IndieAuth , but there are some issues with identities for that)
eli_oat joined the channel
#sknebel(and of course the issue of non-interactive IndieAuth in general)
#ZegnatWould love to discuss, sknebel. I might skip private wm for now, it just doesn’t fit in with the flow I am trying to establish.
#sknebel(also, please add your concerns to /private-webmention if they aren't reflected already, or maybe add +1 to them to make it clearer people actually have an issue with them)
KevinMarks joined the channel
#ben_thatmustbemeZegnat: if you need any inspiration, i am doing everything in laravel now
#Zegnatben_thatmustbeme, why would I do anything async then? The entire point of doing verification async is to handle contacting external sources outside of the first request. Now I am going to have to fetch from an external source sync anyway?
#ben_thatmustbemei have not looked at the protocol, but is it actually polling the page, or the auth endpoint
#ben_thatmustbemeauth should be a lot faster, but i agree, ideally it should all be doable async
#ZegnatI get a code. I then have to HEAD the source to retrieve the token_endpoint URL (I could get behind allowing a HEAD request sync). Then I have to POST the code to the token_endpoint URL and get back an unknown payload (should be JSON containing auth info).
#ZegnatIf I am going to allow a POST to retrieve (and parse) an unknown payload sync, then I might as well allow normal WM verification sync.
#sebselI just talked with sknebel about it in DM, (for I am not sure if this is worth your time :P) and he disliked the point that every page has to have an AuthEndpoint then.
#Loqinon-interactive IndieAuth is a future way of using IndieAuth to authenticate/authorize services against other services, without a human user confirming things https://indieweb.org/non-interactive_IndieAuth
KevinMarks joined the channel
#sknebel(That's what I'd want to use, similar to sebsel s thing, but exact protocol and which identity exactly gets used to log in is open)
#sknebelReminds me, I wanted to read that IETF draft aaronpk recommended again
#ZegnatWhat is the difference then, sknebel? On one I expect valid JSON, on the other valid HTML, to be returned within as short amount of time as possible.
#ZegnatIn both cases, as the requester, I have no guarantees on exactly what I will get back.
#ZegnatThis is why I said I might still implement it, synchronously, but then only for whitelisted domains.
#ZegnatI would trust several people to adhere to the spec and quickly return a JSON body and nothing else. But to allow private webmentions from everyone?
#sknebelI'd be a lot more demanding towards the API when it comes to speed and size of response. But it still is fetching and parsing content, as you say. A stricter format than JSON would be easier for that
#sknebelThus: let's see if we can figure out something better
tantek and pfefferle joined the channel
#sknebelAaronpk : I think this time I understood the dialback oauth proposal. it seems more or less identical in function to the IndieAuth dance of fetching a page and looking for an auth endpoint? If you'd replace the host or web finger lookup with looking for a rel-link you'd basically have indieauth, minus he first step of entering the domain and getting redirected (which indeed could probably be skipped)
#LoqiA nicknames cache is a way indieweb sites store information about people to improve the user experience of the site owner referring, mention, and/or linking to those people https://indieweb.org/nickname_cache
#sebselfor those not in the call: we're discussing my new @-mentioning, and wether that should be a person-tag or just a mention. (so: mark it up with .u-category.h-card or not)
#sebselI'm now considering adding a syntax to explicitly tag someone vs just mentioning.
#snarfedre this morning's conversation on expiring webmention endpoints (Zegnat sebsel ben_thatmustbeme)...just as a reminder, bridgy currently caches them for up to 2h.
#aaronpki think i called alice's the auth endpoint, although it might be something different
#aaronpki try to avoid calling things tokens that aren't bearer tokens
#sknebelwhy does it directly talk to the token endpoint and not going through bobs auth endpoint? I guess I should wait for a text description bfore asking ;)
#aaronpkthe authorization endpoint is used when bob needs to be in front of his computer to confirm a request, and bob's browser is directed to bob's authorization endpoint. that doesn't really apply in this case at all.
#Zegnataaronpk, I think I got it now. Not very different from the private wm flow, but you can no longer send the temp code to an endpoint that doesn’t expect it? That’s the “fix”?
#tantek.comedited /tag-reply (+325) "move how to to brainstorming since no one does it yet, and add tag and fallback as a use-case that is perhaps more interesting / expected than tag and comment" (view diff)
#ZegnatE.g. a WordPress theme could have h-entry support that I do not touch. I can still hand-roll an event by embedding the h-event HTML inside my post body.
#aaronpkthe only way i can see to make that parsable as an h-event is if the uid property was in the h-event instead of h-entry
#Zegnathow about u-url for h-event matching the u-url for h-entry? “Representative event”, like with h-cards? (Obviously does not apply to my event post.)
#aaronpkI'm hesitant to start recommending this tho cause it's adding work to consumers
#ZegnatI am not a super big fan of uid property, tbh. url is so much better within web.
#gRegorLove+1 for removing "optionally they can be wrapped in h-entry"
#Zegnatthen we need to scrap it from the wiki, only allow root events. Current wording is a bit ambiguous and lets people like me break honest websites like sebsel’s ;)
#gRegorLoveGiven the option, some people will definitely do it and it will become more widespread
[kevinmarks] joined the channel
#gRegorLoveis working on sample markup to add there
#Loqi[sebsel] #42 Parse h-entry with embedded h-event as 'event'
#tantekZegnat: yes the page / post is supposed to just *be* an h-event
#ZegnatMy vote definitely goes to striking that sentence from the wiki then.
#tantekit was added when we were first developing events as an indieweb thing, and that was the fastest / easiest way to get WordPress folks being able to support it
#tantekbut in practice posting events using WordPress never took off anyway (nor RSVPs for that matter) so yeah, no need to bend over backwards for something that never took off
#Loqi[David Shanske] Description
Post Kinds adds support for responding to and interacting with other sites using the standards
developed by the IndieWeb by implementing
kinds of posts.
It can also distinguish certain types of passive posts in a manner similar to pos...
#tantek.comedited /event (-99) "drop h-entry parent option - it never saw any uptake in 4+ years; note at least Benwerd's site has h-event as the top item" (view diff)
#tantekgRegorLove: ok finally updated /event per discussion above
#tantekand noted explicitly that Benwerd's site does it right
#tantekcould use some help verifying the markup of the indie event post permalinks on other examples on https://indieweb.org/event#IndieWeb_Examples (like add a nested list item for each noting what type of markup it is using on the event permalink page - just h-event at the top, or contained in anything else)
#aaronpkit could be because of a webmention extension that indicates that, it could be that alice always fetches bob's home page with an authorization header when she start following bob, etc
#ZegnatHmm, yeah, guess it is out of scope for /server-indieauth. I was just mulling over in my head how I would get from receiving a webmention, to identifying it as private, then to the /server-indieauth flow.
#aaronpkfor private webmentions, i'd say the response of the initial verification request returning 401 along with the Link header would be sufficient
#ZegnatI think private webmentions is a great first place for implementing and testing out this flow. Though I am biased as I am working on wm code and do not like the current private wm flow.
#aaronpkyeah it's a solid use case for sure, but i also want to be able to have people fetch my home page with an access token and provide private posts in the feed for them
#sknebelIn indieauth, the thing called to verify the data is called auth endpoint, I'm not sure it's that much different?
#aaronpkyeah my thought with calling it auth endpoint was that it verifies short-lived codes
#aaronpkooh if you add another step between 4 & 5 then you could actually prompt the user out of band to approve the request
#sknebelI kind of want the webmention ebtpoint to be able to use its own identity, but thats a detail of the specific aplication of it for private WMs, not of this level
#aaronpkthat would let third-party apps use this flow as well
#aaronpkspeaking of that... i should compare this against the OAuth 2 Device Flow
#sknebel(Because the webmention endpoint acts sort of in place of a human, but it could be different users and it should only be permitted to do so in specific cases)
[kevinmarks] joined the channel
#sknebelWith replies, I'd kind of want to give access to the posts author (URL), but that could be on a different domain. Then what identity does the webmention endpoint use?
tantek joined the channel
#aaronpkthat's kind of where i was going with the oauth thing
#aaronpkessentially you give your webmention endpoint a way to authenticate as you
#aaronpkit's a relationship between your webmention endpoint and your authorization endpoint
#aaronpkif they're both in the same code base then of course you don't need a spec for it. but if it's like webmention.io and your site, then webmention.io would need a way to talk to your auth endpoint to be able to generate and use the auth codes
#sknebelThen multiple endpoints could still act interchangeably.
#sknebel(As in, if you post on an external site using wm.io, and have your own endpoint on your homepage, and I send you a homepage WM, then wm.io could (if it knew the URL) read that
#tantekGWG, I partially implemented events in /Falcon and then got interrupted
#Loqitantek: gRegorLove left you a message 1 hour, 52 minutes ago: Updated /event examples. Looks like only WordPress is the outlier with a an h-event inside h-entry
#Loqitantek: GWG left you a message 19 minutes ago: I never implemented events. I could someday
#GWGSame reason why it took me so long to do RSVPs
#tantekmakes sense, scratch your itchiest itch first!
#tantekinteresting the h-event discussion makes me think that it's bad for WP core to include anything "entry" in the markup, and that should be left up to themes with smart defaults in themese