#dev 2017-06-20

2017-06-20 UTC
Loqi_, ejd, dansup, sknebel and kants joined the channel
#
reitnauer.com
edited /Homebrew_Website_Club (+399) "/* Getting Started or Need Restarting */"
kline and eli_oat joined the channel
#
reitnauer.com
edited /Homebrew_Website_Club (+2) "/* Wellington */"
#
reitnauer.com
created /Template:Timo_Reitnauer (+51) "Created page with "Co-founder at [https://iwantmyname.com iwantmyname]""
gRegorLove and [miklb] joined the channel
#
reitnauer.com
created /User:Reitnauer.com (+51) "Created page with "Co-founder at [https://iwantmyname.com iwantmyname]""
dougbeal|mb1 joined the channel
eli_oat, j12t, gRegorLove and [miklb] joined the channel
#
GWG
[miklb]: May I bounce some thoughts off you?
#
[miklb]
absolutely!
#
GWG
Trying to figure out how to make the new microformats 2 plugin better
#
[miklb]
In what specific ways?
#
GWG
Well, for now, it is good enough
#
[miklb]
so what a thinkin’?
#
GWG
I wish it could do more
tantek joined the channel
#
[miklb]
the goal is to make a non mf2 theme have mf2 support. Is anything missing? Is there more that could be added to reach that goal?
#
www.boffosocko.com
edited /Posts_about_the_IndieWeb (+330) "IndieWebifying my website: part 1, the why & how"
#
GWG
Not with what can be done.
deathrow1, [sebsel], barpthewire, cweiske, KevinMarks, tantek, [kevinmarks], j12t_, gRegorLove_ and wagle joined the channel
#
strugee.net
edited /pump.io (-463) "Remove outdated mf2 issue"
KevinMarks, j12t and tommorris joined the channel
#
pfefferle
good morning
j12t joined the channel
#
GWG
Good morning, pfefferle
[kevinmarks] joined the channel
#
GWG
pfefferle: I did want to ask what you think would make wordpress-microformats-2 better.
#
pfefferle
GWG hey hey
#
pfefferle
GWG hmmm tough question... I am not sure if there is anything to make it better...
#
pfefferle
GWG the best way is to use a good theme, so the plugin will always be a bit hacky ;)
tantek, j12t and singpolyma joined the channel
#
Zegnat
Re: simple TOTP & password IndieAuth self-contained thingamabob, how about encrypting the TOTP secret with the user’s password? That way password isn’t stored on the server at all and TOTP secret is not stored in the clear. Any obvious drawbacks to that?
#
Zegnat
sknebel ^^^
#
sknebel
Zegnat: that works
j12t and barpthewire joined the channel
#
Zegnat
wants indieauth.rocks to have something to develop against :p
#
sknebel
what PHP versions are still common today?
#
Zegnat
Depends on who you ask. If you ask WordPress: all of them
#
sknebel
for this thing. for easy use, we probably shouldn't depend on uncommon external modules, so it'll have to make do with what php provides
#
Zegnat
https://wordpress.org/about/stats/ - 5.3 is still bigger than 7.0 for WordPress
#
Zegnat
Hmm, the library I use for TOTP doesn’t go lower than 5.5, so might have to find something else. https://github.com/Spomky-Labs/otphp/tree/v8.3.0
#
sknebel
reviews writing by paragonie.com
#
Zegnat
paragonie seem to have a totp lib too, but according to packagist also pinned to PHP 7
#
aaronpk
You can test against signing in to Telegraph
#
Zegnat
sknebel, maybe not worry about PHP version as step one, but get the flow working first? When we have a working thing that is easily deployable we can work backwards to support older PHP versions
#
Zegnat
I was going to test against the wiki, aaronpk. But could do Telegraph too :)
#
sknebel
Zegnat: sure, I just wanted to get a basic idea what libs and apis are useable
eli_oat joined the channel
#
sknebel
5.5 seems like a reasonable starting point, with password_hash being available
#
Zegnat
It looks like most of the [HT]OTP libs on packagist have all moved on to 7.0+, so it would require loading a lower version in almost all cases and hoping they backport fixes
#
Zegnat
Nice thing about encrypting the TOTP secret with password: no need for hashing algos in PHP, only encryption.
#
Zegnat
And AES encryption shouldn’t be too hard to access, I think
#
Zegnat
I wonder if we could package it as a PHAR so everything is contained in one file. Make it truly “drop this one file on your server, link to it, and use IndieAuth”.
#
sknebel
heh, I'd prefer to only use hashing if proper hashes are available, most encryption apis are a pain
#
Zegnat
defuse and paragonie made https://github.com/defuse/php-encryption which is fine to use in my experience. And PHP 5.4 compatible.
#
Loqi
[defuse] php-encryption: Simple Encryption in PHP.
#
Zegnat
I am not sure how I want to handle code validation yet though, I’d rather not end up storing codes
#
sknebel
signed codes
jonnybarnes joined the channel
#
Zegnat
signed codes does mean I end up having: 1) a password to protect, 2) a shared TOTP secret to protect, 3) a private signing key to protect.
#
Zegnat
But yeah, I see no other way either
#
Zegnat
1 & 2 can be combined by encrypting 2 with 1, as I previously stated. Still leaves the private signing key.
#
sknebel
those all have the same risk level, so there being multiple things doesn't make a difference
#
sknebel
wait, wrong, since password hash
#
sknebel
still, that's the way to go without a way to safely store temp data
#
Zegnat
Surely the private signing key has a higher risk level? It would allow any endpoint to create keys that my endpoint accepts. The other two only have value together, and only to login through my actual endpoint (which could theoretically also be IP whitelisted etc.etc.)
#
Zegnat
Oh, I am not disagreeing with you that signed codes are the way :) Just over-analysing
#
sknebel
yes, you are right, mentally ignored the hashing
#
Zegnat
to be honest, might as well store everything in the clear. The entire endpoint can only be as secure as the signing key storage, and the signing key must be stored in the clear...
#
Zegnat
<?php $identities['vanderven.se/martijn/'] = ['password'=>'letmein','shared_secret'=>'1234567890','private_key'=>'0987654321']; ?>
[miklb] joined the channel
#
[miklb]
I feel bad, I’ve lost a lot of my motivation for the theme I started after seeing all of the restrictions for the WordPress theme repo.
#
sknebel
what restrictions are that?
tantek joined the channel
#
sknebel
Zegnat: asymmetric signatures are an option, but maybe not for the first iteration then
#
sknebel
Loqi: WTF?
#
Zegnat
I think I have seen that Twitter account pop up here before. Seems to tweet a random collection of buzzwords followed by a link.
#
Zegnat
What problem do asymmetric signatures solve here?
#
tantek
yes that twitter looks like spam
#
tantek
!spammer @SocialMedia547
#
sknebel
Zegnat: allows signing only when knowing (password-protected) secret, verification possible without secret
#
sknebel
I don't think Loqi has a blacklist anymore
#
Zegnat
Alright, so you would be able to have your TOTP shared secret and your private signing key encrypted with the password and then a public key for verifying codes that are sent back.
#
Zegnat
I guess that would work.
#
sknebel
same for password-only mode (which also should be a step before TOTP)
#
Zegnat
Yes, this would be the same without TOTP, only difference is how much data is being stored encrypted
j12t joined the channel
#
Zegnat
I don’t know what asym libs are available to us though
#
[miklb]
sknebel well, I wanted to build a theme that was fully ready for the several IW WP plugins but you can’t require plugins with a theme, so I would have to write checks to see if each plugin was active and do a bunch of conditionals.
petermolnar joined the channel
#
sknebel
[miklb]: hm, understandable but annoying
#
ben_thatmustbeme
well, this was my train ride this morning, quite sure it doesn't work yet, but https://github.com/Inklings-io/selfauth
#
Loqi
[Inklings-io] selfauth: self-hosted auth_endpoint using simple login mechanism
#
ben_thatmustbeme
if anyone wants to take a look
#
Zegnat
I’ll have a look when D&D night is over
#
[miklb]
GWG when you have a few minutes, I’d like to discuss simple location a bit.
j12t, gRegorLove and [cleverdevil] joined the channel
#
sknebel
ben_thatmustbeme: somewhat-recent php has a bunch of default functions for hmacs and such that I'd try to use instead (any specific reason you went for md5 everywhere?). and a few other small things. how do you want to work on it? Give me/us (I guess Zegnat is interested as well) access, or do you want issues and PRs?
#
ben_thatmustbeme
either way, i'm fine giving whoever access
#
ben_thatmustbeme
i use md5 just as a proof of concept
#
ben_thatmustbeme
i am close to actually having it work
#
sknebel
assumed so
#
ben_thatmustbeme
figured get it working then improve from there
#
sknebel
well, then I'd like access (sknebel on github as well), and will look into it over the next few days
#
Zegnat
I’m in for improving definitely. (Zegnat on GitHub.)
#
Zegnat
should not read IRC and play D&D though, argh
#
sknebel
sorry for highlighting you, will stop
#
[miklb]
to quote snarfed “that way there be dragons”
eli_oat and j12t joined the channel
#
ben_thatmustbeme
sknebel, Zegnat, given write access to selfauth
#
ben_thatmustbeme
what is selfauth?
#
Loqi
It looks like we don't have a page for "selfauth" yet. Would you like to create it?
sgriffee joined the channel
#
ben_thatmustbeme
selfauth is a single user authorization endpoint written in php which is easy for anyone to get running https://github.com/inklings-io/selfauth
#
loqi.me
created /selfauth (+170) "prompted by ben_thatmustbeme and dfn added by ben_thatmustbeme"
#
Loqi
[Inklings-io] selfauth: self-hosted auth_endpoint using simple login mechanism
#
ben_thatmustbeme
selfauth << todo, support authorization as well as authentication. currently scope is ignored
#
Loqi
ok, I added "todo, support authorization as well as authentication. currently scope is ignored" to the "See Also" section of /selfauth
#
loqi.me
edited /selfauth (+102) "/* See Also */ new section"
sebsel joined the channel
#
sebsel
selfauth++ :D
#
Loqi
selfauth has 1 karma
jackjamieson and eli_oat joined the channel
#
GWG
miklb, what are you thinking?
jackjamieson and [miklb] joined the channel
#
[miklb]
GWG for one, trying to figure out where `$geodata['public']` is getting set
#
[miklb]
I switched to the master on micropub and a lot of stuff is working now that I thought was missing before. need to add the checkin post kind now.
#
[miklb]
pending 1.2 release I think
#
GWG
miklb, it is time, I agree
#
[miklb]
snarfed added checkin so I think so ?
#
GWG
miklb, the public issue was related to Chrisaldrich's complaint
#
[miklb]
which was?
#
jackjamieson.net
edited /IRC_People (+127) "/* Nicknames */"
KevinMarks joined the channel
#
GWG
Public by default
#
[miklb]
GWG so it’s private by default and only per-post setting? I couldn’t find an option anywhere to change to public by default.
#
ben_thatmustbeme
i'm pretty surprised how easy that was to write selfauth though
#
GWG
miklb, it is a variable. I need to enhance
#
GWG
Geodata specification states public by default
#
GWG
I will be doing some Simple Location fixes next
#
GWG
Possibly during the Summit
#
gRegorLove
I need to narrow down my list a bit and come up with something to work on at IWS.
#
gRegorLove
Been feeling a bit burnt out. Hopefully it will be an inspiring weekend, as it usually is.
j12t joined the channel
#
ben_thatmustbeme
what's on your list gRegorLove?
#
gRegorLove
Maybe I'll wrap up the new version of Webmention for ProcessWire
[chrisaldrich] joined the channel
#
kodfabrik.se
edited /2017/Leaders (+15) "/* Remote Participation */ Adding myself"
#
ben_thatmustbeme
gRegorLove: websub/push ++
#
gRegorLove
That one just means setting up a button in my UI to push my articles feed so I don't have to use command line curl
#
gRegorLove
That's a quick one
#
gRegorLove
With Salt not being able to make it, we now have more remote attendees for Leaders Summit than in-person :)
#
ben_thatmustbeme
also submitting implementation reports for websub
#
ben_thatmustbeme
that would be really good
#
voxpelli
is looking forward to Leaders Summit
[cleverdevil] joined the channel
#
gregorlove.com
edited /discuss (-67) "/* Email */ rephrase"
dansup_ joined the channel
#
gregorlove.com
edited /FAQ (+73) "s/IRC/chat/, links to /discuss instead of /IRC"
KevinMarks, KevinMarks_ and eli_oat joined the channel