#dev 2017-09-25

2017-09-25 UTC
KartikPrabhu, tantek and renem joined the channel
#
loqi.me edited /tinbox (+119) "tantek added "keep processing https://www.youtube.com/watch?v=ufBLI6bB9sg for adding to: [[Loqi#IndieWeb_x_Loqi_Dominate_the_Day]]" to "See Also"" (view diff)
#
@tomwiththeweath I wrote up "IndieAuth with Yubikey" http://herestomwiththeweather.com/2017/09/24/indieauth-with-yubikey/ #indieweb (twitter.com/_/status/912149845946839040)
[grantcodes] joined the channel
#
[grantcodes] Ok so with micropub there's no option to send to send children outside of the properties like the microformats example? http://pin13.net/mf2/?url=https%3A%2F%2Faaronparecki.com%2F2017%2F03%2F11%2F6%2Fpdx-highball-week
#
[grantcodes] Seems like it'll either need to be a custom property for now or maybe `featured` is appropriate
#
aaronpk [grantcodes]: since JSON Micropub is just sending the mf2 JSON it would work fine. It's just that nobody has done it before so it hasn't been documented yet ?
#
aaronpk but it's definitely possible as far as the spec is concerned
#
aaronpk (not possible with the simple form-encoded Micropub tho)
#
[grantcodes] aaronpk yeah I tried that, I guess my micropub endpoint strips out everything that's not type or properties
#
aaronpk Yeah it'll definitely take some special handling of Micropub endpoints
#
[grantcodes] But the client works ? Full gallery posting with photos uploaded via the media endpoint, even grabs exif data for name, published, and location.
#
aaronpk wow
#
aaronpk k I'm gonna have to give this a try cause I've been wanting an interface for this
#
[grantcodes] Then there will also be updating children on existing galleries, but I think the micropub update spec only supports updating properties?
#
[grantcodes] I'll upload it tomorrow, it's just running locally just now. Needs plenty of work yet but it seems functional for me
#
aaronpk Each photo in the galllery has its own URL tho so you can update that
#
[grantcodes] Yeah but if you want to add a new photo
#
aaronpk Oh gotcha
#
aaronpk we'll have to figure it out
#
aaronpk uncharted territory :-)
#
[grantcodes] Yeah, at the moment I just have a property called collection with the array of urls
#
[grantcodes] ```
#
[grantcodes] properties": {
#
[grantcodes] "collection": [
#
[grantcodes] "https://grant.codes/2017/09/25/59c879a106b4a915f8d5f47c"
#
[grantcodes] "https://grant.codes/2017/09/25/59c879a106b4a915f8d5f47a",
#
[grantcodes] ],
#
[grantcodes] "name": [
#
[grantcodes] "This is a test"
#
[grantcodes] ]
#
Loqi [Grant Richmond] events-dark-bg.png https://grant.codes/media/2017/09/25/events-dark-bg.png
#
Loqi [Grant Richmond] email-dark-bg.png https://grant.codes/media/2017/09/25/email-dark-bg.png
#
[grantcodes] },
#
[grantcodes] "type": [
#
[grantcodes] "h-entry"
#
[grantcodes] ]
#
[grantcodes] ```
tantek, snarfed, barpthewire, [kevinmarks] and cweiske joined the channel
#
@nhoizey C’est quand même cool, les webmentions ! +@edasfr https://nicolas-hoizey.com/2015/06/les-cartes-de-visite-moo-sont-parfaites-pour-les-photographes.html#webmentions (twitter.com/_/status/912230082697203712)
Kzzircuit and [kevinmarks] joined the channel
#
loqi.me edited /static-site (+84) "[kevinmarks] added "https://davidea.st/articles/measuring-server-side-rendering-performance-is-tricky" to "See Also"" (view diff)
eli_oat, singpolyma, snarfed, [wordpress1992], blueyed, [kevinmarks], [keithjgrant], [miklb] and [grantcodes] joined the channel
#
[grantcodes] Ok here's that photo gallery micropub client I'm working on: https://photo.postrchild.com/
#
[grantcodes] Still mega buggy but will send the requests ok.
#
sknebel Interesting that MP doesn't cover children, only nested properties.
#
sknebel Not sure why nobody complained earlier, but i guess there aren't many use cases?
#
aaronpk Oh I remember... at one point we were considering having the update syntax include "properties" as a key but for 99.9% of the use cases all that did was add an unnecessary level of nesting
#
aaronpk to be clear, creating with Micropub has no problem with "children", it's just the update syntax that gets confusing
#
aaronpk We'll have to add an explicit way to update the children property
#
sknebel Oh, create works? Must have missed that while skimming the spec just now
#
aaronpk it's not mentioned explicitly in the spec, but a create request is sending a microformats JSON object so it can include children
#
[grantcodes] Yeah, super niche use case at the moment it seems
#
sknebel Oh, ok
#
aaronpk maybe i should write up a draft extension for updates
#
sknebel And document explicitly that children are a thing
#
[grantcodes] would something like this be valid?
#
[grantcodes] ```
#
[grantcodes] type: ['h-entry'],
#
[grantcodes] children: ['photourl', 'photourl2']
#
[grantcodes] {
#
[grantcodes] }
#
[grantcodes] ```
#
aaronpk yeah that's the idea
#
[grantcodes] It has no properties though which is strange
#
aaronpk that's fine
#
[grantcodes] cool
#
aaronpk most micropub endpoints already imply a couple properties, like "published" and "author"
#
[grantcodes] Usually it will be sent with a name anyway
#
aaronpk ah yeah
#
sknebel Heh, I expect frantic patching of all the endpoints once people want to use this ;)
#
[grantcodes] Ha doesn't even work with mine at the moment
#
sknebel (If it's not tested in micropub.rocks it doesn't exist or something)
Kongaloosh joined the channel
#
aaronparecki.com edited /Micropub-brainstorming (+3766) "brainstorming on micropub for collections" (view diff)
#
aaronpk alright here's some thoughts on that https://indieweb.org/Micropub-brainstorming#Collections
#
aaronpk including how to reorder items in a collection
rMdes_ joined the channel
#
[grantcodes] Nice, I like it! I think I'll just keep on working on the publishing first ? Now I need to get my site to support collections!
snarfed and tantek joined the channel
#
loqi.me edited /lulz (+136) "tantek added "https://m.photofunia.com/effects/retro-wave for that 1980s / new wave look like the Homebrew Website Club header image on some events" to "See Also"" (view diff)
skippy joined the channel
#
sknebel Lambda << [https://github.com/digital-sailors/iam-indieauth A IndieAuth to IAM bridge]
#
Loqi ok, I added "[https://github.com/digital-sailors/iam-indieauth A IndieAuth to IAM bridge]" to the "See Also" section of /Lambda
#
loqi.me edited /Lambda (+79) "sknebel added "[https://github.com/digital-sailors/iam-indieauth A IndieAuth to IAM bridge]" to "See Also"" (view diff)
#
Loqi [digital-sailors] iam-indieauth: A IndieAuth to IAM bridge
#
skippy interesting.
#
aaronpk wait what awesome
#
sknebel skippy: checked his public repos, didn't find anything indieweb related
#
sknebel s/anything/anything else
#
skippy that AerosolCMS looks pretty neat, if you don't mind going all-in on Amazon solutions.
#
skippy https://aerosolcms.com/
snarfed and [keithjgrant] joined the channel
#
[keithjgrant] Publishing Omnibear 0.5.3 to the Chrome web store. Includes big fixes when identifying h-entries on the page and fixes some permissions issues for non-Chrome browsers
#
[keithjgrant] I should probably set up an official release notes page on the website
#
aaronpk nice! publish a short blog post and send it to indienews! then it'll make it into the newsletter :)
#
Loqi it is probable
[miklb] joined the channel
#
[miklb] googles converting Chrome extensions to Safari
#
tantek keithjgrant - is Omnibear compatible with the WebExtension spec - which is also implemented by Firefox?
#
tantek largely similar to Chrome extensions, just more standardized
#
tantek darn it's js;dr morning with the news
#
[keithjgrant] I have it working in Firefox, but it got rejected from the Add-on store
#
[keithjgrant] Webpack is adding `eval`s to the code, and I can't figure out how to get rid of them
#
[keithjgrant] aaronpk I'll write something up :)
[grantcodes] joined the channel
#
[grantcodes] keithjgrant I imagine the `eval` is something to do with the `webpack.optimize.UglifyJsPlugin` options
#
[grantcodes] just a guess though
#
tantek keithjgrant rejected? really? can you forward that to me? and the URL of your submission?
#
[grantcodes] I need to have a look at it to see if I can get it to work in vivaldi as well, the new update still doesn't authenticate.
#
[keithjgrant] https://addons.mozilla.org/en-US/developers/addon/omnibear
#
[keithjgrant] Rejected for two issues: the evals coming out of webpack, and setting innerHTML, which I should be about to refactor away
#
[keithjgrant] *able to
#
tantek !tell davidmead hey have you gotten any problems because of this too? http://www.bbc.com/news/uk-northern-ireland-41384829
#
Loqi Ok, I'll tell them that when I see them next
#
tantek !tell davidmead like this: https://twitter.com/DavidMeadeLive/status/911562198991982594
#
Loqi Ok, I'll tell them that when I see them next
#
@DavidMeadeLive @Gareth_Mc And I had a day of death threats, my site crashed with traffic. Still getting hundreds of threatening messages to my site every day. (twitter.com/_/status/911562198991982594)
#
tantek do we have a page about the problems of identity, names, disambiguation, owning your name etc.?
#
tantek note the indieweb aspect: "my site crashed with traffic. Still getting hundreds of threatening messages to my site every day"
#
tantek "His website has been so inundated with traffic that it has crashed three times, something he said was a concern, as he has five employees."
KartikPrabhu and snarfed joined the channel
#
@rubygems jekyll-webmention_io (2.8.4): This Gem includes a suite of tools for managing webmentions in Jekyll: * Tags *… https://rubygems.org/gems/jekyll-webmention_io (twitter.com/_/status/912381624175689730)
#
loqi.me created /microcast (+123) "prompted by GWG and dfn added by aaronpk" (view diff)
John__, snarfed, tbbrown and tantek joined the channel
#
loqi.me created /Steemit (+380) "prompted by tantek and dfn added by tantek" (view diff)
tbbrown and snarfed joined the channel
#
tantek tbbrown: do you know if there's an open source implementation of ubikey support that you could add to your own server so it could act as indieauth itself rather than using indieauth.com?
#
tbbrown i think i've seen open source libraries.
#
tantek even via github is cool, but without github would be even cooler
#
tbbrown this may be where i saw them: https://github.com/yubico
#
aaronpk i've been looking for something like that. the API seems quite complicated
#
tantek aaronpk: remember when you demo'd IndieAuth at TPAC in Portugal?
#
tantek pretty sure this is the latest on that - re: FIDO etc.
#
aaronpk yea!
#
tantek I *think* the only API you need to know / use is not yubico, but rather, webauthn
#
tantek hmm
#
tantek what is webauthn
#
Loqi It looks like we don't have a page for "webauthn" yet. Would you like to create it?_
#
tantek what is Web Authentication
#
Loqi It looks like we don't have a page for "Web Authentication" yet. Would you like to create it?
#
tbbrown yes. that's my understanding
#
tantek (yeah they actually called it that)
#
aaronpk every time i try to read that API it seems very complicated
#
tantek Web Authentication is https://www.w3.org/TR/webauthn/ a W3C working draft for an API to access public key credentials, including for a browser, optionally with the use of a hardware key.
#
loqi.me created /Web_Authentication (+213) "prompted by tantek and dfn added by tantek" (view diff)
#
Loqi ok
#
kaja.sknebel.net edited /Web_Authentication (+1) "linkify ('… is <url>' pattern)" (view diff)
#
Loqi [Vijay Bharadwaj] W3C Web Authentication: An API for accessing Public Key Credentials Level 1 W3C Working Draft, 11 August 2017 This vers...
#
tantek webauthn is [[Web Authentication]]
#
Loqi ok
#
loqi.me created /webauthn (+31) "prompted by tantek and dfn added by tantek" (view diff)
#
tantek tbbrown feel free to add to that ^^^
#
aaronpk i'm kind of getting to the point of preferring to offload the complicated authentication stuff to services
#
tantek oh boy
#
aaronpk github, google, and amazon all do a great job of having a secure multifactor authentication system
#
snarfed wp.com too
#
aaronpk it's a *lot* of work to replicate all the features they have
#
tantek so a couple of things
#
snarfed aaronpk++
#
Loqi aaronpk has 75 karma in this channel (1432 overall)
#
tantek 1 they have all (AFAIK) revoked *accounts* (not just sites) without explanation
#
tantek 2 they all (AFAIK) provide the option (if not *encouragement*!) to use SMS as a "factor" (sometimes 2-factor, often for account recovery) which is pretty big security hole
#
tantek anyone is welcome to disprove me on either of those points, would welcome it
#
snarfed fortunately indieauth/relmeauth elegantly handles 1 just like indieweb by using domain as identifier and making migration easy
#
snarfed ie "silos as plumbing"
#
snarfed and 2, sure, many things *can* be configured insecurely. that's not a strong argument for avoiding them
#
tantek snarfed, yes, that helps mitigate the dependency too - except if changing your site requires using one of those authns!
#
snarfed sure! i don't think that was the proposal though
#
tantek snarfed, the *encouragement* to use insecure SMS is terribly irresponsible.
#
tantek beyond just "can be configured insecurely"
#
aaronpk github provides SMS as a "fallback", but it's not really promoted
#
tantek especially the SMS for account recover. seriously WTF
#
snarfed email/password + SMS is still meaningfully more secure for the average user than just email/password
#
snarfed even if it's less secure than TOTP etc
#
tantek I want a way to turn-off SMS as an option
#
aaronpk looks like there's a new option on github too, "GitHub can store a recovery token with another provider."
#
aaronpk so here's the thing about SMS
#
tantek snarfed, I disagree about email/pw + SMS being "more secure" than just email/pw BECAUSE turning on that +SMS *also* turns on SMS account recovery
#
tantek which, since defaults matter, makes your setup *less* secure
#
aaronpk it's recently become apparent that it's insecure for many reasons, but at one point, it was seen as a good solution for 2-factor auth. many providers added it, and now some are demoting it or at least letting you opt out of it. the point is the security landscape is always changing, and I would rather trust someone whose business it is to handle authentication to keep up with those changes.
#
snarfed tantek: sounds like you're talking about a specific service details which i'm not familiar with
#
tbbrown the recovery token may be this: https://github.com/facebook/DelegatedRecoverySpecification
#
Loqi [facebook] DelegatedRecoverySpecification: Allows an application to delegate the capability to recover an account to an account controlled by the same user or entity at a third party service provider.
#
snarfed if you're talking about SMS account recovery *without* password, then yes, true
#
snarfed i was thinking about SMS 2FA
#
tantek snarfed, both apple and google *encourage* you to use cell# as SMS recovery when you add it
#
aaronpk SMS recovery != SMS 2fa
#
snarfed again, please elaborate. do you mean *without* password?
#
tantek you can't talk about one without the other in practice
#
tantek yes - seriously this was reported in NYT
#
tantek aaronpk, see above about defaults
#
tantek setup SMS 2fa = by default setup SMS recovery = normals get owned
#
snarfed yeah that's not at all the standard in the industry
#
snarfed even if some services do it
#
tantek this is civil liability IMO IANAL on behalf of apple on google
#
snarfed NYT is good journalism, but i don't always trust that fine details get precisely distinguished in mainstream media coverage
#
snarfed (e.g. social eng vs SMS recovery vs SMS 2FA)
#
tantek snarfed, this was reported in tech journalism 6-18 mo before NYT covered it
#
tantek plus you can read the citations for yourself (from the NYT article etc.)
#
aaronpk I still would rather let someone else handle keeping up to date with the best practices
#
snarfed sure, ok. i still don't personally remember the details nearly as well as you, so i can't discuss those cases very well
#
aaronpk because like i said, at one point, the industry considered SMS recovery a good idea
#
tantek and yeah that was laughably crazy pants when introduced
#
tantek exhibit in A in "industry considered" = clueless
#
aaronpk if you're saying i shouldn't trust anyone else to handle my authentication, then you're basically saying that I need to be constantly paying attention to what's the best way to secure accounts, keep up on all the new browser APIs for 2fa, etc etc
#
snarfed right, this ^
#
tantek I didn't say "anyone else" <- that's a strawman
#
snarfed security is significantly harder to get right than just implementing web sites and other features. we have to be much more careful if we encourage people to roll it themselves, use smaller providers/implementations, etc
#
aaronpk i gave github, google and amazon as examples, not as a complete list
#
tantek I'm saying perhaps industry in general makes decent decisions, however because they've shown that time to time they make totally idiotic decision, yes you do need to keep up with what they do
#
tantek snarfed, not disagreeing with that statement either
#
snarfed great!
#
tantek but we can give advice like: DO NOT use SMS for *anything* security related. Use an Authenticator app
#
snarfed yes! which is good, and also orthogonal to whether you use a silo for auth
#
tantek semi-orth
#
aaronpk but also don't use an authenticator app as a primary factor, and don't use it for account recovery
#
tantek not fully, and not in practice. because "silo for auth" puts you down a UX path where SMS is their offered path of least resistance with bad defaults
#
tantek aaronpk: I know of ZERO examples of any system that allows auth app as primary or recovery
#
tantek please feel free to provide something real world
#
aaronpk right but if you're saying roll your own then that becomes a potential security risk
#
tantek no need to warn people about things that don't exist
#
tantek nowhere did I say "roll your own" - you're strawmanning again
#
tantek not sure why you see this as that dichotomy
#
snarfed the realistic alternative for auth is something like self hosted wordpress or known with email/password, which will get brute forced, or fall behind security updates and get hacked, because sysadminning is hard
#
snarfed compared to that, i'd still probably choose to point people to silos, and also give them strong advice like tantek's
#
tantek IMO there is no realistic non-dev / non-gen1 alternative for auth :(
#
tantek and even for dev / gen1 - it's both hard, and yet to be built
#
tantek hence why I started by asking questions
#
snarfed i think we all agree!
#
tantek.com edited /SMS (+95) "move citation to criticism / Insecure Account Recovery" (view diff)
#
tantek.com edited /SMS (+377) "bit more silo details" (view diff)
EmreSoku_ joined the channel
#
tantek Emre!
#
EmreSoku_ hey
#
tantek hopefully I got the Turkish right on the IWC Istanbul page
#
EmreSoku_ :)
John__ joined the channel
#
tantek also what's your opinion of Steemit?
#
EmreSoku_ I just checked one more time, it seems fine
#
EmreSoku_ I wrote a blog post about Steemit
#
tantek oh! can you add it to /Steemit ?
#
EmreSoku_ here it is; http://altplatform.org/2017/07/24/the-problem-with-steem-and-all-altcoins/
#
Loqi [Emre Sokullu] The problem with Steem (and all altcoins)
#
EmreSoku_ sure
#
tantek that sounds familiar
#
EmreSoku_ what do you think about it?
#
tantek I was wondering if anyone anyone knew was making any $ and if so how much?
#
tantek also curious about their gamification (badges / achievements)
#
EmreSoku_ I don't think anyone is making yet :) Richard told me he got $20 **virtual** for one of his AltPlatform posts.
#
EmreSoku_ I don't really know how it works honestly, I'm still waiting for them to approve my membership request!?
#
tantek very odd
#
tantek definitely worth noting on /Steemit of what the application / membership process is
#
EmreSoku_ ok I'll share my experiences.
#
EmreSoku_ btw the Istanbul event may be livestreamed too, we'll know for sure tomorrow and I'll let you know.
#
tantek great!
#
tantek I'm bringing a second laptop to try to livestream at least part of IWC NYC
#
EmreSoku_ In regards to Steemit, I believe Reddit may also do something there. I mean, incentivizing their user base via cryptocurrency. Right now the content on steemit remains too niche, it seems, so there is an opportunity for Reddit to copy and make it big there.
#
www.boffosocko.com edited /iTunes (+19) "playlist links" (view diff)
#
tantek Emre - the home page is both hilarious and a bit tabloid. I guess it goes to show what gets attention
#
emresokullu.com edited /Steemit (+341) "added (1) information on the approval (2) negative reviews" (view diff)
#
EmreSoku_ I agree :)
kl1n3 and kline joined the channel
#
tantek does anyone have a good strategy for archiving individual pages from a MediaWiki install - i.e. assume you do not have backend access of any kind, all you have is a user account you can login, edit, etc.
#
tantek so no don't say anything "SQL" or "DB" because it does not apply
#
aaronpk i used spiderpig to flatten the old version of my site that was mediawiki
#
aaronpk now it's all static HTML http://2012.aaronparecki.com/
#
Loqi Aaron Parecki
#
tantek aaronpk - did that capture historical versions of pages?
#
tantek or just latest version?
#
aaronpk just the latest
#
tantek ok
#
aaronpk (spiderpig hates URLs with query strings)
#
tantek what is spiderpig
#
Loqi Spiderpig is a web crawler for archiving a website as static HTML files https://indieweb.org/Spiderpig
#
aaronpk I'm still trying to find a solution for archiving a pbwiki including all past versions
#
tantek yeah
#
tantek is spiderpig in node?
#
aaronpk it is
#
snarfed aaronpk pls give spiderpig a cookie for me
#
snarfed has fun/horrible memories of http://www.indiemap.org/docs.html#exceptions
#
aaronpk haha
#
Loqi hehe
#
tantek starts filing issues
#
tantek really wants https://github.com/aaronpk/spiderpig/issues/7
#
Loqi [tantek] #7 clientside browser version of Spiderpig like as a WebExtension
#
aaronpk that'd be pretty beat
#
aaronpk neat
#
tantek right?
#
aaronpk remember when "save webpage as" used to actually work?
kl1n3, kline, snarfed, KartikPrabhu and eli_oat joined the channel
#
aaronpk snarfed: does bridgy publish look up the syndication URLs of the post being replied to and match up a twitter ID from that? e.g. if you were to reply to this post, would bridgy publish know to include my tweet ID of it in the twitter API request? https://aaronparecki.com/2017/09/22/9/
#
Loqi [Aaron Parecki] Not sure if I've spoken more words to my cat or Alexa today. #workingfromhome
#
snarfed aaronpk: yes!
#
aaronpk wow fancy
#
snarfed not a well known feature, always catches people off guard
#
aaronpk snarfed++
#
Loqi snarfed has 14 karma in this channel (300 overall)
#
snarfed https://brid.gy/about#reply
#
aaronpk nice. i looked there but didn't see that :)
#
aaronpk i'm finally adding this to my own syndication code!
#
snarfed cool!
#
aaronpk writes a bunch of code. holds breath before running it for the first time.
#
aaronpk it worked!
#
schmarty ?
#
aaronpk i think i can tweetstorm now
#
snarfed cool! is authoring any better than having to switch each reply on twitter?
#
aaronpk i doubt it
#
aaronpk actually this might not be bad
#
tantek oh boy
#
tantek anything like Noterlive?
#
aaronpk no still way more clicks
#
tantek presumably a micropub client?
#
aaronpk just quill
#
tantek o rly
#
aaronpk quill -> type first note -> get redirected to my website -> click browser reply bookmarklet -> launches quill with reply URL filled -> type second note -> get redirected to my website
#
tantek did my Known feature request issue help at all?
#
tantek wait that sounds like using existing work
#
tantek what "bunch of code" did you write?
#
aaronpk i had to add code for matching up twitter URLs when syndicating
#
aaronpk previously my site had no concept of syndication targets belonging to specific services
#
tantek ohhhh
#
aaronpk they are all just generic micropub endpoints
#
tantek really curious how you solved that
#
tantek short of hardcoding
#
tantek and without reinventing WS-Deathstar
#
tantek :)