#dev 2017-09-25

2017-09-25 UTC
KartikPrabhu, tantek and renem joined the channel
#
loqi.me
edited /tinbox (+119) "tantek added "keep processing https://www.youtube.com/watch?v=ufBLI6bB9sg for adding to: [[Loqi#IndieWeb_x_Loqi_Dominate_the_Day]]" to "See Also""
[grantcodes] joined the channel
#
[grantcodes]
Ok so with micropub there's no option to send children outside of the properties like the microformats example? http://pin13.net/mf2/?url=https%3A%2F%2Faaronparecki.com%2F2017%2F03%2F11%2F6%2Fpdx-highball-week
#
[grantcodes]
Seems like it'll either need to be a custom property for now or maybe `featured` is appropriate
#
aaronpk
[grantcodes]: since JSON Micropub is just sending the mf2 JSON it would work fine. It's just that nobody has done it before so it hasn't been documented yet.
#
aaronpk
but it's definitely possible as far as the spec is concerned
#
aaronpk
(not possible with the simple form-encoded Micropub tho)
#
[grantcodes]
aaronpk yeah I tried that, I guess my micropub endpoint strips out everything that's not type or properties
#
aaronpk
Yeah it'll definitely take some special handling of Micropub endpoints
#
[grantcodes]
But the client works. Full gallery posting with photos uploaded via the media endpoint, even grabs exif data for name, published, and location.
#
aaronpk
k I'm gonna have to give this a try cause I've been wanting an interface for this
#
[grantcodes]
Then there will also be updating children on existing galleries, but I think the micropub update spec only supports updating properties?
#
[grantcodes]
I'll upload it tomorrow, it's just running locally just now. Needs plenty of work yet but it seems functional for me
#
aaronpk
Each photo in the gallery has its own URL tho so you can update that
#
[grantcodes]
Yeah but if you want to add a new photo
#
aaronpk
Oh gotcha
#
aaronpk
we'll have to figure it out
#
aaronpk
uncharted territory :-)
#
[grantcodes]
Yeah, at the moment I just have a property called collection with the array of urls
#
[grantcodes]
"properties": {
#
[grantcodes]
"collection": [
#
[grantcodes]
"https://grant.codes/2017/09/25/59c879a106b4a915f8d5f47c"
#
[grantcodes]
"https://grant.codes/2017/09/25/59c879a106b4a915f8d5f47a",
#
[grantcodes]
"name": [
#
[grantcodes]
"This is a test"
#
[grantcodes]
"type": [
#
[grantcodes]
"h-entry"
tantek, snarfed, barpthewire, [kevinmarks] and cweiske joined the channel
Kzzircuit and [kevinmarks] joined the channel
#
loqi.me
edited /static-site (+84) "[kevinmarks] added "https://davidea.st/articles/measuring-server-side-rendering-performance-is-tricky" to "See Also""
eli_oat, singpolyma, snarfed, [wordpress1992], blueyed, [kevinmarks], [keithjgrant], [miklb] and [grantcodes] joined the channel
#
[grantcodes]
Ok here's that photo gallery micropub client I'm working on: https://photo.postrchild.com/
#
[grantcodes]
Still mega buggy but will send the requests ok.
#
sknebel
Interesting that MP doesn't cover children, only nested properties.
#
sknebel
Not sure why nobody complained earlier, but i guess there aren't many use cases?
#
aaronpk
Oh I remember... at one point we were considering having the update syntax include "properties" as a key but for 99.9% of the use cases all that did was add an unnecessary level of nesting
#
aaronpk
to be clear, creating with Micropub has no problem with "children", it's just the update syntax that gets confusing
#
aaronpk
We'll have to add an explicit way to update the children property
#
sknebel
Oh, create works? Must have missed that while skimming the spec just now
#
aaronpk
it's not mentioned explicitly in the spec, but a create request is sending a microformats JSON object so it can include children
#
[grantcodes]
Yeah, super niche use case at the moment it seems
#
sknebel
Oh, ok
#
aaronpk
maybe i should write up a draft extension for updates
#
sknebel
And document explicitly that children are a thing
#
[grantcodes]
would something like this be valid?
#
[grantcodes]
type: ['h-entry'],
#
[grantcodes]
children: ['photourl', 'photourl2']
#
aaronpk
yeah that's the idea
#
[grantcodes]
It has no properties though which is strange
#
aaronpk
that's fine
#
aaronpk
most micropub endpoints already imply a couple properties, like "published" and "author"
#
[grantcodes]
Usually it will be sent with a name anyway
#
aaronpk
ah yeah
#
sknebel
Heh, I expect frantic patching of all the endpoints once people want to use this ;)
#
[grantcodes]
Ha doesn't even work with mine at the moment
#
sknebel
(If it's not tested in micropub.rocks it doesn't exist or something)
Kongaloosh joined the channel
#
aaronparecki.com
edited /Micropub-brainstorming (+3766) "brainstorming on micropub for collections"
#
aaronpk
including how to reorder items in a collection
rMdes_ joined the channel
#
[grantcodes]
Nice, I like it! I think I'll just keep on working on the publishing first. Now I need to get my site to support collections!
snarfed and tantek joined the channel
#
loqi.me
edited /lulz (+136) "tantek added "https://m.photofunia.com/effects/retro-wave for that 1980s / new wave look like the Homebrew Website Club header image on some events" to "See Also""
skippy joined the channel
#
sknebel
Lambda << [https://github.com/digital-sailors/iam-indieauth A IndieAuth to IAM bridge]
#
Loqi
ok, I added "[https://github.com/digital-sailors/iam-indieauth A IndieAuth to IAM bridge]" to the "See Also" section of /Lambda
#
loqi.me
edited /Lambda (+79) "sknebel added "[https://github.com/digital-sailors/iam-indieauth A IndieAuth to IAM bridge]" to "See Also""
#
Loqi
[digital-sailors] iam-indieauth: A IndieAuth to IAM bridge
#
skippy
interesting.
#
aaronpk
wait what awesome
#
sknebel
skippy: checked his public repos, didn't find anything indieweb related
#
sknebel
s/anything/anything else
#
skippy
that AerosolCMS looks pretty neat, if you don't mind going all-in on Amazon solutions.
snarfed and [keithjgrant] joined the channel
#
[keithjgrant]
Publishing Omnibear 0.5.3 to the Chrome web store. Includes big fixes when identifying h-entries on the page and fixes some permissions issues for non-Chrome browsers
#
[keithjgrant]
I should probably set up an official release notes page on the website
#
aaronpk
nice! publish a short blog post and send it to indienews! then it'll make it into the newsletter :)
#
Loqi
it is probable
[miklb] joined the channel
#
[miklb]
googles converting Chrome extensions to Safari
#
tantek
keithjgrant - is Omnibear compatible with the WebExtension spec - which is also implemented by Firefox?
#
tantek
largely similar to Chrome extensions, just more standardized
#
tantek
darn it's js;dr morning with the news
#
[keithjgrant]
I have it working in Firefox, but it got rejected from the Add-on store
#
[keithjgrant]
Webpack is adding `eval`s to the code, and I can't figure out how to get rid of them
#
[keithjgrant]
aaronpk I'll write something up :)
[grantcodes] joined the channel
#
[grantcodes]
keithjgrant I imagine the `eval` is something to do with the `webpack.optimize.UglifyJsPlugin` options
#
[grantcodes]
just a guess though
#
tantek
keithjgrant rejected? really? can you forward that to me? and the URL of your submission?
#
[grantcodes]
I need to have a look at it to see if I can get it to work in vivaldi as well, the new update still doesn't authenticate.
#
[keithjgrant]
Rejected for two issues: the evals coming out of webpack, and setting innerHTML, which I should be about to refactor away
#
tantek
!tell davidmead hey have you gotten any problems because of this too? http://www.bbc.com/news/uk-northern-ireland-41384829
#
Loqi
Ok, I'll tell them that when I see them next
#
@DavidMeadeLive
@Gareth_Mc And I had a day of death threats, my site crashed with traffic. Still getting hundreds of threatening messages to my site every day.
(twitter.com/_/status/911562198991982594)
#
tantek
do we have a page about the problems of identity, names, disambiguation, owning your name etc.?
#
tantek
note the indieweb aspect: "my site crashed with traffic. Still getting hundreds of threatening messages to my site every day"
#
tantek
"His website has been so inundated with traffic that it has crashed three times, something he said was a concern, as he has five employees."
KartikPrabhu and snarfed joined the channel
#
@rubygems
jekyll-webmention_io (2.8.4): This Gem includes a suite of tools for managing webmentions in Jekyll: * Tags *… https://rubygems.org/gems/jekyll-webmention_io
(twitter.com/_/status/912381624175689730)
#
loqi.me
created /microcast (+123) "prompted by GWG and dfn added by aaronpk"
John__, snarfed, tbbrown and tantek joined the channel
#
loqi.me
created /Steemit (+380) "prompted by tantek and dfn added by tantek"
tbbrown and snarfed joined the channel
#
tantek
tbbrown: do you know if there's an open source implementation of YubiKey support that you could add to your own server so it could act as indieauth itself rather than using indieauth.com?
#
tbbrown
i think i've seen open source libraries.
#
tantek
even via github is cool, but without github would be even cooler
#
tbbrown
this may be where i saw them: https://github.com/yubico
#
aaronpk
i've been looking for something like that. the API seems quite complicated
#
tantek
aaronpk: remember when you demo'd IndieAuth at TPAC in Portugal?
#
tantek
pretty sure this is the latest on that - re: FIDO etc.
#
tantek
I *think* the only API you need to know / use is not yubico, but rather, webauthn
#
tantek
what is webauthn
#
Loqi
It looks like we don't have a page for "webauthn" yet. Would you like to create it?
#
tantek
what is Web Authentication
#
Loqi
It looks like we don't have a page for "Web Authentication" yet. Would you like to create it?
#
tbbrown
yes. that's my understanding
#
tantek
(yeah they actually called it that)
#
aaronpk
every time i try to read that API it seems very complicated
#
tantek
Web Authentication is https://www.w3.org/TR/webauthn/ a W3C working draft for an API to access public key credentials, including for a browser, optionally with the use of a hardware key.
#
loqi.me
created /Web_Authentication (+213) "prompted by tantek and dfn added by tantek"
#
kaja.sknebel.net
edited /Web_Authentication (+1) "linkify ('… is <url>' pattern)"
#
Loqi
[Vijay Bharadwaj] W3C Web Authentication: An API for accessing Public Key Credentials Level 1 W3C Working Draft, 11 August 2017 This vers...
#
loqi.me
created /webauthn (+31) "prompted by tantek and dfn added by tantek"
#
tantek
tbbrown feel free to add to that ^^^
#
aaronpk
i'm kind of getting to the point of preferring to offload the complicated authentication stuff to services
#
tantek
oh boy
#
aaronpk
github, google, and amazon all do a great job of having a secure multifactor authentication system
#
snarfed
wp.com too
#
aaronpk
it's a *lot* of work to replicate all the features they have
#
tantek
so a couple of things
#
snarfed
aaronpk++
#
Loqi
aaronpk has 75 karma in this channel (1432 overall)
#
tantek
1 they have all (AFAIK) revoked *accounts* (not just sites) without explanation
#
tantek
2 they all (AFAIK) provide the option (if not *encouragement*!) to use SMS as a "factor" (sometimes 2-factor, often for account recovery) which is a pretty big security hole
#
tantek
anyone is welcome to disprove me on either of those points, would welcome it
#
snarfed
fortunately indieauth/relmeauth elegantly handles 1 just like indieweb by using domain as identifier and making migration easy
#
snarfed
ie "silos as plumbing"
#
snarfed
and 2, sure, many things *can* be configured insecurely. that's not a strong argument for avoiding them
#
tantek
snarfed, yes, that helps mitigate the dependency too - except if changing your site requires using one of those authns!
#
snarfed
sure! i don't think that was the proposal though
#
tantek
snarfed, the *encouragement* to use insecure SMS is terribly irresponsible.
#
tantek
beyond just "can be configured insecurely"
#
aaronpk
github provides SMS as a "fallback", but it's not really promoted
#
tantek
especially the SMS for account recovery. seriously WTF
#
snarfed
email/password + SMS is still meaningfully more secure for the average user than just email/password
#
snarfed
even if it's less secure than TOTP etc
#
tantek
I want a way to turn-off SMS as an option
#
aaronpk
looks like there's a new option on github too, "GitHub can store a recovery token with another provider."
#
aaronpk
so here's the thing about SMS
#
tantek
snarfed, I disagree about email/pw + SMS being "more secure" than just email/pw BECAUSE turning on that +SMS *also* turns on SMS account recovery
#
tantek
which, since defaults matter, makes your setup *less* secure
#
aaronpk
it's recently become apparent that it's insecure for many reasons, but at one point, it was seen as a good solution for 2-factor auth. many providers added it, and now some are demoting it or at least letting you opt out of it. the point is the security landscape is always changing, and I would rather trust someone whose business it is to handle authentication to keep up with those changes.
#
snarfed
tantek: sounds like you're talking about a specific service's details which i'm not familiar with
#
Loqi
[facebook] DelegatedRecoverySpecification: Allows an application to delegate the capability to recover an account to an account controlled by the same user or entity at a third party service provider.
#
snarfed
if you're talking about SMS account recovery *without* password, then yes, true
#
snarfed
i was thinking about SMS 2FA
#
tantek
snarfed, both apple and google *encourage* you to use cell# as SMS recovery when you add it
#
aaronpk
SMS recovery != SMS 2fa
#
snarfed
again, please elaborate. do you mean *without* password?
#
tantek
you can't talk about one without the other in practice
#
tantek
yes - seriously this was reported in NYT
#
tantek
aaronpk, see above about defaults
#
tantek
setup SMS 2fa = by default setup SMS recovery = normals get owned
#
snarfed
yeah that's not at all the standard in the industry
#
snarfed
even if some services do it
#
tantek
this is civil liability IMO IANAL on behalf of apple on google
#
snarfed
NYT is good journalism, but i don't always trust that fine details get precisely distinguished in mainstream media coverage
#
snarfed
(e.g. social eng vs SMS recovery vs SMS 2FA)
#
tantek
snarfed, this was reported in tech journalism 6-18 mo before NYT covered it
#
tantek
plus you can read the citations for yourself (from the NYT article etc.)
#
aaronpk
I still would rather let someone else handle keeping up to date with the best practices
#
snarfed
sure, ok. i still don't personally remember the details nearly as well as you, so i can't discuss those cases very well
#
aaronpk
because like i said, at one point, the industry considered SMS recovery a good idea
#
tantek
and yeah that was laughably crazy pants when introduced
#
tantek
exhibit A in "industry considered" = clueless
#
aaronpk
if you're saying i shouldn't trust anyone else to handle my authentication, then you're basically saying that I need to be constantly paying attention to what's the best way to secure accounts, keep up on all the new browser APIs for 2fa, etc etc
#
snarfed
right, this ^
#
tantek
I didn't say "anyone else" <- that's a strawman
#
snarfed
security is significantly harder to get right than just implementing web sites and other features. we have to be much more careful if we encourage people to roll it themselves, use smaller providers/implementations, etc
#
aaronpk
i gave github, google and amazon as examples, not as a complete list
#
tantek
I'm saying perhaps industry in general makes decent decisions, however because they've shown that from time to time they make totally idiotic decisions, yes you do need to keep up with what they do
#
tantek
snarfed, not disagreeing with that statement either
#
snarfed
great!
#
tantek
but we can give advice like: DO NOT use SMS for *anything* security related. Use an Authenticator app
#
snarfed
yes! which is good, and also orthogonal to whether you use a silo for auth
#
tantek
semi-orth
#
aaronpk
but also don't use an authenticator app as a primary factor, and don't use it for account recovery
#
tantek
not fully, and not in practice. because "silo for auth" puts you down a UX path where SMS is their offered path of least resistance with bad defaults
#
tantek
aaronpk: I know of ZERO examples of any system that allows auth app as primary or recovery
#
tantek
please feel free to provide something real world
#
aaronpk
right but if you're saying roll your own then that becomes a potential security risk
#
tantek
no need to warn people about things that don't exist
#
tantek
nowhere did I say "roll your own" - you're strawmanning again
#
tantek
not sure why you see this as that dichotomy
#
snarfed
the realistic alternative for auth is something like self hosted wordpress or known with email/password, which will get brute forced, or fall behind security updates and get hacked, because sysadminning is hard
#
snarfed
compared to that, i'd still probably choose to point people to silos, and also give them strong advice like tantek's
#
tantek
IMO there is no realistic non-dev / non-gen1 alternative for auth :(
#
tantek
and even for dev / gen1 - it's both hard, and yet to be built
#
tantek
hence why I started by asking questions
#
snarfed
i think we all agree!
#
tantek.com
edited /SMS (+95) "move citation to criticism / Insecure Account Recovery"
#
tantek.com
edited /SMS (+377) "bit more silo details"
EmreSoku_ joined the channel
#
tantek
Emre!
#
EmreSoku_
hey
#
tantek
hopefully I got the Turkish right on the IWC Istanbul page
#
EmreSoku_
:)
John__ joined the channel
#
tantek
also what's your opinion of Steemit?
#
EmreSoku_
I just checked one more time, it seems fine
#
EmreSoku_
I wrote a blog post about Steemit
#
tantek
oh! can you add it to /Steemit ?
#
Loqi
[Emre Sokullu] The problem with Steem (and all altcoins)
#
EmreSoku_
sure
#
tantek
that sounds familiar
#
EmreSoku_
what do you think about it?
#
tantek
I was wondering if anyone anyone knew was making any $ and if so how much?
#
tantek
also curious about their gamification (badges / achievements)
#
EmreSoku_
I don't think anyone is making yet :) Richard told me he got $20 **virtual** for one of his AltPlatform posts.
#
EmreSoku_
I don't really know how it works honestly, I'm still waiting for them to approve my membership request!?
#
tantek
very odd
#
tantek
definitely worth noting on /Steemit of what the application / membership process is
#
EmreSoku_
ok I'll share my experiences.
#
EmreSoku_
btw the Istanbul event may be livestreamed too, we'll know for sure tomorrow and I'll let you know.
#
tantek
great!
#
tantek
I'm bringing a second laptop to try to livestream at least part of IWC NYC
#
EmreSoku_
In regards to Steemit, I believe Reddit may also do something there. I mean, incentivizing their user base via cryptocurrency. Right now the content on steemit remains too niche, it seems, so there is an opportunity for Reddit to copy and make it big there.
#
www.boffosocko.com
edited /iTunes (+19) "playlist links"
#
tantek
Emre - the home page is both hilarious and a bit tabloid. I guess it goes to show what gets attention
#
emresokullu.com
edited /Steemit (+341) "added (1) information on the approval (2) negative reviews"
#
EmreSoku_
I agree :)
kl1n3 and kline joined the channel
#
tantek
does anyone have a good strategy for archiving individual pages from a MediaWiki install - i.e. assume you do not have backend access of any kind, all you have is a user account you can login, edit, etc.
#
tantek
so no don't say anything "SQL" or "DB" because it does not apply
#
aaronpk
i used spiderpig to flatten the old version of my site that was mediawiki
#
aaronpk
now it's all static HTML http://2012.aaronparecki.com/
#
Loqi
Aaron Parecki
#
tantek
aaronpk - did that capture historical versions of pages?
#
tantek
or just latest version?
#
aaronpk
just the latest
#
aaronpk
(spiderpig hates URLs with query strings)
#
tantek
what is spiderpig
#
Loqi
Spiderpig is a web crawler for archiving a website as static HTML files https://indieweb.org/Spiderpig
#
aaronpk
I'm still trying to find a solution for archiving a pbwiki including all past versions
#
tantek
is spiderpig in node?
#
snarfed
aaronpk pls give spiderpig a cookie for me
#
Loqi
hehe
#
tantek
starts filing issues
#
Loqi
[tantek] #7 clientside browser version of Spiderpig like as a WebExtension
#
aaronpk
that'd be pretty beat
#
tantek
right?
#
aaronpk
remember when "save webpage as" used to actually work?
kl1n3, kline, snarfed, KartikPrabhu and eli_oat joined the channel
#
aaronpk
snarfed: does bridgy publish look up the syndication URLs of the post being replied to and match up a twitter ID from that? e.g. if you were to reply to this post, would bridgy publish know to include my tweet ID of it in the twitter API request? https://aaronparecki.com/2017/09/22/9/
#
Loqi
[Aaron Parecki] Not sure if I've spoken more words to my cat or Alexa today. #workingfromhome
#
snarfed
aaronpk: yes!
#
aaronpk
wow fancy
#
snarfed
not a well known feature, always catches people off guard
#
aaronpk
snarfed++
#
Loqi
snarfed has 14 karma in this channel (300 overall)
#
aaronpk
nice. i looked there but didn't see that :)
#
aaronpk
i'm finally adding this to my own syndication code!
#
aaronpk
writes a bunch of code. holds breath before running it for the first time.
#
aaronpk
it worked!
#
aaronpk
i think i can tweetstorm now
#
snarfed
cool! is authoring any better than having to switch each reply on twitter?
#
aaronpk
i doubt it
#
aaronpk
actually this might not be bad
#
tantek
oh boy
#
tantek
anything like Noterlive?
#
aaronpk
no still way more clicks
#
tantek
presumably a micropub client?
#
aaronpk
just quill
#
tantek
o rly
#
aaronpk
quill -> type first note -> get redirected to my website -> click browser reply bookmarklet -> launches quill with reply URL filled -> type second note -> get redirected to my website
#
tantek
did my Known feature request issue help at all?
#
tantek
wait that sounds like using existing work
#
tantek
what "bunch of code" did you write?
#
aaronpk
i had to add code for matching up twitter URLs when syndicating
#
aaronpk
previously my site had no concept of syndication targets belonging to specific services
#
tantek
ohhhh
#
aaronpk
they are all just generic micropub endpoints
#
tantek
really curious how you solved that
#
tantek
short of hardcoding
#
tantek
and without reinventing WS-Deathstar