#[grantcodes]Seems like it'll either need to be a custom property for now or maybe `featured` is appropriate
#aaronpk[grantcodes]: since JSON Micropub is just sending the mf2 JSON it would work fine. It's just that nobody has done it before so it hasn't been documented yet
#aaronpkbut it's definitely possible as far as the spec is concerned
#aaronpk(not possible with the simple form-encoded Micropub tho)
#[grantcodes]aaronpk yeah I tried that, I guess my micropub endpoint strips out everything that's not type or properties
#aaronpkYeah it'll definitely take some special handling of Micropub endpoints
#[grantcodes]But the client works. Full gallery posting with photos uploaded via the media endpoint, even grabs exif data for name, published, and location.
#[grantcodes]Still mega buggy but will send the requests ok.
#sknebelInteresting that MP doesn't cover children, only nested properties.
#sknebelNot sure why nobody complained earlier, but i guess there aren't many use cases?
#aaronpkOh I remember... at one point we were considering having the update syntax include "properties" as a key but for 99.9% of the use cases all that did was add an unnecessary level of nesting
#aaronpkto be clear, creating with Micropub has no problem with "children", it's just the update syntax that gets confusing
#aaronpkWe'll have to add an explicit way to update the children property
#sknebelOh, create works? Must have missed that while skimming the spec just now
#aaronpkit's not mentioned explicitly in the spec, but a create request is sending a microformats JSON object so it can include children
#[grantcodes]Yeah, super niche use case at the moment it seems
#aaronpkincluding how to reorder items in a collection
rMdes_ joined the channel
#[grantcodes]Nice, I like it! I think I'll just keep on working on the publishing first. Now I need to get my site to support collections!
snarfed and tantek joined the channel
#loqi.meedited /lulz (+136) "tantek added "https://m.photofunia.com/effects/retro-wave for that 1980s / new wave look like the Homebrew Website Club header image on some events" to "See Also""
#[keithjgrant]Publishing Omnibear 0.5.3 to the Chrome web store. Includes big fixes when identifying h-entries on the page and fixes some permissions issues for non-Chrome browsers
#[keithjgrant]I should probably set up an official release notes page on the website
#aaronpknice! publish a short blog post and send it to indienews! then it'll make it into the newsletter :)
#tantektbbrown: do you know if there's an open source implementation of YubiKey support that you could add to your own server so it could act as indieauth itself rather than using indieauth.com?
#aaronpkevery time i try to read that API it seems very complicated
#tantekWeb Authentication is https://www.w3.org/TR/webauthn/ a W3C working draft for an API to access public key credentials, including for a browser, optionally with the use of a hardware key.
#Loqiaaronpk has 75 karma in this channel (1432 overall)
#tantek1 they have all (AFAIK) revoked *accounts* (not just sites) without explanation
#tantek2 they all (AFAIK) provide the option (if not *encouragement*!) to use SMS as a "factor" (sometimes 2-factor, often for account recovery) which is a pretty big security hole
#tantekanyone is welcome to disprove me on either of those points, would welcome it
#snarfedfortunately indieauth/relmeauth elegantly handles 1 just like indieweb by using domain as identifier and making migration easy
#tanteksnarfed, I disagree about email/pw + SMS being "more secure" than just email/pw BECAUSE turning on that +SMS *also* turns on SMS account recovery
#tantekwhich, since defaults matter, makes your setup *less* secure
#aaronpkit's recently become apparent that it's insecure for many reasons, but at one point, it was seen as a good solution for 2-factor auth. many providers added it, and now some are demoting it or at least letting you opt out of it. the point is the security landscape is always changing, and I would rather trust someone whose business it is to handle authentication to keep up with those changes.
#snarfedtantek: sounds like you're talking about a specific service's details which i'm not familiar with
#Loqi[facebook] DelegatedRecoverySpecification: Allows an application to delegate the capability to recover an account to an account controlled by the same user or entity at a third party service provider.
#snarfedif you're talking about SMS account recovery *without* password, then yes, true
#tantekthis is civil liability IMO IANAL on behalf of apple on google
#snarfedNYT is good journalism, but i don't always trust that fine details get precisely distinguished in mainstream media coverage
#snarfed(e.g. social eng vs SMS recovery vs SMS 2FA)
#tanteksnarfed, this was reported in tech journalism 6-18 mo before NYT covered it
#tantekplus you can read the citations for yourself (from the NYT article etc.)
#aaronpkI still would rather let someone else handle keeping up to date with the best practices
#snarfedsure, ok. i still don't personally remember the details nearly as well as you, so i can't discuss those cases very well
#aaronpkbecause like i said, at one point, the industry considered SMS recovery a good idea
#tantekand yeah that was laughably crazy pants when introduced
#tantekexhibit A in "industry considered" = clueless
#aaronpkif you're saying i shouldn't trust anyone else to handle my authentication, then you're basically saying that I need to be constantly paying attention to what's the best way to secure accounts, keep up on all the new browser APIs for 2fa, etc etc
#tantekI didn't say "anyone else" <- that's a strawman
#snarfedsecurity is significantly harder to get right than just implementing web sites and other features. we have to be much more careful if we encourage people to roll it themselves, use smaller providers/implementations, etc
#aaronpki gave github, google and amazon as examples, not as a complete list
#tantekI'm saying perhaps industry in general makes decent decisions, however because they've shown that from time to time they make totally idiotic decisions, yes you do need to keep up with what they do
#tanteksnarfed, not disagreeing with that statement either
#aaronpkbut also don't use an authenticator app as a primary factor, and don't use it for account recovery
#tanteknot fully, and not in practice. because "silo for auth" puts you down a UX path where SMS is their offered path of least resistance with bad defaults
#tantekaaronpk: I know of ZERO examples of any system that allows auth app as primary or recovery
#tantekplease feel free to provide something real world
#aaronpkright but if you're saying roll your own then that becomes a potential security risk
#tantekno need to warn people about things that don't exist
#tanteknowhere did I say "roll your own" - you're strawmanning again
#tanteknot sure why you see this as that dichotomy
#snarfedthe realistic alternative for auth is something like self hosted wordpress or known with email/password, which will get brute forced, or fall behind security updates and get hacked, because sysadminning is hard
#snarfedcompared to that, i'd still probably choose to point people to silos, and also give them strong advice like tantek's
#tantekIMO there is no realistic non-dev / non-gen1 alternative for auth :(
#tantekand even for dev / gen1 - it's both hard, and yet to be built
#tantekI'm bringing a second laptop to try to livestream at least part of IWC NYC
#EmreSoku_In regards to Steemit, I believe Reddit may also do something there. I mean, incentivizing their user base via cryptocurrency. Right now the content on steemit remains too niche, it seems, so there is an opportunity for Reddit to copy and make it big there.
#tantekdoes anyone have a good strategy for archiving individual pages from a MediaWiki install - i.e. assume you do not have backend access of any kind, all you have is a user account you can login, edit, etc.
#tantekso no don't say anything "SQL" or "DB" because it does not apply
#aaronpki used spiderpig to flatten the old version of my site that was mediawiki
#aaronpkremember when "save webpage as" used to actually work?
kl1n3, kline, snarfed, KartikPrabhu and eli_oat joined the channel
#aaronpksnarfed: does bridgy publish look up the syndication URLs of the post being replied to and match up a twitter ID from that? e.g. if you were to reply to this post, would bridgy publish know to include my tweet ID of it in the twitter API request? https://aaronparecki.com/2017/09/22/9/
#Loqi[Aaron Parecki] Not sure if I've spoken more words to my cat or Alexa today. #workingfromhome
#aaronpkquill -> type first note -> get redirected to my website -> click browser reply bookmarklet -> launches quill with reply URL filled -> type second note -> get redirected to my website
#tantekdid my Known feature request issue help at all?