#dev 2017-11-23

2017-11-23 UTC
#
aaronpk that'd be a good pattern to use for clients to fetch new things from a microsub channel
#
aaronpk which would cover the use case "show me things added to the channel after this post X"
#
aaronpk actually solves it better since it basically would be saying "show me things that have changed" which could include updates
#
tantek IMO that info should be derived from the dt-updated of the entry
#
[kevinmarks] Er 304 dyac
#
tantek instead of duplicating the info somewhere else
#
tantek or making up something abstract and harder to code (etag)
#
[kevinmarks] No
#
aaronpk okay well you're back to the fact that there may not be a dt-updated, or even a dt-published
#
[kevinmarks] Etag is opaque, so does not involve timezone magic
#
[kevinmarks] Or clock sync
#
tantek and is also thus harder to inspect / get right
#
aaronpk this is more about the client sitting there waiting for new items to appear at a URL
#
tantek aaronpk, you could annotate the entry with additional properties indicating when the microsub server saw the item
#
aaronpk yeah I do want to include that information somewhere
#
aaronpk right now there isn't a precedent for the microsub server including additional properties in the entry though
#
[kevinmarks] https://web.archive.org/web/20030602181009/http://fishbowl.pastiche.org/archives/001132.html
#
tantek e.g. something like dt-msub-first-retrieved, dt-msub-last-retrieved
#
tantek (because -ms- is already taken ;) )
#
aaronpk heh
#
[kevinmarks] No, you fetch the feed, and remember the etag and last modified from it *in its terms*
#
tantek and the server can make claims about when it retrieved the item (first), and last time it got it
#
tantek no the feed may have no such properties
#
[kevinmarks] Then you send them back next time to see if it has changed
#
tantek so you can't depend on them anyway
#
tantek and it's putting more work on the publisher for no good reason
#
aaronpk we're not talking about the publisher
#
aaronpk this has nothing to do with fetching the original source feeds
#
tantek kevinmarks is when he says *in its terms*
#
aaronpk its = microsub server
#
aaronpk in this context
#
aaronpk but yes also RSS/Atom feeds can and do support this HTTP ETag mechanism already
#
tantek then "last modified" is what I said above, dt-updated
#
aaronpk that's not how http works
#
aaronpk this is an http level thing, not something we're making up
#
[kevinmarks] Read that 2002 link
#
tantek ah http level not format level ok
#
aaronpk speaking of which, I should add ETag fetching/parsing to my feed poller
#
tantek what is an ETAG
#
Loqi etag is a header sent in an HTTP response to allow future fetches of the same URL to be skipped if nothing has changed https://indieweb.org/etag
#
tantek what is Last-Modified
#
Loqi It looks like we don't have a page for "Last-Modified" yet. Would you like to create it?
#
[kevinmarks] Using a content hash for the etag is a Good idea too. (rather than the file inode or whatever apache defaults to)
#
tantek kevinmarks, perhaps add to /etag accordingly with citations?
#
aaronparecki.com edited /Microsub-spec (+1120) "/* Objects */ add example jf2 item" (view diff)
#
www.boffosocko.com edited /Indieweb_for_Journalism (+1692) "Additional material on syndication" (view diff)
leg and bengo joined the channel
#
grantcodes Yes! Loving the microsub chat!
#
aaronpk ?
#
grantcodes So here goes with some random thoughts
#
grantcodes I don't understand how an entry can't have a url? I can see it not having a unique url, but it must have been retreived from a url somewhere? But apart from that I don't know a solution.
#
aaronpk grantcodes: right now, i'm not actually fetching any post permalinks, i'm only parsing entries from an h-feed page, so it's entirely possible there's an h-entry there with no URL
#
grantcodes My point is the feed has a url. Although that might not be very useful
#
aaronpk yeah but that doesn't identify a specific entry within the feed
KartikPrabhu joined the channel
#
grantcodes What I can see being very useful in the long term is for a way for clients to add metadata to posts on the microsub server. You can say send a update request to mark a entry as the last read entry or it has been liked or replied to.
#
grantcodes This would be especially useful when using multiple clients / moving client
#
tantek right, where is the "read" state kept? or "starred" as readers used to let you star things, etc.
#
grantcodes Exactly. There could be a `microsub-properties` object for example to store all this stuff
#
aaronpk i'm not sure I actually want the concept of per-item read state tracking
#
aaronpk I think that's part of the legacy of treating RSS readers as an email-like interface, with the display of number of unread items which everyone grew to dislike
#
grantcodes RE: Image resizing, I think it might be ok as an optional feature to a microsub server. I love when apis or whatever have on demand image resizing so the client can request whatever width & height they want. It can also be easily done with graceful degredation, if a client requests micropubserver.com/image.jpg?height=100&width=100 the server could read the query and resize or it could do nothing and return the full
#
grantcodes size image. I guess the problem with this is then clients would have to be able handle the image if it is not resized
#
aaronpk most client-side environments can handle arbitrary size images though, right? it's just a matter of reducing the download time really. you can stick a 3000x6000 pixel image into an <img width="100"> tag and the browser will resize it
#
grantcodes aaronpk: not necessarily per item but I think the last read item is pretty vital. Noone likes scrolling back through a feed to find their last read
#
aaronpk yeah a single marker to indicate your read state is good
#
aaronpk like slack/irc
#
grantcodes Yeah more or less, but changing aspect ratio is more difficult.
#
grantcodes Changing apect ration is possible clientside using backgrounds but just another thing the client will need to be aware of
#
aaronpk yeah the aspect ratio issue is always going to be tough, even with an image sizing service
tantek joined the channel
#
aaronpk there's always the question of do you crop or fit, how do you indicate which direction is okay to crop, etc. just look at the syntax for imagemagick's resize functions, it's super ugly
#
grantcodes Yeah, I use a wordpress plugin called timber a lot and it includes what i think is really nice on the fly image resizing.
#
aaronpk image resizing is also unfortunately one of the big places security holes pop up
#
grantcodes It has options for width and height. And the cool one is letterboxing, which is where it adds extra whitespace to fit the entire image inside a specific aspect ratio if that is what you want
#
aaronpk http://websynthesis.com/timthumb-fiasco/ and https://imagetragick.com/ come to mind
#
grantcodes Even with all this discussion I don't think it is unreasonable to ask the client to do resizing
#
tantek browsers are good at resizing
#
aaronpk it does seem like image sizing is something the microsub server could help out with, especially since it also means the server could cache/store images so they're available for readers even if the originals are gone
#
tantek p.s. re: where to track things you like, reply to etc... how about your own website?
#
aaronpk defining the actual API for that sounds tricky tho
#
tantek we even have the concept of /read posts
#
tantek so user reading/responding state should be kept .. on the website they signed-in with
#
grantcodes Yeah my use case is I host full size images at around 8mb and galleries of 100+ images. You do not want to download those full size on your mobile internet ?
#
aaronpk tantek: yes, but the next step is that the client needs to know whether or not a post has already been liked on your website, and it's unreasonable to make the client fetch your website to check, since there isn't a good way to even do that
#
tantek the client is already subscribed to your website through the same microsub server
#
aaronpk no it's not
#
tantek why not?
#
aaronpk the microsub server is subscribed to your website, not the client
#
aaronpk s/is/can be
#
tantek sorry that's what I meant
#
aaronpk that's not even a requirement
#
tantek the microsub server subscribes to your website to keep track of read-state, liked etc.
#
aaronpk the microsub server could be subscribed to your website to find out whether you've liked a post, but now we need some way to indicate that to the client
#
grantcodes Yeah if there was a part of the micropub api that supported searching for likes then that might work
#
tantek or posts that are in-reply-to another post
#
tantek sounds like microsearch :)
#
aaronpk heh
[cleverdevil] joined the channel
#
[cleverdevil] I definitely want "read/unread" for some feeds and definitely not for others.
#
tantek or microquery
#
tantek since search implies free text, whereas query implies faceted which is the use-case we're talking about
#
aaronpk so the other way to think about this is the microsub server could tell the client which actions are possible to take on a post
#
tantek sounds like /webactions
KartikPrabhu joined the channel
#
aaronpk not really cause the actions would be micropub requests and may also come from a native application
#
grantcodes With the microquery (or whatever) the problem then is you now have an extra set of requirements, you need a microsub server and your site must support this not trivially easy to set up microquery system in order to have a good user experience
#
aaronpk yeah I think the simple version is the microsub server can subscribe to your site and track all your likes/replies/etc that appear there, then include that information in the items it returns to the client
#
tantek precisely ^^^
#
tantek and thus your site only needs to support micropub, so that the client can post your reads/likes etc. to your site
#
grantcodes Yeah it could. But what about previous likes? Or if you switch microsub server?
#
tantek previous likes?
#
tantek what is backfill
#
Loqi backfill is the action of importing all your past posts, typically from a social media silo, into your own site https://indieweb.org/backfill
#
[cleverdevil] That seems limited...
#
[cleverdevil] I am not so sure I want read/unread state on my site.
#
aaronpk yeah that seems like an edge case. also the microsub server can crawl your site for old stuff if it really wants
#
[cleverdevil] That’s a lot of noise when it could be elegantly handled by the Microsub server and wouldn’t require someone to have a Micropub compatible website to use a reader.
#
aaronpk read/unread state I agree. but I'm talking about "likes" specifically
#
tantek [cleverdevil] it's just moving the problem to somewhere it is already solved
#
aaronpk for example there isn't really any point in clicking a "like" button in your reader if it doesn't actually go anywhere
#
grantcodes Well you can't like something on an indieweb reader unless you support micropub already anyway
#
tantek right
#
tantek also why the goal of your site being your reader makes even more sense
#
aaronpk oh yeah if your site is also your micropub and microsub server then all this is internal and trivially solved
#
tantek I could see using an external microsub server just like I use an external websub hub
#
[cleverdevil] I guess? Still, seems a huge assumption that someone would have a Micropub site.
snarfed joined the channel
#
[cleverdevil] Likes I think I agree though.
#
aaronpk yeah i'm not saying read state is a micropub request
#
[cleverdevil] Not for read/unread state though.
#
[cleverdevil] Cool.
#
aaronpk I don't think anyone said that
#
[cleverdevil] Ah maybe I misread ?
#
tantek [cleverdevil], it's a simplifying assumption. you have to do the work somewhere to store/retrieve "stuff", that *is* a micropub server, which makes the most sense to be your own server
#
[cleverdevil] Yeah I’m in agreement on likes/reposts/etc.
#
[cleverdevil] Makes total sense.
#
aaronpk I think it's perfectly appropriate for some amount of user interface state to be maintained in the microsub server
#
grantcodes But when you do like something the microsub server would still have to store it as you might move clients or you would have to scrape your website for those likes every time you open a client
#
aaronpk grantcodes: yeah the microsub server needs to be made aware of the "like" that was created via a micropub request. how that actually happens is an implementation decision, since someone's micropub and microsub server might be the same.
#
tantek grantcodes - the microsub server automatically stores the like because it gets it from the subscription to your server
#
aaronpk for a standalone external microsub server, then subscribing to your site and watching for likes makes sense
#
grantcodes ?
#
tantek or reposts, replies etc. all /response posts
#
tantek bookmarks, quotes
#
aaronparecki.com edited /Microsub-spec (+1292) "/* Issues */ more things" (view diff)
#
aaronpk captured some of that
snarfed joined the channel
#
aaronpk lol look at the timestamps of these edits https://indieweb.org/wiki/index.php?title=Microsub-spec&action=history 8:57, 9:12, 10:15, 12:33, 15:12, 16:10, 17:10... i've been at this all day
#
tantek that's a good sign
#
grantcodes Well in terms of MVP my personal priorities of what is being discussed would be 1. Feed subscription & retrieval (of course) 2. Read state / maybe more channel state variables 3. /response saving 4. Image resizing
#
[kevinmarks] Cleverdevil: with silo.pub a lot of people have micropub sites
#
grantcodes I think the /response saving and image resizing are lower priority as they lead to improved UI not really actual features
#
aaronpk can you document other state things you'd want? especially if you can cite examples of other APIs or UIs that do it?
#
[kevinmarks] If you want a good image munger, the google one on appengine is nice
#
[kevinmarks] You could also convert all images to svg
#
[kevinmarks] http://svgur.com/i/3vW.svg
bengo joined the channel
#
grantcodes Bit more activity on that reddit post from the other day: https://www.reddit.com/r/selfhosted/comments/7ebm5w/is_it_time_to_seriously_promote_the_idea_of/dq5d9pa/
#
grantcodes Oops should be in general
#
tantek aaronpk I'm particularly intersted in the microsub client use-case of an indieweb site itself being a client
#
aaronpk being a... client?
#
tantek AKA integrated reader
#
aaronpk ah
#
tantek being a microsub client
#
aaronpk I mean you don't really need microsub for that
#
tantek I don't want to deal with all the feed polling and parsing and caching
#
aaronpk oh gotcha
#
aaronpk interesting
#
tantek and assume the server does all that
#
aaronpk that'd be an interesting split
#
tantek has all the same efficiency characteristics as using a separate Websub hub, but for reading rather than publishing!
#
aaronparecki.com edited /Microsub-spec (+141) "/* Tracking read state or position */" (view diff)
#
aaronpk yeah true
#
tantek if a bunch of indieweb sites use the same microsub server, and happen to subscribe/follow the same feeds, the microsub server gets to request those feeds *once* instead of once per client
#
grantcodes aaronpk: Only other thing that hasn't been discussed that I can think of for storing in state would be something like the tweetdeck filters for channels. Eg. I want a channel that is only actual content from people I follow. Not likes, reposts, bookmarks etc,
#
aaronpk ah yeah, post type filters?
#
grantcodes More or less yeah
#
aaronpk I was trying to decide whether that makes sense as a client-side setting or whether that's part of the actual subscription
#
tantek good question
#
aaronpk e.g. when I subscribe to a feed maybe I subscribe to the feed for items matching X
#
tantek I think that will require some experimentation
#
grantcodes Always with the client side the issue is if you use different clients it is not saved
#
tantek but I'd start with, don't make it more work for publishers
#
tantek i.e. don't expect publishers to provide separate fields for *your* use-cases
#
tantek separate *feeds*
#
aaronpk of course, i'm talking about filtering content at existing feeds
#
aaronpk I actually want to sometimes subscribe to keyword matches within feeds
#
grantcodes Yeah, I would imagine it working more like the user muting that is already defined, but per channel.
bengo joined the channel
#
aaronpk per channel? interesting
#
tantek I think this is more of a UI problem, and that by solving the UI problem (with multiple examples), you might be able to find commonalities that a protocol feature would make more efficient
#
aaronpk yeah as it stands, a client could already just not show any item that comes through with a "like-of" property (to ignore all likes)
#
grantcodes Again has that same benefit that you can then change your filters but all the posts that were hidden are still stored on the microsub server and can be shown
#
aaronpk moving it to the protocol means those settings would be preserved between clients
#
tantek right, so maybe that just belongs in a "Client UI considerations" section for now?
#
tantek I guess because I'm more interested in the "your website is your reader" use-case, I'm less interested (lower, not zero, priority) in questions of "preserved between clients"
#
aaronpk one of the UI goals I have is to have completely different layouts for presenting posts, where some of the layouts only make sense for certain post types, e.g. a photo grid wouldn't even show posts without photos
#
aaronpk that could certainly be done in the client though
#
tantek both pinterest and tumblr have interesting grid-like layouts that work for composite streams, not just photos
#
aaronpk or a map view for checkins, where there isn't even really a place to include posts that don't have location data
#
tantek I could see a grid like presentation of text notes that just looked like a grid of sticky notes
#
tantek no images at all
bengo joined the channel
#
tantek aaronpk, the marauder's map as a microsub client use-case :)
#
tantek not just checkins, but any post with location info
#
grantcodes aaronpk: did you look at together.tpxl.io yet ?
#
aaronpk yes :)
#
grantcodes Yeah the map view is super fun
#
[cleverdevil] So I’ve been sucked into The Parenting Zone. Haha. I’ll catch up on this good conversation later!
#
Loqi nice
#
aaronparecki.com edited /pagination (+688) "how slack does pagination" (view diff)
#
grant.codes uploaded /File:tweet-deck-channel-filters.png "A screenshot showing how tweetdeck implements filters per "channel" https://indieweb.org/File:tweet-deck-channel-filters.png"
#
[kevinmarks] This sounds a bit like the blogger modes thing
jjuran joined the channel
#
aaronparecki.com edited /Microsub-spec (+463) "/* Search */ TBD searching for posts" (view diff)
#
grant.codes edited /Microsub-spec (+417) "/* Issues */ Add section on per channel filters" (view diff)
#
[kevinmarks] https://googleblog.blogspot.co.uk/2011/09/dynamic-views-seven-new-ways-to-share.html
#
aaronpk grantcodes: what do you think about this UI pattern for finding feeds to follow? https://indieweb.org/follow#Feedly
#
aaronpk I tried to screenshot the whole workflow
#
aaronpk I'm trying to spec out an API that would allow that workflow to be created
#
grantcodes Yeah the feedly discovery / follow workflow is solid
#
aaronpk great
#
grantcodes That's going to be handled on a per client basis though isn't it?
#
grantcodes Or are you expecting the server to actually have a ui as well?
#
aaronpk I thought it'd be helpful for the microsub server to handle a bit of it
#
aaronpk not a UI no
#
grantcodes Yeah like receiving url meta descriptions, icons, feed previews etc
#
aaronpk yeah
#
grantcodes Don't think you'd need much more than the h-card (or equivalent if missing) and the feed
#
aaronpk step 1: client provides a search term and gets back a list of results: https://indieweb.org/Microsub-spec#Search
#
aaronpk step 2: client requests a preview of the feed before subscribing: https://indieweb.org/Microsub-spec#Preview
#
aaronpk step 3: client tells the server to follow the specific feed https://indieweb.org/Microsub-spec#Following
#
grantcodes Sounds right to me
#
aaronpk i'm going to make monocle return cached data for the preview if it's already been fetching that feed, and if it hasn't seen it yet it'll actually go and fetch the feed to preview it
#
tantek makes sense
#
grantcodes How would you expect to handle the channels thing? Every subscription is added to the home channel correct? Then you can optionally add it to other channels
#
aaronpk a feed is always added to a specific channel
#
tantek aaronpk - do you have a notion of a "person" that has several feeds? or is that what a channel is?
#
tantek I'm hoping that microsub uses concepts for the state of the art social web, not the legacy feed ecosystem
#
grantcodes Hmm, not sure on forcing to select a channel, the popularity of silos proves that a lot of people not not care about channels
#
aaronpk you mean when subscribing to something?
#
tantek yeah
#
aaronpk grantcodes: that's the idea with "default", if you don't select one then it just goes to the default channel. i'm expecting the vast majority of people to just have that one channel like a twitter home timeline
#
tantek I'm worried that if you focus too much on a "feed" then microsub clients will just look like dumb RSS clients of yore
#
tantek like great, a protocol for decentralizing the UI of the past
#
tantek I know that's not your intent, but even just thinking of things in terms of "feeds", it shapes the thinking/design
#
aaronpk tantek: what I liked about this UI https://indieweb.org/follow#Feedly is you can just type "tantek.com" and click "follow" on the first result. nowhere does it even mention "feed" in the UI
#
tantek reads
#
aaronpk (okay there are two places it mentions feeds but they are inconsequential. one is the little grey "feed" on the preview, and the other is in the "follow" dropdown menu but that is confusingly a different meaning of "feed")
#
grantcodes aaronpk: cool, so you have to pass channel=default or any other channel the user selects
#
aaronpk "If no channel is specified, then the default channel is assumed."
#
tantek you mean unlike the big text "Add a feed" ?
#
grantcodes perfect
#
tantek that's kinda what I'm talking about the legacy feed reader UIs of yore
#
aaronpk grantcodes: so basically you can ignore the whole concept of channels if you want
#
tantek even why is there a Name: field, and why is it first?
#
aaronpk tantek: Feedly, not FeedHQ
#
tantek (presumably it's optional)
#
aaronpk scroll down
#
tantek darn it I don't know why it didn't scroll to that
#
www.boffosocko.com edited /h-card (+831) "h-card generator; link to additional examples; expand definition; category: microformats; How to on WordPress" (view diff)
#
aaronpk that FeedHQ example is a great example of an antipattern
#
tantek aaronpk, perhaps move it to at least not be the first example?
#
aaronpk ?
#
tantek or seriously we should consider relegating such legacy UIs to their own scarlet section
#
tantek like "Legacy Feed Reader UIs"
#
aaronparecki.com edited /follow (+0) "move FeedHQ below" (view diff)
#
tantek ooh yes Feedly's free text plus auto-suggest results is a good start
#
tantek similar to the FB search dropdown
#
grantcodes Only problem I see with it is it might be hard for servers to return a decent list of results without the huge existing dataset that I'm sure feedly already stores.
#
aaronpk tbh I think that's fine
#
tantek grantcodes that's why we suggest pre-populating it with /irc-people :D
#
aaronpk if they enter a URL, go fetch the URL and show that
#
www.boffosocko.com edited /microformats (+20) "fix image for pagelogo; move TOC; microformats category" (view diff)
#
grantcodes Yeah agreed,
#
tantek aaronpk - got to be careful about sharing suggested URLs across users, as some may be capability URLs of private feeds
#
tantek examples: some Flickr feeds, FB event ICS
#
aaronpk yeah
#
aaronpk and private podcast feeds
#
tantek one possible hack for those is, if they're not HTML, if they have a rel=alternate back to an HTML page which then has a rel=alternate back to them, then they're public
#
aaronpk I think i'll make my search avoid returning any URLs that contain query string parameters
#
tantek (though it's possible they may rel=alternate to an HTML capability URL, more likely they'll rel=alternate to the "plain" HTML page, which if it works without auth to provide a rel=alternate link back to the feed, then the feed is likely public)
#
tantek that's another way for sure
#
aaronpk i'm more concerned about making "aaronpk.com" return "https://aaronparecki.com/" first
#
Loqi Aaron Parecki
#
tantek or even "aaronpk"
#
aaronpk like assuming the ".com"?
#
aaronpk he
#
aaronpk h
#
aaronpk I kind of like that idea actually lol
#
aaronpk just try appending ".com" to the word and see if it's a site
#
tantek or you could make people type @aaronpk.com@aaronpk.com
#
aaronpk lolol
#
grantcodes I'm sure you will, but if you separate that "search" functionality out so it would be extendable that would be awesome. Can see it continually improving, like searching by Twitter handle for example
#
aaronpk I like having it be opaque to the client, so that the server can just keep returning better results
#
aaronpk just finished the initial version. it now returns this response https://xray.p3k.io/feeds?pretty=1&url=https://aaronpk.com for "aaronpk", "aaronpk.com" and "aaronparecki.com"
#
tantek I feel like there was a bunch of prior brainstorming / prototyping on this
#
tantek what is autosuggest
#
Loqi autosuggest (AKA auto-suggest) is a user-interface feature that provides a list of options while the user is typing, related to what the user has typed, possibly beyond mere (sub)string matches https://indieweb.org/autosuggest
#
tantek ^^^ yeah check that
#
aaronpk i'm happy with this for the first draft :)
#
aaronpk okay that's enough for today
#
aaronpk thanks for the help everyone!
renem joined the channel
#
schmarty aaronpk++ !
#
Loqi aaronpk has 88 karma in this channel (1475 overall)
j12t, KartikPrabhu, tantek, jjuran, cweiske, bengo, [kevinmarks], loicm and [chrisaldrich] joined the channel
#
Zegnat Ugh, my token provider tool thing doesn’t work with Quill :( https://github.com/indieweb/indieauth-client-php/issues/16
#
Loqi [Zegnat] #16 normalizeMeURL returns false for query strings.
deathrow1, snarfed, tantek and jjuran joined the channel
#
aaronpk hmm
tbbrown and John__ joined the channel
#
GWG aaronpk: Hmm?
#
Zegnat Possibly a reaction to my issue
#
aaronpk indeed
#
Zegnat Not only did I not remember the use-case for empty href, I also don’t remember why I didn’t just PR the fix myself aaronpk. Sorry for that one, haha
#
Loqi Zegnat: lol
#
aaronpk heh it's fine! now there are tests
#
Zegnat Also, “a pretty unique use case”, it is as if you do not even know me!
#
aaronpk lol
#
Zegnat Alright, I now score an A on my HTTPS config for licit.li :) At least I got something done today
#
ancarda Why not A+ :P
#
ancarda But A is great as well!
#
ancarda Zegnat++
#
Loqi zegnat has 38 karma in this channel (152 overall)
#
Zegnat I ... don’t know why it isn’t A+? :P I am going the user-whatever-petermolnar-uses approach.
#
ancarda You probably just need to add an HSTS header, let me check
#
Zegnat Oh, maybe because I have HSTS turned off for now, as I didn’t want to lock my browser into HTTPS while testing
#
Zegnat Yeah
#
Zegnat I was also testing my port 80 nginx config, so couldn’t turn HSTS on
#
Zegnat does that now
#
ancarda Who hosts your DNS? The other thing you could do is add CAA records
#
aaronpk oh I didn't know about CAA records! that's great. that would stop those crazy enterprise "security" products that MITM all their employees
#
ancarda I don't think it will; CAA records are checked by CAs when they go to issue a certificate - it's suppose to help with mis-issuance and make it harder for an attacker to get a certificate by limiting them to CAs you trust, but security products will make one on the fly
#
Zegnat Namecheap I think handles the DNS for licit.li
#
aaronpk oh hmm
KartikPrabhu joined the channel
#
aaronpk so browsers don't check that?
#
aaronpk what is CAA?
#
ancarda What would stop that is HPKP (HTTP Public Key Pinning), but that's being removed from Chrome due to it being problematic
#
Loqi It looks like we don't have a page for "CAA" yet. Would you like to create it?
#
ancarda Right now, no. Only CAs do
#
ancarda Hmm, I should write some wiki pages, hang on
#
aaronpk can you summarize that there?
#
ancarda Yeah, sure - can also link to a few places that explain exactly what it does and how it works
#
aaronpk ?
#
aaronpk Zegnat: woo all green https://travis-ci.org/indieweb/indieauth-client-php/builds/306416901
#
ancarda Zegnat: If you check Namecheap, they might allow CAA records to be created. You'd need one called "issue letsencrypt.org" (make a new `issue` record per CA you want to whitelist). You can also add "iodef mailto:your@email.address" which will email you when there's an attempted certificate request that was blocked
#
Zegnat Nice aaronpk! :D
#
Zegnat HSTS should be on now
#
ancarda CAA is an acronym for Certification Authority Authorization, a DNS record type that indicates what Certificate Authorities are allowed to issue certificates for a domain. It supports whitelisting certificates, wildcards, and can also send reports of attempted requests that were blocked.
#
loqi.me created /CAA (+314) "prompted by aaronpk and dfn added by ancarda" (view diff)
#
Loqi ok
#
ancarda CAA << https://gist.github.com/roycewilliams/1710ade469c05eb0b090d268470aa741 (List of supported DNS software and hosting providers)
#
loqi.me edited /CAA (+145) "/* See Also */ new section" (view diff)
#
Loqi ok, I added "https://gist.github.com/roycewilliams/1710ade469c05eb0b090d268470aa741 (List of supported DNS software and hosting providers)" to the "See Also" section of /CAA
#
ancarda CAA << https://scotthelme.co.uk/certificate-authority-authorization/
#
Loqi ok, I added "https://scotthelme.co.uk/certificate-authority-authorization/" to the "See Also" section of /CAA
#
loqi.me edited /CAA (+64) "ancarda added "https://scotthelme.co.uk/certificate-authority-authorization/" to "See Also"" (view diff)
#
ancarda What is HSTS
#
Loqi HSTS is short for HTTP Strict Transport Security, an extension to HTTPS https://indieweb.org/HSTS
#
ancarda Damnit
#
ancarda Hmm... Can I add more detail to that page? It's very short
#
ancarda Oh god I'm going to be here all night
#
KartikPrabhu ancarda: it is a wiki. you on't nee to ask permission
#
KartikPrabhu *don't need
#
aaronpk the rest of the editing you'll have to do from the website
#
aaronpk IRC can only create the initial definition and add to "See Also"
#
ancarda KartikPrabhu: Yeah, you're right. I'm just new to the community and I don't want to step on anyone's toes. Although, the line "This article is a stub. You can help the IndieWeb wiki by expanding it." basically says the wiki welcomes edits
#
KartikPrabhu ancarda: yes I understand the initial hesitation :)
#
Zegnat And that line is basically on every page ;)
#
sknebel heh, yes. maaybe we should list one day "which pages have >2k text and still a stub warning"?
#
Zegnat aaronpk++ for the IndieAuth client fixes. Hopefully they will trickle down to all the projects using the lib soon :D
#
Loqi aaronpk has 89 karma in this channel (1476 overall)
#
ancarda CAA << https://sslmate.com/caa/ (CAA record generator for a variety of DNS server software)
#
aaronpk oh I should tag a release of that
#
Loqi ok, I added "https://sslmate.com/caa/ (CAA record generator for a variety of DNS server software)" to the "See Also" section of /CAA
#
loqi.me edited /CAA (+87) "ancarda added "https://sslmate.com/caa/ (CAA record generator for a variety of DNS server software)" to "See Also"" (view diff)
#
ancarda CAA << https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
#
Loqi ok, I added "https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum" to the "See Also" section of /CAA
#
loqi.me edited /CAA (+77) "ancarda added "https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum" to "See Also"" (view diff)
#
Loqi CAA Mandated by CA/Browser Forum
#
Zegnat Looks like Namecheap will not let me add CAA records, ancarda
#
ancarda Aw that sucks :/
#
sknebel oh, right, I wanted to investigate dependency-tracking services for my projects. good keyword
#
Zegnat ancarda let me know if there are any more places I should tinker with my SSL set-up please :)
#
Zegnat Also, is there an easy way to load this same SSL block for all my nginx port 443 vhosts? Include of some kind?
#
aaronpk you can put the ssl settings outside of the server vhost
#
aaronpk I have my main ssl ciphers and stuff defined in the http{} block
#
aaronpk the only thing in each server{} block is the ssl_certificate and key
#
Zegnat Oh, cool
#
Zegnat I have switched to a single default server file for port 80, so all port 80 calls should be redirected to HTTPS no matter which domain you try
#
aaronpk nice
#
Zegnat Seems to work, at least. I am guessing as I go, haha
#
Loqi hehe
#
Zegnat I was using https://aaronparecki.com/2015/12/07/8/letsencrypt to set-up the certificates. Basically serving that port 80 server block as default.
#
Loqi [Aaron Parecki] Setting up HTTPS with Letsencrypt.org
#
markdain.net edited /CAA (+1344) "Added basic information about what CAA is and how to use issue, issuewild, and iodef" (view diff)
#
Zegnat aaronpk++ for that Lets Encrypt guide
#
ancarda CAA << https://tools.ietf.org/html/rfc6844 (RFC6844 - DNS Certification Authority Authorization (CAA) Resource Record)
#
Loqi ok, I added "https://tools.ietf.org/html/rfc6844 (RFC6844 - DNS Certification Authority Authorization (CAA) Resource Record)" to the "See Also" section of /CAA
#
loqi.me edited /CAA (+114) "ancarda added "https://tools.ietf.org/html/rfc6844 (RFC6844 - DNS Certification Authority Authorization (CAA) Resource Record)" to "See Also"" (view diff)
#
Zegnat Hmm, I have been ++ing too much apparently
#
petermolnar what is ++ing?
#
Loqi It looks like we don't have a page for "++ing" yet. Would you like to create it?
#
petermolnar what is tanteking?
#
Loqi Tantek-ing is a method of encouraging people to contribute to the wiki by indirectly prompting the person who first mentioned the term to create a short wiki dfn page for it https://indieweb.org/tanteking
#
markdain.net edited /CAA (+289) "Added an example set of CAA records" (view diff)
#
aaronpk hmm, since my home page has a clock on it, my feed fetcher is thinking the page is changing every minute
#
ancarda Ok I think I'm done
#
Zegnat “Verbing weirds language.” —Bill Watterson
#
aaronpk ben_thatmustbeme's home page has a csrf token in it which changes on every request too
#
ancarda Oh I think tantek tantek'd me the other day to make an article on FTTC and FTTH
#
Zegnat Don’t think there is a way around that, aaronpk? Guess you just have to have WebSub on your site so you don’t need to do polling but can wait for the feed to tell you about significant changes.
#
Zegnat also has the clock, stole that idea from aaronpk
#
aaronpk I can't control what other crawlers are doing to determine whether my page has changed tho
#
KartikPrabhu rel="not-an-update"
#
aaronpk maybe I will switch it to load that via JS
#
sknebel proper cache headers (that don't treat clocks as changes) might be a start?
#
aaronpk seems relatively harmless since it's just a fun thing and not really part of the content
#
aaronpk I should do proper etag headers tho too
#
Loqi yea!
#
aaronpk that's a bit harder though
#
markdain.net edited /HSTS (+1329) "Added example HSTS headers along with a description" (view diff)
#
ancarda HSTS << https://hstspreload.org/
#
Loqi ok, I added "https://hstspreload.org/" to the "See Also" section of /HSTS
#
loqi.me edited /HSTS (+27) "ancarda added "https://hstspreload.org/" to "See Also"" (view diff)
#
ancarda HSTS << https://tools.ietf.org/html/rfc6797 (RFC6797 - HTTP Strict Transport Security (HSTS))
#
loqi.me edited /HSTS (+88) "ancarda added "https://tools.ietf.org/html/rfc6797 (RFC6797 - HTTP Strict Transport Security (HSTS))" to "See Also"" (view diff)
#
Loqi ok, I added "https://tools.ietf.org/html/rfc6797 (RFC6797 - HTTP Strict Transport Security (HSTS))" to the "See Also" section of /HSTS
snarfed joined the channel
#
ancarda Right, I have to go home. Perhaps we should have a security section so we can group CAA, HSTS, CSP, etc...?
#
KartikPrabhu what is security?
#
Loqi security in the context of the indieweb may refer to security concerns regarding personal domains, web hosting, https setup, private data, identity etc https://indieweb.org/security
#
KartikPrabhu ancarda: ^
#
ancarda Oh god
#
aaronpk ?
#
ancarda Ok, once I get home, else it'll be midnight when I finally leave the office
#
ancarda Been here almost an hour now just working on the wiki page
#
aaronpk ancarda++
#
Loqi ancarda has 2 karma in this channel (3 overall)
#
sknebel ancarda: yeah, go home. that happens way to easily ;)
#
KartikPrabhu ancarda: no need to wikify at the expense of general life :)
#
KartikPrabhu ancarda++
#
Loqi ancarda has 3 karma in this channel (4 overall)
#
ancarda Thanks, hopefully this page is ok? https://indieweb.org/CAA -- could someone tell me if it looks alright and if you want more detail or anything?
#
Zegnat Maybe start on a security category ancarda? ;)
#
ancarda Oh, I'd be happy to
#
sknebel that page is great. for security stuff, I tend to mostly link to good outside resources
#
aaronparecki.com edited /Microsub-spec (+151) "/* Search */" (view diff)
amz3 and [chrisaldrich] joined the channel
#
www.svenknebel.de edited /StartSSL (+53) "startcom officially dead." (view diff)
#
schmarty wow, RIP startssl!
#
aaronparecki.com edited /pagination (+543) "/* APIs */ add facebook api example" (view diff)
#
aaronpk ouch
#
aaronpk my 2-year verification from startssl just expired the other week
#
aaronpk RIP free wildcard certificates
#
ancarda aaronpk: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html
#
ancarda Free wildcard certificates are back (soon)
#
aaronpk ?
#
aaronpk that'll clean up my ssl config a lot
#
aaronpk whoa this paging works real well
#
aaronparecki.com edited /Microsub-spec (+209) "/* Timelines */ add paging parameters" (view diff)
#
aaronparecki.com edited /Microsub-spec (+3345) "/* Paging */ describe paging mechanism" (view diff)
#
aaronpk I think I got that right
#
Zegnat I think I got that right too, but my “that” is putting my SSL config in a separate file and including it within the http{} block
davidmead joined the channel
#
davidmead happy thanksgiving to all other US-based indiewebbers :-)
#
Loqi davidmead: tantek left you a message on 2017-09-25 at 5:56pm UTC: hey have you gotten any problems because of this too? http://www.bbc.com/news/uk-northern-ireland-41384829
#
Loqi davidmead: tantek left you a message on 2017-09-25 at 5:57pm UTC: like this: https://twitter.com/DavidMeadeLive/status/911562198991982594
#
davidmead tantek no i haven’t - hadn’t even heard of it until i clicked on that link :-)
#
Zegnat aaronpk, any tips for running several PHPs side by side?
#
aaronpk I just set that up the other day!
#
aaronpk if you're on ubuntu it's basically built in now
#
GWG The new Press This plugin in WordPress is really helping me refine my own parsing code...my xray equivalent. I test every URL someone there complains about not working.
#
Zegnat No, I’m on Debian I’m afraid
#
aaronpk apt-get install php5.6-fpm php7.1-fpm
#
aaronpk check if your php package is already installed in a versioned folder like /usr/lib/php/5.6 and if it is, then your distro already supports it
#
aaronpk my nginx config basically has upstream php5 { server unix:/var/run/php/php5.6-fpm.sock; } and php7 { server unix:/var/run/php/php7.1-fpm.sock; }
#
aaronpk so I can point each vhost to the different backend
#
Zegnat Ah, yeah, I think my php7.1-fpm is already in a versioned folder!
#
Zegnat Cool
#
GWG I have to ask all of you. If a site you are trying to respond to returns a non 200 because it is filtering your retrieval of it, let's say by user agent...what should your site do? This applies to webmentions, and to my case...the link preview I'm trying to generate.
#
aaronpk GWG: I fake the user agent until it accepts it
#
aaronpk my reasoning is these things happen because people run plugins intended to stop certain types of bots, and my use of that site does not fall under the type of thing they're trying to block, so I work around it
#
GWG aaronpk: I'll have to think on that.
#
GWG I worry because of how easy it is to install a WordPress plugin
John___ joined the channel
#
grant.codes uploaded /File:PhotoPostr-preview.png "A screenshot of PhotoPostr https://indieweb.org/File:PhotoPostr-preview.png"
#
grant.codes created /PhotoPostr (+1870) "Create PhotoPostr page" (view diff)
#
grant.codes edited /photo-album (+141) "Add section on micropub clients with PhotoPostr as an example" (view diff)
#
grantcodes Anyone aware of a difference between a /gallery and a /photo-album they seem to be the same thing to me with different names
jjuran joined the channel
#
amz3 context?
#
amz3 ok got it
jjuran, John___, amz3 and tantek joined the channel
#
tantek nice security additions
#
tantek ancarda++
#
Loqi ancarda has 4 karma in this channel (5 overall)
#
GWG I'm still on the fence about this issue of spoofing user agents
#
tantek oh? are you seeing that in your logs?
#
GWG tantek: No. I'm looking at the code I use to generate link previews using OGP and MF2 and some sites block retrieval with a 999 or such.
#
GWG aaronpk commented his solution is to change user agents. I'm trying to decide if I should.
#
aaronpk You don't have to hide your own, just add enough of the Mozilla Safari stuff for it to work
#
aaronpk I mean chrome even puts Mozilla in their user agent so...
#
GWG What does your look like?
#
tantek !tell snarfed ICYMI - looks like I found a bug with Bridgy Publish's support of longer tweets when there's a photo included: https://chat.indieweb.org/dev/2017-11-18/1510993441166000 I couldn't find an issue on this in particular, should I file a new one?
#
Loqi Ok, I'll tell them that when I see them next
#
Loqi [tantek] hmm somehow found a bug in Bridgy Publish recent update to support longer POSSE to Twitter: https://brid.gy/log?start_time=1510993330&key=aglzfmJyaWQtZ3lyawsSDVB1Ymxpc2hlZFBhZ2UiRGh0dHA6Ly90YW50ZWsuY29tLzIwMTcvMzIxL3QyL2xhc3Qtc2F0dXJkYXktcmFjaW5nLXRh...
#
aaronpk The last one I did takes the user agent from chrome and then adds "p3k/http 1.3, Monocle 0.1" or whatever
#
tantek Every browser puts "Mozilla" in their UA string since Netscape started to and sites started only sending "rich content" to Netscape via checking for Mozilla.
#
tantek (1990s legacy issue)
#
GWG So, mentioning that makes me feel a bit better.
#
GWG Right now, I'm testing URLs that people reported could not be parsed.
#
GWG Like this thing.. http://www.davidghoyle.co.uk/WordPress/?p=1827
#
GWG X-ray can't figure this one out either.
#
aaronpk That's cause it thinks it's a feed
#
tantek GWG what's its content-type?
#
tantek all this talk of UA strings reminded me to check my traffic again from bots