#Zegnat!tell aaronpk was there a reason https://indieweb.org/Microsub-spec#Per-Item_Data calls out Feedbin for starred items? That was Google Reader behaviour that everyone seems to have copied (NewsBlur, Feed Wranger are 2 more examples with a starred flag)
#Loqiaaronpk: Zegnat left you a message 2 hours, 55 minutes ago: was there a reason https://indieweb.org/Microsub-spec#Per-Item_Data calls out Feedbin for starred items? That was Google Reader behaviour that everyone seems to have copied (NewsBlur, Feed Wranger are 2 more examples with a starred flag)
#aaronpkZegnat: because I found the API docs for Feedbin easily
#ZegnatGotcha. I was thinking about linking to other API pages, or adding commentary about how it is a Google Reader idiom and is basically “in reader bookmarking”. But not sure that actually adds anything to the brainstorm itself.
#aaronpkunix timestamps that are trying to be some sort of local time are wrong
#aaronpki'll see if I can verify what instagram is doing tho
#snarfedagreed! there's lots of wrong out there :P sgtm, thanks
#Zegnatsecond based timestamps are pinned to an epoch, that epoch could theoretically be in a specific timezone. But that would be a huge engineering hassle, very unlikely they would do that.
#aaronpkok i'm looking at my last photo on instagram
#aaronpkthe HTML ends up with "2018-01-03T20:33:33.000Z"
#aaronpkthe time I posted that was 12:33 local time
#ben_thatmustbemeit says you can use it if the rel tag is defined as body-ok
#ben_thatmustbemegives a list of rel tags but says that other specs can define rel tags as body-ok
#ben_thatmustbemeso basically the parser has no way of knowing when it hits an unknown rel
#ZegnatThat’s true, the validator should be saying that the LINK is not allowed in the body for the rel values defined by the HTML spec.
#ben_thatmustbemei've been look at what is wrong with the numbers of the mf2 vs mf1 vs rdf vs microdata
#ben_thatmustbemeseems like there is a lot of things broken in their parser
#ben_thatmustbemeapache any23 uses apache tika, which uses something called Grib (which is dead), which uses a very old (2012) version of jSoup, which was still working out html5 bugs
#aaronpkcould you file a bug on the common crawl project with a super simple html5 example (not involving microformats) showing that it completely breaks?
#sknebelben already did parse bugs with any23 if I saw right
#ZegnatWhat is the state of HTML parsers in programming languages these days anyway? I only know PHP is still relying on libxml2 for its parsing.
#LoqiIt looks like we don't have a page for "state of HTML parsers in programming languages these days anyway" yet. Would you like to create it? (Or just say "state of HTML parsers in programming languages these days anyway is ____", a sentence describing the term)
#sknebelI would have probably pointed to a few any23 bugs and asked if they have numbers for how many sites they ignored due to that or something like that
#ben_thatmustbemei think breaking on <input> not having </input> is going to kill a LOT
#gRegorLove[miklb] The dates should be correct in my Atom feed now. Going forward they should look right in Evergreen.
snarfed joined the channel
#tantek.comcreated /prehistory (+1743) "move prehistoric articles from before the web to a separate page, relevance to the indieweb is not nearly the same level as actual arcticles mentioning / discussing the indieweb an indie web etc." (view diff)
#tantek.comedited /Posts_about_the_IndieWeb () "(-1067) move prehistoric articles from before the web to a separate page, relevance to the indieweb is not nearly the same level as actual arcticles mentioning / discussing the indieweb an indie web etc." (view diff)
#aaronpk!tell benwerd your cert on benwerd.com expired and I was using your screenshot tool that's on that domain! any chance you can renew it or move that to werd.io?
#LoqiIt looks like we don't have a page for "https admin tax" yet. Would you like to create it? (Or just say "https admin tax is ____", a sentence describing the term)
#aaronpkI was confused because it looks like it's part of the content
#[tantek]https admin tax is the additional amount of nontrivial regular administrative work you or your web host service provider must do to keep your [[https]] site running and available as compared to http. Search IndieWeb irc for "certificate expired" or "cert expired" for examples of failure to pay this admin tax.
#[tantek]E.g. You post to your site, you posse to twitter, someone @-replies on twitter, and then they put that reply permalink into the "send a webmention" form on your original post permalink?
#[tantek]Semi manual backfired without bridgy that is
#grantcodesI'm sure embeds / link unfurling will be involved in that part so I just made it text for now
#aaronpkyeah, I haven't decided how I want to handle getting that data in monocle either
snarfed and KartikPrabhu joined the channel
#tantek.comedited /https_admin_tax (+575) "not a requirement since it still works in browsers, is a tax due to failure to pay breaking your site. Fragility section" (view diff)
#snarfedfavorite quote: "longevity and privacy/security are all worthwhile goals. We should work toward both of them at the same time, instead of seeing them as a (false) dichotomy."
#snarfedunrelated, [tantek], if your manual backfeed q is motivated by github, another thought would be to sponsor someone to add it to bridgy. i bet we could earmark open collective funds for that.
#[tantek]Also, probably worth moving/merging the /https section on fragility to the separate page
#aaronpkbridgy doesn't know about my original post, so it doesn't know what URL to put as the in-reply-to
#aaronpkso I can make a bridgy permalink for any tweet, but a webmention from that page won't work since the bridgy page doesn't actually link to my post
#aaronpkso the other path here is if I know the twitter URL i'm trying to send a webmention for, how could bridgy find my post that it should put as the in-reply-to URL
#Loqi[Blaine Cook] @aaronpk @lauraglu designing for yourself isn't the same as designing for users. Dogfooding is eating something not made FOR but BY you.
#Loqi[Kartik Prabhu] Got rid of some fatwigoo ( otsukare.info/2017/11/02/fat… ) from my site! Safe defaults with CSS as enhancement; I like it! (kartikprabhu.com/notes/got-rid-…)
#snarfeddemonstrates some implicit trust assumptions we all make
#KartikPrabhuyup. I guess bridgy is simply reconstructing the HTML+mf2 without checking that it is a reply on Twitter
#aaronpkanyway snarfed do you think you can fix the "resend for post" for this example of mine? If so, I'll hold off on sending that webmention manually
#snarfedKartikPrabhu: kind of. it does checks that it's a reply, just upstream from that point
#snarfedaaronpk: yeah i'm filing the issue now, but feel free to go ahead if you want, i have no eta yet
#KartikPrabhusnarfed: in my example above, my tweet is not a reply to anything much less aaronpk's tweet
#snarfedKartikPrabhu: yes. which bridgy determines during its regular polls. so it never sent a webmention for that "wrong" reply :P
#KartikPrabhusnarfed: aah yes that I agree. I just meant I could use that URL in aaronpk's webmention form and it would work :P
#snarfedsure! you can also publish arbitrary HTML on your site and spoof anything. hence my comment about implicit trust assumptions :P
#tantek.comedited /Webmention-brainstorming (+925) "move receiving webmentions for POSSE copies to proper section, add rough changes / extension need to the webmention spec, possible way to implement" (view diff)
#[tantek]That's my contributions for today I think. One positive (receiving webmentions for POSSE copies), and one critical (https admin tax page / example)
#LoqiIt looks like we don't have a page for "microformats tax" yet. Would you like to create it? (Or just say "microformats tax is ____", a sentence describing the term)
#[tantek]It is extra work to be sure miklb. Just less than the alternatives, and leaving it out won't "break" your pages (thus not being a tax per se, more of a cost to get some additional features)
#aaronpkMicroformats tax is the additional effort required to maintain the Microformats markup on a web page when you want to make unrelated changes to the web page.
#[tantek]IIRC technorati stats were that only a third or so of feeds actually "worked" for blogs
#[tantek]So in the long term "usually" didn't matter. Feeds were fragile.
#[miklb]I can definitely say that changing WordPress themes usually doesn’t have any effect on the feed
#[tantek]Miklb changing the markup and not the CSS would break the visible page
#[miklb]breaking mf2 wouldn’t change the display in the browser is my point
#[tantek]It's like your argument of letsencrypt aaronpk. microformats puts the markup where it will make you see and maintain it. Instead of forgetting about it for a while until it breaks (silently)
#aaronpkbut microformats aren't visible, so I wont know i've broken anything until my posts show up other places broekn
#[tantek]miklb ideally, yes. In the past we've mixed styling and microformats with the same classes and then breaking one would often break the other.
#[miklb]browsers to my knowledge do not care if you have `u-syndication' or `z-syndication`
#aaronpkwhich is about the same as waiting to notice that my feed has broken
#[tantek]Except that there's usually different code to generate the feed
#[tantek]This that code gets out of date (even if it doesn't "break" per se) and your feed content / details go out of date
#aaronpkany change you want to make is going to require some amount of testing and spot-checking, whether that change is to the visible page or some sort of internal change
#[tantek]The positive ideal is that we should be able to add mf2 without breaking or even changing the element markup of a page
#[tantek]So obv breaking that is unlikely to break the page too
#[miklb]I’m just advocating that discouraging https because it requires maintenance isn’t a healthy stance.
#aaronpkI was trying to clarify on that page that just because something is a tax doesn't mean that's discouraging it. perhaps that needs to be clearer.
#Loqihttps admin tax is the additional amount of nontrivial regular administrative work you or your web host service provider must do to keep your https site running and available as compared to http https://indieweb.org/https_admin_tax
#[tantek]It's not a discouragement. It's an acknowledgment.
#[tantek]Doesn't mean it is, especially in more complex systems.
#[miklb]followed by “why doesn’t my webmentions work?” Oh, you need to wrap that in a `p-name` and you have nested properties so you need to change, this, this ,and ths.
#[tantek]and adding it doesn't make your site more fragile.
#[tantek]Not, getting it right for the new functionality. That's a differ t issue
#aaronpk"existing functionality" also refers to maintaining your posts showing up in micro.blog or Monocle
#aaronpkafter you've done the first step of getting the mf2 added in the first place
#[tantek]No that's the point. That's all part of the new functionality you're getting
#aaronpksure adding mf2 is not hard (tho that depends on whether you are writing your HTML yourself or using something like wordpress themes), but i'm talking about the maintenance of it
#[tantek]Yeah themes are harder because ideally the theme author handles all your markup including your mf2.
#aaronpkright now my baseline is my site works and my posts show up in micro.blog and in Monocle. now whenever I change anything I have to make sure I maintain the Microformats to ensure that continues to be true.
#[tantek]Sure but that's different than losing functionality you had before.
#aaronpkbefore what? I am literally talking about losing functionality
#[tantek]That should be normal for any new feature you add. It requires maintenance to keep it working, but it should break other features.
#[miklb]tantek, my argument is that the wiki is a community resource and as we as a community encourage mf2, webmentions and the like, having pages like that https admin tax page reflects on the community as a whole. I wouldn’t care if you wrote a blog post on your site with that opinion.
#[tantek]adding https-only has the potential (and examples) of breaking *everything else* on the site
#[tantek]That's a categorically different kind of fragility vulnerability.
#aaronpk[miklb]: I still dont think the intent of that page is to discourage https, so if that is not clear then the wording needs to be changed.
#[tantek]We should make the risks clear. That's the point.
[kevinmarks] joined the channel
#[kevinmarks]I'm still working on my crazy metadata post, and the mf tax is a lot lower than the schema one.
#aaronpk"The receiver should check that target is a valid resource for which it can accept Webmentions."
#aaronpkif you accept webmentions to targets that are redirects like bit.ly, then "valid" has a broad definition for your site
#aaronpkyou can just accept any URL in that step, and resolve the redirect in the asynchronous part
#[tantek]Miklb, to be clear I encourage adoption of https, with transparency about the the potential costs (including time)
#ZegnatHmm, true. I guess because [tantek] was writing about “verification” of target my mind leapt to the valid resource check.
#ZegnatE.g. I do not have further target verification after the valid resource check.'
#ZegnatMy mind: “Request Verification” is synchronous and contains target verification, “Webmention Verification” is asynchronous and contains source verifications.
#ZegnatBut of course there is no reason further target verification can’t happen during Webmention Verification.
#[tantek]The reason I referred to it as an admin tax is that it is required just to keep your site up & running even if you do nothing else.
#[tantek]And the fragility is about what happens with just the passage of time
#[tantek]E.g. You setup a static site with https and leave it alone, it will break eventually.
#[tantek]Yes as soon as you use a popular CMS that requires irregular security update, it will also break when left alone
#ZegnatDomain renewal is definitely another admin tax though. Not sure it is mentioned on the wiki as such? We should have plenty examples of domains not getting renewed.
#sknebelZegnat: just checked, I do full target verification synchronously
#[miklb]static site doesn’t mean it’s etched in a stone tablet. There’s still a webserver
#[tantek]Though we could try to start another page if there's enough confirmed examples
#Zegnat“renewing your domain names” is actually on /admin_tax already. Above HTTPS even :)
#[tantek]People in practice seem pretty good about renewing their domains, much more so than renewing their certs
#[miklb]just because some people haven’t taken the time (myself included) to update how they are using letsencrypt to auto-renew and make sure nginx restarts doesn’t mean it is a broken process.
#[tantek]As long as we still see examples of cert expirations by folks here, especially those using letsencrypt, the cost is still too high
#[tantek]Why does any IndieWeb site need to worry about GDPR?
#[miklb]tantek, I’m not saying those aren’t all valid points to document, but with snarknition type additions to the wiki, I personally do not think it’s productive.
#[tantek]The point is not snark, the point is documenting explicit risks instead of candy coating
#dgold[tantek]: because the current GDPR is a first step towards EU citizens having generally applicable privacy rights
#[miklb]but I am telling you that it comes across as snark to me
#[tantek]Miklb "required in 2018" was also pure opinion right?
#aaronpksame, which is why I was trying to fix the page and make it more factual
#Zegnat“Why does any IndieWeb site need to worry about GDPR?” – displaying comments, for one, probably.
#[miklb]Again, speaking for myself, I assume the wiki is a community resource, not your personal document. That is what our personal blogs, the main thing we advocate for, should be used for.
#[tantek]Miklb no lecture. I wrote facts with citations/examples.
#aaronpk"A feature can be anything from ... a new CSS property"
#[tantek]zegnat no more like new DOM APIs in practice
#[tantek]Aaronpk that's overstating it afaik and I'll follow up when back from vacation
#[tantek]Same with new JS language features, too hard to subset JS Lang processing just for http so that will likely stay equivalent until / unless JS is turned off completely for http (which I've actually asked for by default)
#ZegnatYes, “requiring secure contexts results in undue implementation complexity” is a given reason for exception from the rule [tantek]. So that probably applies to JS language features.
#ZegnatBut CSS properties are specifically mentioned as an example of things that will go on secure context only. So that will be interesting to see.
#[tantek]AFAIK there is no such https only policy for new CSS features e.g. discussed/agreed on W3C www-style or csswg github issues
#Loqi[dbaron] #75 Describe when features should be limited to secure contexts.
#[tantek]Like I said, I'll look into more when I'm back but without a citation for the discussion for that claim, I'm skeptical. I'm sure that's what Anne wants, so it's a good stake in the ground, but AFAIK that hasn't been agreed to on dev-platform, bugzilla, www-style, or even the W3C TAG
#[tantek]^^^ all sources you or anyone can search for any such evidence
#tantek.comedited /Webmention (+166) "clean-up see also, clearly separate Webmention Development subpages that used to be part of this page" (view diff)
#tantek.comedited /https_admin_tax (+129) "note even if you make no other changes to your site, note should add HTTPS per existing reasons, move Chrome treatment to HTTPS page because it has nothing to do with the admin tax in particular, note HSTS can add more fragility, https-only outages" (view diff)
#tantek.comedited /https_admin_tax (+825) "more examples from https, explicit FAQ with letsencrypt and comparison to domain registration" (view diff)
#tantek.comedited /HTTPS (-337) "/* Maintenance tax and site fragility */ main article, move examples to main article" (view diff)
#tantek.commoved /FreeMyOAuth to /appaccess "way more user friendly name, much easier to share with a typical user as a page to use to see what apps have what access to their accounts"
#[tantek]Hoping that makes it more real world shareable with friends who get strange emails notifying them that they just granted access to a particular service / account with certain privileges etc
#sknebelall this is very "own server" centric, but I guess that makes sense - on a normal webhost you are going to leave these things to them and might not even know if it is let's encrypt or somebody else providing the certificate in the end
#LoqiWeb hosting can be the primary regular cost in maintaining an IndieWeb site; this page lists several options from free on up depending on your publishing needs, like a static, shared, private, or dedicated server https://indieweb.org/web_host
#[tantek]Should exist (ideal, opinion) and does typically exist (can cite examples) are two different things, things I feel are often errantly conflated here
#sknebelshould have said "shared hosting". E.g. the Let's Encrypt page primarily talks about using it with certbot on your own server, including "you need some kind of access to your server" when e.g. Dreamhost shared hosting has it integrated into their management UI and does all the details for you
#[tantek]I have shared hosting, my provider doesn't do it for example.
#[tantek]You should assume providers do not do all the details for you unless you can actually link to their docs and/or UI (preferably with screenshots)
#[miklb]what is kind a funny, I had already planned for tonight to switch my single site WP install to multi-site and set up letsencrypt certs for all of the sites. I’m going to need a tax cut
#LoqiIt looks like we don't have a page for "kind a funny, I had already planned for tonight to switch my single site WP install to multi-site and set up letsencrypt certs for all of the sites. I’m going to need a tax cut" yet. Would you like to create it? (Or just say "kind a funny, I had already planned for tonight to switch my single site WP install to multi-site and set up letsencrypt certs for all of the sites. I’m going to need a tax cut is ____", a sentence describing the term)
#www.svenknebel.deedited /HTTPS (-191) "/* Obtain */ remove Wosign - distrusted, currently not offering free certificates as a consequence" (view diff)
#sknebelI think we also shouldn't list CACert on there - objections? While I kind of like the idea of what they are trying to do, they are a far-off choice and not something a typical Indieweb site should use
[kevinmarks] joined the channel
#[kevinmarks]google cloud now manages certs for you via letsencrypt