#dev 2018-08-28

2018-08-28 UTC
#
vilhalmer
it was happy with the output of `gpg -s --armor` as well which contains just a BEGIN PGP MESSAGE section
#
vilhalmer
(once I manually enabled the button)
#
vilhalmer
the one in your screenshot is --clear-sign?
#
vilhalmer
you may be able to tell I don't actually use pgp for much
#
aaronpk
Same haha
#
aaronpk
Well if that worked then file an issue with the details and I'll make the JS recognize that too
#
vilhalmer
will do, thanks for the help
#
vilhalmer
I can submit a pr if you'd prefer too
KevinMarks joined the channel
#
aaronpk
sure if you're up for it!
#
vilhalmer
done and done!
#
aaronpk
woohoo thanks!
#
Loqi
yay!
#
aaronpk
probably can't look at it til wednesday
renem, isgy, AngeloGladding, kicks, [tantek], KartikPrabhu and iasai joined the channel
#
GWG
Hmm... aaronpk's site does Accept: application/mf2+json
[eddie], AngeloGladding, KartikPrabhu, cweiske, Guest92, jeremych_ and [pfefferle] joined the channel
#
@megarush1024
That time you search through all the posts on your site because you know you complained about Spotify’s suggestion algo when you have a playlist on shuffle and it something lame, and you know @jage9 told you how to fix it in a Twitter reply that came back as a webmention.
(twitter.com/_/status/1034332413911023616)
stevestreza, [kevinmarks], jeremych_, [pfefferle], rigelk, KevinMarks, [jgmac1106], [xavierroy], jgmac1106, [jgarber] and [tantek] joined the channel
#
GWG
How do you securely store access tokens so a website can retrieve data on your behalf?
[Niklas], niklas, ben_thatmustbeme, KevinMarks and barpthewire joined the channel
#
@caraudioshoppin
Don't be fooled by its size or name...the MicroSub™ CP208 enclosure will provide just the right of amount of bass in this GMC Yukon! Nice choice by our friends ! #HowWePlay #JLAudio #MicroSubb #GMCYukon Repost from @jlaudioinc
(twitter.com/_/status/1034435716745490432)
jgmac1106 and KevinMarks joined the channel
#
@jgmac1106
↩️ Why not just use your own domain for your to-do list and own your task. Here is my example: https://jgregorymcverry.com/my-to-do-list/ I send myself a webmention as updates. I have used Google Keep as well and just pin a “to-do, doing,  done” (http://jgregorymcverry.com/6265-2/)
(twitter.com/_/status/1034444516898623489)
iasai and AngeloGladding joined the channel
#
petermolnar_
how large of an html file is a definite no? I'm re-evaluating creating a scrobbles archive, but given the csv is 4.3MB, the html would easily lick the 10s of MB size if I want a single page archive
tantek__, KartikPrabhu and [cleverdevil] joined the channel
#
tantek__
good question petermolnar_ ! I believe aaronpk has similar issues with tracking location
#
tantek__
This is a good use-case for storing webmentions from 3rd parties on your own server, and serving them up server-side: being able to search them with web search tools! https://twitter.com/megarush1024/status/1034332413911023616
#
tantek__
what is search
#
Loqi
search in the context of the IndieWeb refers to being able to search your personal site for your own content https://indieweb.org/search
#
aaronpk
Yeah I decided to split my location data up into per-day files so that no file is more than 86,400*record size bytes
#
eli_oat
@tantek_ I often think of handling webmentions in that way for exactly that reason but worry it is a violation of GDPR, or just basic trust
#
aaronpk
In practice they range from 400k-1.5mb or so
#
tantek__
search << Use-case: searching your posts and the webmentions they have received using web search tools, good reason to store received webmentions and render them server-side: https://twitter.com/megarush1024/status/1034332413911023616
#
Loqi
ok, I added "Use-case: searching your posts and the webmentions they have received using web search tools, good reason to store received webmentions and render them server-side: https://twitter.com/megarush1024/status/1034332413911023616" to the "See Also" section of /search https://indieweb.org/wiki/index.php?diff=51350&oldid=48188
#
aaronpk
I didn't want to deal with managing a multi gigabyte single file
#
tantek__
eli_oat: there's lots of exaggeration around GDPR, maybe check /GDPR for some details
#
aaronpk
(Whether that's a MySQL data file or flat data file)
#
tantek__
in particular, lots of exemptions for personal use, note that webmention protocol already had "delete" as required etc.
#
eli_oat
ooh, good call
[eddie] joined the channel
#
tantek__
pingback OTOH does not have delete. nor do any other forms of refback (trackback, linkback whatever)
#
[eddie]
eli_oat: One option is also storing all the webmentions but not displaying them all publicly
#
tantek__
so you *could* make the case that by formalizing and requiring "delete" support, webmention by default enables more/easier GDPR compliance than any of the prior alternatives
#
eli_oat
that is sort of where I started to move, but then also realized that the effort wasn't really worth the benefit I'd gain
#
tantek__
eli_oat: indeed there are use-cases for storing but not displaying all
#
tantek__
e.g. muting, blocking, recording a pattern of (mis)behavior etc.
AngeloGladding joined the channel
#
eli_oat
I hadn't thought about the data-set value, that seems sort of fun...intriguing
#
eli_oat
Thanks for these thoughts tantek__
KartikPrabhu joined the channel
#
tantek__
no problem! I'm still working on webmention storage myself so this discussion is helpful!
snarfed, TripFandango and [kevinmarks] joined the channel
#
[kevinmarks]
what is timeline?
#
Loqi
The timeline briefly documents key IndieWeb (and influencing thereof) terms/ideas/concepts, implementations, specifications, events, and other achievements; people involved, and dates/URLs for each https://indieweb.org/timeline
#
[kevinmarks]
ah not that one
#
[kevinmarks]
what is chronological?
#
Loqi
It looks like we don't have a page for "chronological" yet. Would you like to create it? (Or just say "chronological is ____", a sentence describing the term)
#
snarfed
petermolnar_: http archive has great stats on html size (and lots more) across the web. https://httparchive.org/reports/state-of-the-web
#
snarfed
i haven't easily found the query for html only there, but looks like it averages in the 60KB range, just fyi. https://www.sitepoint.com/average-page-weight-increases-15-2014/
#
Loqi
ok, I added "http://www.dieselsweeties.com/ics/617/" to the "See Also" section of /chronological_timeline https://indieweb.org/wiki/index.php?diff=51351&oldid=51063
#
tantek__
what is chronological feed
#
Loqi
chronological feed is a stream of posts in time order, typically in reverse chronological order of their published date (newest first), popularized on the web by journals and blog home pages, feed readers, and social media, until the latter switched to algorithmic feeds, frustrating many users https://indieweb.org/chronological_feed
#
snarfed
as another data point, when bridgy crawls h-feeds to find synd links, it rejects any HTML page over 500KB
#
[kevinmarks]
I think it belongs on that one
#
tantek__
what is chronological timeline
#
Loqi
chronological timeline is a redundant phrase (timelines are inherently chronological, because they are *time*lines) used to refer to a chronological feed https://indieweb.org/chronological_timeline
#
tantek__
so close kevinmarks
#
tantek__
it belongs here IMO
#
tantek__
what is algorithmic timeline?
#
Loqi
algorithmic timeline (sometimes non-chronological timeline) is a doublespeak phrase propagated by silos (and some popular media) to refer to social media algorithmic feed feature(s), as a timeline is "a display of a list of events in chronological order"[1], whereas silos now (since 2016+) use "timeline" to refer to often out of chronological order display of aggregations of following's posts which still presentationally resemble previous chronologically ordered displays https://indieweb.org/algorithmic_timeline
#
tantek__
maybe even as the page embedded graphic 😂
#
snarfed
ooh there's also indie map. trying now
#
snarfed
it says the mean html page size in its dataset (indieweb sites) is 34KB.
#
snarfed
(minor note: that's technically characters, not bytes)
#
[kevinmarks]
mastodon has better mf2 than the origin site
#
snarfed
(query was `select avg(length(html)) from indiemap.pages` on https://console.cloud.google.com/bigquery?project=indie-map )
#
tantek__
kevinmarks yes!
AngeloGladding joined the channel
#
GWG
Morning all
#
GWG
I asked earlier, but will ask again. How do I securely store tokens I need to use?
#
tantek__
GWG what is an example of such a token?
KartikPrabhu joined the channel
#
GWG
Let's say that I want my site to query a Micropub Endpoint, which requires an Oauth2 bearer token
#
GWG
The only place I have to store it is in the database
strugee joined the channel
#
GWG
But isn't that insecure?
#
gRegorLove
You could store it in the session instead. As I realized with indiebookclub, db storage of tokens is only really necessary if you're doing something non-interactively, like Quill's email-to-post
#
tantek__
what is a token?
#
Loqi
A token is an identifier that apps use to authenticate between each other and sites; IndieWeb software often uses an access_token obtained via IndieAuth https://indieweb.org/token
#
tantek__
perhaps worth adding to a Brainstorming or FAQ section there?
#
gRegorLove
You could also periodically clear the tokens from the db.
#
GWG
I want to do something non interactively
#
gRegorLove
"isn't that insecure" is of course a gradient and there's multiple factors, in code, password strength, how secure the server is, etc.
#
GWG
WordPress option table
#
gRegorLove
If you're talking about a distributed plugin writing to options table, personally I'd be nervous, just because of WP security issues (being such a big target)
#
GWG
But I currently store mapbox API keys there, same discomfort
#
GWG
Want to secure it somehow
#
gRegorLove
Yeah. Personally I would feel safer writing them in files in a non-web directory with permissions locked down.
#
GWG
Which is a problem for users installing it.
#
GWG
It should be seamless
#
GWG
That's why I asked
#
gRegorLove
options table with periodic clearing might be the best compromise
#
GWG
Need some ideas
#
gRegorLove
What's the non-interactive use-case?
[schmarty] joined the channel
#
[schmarty]
GWG: as i understand it, storing API keys and other secrets as WP options is common practice. however, i feel like i have also seen plugins which create their own database tables for this purpose to keep them somewhat separated.
#
GWG
Well, how about the mapbox one...to auto add a map on post creation?
#
GWG
I don't want to make it impossible. Just not easy
#
GWG
I suppose I could encrypt it using the salt built into WordPress.
#
GWG
Then you'd need to compromise the database and a locked down file on the server
#
gRegorLove
Eh, they only need to compromise the server to read wp-config in that instance, still
#
[schmarty]
i think the general security model for WP is "if they have your database they have it all"
#
tantek__
right, most of these attacks come down to "only need to compromise the server"
#
GWG
So, I should let it be?
#
[schmarty]
whispered words of wisdom.
#
tantek__
GWG, in general it is good to avoid 'security theater'
#
tantek__
where it seems like you're doing something to add security, but in practice you're not, and that "seems like" may actually be a negative in that it gives a false impression of added security
#
GWG
I should hide the key from being copied in the UI though
#
GWG
Which I don't now.
#
GWG
So much to learn
jackjamieson and [keithjgrant] joined the channel
#
[keithjgrant]
If anyone is willing/interested to try out the new Omnibear, it's stable in the `bookmarks` branch
#
[keithjgrant]
(reacji is the only feature not working at this point. Plus some misc cleanup remaining)
KevinMarks_, KevinMarks, KartikPrabhu, snarfed and jgmac1106 joined the channel
#
gRegorLove
looking good!
jgmac1106 joined the channel
#
tantek__
[keithjgrant]++ nice!
#
Loqi
[keithjgrant] has 7 karma in this channel over the last year (20 in all channels)
#
tantek__
what is omnibar
#
Loqi
It looks like we don't have a page for "omnibar" yet. Would you like to create it? (Or just say "omnibar is ____", a sentence describing the term)
#
tantek__
what is omnibear
#
Loqi
Omnibear is a browser extension for posting text notes, replies, and likes to your website using Micropub https://indieweb.org/Omnibear
#
tantek__
[keithjgrant]: does the screenshot ^^^ need an update? or maybe archiving as a previous version? perhaps still useful for the /create page
leg joined the channel
#
[keithjgrant]
Yeah, once I wrap up the release, I'll update screenshots on omnibear.com and the entry here
#
[keithjgrant]
looks like the screenshot on the wiki is from the original version. Oooooold
strugee joined the channel
#
boffosocko.com
edited /accessibility (+309) "Accessibility and Contrast Bookmarklet & Userway accessibility plugins"
#
GWG
Any movement on the cookie issue in Omnibear?
jgmac1106 and TripFandango joined the channel
#
@jackjamieson
↩️ By the way, Yarns has turned into https://github.com/jackjamieson2/yarns-microsub-server and I'm not really working on the old version anymore. The new version is still in progress, but works pretty well. If you want to try it out I'd be happy to walk you through the setup
(twitter.com/_/status/1034520781768859654)
eli_oat1 and [keithjgrant] joined the channel
#
[keithjgrant]
@GWG yes, [grantcodes] fixed it in his library. I just need to bump my dependency
#
[keithjgrant]
So that will be fixed in this release 🎉
#
GWG
Great
#
GWG
Tell me when
#
pstuifzand
I'm trying to build a full browser based Microsub client, but I need everything to support CORS (Access-Control-Allow-Origin and friends)
#
pstuifzand
Is this something a Microsub server should support in some way?
#
aaronpk
yeah i think so
#
pstuifzand
Yeah, I thought so, because otherwise you need to write the server twice
#
pstuifzand
And how about Indieauth endpoints?
#
aaronpk
do we need to do more to prevent CSRF attacks other than using the HTTP Authorization header?
#
aaronpk
I'm trying to remember all the attacks that the CORS header is there to protect against in the first place
#
pstuifzand
"rendered" javascript from a post could hook into the reader javascript and send requests through its APIs
[kevinmarks] joined the channel
#
aaronpk
good reason to make sure you don't render JS from posts
#
pstuifzand
but that javascript from the timeline posts should be removed
jgmac1106 and KevinMarks joined the channel
#
loqi.me
created /Thread_Reader_App (+282) "prompted by gRegorLove and dfn added by gRegorLove"
#
kaja.sknebel.net
edited /Thread_Reader_App (+2) "linkify ('… is <url>' pattern)"
#
gRegorLove
whoa, fast.
jgmac1106, jackjami_ and [cleverdevil] joined the channel
#
gregorlove.com
edited /block (+185) "/* See Also */ thread, archived"
snarfed and [grantcodes] joined the channel
#
[grantcodes]
Yeah indieauth is one of the main reasons to not build everything client side. Asking microsub servers to support cors is fine, but every other website not so much
#
[grantcodes]
But you could just have a backend for auth
#
[grantcodes]
Then there's also micropub too
#
[cleverdevil]
Catching up on scrollback, with regard to storing location history, I save each batch of data from Overland, in a slightly transformed state (one line of normalized JSON data per line) in a single "object" in S3.
#
[cleverdevil]
Result is that I have hundreds of thousands of objects saved, but that's exactly what S3 is good for.
#
[cleverdevil]
Then, I have the data in the objects queryable with SQL using Athena.
#
[cleverdevil]
Basically treats my S3 "data lake" as a gigantic database table.
#
[cleverdevil]
Pretty neat 🙂
#
[cleverdevil]
If you're interested in the details, I actually spoke about it last week at the AWS Summit in Anaheim - https://cleverdevil.io/s/dlag1GnFrU.pdf
#
[cleverdevil]
(Those are my slides!)
#
pstuifzand
grantcodes: it seems I only needed to add a header in one place and that's on the POST of the token_endpoint
#
[grantcodes]
Hmm pstuifzand: How do you read users endpoints from their sites?
KevinMarks_, snarfed and ben_thatmustbeme joined the channel