#dev 2018-08-28

2018-08-28 UTC
#
vilhalmer it was happy with the output of `gpg -s --armor` as well which contains just a BEGIN PGP MESSAGE section
#
vilhalmer (once I manually enabled the button)
#
vilhalmer the one is your screenshot is --clear-sign?
#
vilhalmer you may be able to tell I don't actually use pgp for much
#
aaronpk Same haha
#
aaronpk Well if that worked then file an issue with the details and I'll make the JS recognize that too
#
vilhalmer will do, thanks for the help
#
vilhalmer I can submit a pr if you'd prefer too
KevinMarks joined the channel
#
aaronpk sure if you're up for it!
#
vilhalmer done and done!
#
aaronpk woohoo thanks!
#
Loqi yay!
#
aaronpk probably can't look at it til wednesday
#
vilhalmer np
renem, isgy, AngeloGladding, kicks, [tantek], KartikPrabhu and iasai joined the channel
#
GWG Hmm... aaronpk's site does Accept: application/mf2+json
[eddie], AngeloGladding, KartikPrabhu, cweiske, Guest92, jeremych_ and [pfefferle] joined the channel
#
@megarush1024 That time you search through all the posts on your site because you know you complained about Spotify’s suggestion algo when you have a playlist on shuffle and it something lame, and you know @jage9 told you how to fix it in a Twitter reply that came back as a webmention. (twitter.com/_/status/1034332413911023616)
stevestreza, [kevinmarks], jeremych_, [pfefferle], rigelk, KevinMarks, [jgmac1106], [xavierroy], jgmac1106, [jgarber] and [tantek] joined the channel
#
GWG How do you securely store access tokens so a website can retrieve data on your behalf?
[Niklas], niklas, ben_thatmustbeme, KevinMarks and barpthewire joined the channel
#
@caraudioshoppin Don't be fooled by its size or name...the MicroSub™ CP208 enclosure will provide just the right of amount of bass in this GMC Yukon! Nice choice by our friends ! #HowWePlay #JLAudio #MicroSubb #GMCYukon Repost from @jlaudioinc (twitter.com/_/status/1034435716745490432)
jgmac1106 and KevinMarks joined the channel
#
@jgmac1106 ↩️ Why not just use your own domain for your to-do list and own your task. Here is my example: https://jgregorymcverry.com/my-to-do-list/ I send myself a webmention as updates. I have used Google Keep as well and just pin a “to-do, doing,  done” (http://jgregorymcverry.com/6265-2/) (twitter.com/_/status/1034444516898623489)
iasai and AngeloGladding joined the channel
#
petermolnar_ how large of a html file is a definite no? I'm re-evaluating of creating a scrobbles archive, but given the csv is 4.3MB, the html would easily lick the 10s of MB size if I want a single page archive
tantek__, KartikPrabhu and [cleverdevil] joined the channel
#
tantek__ good question petermolnar_ ! I believe aaronpk has similar issues with tracking location
#
tantek__ This is a good use-case for storing webmentions from 3rd parties on your own server, and serving them up server-side: being able to search them with web search tools! https://twitter.com/megarush1024/status/1034332413911023616
#
@megarush1024 That time you search through all the posts on your site because you know you complained about Spotify’s suggestion algo when you have a playlist on shuffle and it something lame, and you know @jage9 told you how to fix it in a Twitter reply that came back as a webmention. (twitter.com/_/status/1034332413911023616)
#
tantek__ what is search
#
Loqi search in the context of the IndieWeb refers to being able to search your personal site for your own content https://indieweb.org/search
#
aaronpk Yeah I decided to split my location data up into per-day files so that no file is more than 86,400*record size bytes
#
eli_oat @tantek_ I often think of handling webmentions in that way for exactly that reason but worry it is a violation of GDPR, or just basic trust
#
aaronpk In practice they range from 400k-1.5mb or so
#
tantek__ search << Use-case: searching your posts and the webmentions they have received using web search tools, good reason to store received webmentions and render them server-side: https://twitter.com/megarush1024/status/1034332413911023616
#
@megarush1024 That time you search through all the posts on your site because you know you complained about Spotify’s suggestion algo when you have a playlist on shuffle and it something lame, and you know @jage9 told you how to fix it in a Twitter reply that came back as a webmention. (twitter.com/_/status/1034332413911023616)
#
Loqi ok, I added "Use-case: searching your posts and the webmentions they have received using web search tools, good reason to store received webmentions and render them server-side: https://twitter.com/megarush1024/status/1034332413911023616" to the "See Also" section of /search https://indieweb.org/wiki/index.php?diff=51350&oldid=48188
#
aaronpk I didn't want to deal with managing a multi gigabyte single file
#
tantek__ eli_oat: there's lots of exaggeration around GDPR, maybe check /GDPR for some details
#
aaronpk (Whether that's a MySQL data file or flat data file)
#
tantek__ in particular, lots of exemptions for personal use, note that webmention protocol already had "delete" as required etc.
#
eli_oat ooh, good call
[eddie] joined the channel
#
tantek__ pingback OTOH does not have delete. nor do any other forms of refback (trackback, linkback whatever)
#
[eddie] eli_oat: One option is also storing all the webmentions but not displaying them all publically
#
tantek__ so you *could* make the case that by formalizing and requiring "delete" support, webmention by default enables more/easier GDPR compliance than any of the prior alternatives
#
eli_oat that is sort of where I started to move, but then also realized that the effort wasn't really worth the benefit I'd gain
#
tantek__ eli_oat: indeed there are use-cases for storing but not displaying all
#
tantek__ e.g. muting, blocking, recording a pattern of (mis)behavior etc.
AngeloGladding joined the channel
#
eli_oat I hadn't thought about the data-set value, that seems sort of fun...intriguing
#
eli_oat Thanks for these thoughts tantek__
KartikPrabhu joined the channel
#
tantek__ no problem! I'm still working on webmention storage myself so this discussion is helpful!
snarfed, TripFandango and [kevinmarks] joined the channel
#
[kevinmarks] what is timeline?
#
Loqi The timeline briefly documents key IndieWeb (and influencing thereof) terms/ideas/concepts, implementations, specifications, events, and other achievements; people involved, and dates/URLs for each https://indieweb.org/timeline
#
[kevinmarks] ah not that one
#
[kevinmarks] what is chronological?
#
Loqi It looks like we don't have a page for "chronological" yet. Would you like to create it? (Or just say "chronological is ____", a sentence describing the term)
#
snarfed petermolnar_: http archive has great stats on html size (and lots more) across the web. https://httparchive.org/reports/state-of-the-web
#
snarfed i haven't easily found the query for html only there, but looks like it averages in the 60KB range, just fyi. https://www.sitepoint.com/average-page-weight-increases-15-2014/
#
[kevinmarks] chronological timeline << http://www.dieselsweeties.com/ics/617/
#
Loqi ok, I added "http://www.dieselsweeties.com/ics/617/" to the "See Also" section of /chronological_timeline https://indieweb.org/wiki/index.php?diff=51351&oldid=51063
#
tantek__ what is chronological feed
#
Loqi chronological feed is a stream of posts in time order, typically in reverse chronological order of their published date (newest first), popularized on the web by journals and blog home pages, feed readers, and social media, until the latter switched to algorithmic feeds, frustrating many users https://indieweb.org/chronological_feed
#
snarfed as another data point, when bridgy crawls h-feeds to find synd links, it rejects any HTML page over 500KB
#
[kevinmarks] I think it belongs on that one
#
tantek__ what is chronological timeline
#
Loqi chronological timeline is a redundant phrase (timelines are inherently chronological, because they are *time*lines) used to refer to a chronological feed https://indieweb.org/chronological_timeline
#
[kevinmarks] http://www.dieselsweeties.com/strips666/ds617.png
#
tantek__ so close kevinmarks
#
tantek__ it belongs here IMO
#
tantek__ what is algorithmic timeline?
#
Loqi algorithmic timeline (sometimes non-chronological timeline) is a doublespeak phrase propagated by silos (and some popular media) to refer to social media algorithmic feed feature(s), as a timeline is "a display of a list of events in chronological order"[1], whereas silos now (since 2016+) use "timeline" to refer to often out of chronological order display of aggregations of following's posts which still presentationally resemble previous chronologically ordered displays https://indieweb.org/algorithmic_timeline
#
[kevinmarks] hah
#
tantek__ maybe even as the page embedded graphic 😂
#
snarfed ooh there's also indie map. trying now
#
[kevinmarks] hm is this a better preview? https://mastodon.social/@rstevens/100627924797962998
#
snarfed it says the mean html page size in its dataset (indieweb sites) is 34KB.
#
snarfed (minor note: that's technically characters, not bytes)
#
Loqi [rstevens 🐳💨✅] Today's comic hates the algorithm.http://www.dieselsweeties.com/ics/617/ https://files.mastodon.social/media_attachments/files/005/857/204/original/76ea869e3f81bc41.png
#
[kevinmarks] mastodon has better mf2 than the origin site
#
snarfed (query was `select avg(length(html)) from indiemap.pages` on https://console.cloud.google.com/bigquery?project=indie-map )
#
tantek__ kevinmarks yes!
AngeloGladding joined the channel
#
GWG Morning all
#
GWG I asked earlier, but will ask again. How do I securely store tokens I need to use?
#
tantek__ GWG what is an example of such a token?
KartikPrabhu joined the channel
#
GWG Let's say that I want my site to query a Micropub Endpoint, which requires an Oauth2 bearer token
#
GWG The only place I have to store it is in the database
strugee joined the channel
#
GWG But isn't that insecure?
#
gRegorLove You could store it in the session instead. As I realized with indiebookclub, db storage of tokens is only really necessary if you're doing something non-interactively, like Quill's email-to-post
#
tantek__ what is a token?
#
Loqi A token is an identifier that apps use to authenticate between each other and sites; IndieWeb software often uses an access_token obtained via IndieAuth https://indieweb.org/token
#
tantek__ perhaps worth adding to a Brainstorming or FAQ section there?
#
gRegorLove You could also periodically clear the tokens from the db.
#
GWG I want to do something non interactively
#
gRegorLove "isn't that insecure" is of course a gradient and there's multiple factors, in code, password strength, how secure the server is, etc.
#
GWG WordPress option table
#
gRegorLove If you're talking about a distributed plugin writing to options table, personally I'd be nervous, just because of WP security issues (being such a big target)
#
GWG But I currently store mapbox API keys there, same discomfort
#
GWG Want to secure it somehow
#
gRegorLove Yeah. Personally I would feel safer writing them in files in a non-web directory with permissions locked down.
#
GWG Which is a problem for users installing it.
#
GWG It should be seamless
#
gRegorLove Yep
#
GWG That's why I asked
#
gRegorLove options table with periodic clearing might be the best compromise
#
GWG Need some ideas
#
gRegorLove What's the non-interactive use-case?
[schmarty] joined the channel
#
[schmarty] GWG: as i understand it, storing API keys and other secrets as WP options is common practice. however, i feel like i have also seen plugins which create their own database tables for this purpose to keep them somewhat separated.
#
GWG Well, how about the mapbox one...to auto add a map on post creation?
#
GWG I don't want to make it impossible. Just not easy
#
GWG I suppose I could encrypt it using the salt built into WordPress.
#
GWG Then you'd need to compromise the database and a locked down file on the server
#
gRegorLove Eh, they only need to compromise the server to read wp-config in that instance, still
#
[schmarty] i think the general security model for WP is "if they have your database they have it all"
#
tantek__ right, most of these attacks come down to "only need to compromise the server"
#
GWG So, I should let it be?
#
[schmarty] whispered words of wisdom.
#
tantek__ GWG, in general it is good to avoid 'security theater'
#
tantek__ where it seems like you're doing something to add security, but in practice you're not, and that "seems like" may actually be a negative in that it gives a false impression of added security
#
GWG I should hide the key from being copied in the UI though
#
GWG Which I don't now.
#
Loqi yea
#
GWG So much to learn
jackjamieson and [keithjgrant] joined the channel
#
[keithjgrant] If anyone is willing/interested to try out the new Omnibear, it's stable in the `bookmarks` branch
#
[keithjgrant] https://github.com/keithjgrant/omnibear/tree/bookmarks
#
[keithjgrant] (reacji is the only feature not working at this point. Plus some misc cleanup remaining)
KevinMarks_, KevinMarks, KartikPrabhu, snarfed and jgmac1106 joined the channel
#
[keithjgrant] https://pbs.twimg.com/media/DltF-6uXgAIoKoX.jpg:large
#
gRegorLove looking good!
jgmac1106 joined the channel
#
tantek__ [keithjgrant]++ nice!
#
Loqi [keithjgrant] has 7 karma in this channel over the last year (20 in all channels)
#
tantek__ what is omnibar
#
Loqi It looks like we don't have a page for "omnibar" yet. Would you like to create it? (Or just say "omnibar is ____", a sentence describing the term)
#
tantek__ what is omnibear
#
Loqi Omnibear is a browser extension for posting text notes, replies, and likes to your website using Micropub https://indieweb.org/Omnibear
#
tantek__ [keithjgrant]: does the screenshot ^^^ need an update? or maybe archiving as a previous version? perhaps still useful for the /create page
leg joined the channel
#
[keithjgrant] Yeah, once I wrap up the release, I'll update screenshots on omnibear.com and the entry here
#
[keithjgrant] looks like the screenshot on the wiki is from the original version. Oooooold
strugee joined the channel
#
boffosocko.com edited /accessibility (+309) "Accessibility and Contrast Bookmarklet & Userway accessibility plugins" (view diff)
#
GWG Any movement on the cookie issue in Omnibear?
jgmac1106 and TripFandango joined the channel
#
@jackjamieson ↩️ By the way, Yarns has turned into https://github.com/jackjamieson2/yarns-microsub-server and I'm not really working on the old version anymore. The new version is still in progress, but works pretty well. If you want to try it out I'd be happy to walk you through the setup (twitter.com/_/status/1034520781768859654)
eli_oat1 and [keithjgrant] joined the channel
#
[keithjgrant] @GWG yes, [grantcodes] fixed it in his library. I just need to bump my dependency
#
[keithjgrant] So that will be fixed in this release 🎉
#
GWG Great
#
GWG Tell me when
#
[keithjgrant] Will do
#
pstuifzand I'm trying to build a full browser based Microsub client, but I need to everything to support CORS (Access-Control-Allow-Origin and friends)
#
pstuifzand Is this something a Microsub server should support in some way?
#
aaronpk yeah i think so
#
pstuifzand Yeah, I thought so, because otherwise you need to write the server twice
#
pstuifzand And how about Indieauth endpoints?
#
aaronpk do we need to do more to prevent CSRF attacks other than using the HTTP Authorization header?
#
aaronpk I'm trying to remember all the attacks that the CORS header is there to protect against in the first place
#
pstuifzand "rendered" javascript from a post could hook into the reader javascript and send requests throught it's api's
[kevinmarks] joined the channel
#
aaronpk good reason to make sure you don't render JS from posts
#
pstuifzand but that javascript from the timeline posts should be removed
#
pstuifzand yeah
jgmac1106 and KevinMarks joined the channel
#
loqi.me created /Thread_Reader_App (+282) "prompted by gRegorLove and dfn added by gRegorLove" (view diff)
#
kaja.sknebel.net edited /Thread_Reader_App (+2) "linkify ('… is <url>' pattern)" (view diff)
#
gRegorLove whoa, fast.
jgmac1106, jackjami_ and [cleverdevil] joined the channel
#
gregorlove.com edited /block (+185) "/* See Also */ thread, archived" (view diff)
snarfed and [grantcodes] joined the channel
#
[grantcodes] Yeah indieauth is one of the main reason to not build everything client side. Asking microsub servers to support cors is fine, but every other website not so much
#
[grantcodes] But you could just have a backend for auth
#
[grantcodes] Then there's also micropub too
#
[cleverdevil] Catching up on scrollback, with regard to storing location history, I save each batch of data from Overland, in a slightly transformed state (one line of normalized JSON data per line) in a single "object" in S3.
#
[cleverdevil] Result is that I have hundreds of thousands of objects saved, but that's exactly what S3 is good for.
#
[cleverdevil] Then, I have the data in the objects queryable with SQL using Athena.
#
[cleverdevil] Basically treats my S3 "data lake" as a gigantic database table.
#
[cleverdevil] Pretty neat 🙂
#
[cleverdevil] If you're interested in the details, I actually spoke about it last week at the AWS Summit in Anaheim - https://cleverdevil.io/s/dlag1GnFrU.pdf
#
[cleverdevil] (Those are my slides!)
#
pstuifzand grantcodes: it seems I only needed to add a header in one place and that's on the POST of the token_endpoint
#
[grantcodes] Hmm pstuifzand: How do you read users endpoints from their sites?
KevinMarks_, snarfed and ben_thatmustbeme joined the channel