#dev 2019-01-20

2019-01-20 UTC
#
gRegorLove
Doesn't work on mobile yet. Next step.
#
KartikPrabhu
unrelated but nice use of CSS grid + CSS variables
#
KartikPrabhu
or "custom properties"
#
jacky
that grid looks nice gRegorLove!
[eddie] and [dmitshur] joined the channel
#
[dmitshur]
I added a new feature for the Go packages hosted on my personal website.
#
[dmitshur]
previously, it was only possible to view the git history of an entire repository, even if it contains many Go packages inside. e.g., `dmitri.shuralyov.com/gpu/mtl/...` is a repo with 6 Go packages.
#
[dmitshur]
and the repo git history shows all commits, as usual: https://dmitri.shuralyov.com/gpu/mtl/...$history
#
[dmitshur]
but now it's possible to view history of a single Go package, filtering out all the commits that didn't touch it:
#
[dmitshur]
(it is similar to how you can view history for a subdirectory in GitHub, e.g. https://github.com/golang/go/commits/master/src/encoding, except it filters out subdirectories too, so it's really just that Go package and nothing else.)
j12t_, [tantek] and [eddie] joined the channel
#
[eddie]
!tell gRegorLove Overcast has an “extended OPML file” that lists episodes you have watched and stuff.
#
Loqi
Ok, I'll tell them that when I see them next
#
[eddie]
It’s behind the login so you [cleverdevil] made a genius script to login and download the file and then parse that OPML file and input into know
#
[eddie]
I’ve copied that python code and made a Node.js version that posts it via Micropub
#
gRegorLove
The "all data" export?
#
[eddie]
Yeah I think that’s the one
#
[eddie]
It’s only on the website not the app
#
[eddie]
Ohh yep all data
#
[eddie]
Is what it’s called
#
[eddie]
There is heavy rate limiting on it
#
[eddie]
So we’re essentially just running a cron job 1-2 times a day and grabbing it and checking for new stuff
#
[eddie]
I'm doing once a day at 1am
#
[eddie]
And grabbing things that are less than 1 day old
#
gRegorLove
Cool cool. Just updated /Overcast, maybe you can add more details to your example
#
[eddie]
Great idea!
#
[eddie]
I’ll do that tonight
#
gRegorLove
I'll have to check that out. I love Overcast. indieweb always giving me new ideas, heh
#
gRegorLove
And hey, maybe Marco will have to change this note on there about the All Data export: "It’s much larger, and no apps are currently known to import this non-standard format."
#
gRegorLove
[eddie], you've got a good eye for UI, any feedback on this article archive I'm working on? https://gregorlove.com/archives.html (whenever you have time)
#
[eddie]
Cool, yeah I’ll take a look!
#
[eddie]
Haha yeah, [cleverdevil] did message Marco about it so if he feels like it, he can update that text
#
[eddie]
I’m also thinking about creating follow posts for Podcasts based on the OPML file
#
GWG
[eddie]: I like the sound of this.
#
GWG
On an unrelated note, does anyone show word count or read time on article posts?
#
[eddie]
I used to on my Jekyll site
#
[eddie]
I want to add it back in
#
gRegorLove
I think Known does, or at least I've seen it on werd.io
#
GWG
[eddie]: Which ones?
#
[eddie]
Oh read time on articles
#
GWG
I am just deciding if it belongs in a theme or a plugin.
#
GWG
But not a dev question
#
[eddie]
Ohhh hmm yeah that’s tricky. I feel like a plugin should make it available but I feel like how it looks is a theme thing
#
GWG
I'm stripping things out of a theme and making a microformats fork
#
[eddie]
Ohhh interesting
#
GWG
Trying to make a few more themes.
[xavierroy] joined the channel
#
jacky
thinking more on how private messaging can work within the indieweb; lots of good content on the wiki
#
aaronpk
yeah there's been quite a few attempts over the years, but nothing has caught on with more than 2 or 3 implementations
#
jacky
that's prob the biggest "anchor" for me and from what I get from asking around
#
aaronpk
totally
#
jacky
I wonder what's the ultimate blocker?
#
jacky
interactivity with people from silos?
#
jacky
like I could see something where I share a link with a few friends but they don't have an indieweb site to login with
#
jacky
notes that this is lightly optimized to encourage people from silos to come in
#
dansup
is interested in this too, indieweb ephemeral content could be a pretty big feature imo
#
dansup
it would depend of course on private messages though
#
jacky
what is ephermeral
#
Loqi
It looks like we don't have a page for "ephermeral" yet. Would you like to create it? (Or just say "ephermeral is ____", a sentence describing the term)
#
jacky
agh there's a page on it
#
jacky
I was reading it earlier
#
dansup
what is ephemeral
#
Loqi
Expiring content is content that is only temporarily (ephemerally) relevant, and also part of a larger post, that can and should be (preferably automatically) removed once a particular datetime has passed (the expiration date) https://indieweb.org/ephemeral
#
jacky
right
#
dansup
oh cool
#
jacky
the thing is; once someone "ingests" a message; you have to trust their implementation to delete the message on their site
#
jacky
kinda like the whole AP Create -> Update flow
#
jacky
or rather just Delete
#
dansup
yeah, i mean it's possible to screen capture it anyways
#
jacky
right lol
#
jacky
and at that point, it doesn't even matter
#
jacky
can't engineer that away
#
dansup
I've thought a lot about this for pixelfed stories and I have to remember that by nature they are a mass DM sent to every follower. For the first iteration, it will be local only while I figure out the federated solution. I'm thinking signed urls for each follower that expires in 24 hours
#
jacky
signed URIs seem like the proven way to go if you treat it like a resource that has some sort of ACL on it
#
jacky
agh now the act of having people "sign in" a personal site feels a bit wonky
#
dansup
yeah, I'm not sure how this would work in the indieweb
#
jacky
but mentally it's not; it's like letting someone into your home - they can see public spaces but with permission, they can get a time-lapsed key to other rooms
#
jacky
I just see `WWW-Authenticate: IndieAuth` everywhere lol
#
dansup
heh
#
jacky
so many w3c docs in my wallabag reader lol
#
dansup
Interesting, I didn't know this had a technical name
#
jacky
this is the thing I think kaniini was talking about in their blog series
tw2113 joined the channel
#
dansup
yeah
#
dansup
I never put 2 and 2 together lol, I thought OCAP was more complicated
#
jacky
same! I spent some time digging today on it
#
jacky
like if all goes well, this is how everything _should_ be done
#
jacky
asking for permission instead of just giving everything away
#
dansup
yeah! I was a bit concerned about how enumerable the mastodon v1 APIs are so I am implementing hashids in pixelfed
#
jacky
oh I remember looking into this!
#
jacky
they're also a bit cleaner than UUIDs all over the place lol
#
jacky
yeah this is actually really nice
#
jacky
I don't know if this would be handy for a single tenant system tho
#
dansup
true, not sure it would matter for that
[eddie] joined the channel
#
[eddie]
jacky: I think the two biggest blockages in IndieWeb world for private content is Readers apps and Automated Authentication
#
[eddie]
With Microsub we’re finally making good ground on a way to live inside of an IndieWeb Social Reader
#
[eddie]
What is AutoAuth?
#
Loqi
AutoAuth is the working title of an extension to IndieAuth that allows clients to authorize to other servers in the name of their user, without the user being present to confirm each individual authorization flow https://indieweb.org/AutoAuth
#
[eddie]
And that is a brainstorm from 2018 IWCs on how to let a reader access private info
#
[eddie]
But we need to start implementing and testing AutoAuth (that’s on my todo list on my site)
#
jacky
looks into autoauth
micahsilverman and [asuh] joined the channel
#
[asuh]
could Reader and Auth apps just use public key crypto for it to be as private as possible? Similar to TLS and PGP
[pfefferle] joined the channel
#
jacky
something like this would be a good use case of Occam's Razor
#
jacky
I wanna try this out but I have to build / hack on a reference reader
#
jacky
this = an idea I have
#
jacky
possibly using a status code indicating that more authentication is required and providing a link to handle that could help
#
jacky
a bit like the WWW-Authenticate approach
#
jacky
I _think_ that's the problem AutoAuth is aiming to solve
#
jacky
regarding cap URIs, this bit seems useful https://w3ctag.github.io/capability-urls/#second-life
leg, KartikPrabhu and [kevinmarks] joined the channel
#
[kevinmarks]
That reminds me of google reader - it made feed urls for your favorites and shares that looked like those capability URLs - they had huge GUIDs in.
#
[kevinmarks]
So users thought of them as private, when it was just bad URL design. The Reader team then made them discoverable so you could find your contacts' favorite feeds, and some people got very upset.
#
@chrisbiscardi
↩️ Webmentions are going well. I haven't done really any styling on them but gatsby-plugin-webmention works and I'm sending tweet replies through with http://brid.gy https://www.christopherbiscardi.com/post/composition-of-styles-strings-vs-objects has a bunch of them at the bottom of the post
(twitter.com/_/status/1086939935939080192)
#
Zegnat
!tell jacky there was a demo of autoauth at the end of IWC Berlin by sknebel and me, watchable on YouTube. We worked on that experimental extension together with aaronpk in Nürnberg. The WWW-Authenticate is the HTTP Header for telling a client that further auth will change the page, so seemed right.
#
Loqi
Ok, I'll tell them that when I see them next
#
[kevinmarks]
the other feed-based thing that the capability urls remind me of is http://themineproject.org/
[grantcodes] joined the channel
jjuran, barpthewire, eduardm, jeremych_, leg, [schmarty] and [eddie] joined the channel
#
[eddie]
!tell jacky, asuh you are of course welcome to work on whatever you guys would like. But heading straight into encryption is a pretty big jump and due to the complications that adds, I don’t think many will follow you that far. But of course, you are welcome to scratch your own itch
#
Loqi
Ok, I'll tell them that when I see them next
#
sknebel
encryption?
#
sknebel
must have missed some scrollback
#
sknebel
I'd be skeptical of that without good arguments why HTTPS isn't enough
#
sknebel
always happy about feedback or other implementers for AutoAuth though!
[kevinmarks] joined the channel
#
aaronpk
I will say it again, baking crypto into the layer of the protocol has not worked well historically. it's best to use crypto as the transport layer so that it can continue to evolve while the application layer doesn't change. this is how HTTPS works for example. we've gone through many versions of SSL/TLS over the years but the HTTP vocabulary doesn't need to know.
#
aaronpk
this is also one of the reasons oauth 1 failed
#
sknebel
yes, that.
#
sknebel
also having other people make libraries and tooling for HTTPS is quite valuable. E.g. in ActivityPub it seems quite a bit of time for implementers goes into getting the signature stuff right, because it isn't commonplace and battle-tested yet
#
aaronpk
and as soon as there's a bug found in the signature protocol, everyone is going to have to update their code bases to fix it, whereas when there's an openssl bug, it's an update of the underlying operating system but no change to application code
KartikPrabhu joined the channel
#
[eddie]
Yeah, the primary reason I went with Bridgy for my Fediverse integration over custom was because of crypto and signatures
#
[eddie]
It was just too much of a headache, and believe me, I tried all the tutorials I could find
#
[eddie]
Everything else for ActivityPub was fine (pushing JSON around)
#
[eddie]
Eventually I decided Bridgy Fed was easier
#
[eddie]
We don’t want an essential IndieWeb protocol to encourage people to offload the work like that
noor1 joined the channel
#
Zegnat
It is also a different mind-set, I think. SSB does the encryption thing, because it always delivers the content and by you being able to decrypt it you prove you may read it. AutoAuth is the other way around, where you must first prove you may read it before you can fetch the content. That way having the transaction itself encrypted (https) gives a lot of the needed privacy in itself.
#
sknebel
SSB is even further in that direction, yes, but it is designed to work offline, so it has to
#
Zegnat
For sure, I just find it a nice and clear project to compare with because of the transport difference
[kevinmarks] joined the channel
#
[kevinmarks]
I downloaded ssb, but didn't have anyone to use it with
KartikPrabhu joined the channel
#
Zegnat
I am interested in it for its sneakernet qualities, but haven’t had a good opportunity to test it yet
[schmarty] and [asuh] joined the channel
#
[asuh]
good discussion, i didn’t know the history and discussion for crypto integration
#
Loqi
[asuh]: [eddie] left you a message 3 hours, 3 minutes ago: you are of course welcome to work on whatever you guys would like. But heading straight into encryption is a pretty big jump and due to the complications that adds, I don’t think many will follow you that far. But of course, you are welcome to scratch your own itch
[grantcodes], [tantek], [jgmac1106] and eduardm joined the channel
#
[tantek]
what is crypto
#
Loqi
It looks like we don't have a page for "crypto" yet. Would you like to create it? (Or just say "crypto is ____", a sentence describing the term)
#
[tantek]
aaronpk, that succinct summary of crypto and protocol design is excellent, especially with the examples
#
[tantek]
eddie, yours too
#
[tantek]
please capture those insights on the wiki, they're definitely both non-obvious, and quite relevant to indieweb building blocks
#
[tantek]
(worth having around to link to)
#
aaronpk
what is cryptography?
#
Loqi
It looks like we don't have a page for "cryptography" yet. Would you like to create it? (Or just say "cryptography is ____", a sentence describing the term)
#
aaronpk
huh lots of related terms already on the wiki too
KartikPrabhu and [kevinmarks] joined the channel
#
@smartworldsec
Dweb: Identity for the Decentralized Web with IndieAuth – Mozilla Hacks - the Web developer blog https://hacks.mozilla.org/2018/10/dweb-identity-for-the-decentralized-web-with-indieauth/
(twitter.com/_/status/1087081877872230400)
[Rose] and KartikPrabhu joined the channel
#
aaronpk
[eddie] when you get a chance feel free to add your experience here! https://indieweb.org/cryptography
[jgmac1106] and [eddie] joined the channel
#
GWG
https://tiny.n9n.us/ - Playing with adding a status bar at the top and putting weather and such in it. How does it look so far?
#
Loqi
gwg has 40 karma in this channel over the last year (157 in all channels)
#
GWG
Is that a...looks good so far?
#
[jgmac1106]
the 300X 77 box size IMO makes too much negative space between your widgets
#
[jgmac1106]
though having hard time in Inspector telling where the weather widget and the post kind widget start and stop, but that is probably me messing up
#
[jgmac1106]
now I see the status bar....if you want a bar to stick out need a different background color IMO
eduardm_ joined the channel
#
GWG
I was working on the text.
#
GWG
I have not yet gotten to color
#
GWG
Also, the theme allows for color changes, so I have to factor that in
#
jacky
yeah I mean I don't think I would have ventured down that road
#
Loqi
jacky: Zegnat left you a message 9 hours, 53 minutes ago: there was a demo of autoauth at the end of IWC Berlin by sknebel and me, watchable on YouTube. We worked on that experimental extension together with aaronpk in Nürnberg. The WWW-Authenticate is the HTTP Header for telling a client that further auth will change the page, so seemed right.
#
Loqi
jacky: [eddie] left you a message 6 hours, 20 minutes ago: you are of course welcome to work on whatever you guys would like. But heading straight into encryption is a pretty big jump and due to the complications that adds, I don’t think many will follow you that far. But of course, you are welcome to scratch your own itch
#
jacky
just would have left the authz in IndieAuth
#
[eddie]
Ohhh gotcha.
#
jacky
I think the furthest I'd go would be attaching a link to a signature of the page from my site using my GPG key
#
jacky
like if I sent a PM from https://jacky.wtf/xyz123, there'd be a https://jacky.wtf/xyz123.sig or something
jjuran joined the channel
#
[eddie]
!tell aaronpk added experiences to Cryptography page
#
Loqi
Ok, I'll tell them that when I see them next
#
aaronpk
yay thanks
#
Loqi
aaronpk: [eddie] left you a message 8 minutes ago: added experiences to Cryptography page
snarfed joined the channel
#
snarfed
jacky: yeah proof of identity/ownership is a common argument for why a protocol needs something like public key crypto, signatures, etc
#
snarfed
the standard indieweb answer is, domain + SSL cert already serves that purpose. ie if something is posted on your (indieweb) domain, that's enough to prove that you wrote/own it
#
sknebel
as a consequence, nearly everything is pull-based: you want to check something is from a domain? fetch its url and check if it's actually there. vs e.g. signed e-mails, where you push a signed message, because you can't "fetch" something, or ActivityPub (I think), ...
#
sknebel
(although the latter of course needs to know the key for the signature, or be able to fetch it somehow, and validate it's not expired/revoked, ...)
#
snarfed
also public key crypto requires PKI which is more or less an unsolved problem in general. SSL certs and GPG web of trust are afaik the only solutions implemented at scale, and really only SSL is truly at scale.
#
snarfed
(hence ^ sknebel's "needs to know the key...")
#
aaronpk
interestingly, activitypub's solution to key discovery is to use https
tw2113 joined the channel
#
snarfed
aaronpk: you mean w/http signatures? only a little, right. it distributes its own keys, ie it doesn't use SSL certs, but it does depend on SSL to guarantee the integrity of that key distribution
#
snarfed
(its other option is LD sigs, which i haven't looked into)
#
aaronpk
yeah http signatures relies on fetching the key over https so it's still relying on the whole CA PKI stuff
#
aaronpk
LD sigs too but the signed data becomes part of the JSON instead of just sent in the HTTP headers
tomasparks joined the channel
#
aaronpk
the main difference between the two is LD sigs lets someone else pass along signed messages, whereas http sigs only the author can send the signed message
#
snarfed
also http sigs use their own keys, so they rely on CAs for PKI way less than indieweb
#
aaronpk
my point is that the key distribution for both http and LD sigs goes over HTTPS first
#
snarfed
yes, i understand
#
snarfed
curious though, does AP mandate HTTPS?
#
snarfed
er, does http sigs?
#
snarfed
looking
#
aaronpk
IIRC it doesn't say how to find the key
#
aaronpk
activitypub says that keyId is a URL which is the key
#
aaronpk
"Management of keys and assignment of `keyId` is out of scope for this document"
#
snarfed
so as far as we know AP/http sigs actually don't guarantee/depend on SSL, CA PKI, etc
#
snarfed
maybe implicitly but maybe not explicitly 🤦‍♀️
#
aaronpk
well activitypub has effectively mandated that keyId is an HTTPS URL
#
aaronpk
but there isn't an actual spec that says that, because reasons
#
aaronpk
there's been some progress on litepub, actually I bet it's there
#
snarfed
"effectively"...but not in a spec. nice :P
#
aaronpk
hm I don't see anything about keyId https://litepub.social/litepub/overview.html
#
aaronpk
ooh it may have been in the web payments group spec
#
aaronpk
I remember they were referencing stuff from that
#
aaronpk
anyway yes neither HTTP signatures nor ActivityPub actually describe enough to create interoperable implementations, they both require decisions that are "out of scope" of both documents.
#
aaronpk
similar story to OAuth 2
#
aaronpk
and similar to how the webmention spec doesn't tell you anything about how to find comment text, you need microformats for that which is a different spec
#
snarfed
heh yup. i know this from experience, at least w/AP, implementing it for bridgy fed (including http sigs)
#
snarfed
and fumbling through misc github issues across projects to get things to interop
psy1 and KartikPrabhu joined the channel