#dev 2019-09-05

2019-09-05 UTC
tbbrown joined the channel
#
[tantek]
exactly! a follow post!
tbbrown joined the channel
#
@Cambridgeport90
↩️ @jgmac1106 Yes. @MastodonProject needs WebMention support. Though wasn't that a huge debate in the past?
(twitter.com/_/status/1169408983767113728)
[manton] joined the channel
#
[tantek]
[aaronpk] check out the hearts health display here: https://en.wikipedia.org/wiki/Health_(gaming)#Display
#
aaronpk
I feel like that needs to be more than just based on hunger
[fluffy] joined the channel
#
[fluffy]
oops, webmention.js is vulnerable to XSS injections. I would have expected webmention.io to filter that stuff out.
#
aaronpk
webmention.io does intentionally give you HTML in the HTML property
#
aaronpk
it should be pretty strict about what it allows tho
#
[fluffy]
It looks like one `<script>` tag made it through.
#
aaronpk
huh that doesn't sound right
#
aaronpk
are you sure you aren't rendering a plaintext property as unescaped HTML?
#
[fluffy]
Pretty sure?
#
[fluffy]
I’m opening a bug report against webmention.js in any case
#
[fluffy]
I’ll post it when I get to it 😛
#
aaronpk
k. I wanna double check webmention.io is sanitizing properly too, cause it should be
#
[fluffy]
yeah I’m working on getting the useful information for this stuff
#
[fluffy]
it looks like the actual alert that pops up is just from the page that’s linked to though
#
[fluffy]
Safari is making it look like the XSS worked but it didn’t actually
#
[fluffy]
It’d be nice if there were a simple thing from the webmention.io dashboard to get the JSON data as a text/plain directly from there
#
Loqi
[fluffy-critter] #5 XSS vulnerability
#
[fluffy]
and yeah I’m using .text without escaping, oops
#
[fluffy]
well that’s a trivial fix
#
[fluffy]
… why doesn’t javascript have a built-in htmlentities function?
#
[fluffy]
it has escape() but that URL-encodes things
#
aaronpk
Good idea
qotta joined the channel
#
[fluffy]
Hm, what’s `url` supposed to be in the mention itself? The topmost mention on https://webmention.io/api/mentions.jf2?target=http://beesbuzz.biz/blog/chatter/4201-Just-testing-something-on-webmention-io has a url that’s different from wm-source.
#
aaronpk
Reported url from the microformats on the page
#
[fluffy]
ah, or maybe the rel=“canonical”?
cghfgh joined the channel
#
@fluffy
↩️ Right, and that's the point - right now if someone links to a blog post on Mastodon, no Webmention is sent. If Mastodon were to implement sending Webmentions, then the Webmention will be sent. This is seen as a potential privacy issue.
(twitter.com/_/status/1169453841550495744)
#
aaronpk
I don't think it looks at rel canonical
[xavierroy] joined the channel
#
[xavierroy]
[snarfed] the Facebook notification mails are the problem. I suddenly get for a post and then nothing for a few and then I get notifications for another post. I've enabled all notifications from FB. Looks like more an issue from their end than yours.
#
@fluffy
ATTN folks who are using webmention.js: I done goofed and failed to sanitize some input, so there's an XSS vulnerability which needs addressing. If you're using webmention.js on your site, please update to the latest version at https://github.com/PlaidWeb/webmention.js
(twitter.com/_/status/1169460753629212672)
[jeremycherfas], [tantek], cweiske, deathrow1, [Rose], jgmac1106Discord, bekoDiscord[m] and [pawel_madej] joined the channel
#
[pawel_madej]
Please share this issue and vote by using 👍 to get webmention icon better visibility and maybe addition to font awesome icon set
#
[pawel_madej]
We need 50 👍 to get to the first page of icon requests there. But more than 100 to get it to main stream and development consideration.
[grantcodes] joined the channel
#
[grantcodes]
You might have better luck with forkawesome if it's not already there
#
beko[m]
Does this bot repost everything tagged with IndieWeb on TW?
#
[grantcodes]
Depending on what you mention
#
[grantcodes]
I think it is in this channel because you mentioned webmention
#
[grantcodes]
And every tweet that mentions indieweb goes in the meta channel
#
jgmac1106
What is loqi?
#
Loqi
Loqi is a friendly and useful bot/digital therapist present in the IndieWeb discussion channels https://indieweb.org/Loqi
#
jgmac1106
I think the list of trigger words and what channels they get sent should be in that article
#
beko[m]
better not. might attract a spammer =)
#
beko[m]
Hot one this morning in a TG group of 17 people that tried to sell bitcoins. In person. Not even a Bot. Hilarious.
aleksip, krychu and [Rose] joined the channel
#
jgmac1106
turns out it wasn’t ftping 80 gigs of music overloading my servers: 20:16:56 10406 jgregory /opt/cpanel/ea-php72/root/usr/bin/php-cgi /home/jgregory/clmoocring.jgregorymcverry.com/index.php
[schmarty] and [jgmac1106] joined the channel
#
[jgmac1106]
I can not kill this process.....number changes each time I check the PID
#
jgmac1106
hoping to restore to a backup, thinking some kind of malicious script, going to have to get stricter on registration
#
jgmac1106
finally finished this, thought this was the culprit….https://jgregorymcverry.com/music/ now to add to robot.txt and password protect the page
[grantcodes] joined the channel
#
[grantcodes]
You can't kill that process because it is the process you use to check processes
#
[grantcodes]
So it stops when you quit out of top
dopplergange joined the channel
#
jgmac1106
ahh thx grantcodes, shared host is trying to fix now, I am locked out for a bit
#
jgmac1106
had no idea…..just assumed it was moving too many files…didn’t check
[snarfed] joined the channel
#
[snarfed]
ugh, hosting provider anti-pattern: overly aggressively blocking bots and bad traffic will also often include other innocent servers, since the easiest line to draw is server vs end user. indieweb depends on server to server HTTP requests working, so these "security" measures hurt our interop.
jackjamieson joined the channel
#
[schmarty]
anyone played with https://dashblock.com/ ? it's a service for making screen scrapers that output JSON
#
[schmarty]
word is some folks are using it for instagram
#
[schmarty]
also these keywords on their front page 😂 "Don’t bother with bot protection, we handle IP rotation and have some secret sauces that make things work."
#
[schmarty]
free for 1000 calls/month, which ain't much. jumps up fast from there.
eli_oat joined the channel
#
[jgmac1106]
Figured it was bitninja... I reached out to them and it was on "me" to prove the IP address wasn't malicious
#
[schmarty]
dashblock free tier works out to a little more than one call per hour on average. 😬
#
beko[m]
Hm.. [schmarty] when we wrote a scraper years ago in our company we handed every coworker a raspberry that would connect as RR. So when our alpha crawler requested stuff it picked some rasp and forwarded that request. Since all requests were eventually made over dialup connections usually valid for a maximum of 24h we didn't run into many captchas. Later, when it grew, we moved to spinning up and down AWS instances
#
beko[m]
depending on where they were cheapest 😆
#
[schmarty]
beko: 😂
#
beko[m]
Do you have IPv6 at your disposal? It's amazing how many firewalls simply ignore this. Still.
#
aaronpk
ugh blocking all of google cloud addresses? that seems...like not a good idea
#
[jgmac1106]
I went down this rabbit hole with bitninja... Spun me in circles. It's why I can't send webmentions on WP and my best guess why Kirby doesn't work
#
sknebel
Let me guess, a bunch of VPS providers too, so not only various services, but individual sites running webmentions etc blocked too?
#
sknebel
What is reclaim?
#
Loqi
It looks like we don't have a page for "reclaim" yet. Would you like to create it? (Or just say "reclaim is ____", a sentence describing the term)
#
sknebel
What is reclaim hosting?
#
Loqi
Reclaim Hosting is a web hosting company focused on the education sector to provide educators and institutions an easy way to offer their students domains and web hosting that they own and control https://indieweb.org/Reclaim_Hosting
#
sknebel
reclaim hosting << running [[WAF]] that blocks various Indieweb tools: https://github.com/snarfed/bridgy/issues/885#issuecomment-528395948
#
sknebel
What is BitNinja?
#
Loqi
It looks like we don't have a page for "BitNinja" yet. Would you like to create it? (Or just say "BitNinja is ____", a sentence describing the term)
#
Loqi
[snarfed] hi tim! honestly, if BitNinja is indiscriminately blacklisting huge swathes of IP blocks like Google Cloud's, that seems extremely aggressive to me. i expect it's also blacklisting many others too, and probably affecting many legitimate users, both a...
#
beko[m]
Can't be helped. I know this game from being blacklisted because of neighborhood on microsoft mailservers. That includes Live and Hotmail not just Outlook. Similar for GMail. I simply gave up on this and suggest to ppl to use a decent mailprovider. Tired of getting my servers unblocked when the majority of spam is coming exactly _from_ those providers.
krychu and [tantek] joined the channel
#
[jgmac1106]
Reclaim also makes their bread and butter on large institutional customers... It's how they can provide affordable (read at a loss) for singleton academics and bloggers such as myself
#
[jgmac1106]
... But this brings in additional liability around FERPA so being extra strict makes sense
#
[jgmac1106]
But this is a BitNinja problem... I can't find any of my own communication... Wonder if it was with an online chat room or something
#
[jgmac1106]
I went round and round with them trying to get webmentions and then fed bridgy working
#
@Big_EL2
Sometimes a client need a little bottom end, or low frequency and if space is limited, this #MicroSub+ will get the job done Everytime. #bigbassonly #bigbass #dynamite #smallandawesome @ Stereo One Memphis https://www.instagram.com/p/B2CVo3blc0V/?igshid=1ekhvzwyjzlf1
(twitter.com/_/status/1169651191892140032)
#
[jgmac1106]
That is a small footprint for a 250watt subwoofer. I have a 300 watt in my car, I want more bass (my kids don't) but what's the point of a stereo if you can hear your kids?
jeremycherfas, krychu and [snarfed] joined the channel
#
[snarfed]
obligatory: scraping is bad. costs way more maintenance and headaches over time than APIs, which obviously we should strongly prefer. we should avoid scraping at all costs, and when we "have" to, we should reconsider how much we really want the use case in the first place.
#
[snarfed]
(i assume we all agree, just stating the obvious)
[pawel_madej] joined the channel
#
[pawel_madej]
[snarfed] do you have plans to connect brid.gy to gitlab as it is for github?
#
[snarfed]
[pawel_madej] nope. why do you ask?
#
aaronpk
but webmention verification isn't "scraping" right? i mean it's an unauthenticated request, but still
#
[snarfed]
aaronpk ahh sorry very good point! the conversation got (wrongly!) twisted into scraping.
jeremycherfas joined the channel
#
[snarfed]
as soon as we start talking about rotating IP addresses, running fleets of raspberry pis, etc just to get normal interop working, that's a harmful road that we should generally avoid, not dive into headfirst
#
[snarfed]
all that is an arms race that never ends and doesn't really help our community make meaningful progress
#
[snarfed]
(aaronpk and i currently have to scrape for instagram, but we dislike that strongly)
#
aaronpk
that does bring up an interesting point though. once we (eventually) get private webmentions working, it might make sense to use the same authentication from there when fetching public posts, because that's a strong signal to turn off rate limiting
jeremycherfas joined the channel
#
[snarfed]
yes! we already see that w/instagram scraping via cookies
#
[snarfed]
unrelated: i'm trying so hard to be civil. so hard. https://github.com/snarfed/bridgy/issues/885#issuecomment-528480861
#
Loqi
[snarfed] @timmmmyboy Google Cloud has many different products. some do include dedicated IPs, but Bridgy runs on [App Engine](https://cloud.google.com/appengine/), a serverless platform, so it doesn't have dedicated IPs per se. more importantly, outbound HTTP...
#
[jgmac1106]
aaronpk++ for doing what they hate to bring us what we love
#
Loqi
aaronpk has 44 karma in this channel over the last year (192 in all channels)
#
[pawel_madej]
[snarfed] i plan to run issue submitting from my webpage for github and was interested if that would be also possible for gitlab repositories
#
[jgmac1106]
snarfed please also understand this is the start of the semester, there entire customer base are universities adding 1,000s of domains and websites right now
#
[jgmac1106]
their* stupid homophones
#
sknebel
aaronpk: although the typical kind of ratelimiting like that happens in layers that do not understand concepts like auth
#
[snarfed]
jgmac1106 fair! fortunately this is mostly their problem, not mine
#
jgmac1106
yes thanks for jumping and explaining things in a way Will and I can’t…all I could say was, “It's a problem with bitNinja"
#
[snarfed]
sknebel: unsophisticated tools, sure. but auth does matter to big sophisticated ones, eg instagram, facebook, and google
#
[snarfed]
[pawel_madej] ah! as a product feature. heh i misinterpreted, thought you meant put bridgy's source itself on github
#
[pawel_madej]
Yep
#
[snarfed]
i don't use gitlab personally, so i'm the wrong person to implement the feature, but i'd happily merge PRs that add it! details on how to do that here: https://bridgy.readthedocs.io/#adding-a-new-silo
#
[snarfed]
first step would be to add an issue with API details
#
[pawel_madej]
Thx for hint. When my page is done I will look at it. Maybe this won't be too hard to do 😉
#
[snarfed]
it's not easy, it takes work, but it's definitely doable!
watDiscord[m] and [fluffy] joined the channel
#
GWG
Afternoon all
#
[snarfed]
hey GWG
#
GWG
[snarfed]: Re your header issue, I have some questions related I am pondering
#
Loqi
[dshanske] #75 Remove webmention header if Pings closed
eli_oat joined the channel
#
GWG
So, your issue is advertising webmentions on private posts... but I am trying to figure out how granular to get
#
GWG
Where would I proposed
#
GWG
Where would I propose a webmention extension?
#
GWG
I probably should bounce it off people first
#
GWG
If I use the same endpoint for my entire site, why can't I add something to the header to say that?
#
[snarfed]
GWG i don't think this needs to touch the protocol or HTTP headers. i think this is strictly a CMS/server internal thing
#
[snarfed]
for wordpress, i suggested triggering it by category and/or tag: https://github.com/pfefferle/wordpress-webmention/issues/75#issuecomment-514386893 . that still seems like the best idea to me.
#
Loqi
[snarfed] sounds like this was done but then later reverted? i'd like this. my use case is that i'm using "unlisted" posts to approximate private posts with better accessibility. background: https://indieweb.org/unlisted#Similarity_to_private_posts i don't ...
#
GWG
I am going to add settings so someone can turn it off
#
GWG
So...all pages, or just where pings are open
#
GWG
The extension question was unrelated
#
GWG
I was thinking about caching endpoints
#
[snarfed]
ok! again, i suggest category or tag, but if you want to use pings open instead, then sure
#
[snarfed]
iirc the protocol says (explicitly or implicitly) that endpoints shouldn't be cached. bridgy disobeys that right now, but it's an exception.
[pfefferle] joined the channel
#
[pfefferle]
I would start to add headers only to post-types that have enabled pings
#
[pfefferle]
We do not need any settings for that
#
[snarfed]
i guess i can probably find a plugin that automatically disables pings for certain categories/tags
#
jgmac1106[m]
And it will only conflict with two other critical plugins you use...IMO A ping isn't a webmention. Unchecking that box means something different.
#
jgmac1106[m]
Do like the idea of being able to toggle an endpoint on and off at post level
#
[pfefferle]
But if we do not use the ping setting, we have to learn Gutenberg!
#
jgmac1106[m]
Paging grantcodes arush Cambridgeport90 if you want to stick with WordPress going to take community effort and learning Gutenberg
#
jgmac1106[m]
Or tantek blowing folks away at WordCamp, tumblr then becomes Automattic's IndieWeb playground since the reader features built. Then due to success microformats get baked into Core
#
[snarfed]
jgmac1106++ re learning gutenberg
#
Loqi
jgmac1106 has 11 karma in this channel over the last year (117 in all channels)
waw joined the channel
#
jgmac1106
and if you don’t want to learn Gutenberg Known is written in PHP….justsayin
#
[pfefferle]
WordPress bashing?
#
[pfefferle]
I would like to learn Gutenberg!
#
[snarfed]
pfefferle++
#
Loqi
pfefferle has 1 karma in this channel over the last year (19 in all channels)
#
jgmac1106
no pointing out divergent paths to people who may want to keep building their PHP skills
#
jgmac1106
note I also invited people in before pointing to the exit, pathways= plurality
#
jgmac1106
…and Sawyering hard work…I gots work to be done on my Known site…really I eventually want it to fade into the background as an engine, let me do my front end however
#
jgmac1106
well off to record a video for my students in their getting started options, micro.blog, tumblr, wordpress.com, blogger, and self hosted WP….and stay under 5 minutes
[manton], qotta, tmo, strugee, t-mo, [tantek], [KevinMarks] and snarfed joined the channel
#
[snarfed]
hey jamietanna[m] , http://meetup-mf2.jvt.me/ is exciting!...but also seems like it's been down since you launched it. any plans to get it back up?
#
[snarfed]
ah nm, i see your note in https://www.jvt.me/posts/2019/08/31/microformats-meetup/#caveats that there's no front page
#
sknebel
redirecting the front page to that blog post could be an easy "fix" :D
#
sknebel
jamietanna++ btw for this
#
Loqi
jamietanna has 3 karma in this channel over the last year (7 in all channels)
JKingWeb and jackjamieson joined the channel
#
jamietanna[m]
That's a fair shout sknebel - I'll try and get to that this weekend!
#
jamietanna[m]
sknebel have you been looking at using it for your own stuff?
#
sknebel
no, but I looked at doing similar things a while back (when HWC Berlin was running and used Meetup I looked into integrating RSVPs)
wagle joined the channel
#
jamietanna[m]
Ah fair enough!
[grantcodes] joined the channel
#
[grantcodes]
Re ping / webmention option - that shouldn't have anything to do with Gutenberg. The old way of doing sidebar options should work for the foreseeable future
#
@Cambridgeport90
↩️ @fluffy @jgmac1106 @MastodonProject I appreciate privacy concerns, but if webmention were really one, how could it exist?
(twitter.com/_/status/1169746135591870464)
#
@fluffy
↩️ I mean the issue is about the expectation around it. People on Mastodon/Twitter/etc. expect to be able to post a link to a thing without necessarily tagging in the author of who wrote the thing. I personally think that having opt-in support for sending webmention would be good.
(twitter.com/_/status/1169746542481199104)
#
@fluffy
↩️ And I also think that Mastodon *receiving* webmention would be incredible. I think that some of the existing Mastodon privacy controls would map onto whether or not to send Webmentions pretty well.
(twitter.com/_/status/1169746913760956416)
#
@fluffy
↩️ Like I do see the Mastodon developers' point of view, in that adding Webmention would violate expectations and potentially be seen as a privacy issue. I don't think Webmention itself is a privacy issue. I'm very much in favor of having fine-grained privacy controls, in any case.
(twitter.com/_/status/1169747294406660096)
#
Loqi
[singpolyma] #1384 Receive and parse inbound Webmention
#
[snarfed]
ah yes, mentioned in the thread
[fluffy] joined the channel
#
[fluffy]
I believe so
#
[fluffy]
I’d seen the second one but not the first.
#
[snarfed]
i'd drop the obligatory https://fed.brid.gy/ plug, but i think everyone on that thread already knows it
[jgmac1106] joined the channel
#
[jgmac1106]
grantcodes more the larger issue of microformats and blocks and post types.... The "then we have to learn Gutenberg" was a fun and important detour
#
[jgmac1106]
I just know A: you are fan of react and B: you WordPress a lot in day job. Will be a good mentor to community members into Gutenberg
#
[fluffy]
I figure if I want to send webmentions from my mastodon posts I could just run pushl on my atom feed.
#
[fluffy]
At least for as long as mastodon still has atom feeds
#
[snarfed]
those would either not work or would be very ugly
#
[snarfed]
but technically yes
#
[jgmac1106]
Here is thing that made me most weary of Mastodon...go back to issues and threads on micropub. It's Eugene's decision.. Granted they do gather feedback first. But it's a BDFL model...don't like that kind of open source
#
[jgmac1106]
That and I have been in different instances and couldn't follow rules or didn't get approved in membership to others.. Meh
#
[jgmac1106]
I'll just blog and have a reader (I still Twitter a ton.. hypocrisy is spice of hyperbole)
#
[fluffy]
hm, interesting, pushl isn’t detecting outgoing links from mastodon posts.
#
[fluffy]
ah, it’s because mastodon sets all links rel=“nofollow”
#
[fluffy]
which pushl ignores
#
[fluffy]
at least by default. If I remove the nofollow blacklist it goes through… and looks just fine. https://beesbuzz.biz/blog/chatter/4201-Just-testing-something-on-webmention-io
JKingWeb joined the channel
#
JKingWeb
I've been reading through the Microsub spec, and I'm unclear about how a channel works, exactly. I gather from https://github.com/indieweb/microsub/issues/21 that feeds are now directly addressable (though the spec does not reflect this yet, it seems), but feeds must still belong to a channel, yes? Can they belong to more than one channel?