#dev 2019-11-07

2019-11-07 UTC
#
sknebel
No hurry, but if you could test if quill in Firefox uses the media endpoint properly would be interesting
#
sknebel
For me it uploads the photo, but then puts the photo in the micropub request again instead of using the URL of that uploaded photo
#
GWG
On Android only?
#
GWG
sknebel: What would be the testing protocol?
#
sknebel
Post a note in quill with an attached photo
#
sknebel
After you select the photo, it should upload it and show the preview of it
#
sknebel
Then submit the actual post and check your logs etc if it used the uploaded photo, or sent it again on a formencoded request
#
GWG
Hmm..I have to remember if I configured my logs that way
#
sknebel
Yes, only seeing that on Android right now, but wonder now if there's some way of getting a session messed up
#
GWG
I may manually add a log setting for that.
#
GWG
Just finishing dinner right now.
#
sknebel
Again, no hurry at all, I haven't looked too deeply into it myself yet
#
mblaney
ok thanks again [jgmac1106] I'm going to make some changes to the default set up but first page of documentation is up: https://i.haza.website/edit-your-profile
#
[jgmac1106]
mblaney++
#
Loqi
mblaney has 3 karma in this channel over the last year (12 in all channels)
tbbrown__ and [fluffy] joined the channel
#
Loqi
Contact Us
[snarfed], tbbrown, gRegorLove, beko, [Michael_Beckwit, [tantek], swentel and cweiske joined the channel
#
swentel
so, dumb question maybe, but for websub you only expose the hub link tags on pages where people want you to subscribe to right ?
#
swentel
And if people want to subscribe, they send that exact url to to the hub.
#
swentel
s/to to/to
[LewisCowles] joined the channel
#
[LewisCowles]
!tell aaronpk updated branch. I may look at adding some tests next
#
Loqi
Ok, I'll tell them that when I see them next
#
[LewisCowles]
What needs testing on an android?
#
[LewisCowles]
Is there a testing script?
#
jacky
swentel: yeah
#
jacky
that makes sense
#
jacky
b/c you'd send that page to the hub so you can sub to it
#
swentel
ok thanks, makes sense indeed.
#
Loqi
Ok, I'll tell them that when I see them next
#
Loqi
[petermolnar] #76 consider to be google for tumblr
[qubyte] and [tonz] joined the channel
#
swentel
hmm aaronpk do you think you could tag a release for p3k-websub ? or are you using other libraries to discover/subscribe
#
Loqi
aaronpk: [LewisCowles] left you a message 1 hour, 48 minutes ago: updated branch. I may look at adding some tests next
#
Loqi
aaronpk: petermolnar left you a message 49 minutes ago: any thoughts on https://github.com/aaronpk/Aperture/issues/76 ?
#
aaronpk
petermolnar: sounds reasonable
#
aaronpk
swentel: I'm not sure why there aren't any releases tagged. I don't actually remember writing that tho lol
#
swentel
aaronpk, heh, well I'm writing a websub component for the drupal indieweb module, and I'm too lazy to write the discover part. That little library seems to do it well :) (actually, haven't tested it yet)
#
swentel
I could just copy/paste parts of it of course
asymptotically joined the channel
#
aaronpk
Oh look I can tag a release from my phone
#
swentel
hehe, cool
#
swentel
thanks
#
aaronpk
this code comes with no warranty whatsoever
#
swentel
that's totally fine :)
#
swentel
if it finds the hub, I'm already glad
gRegorLove joined the channel
#
@mattiasgeniar
↩️ that `htop` header was indeed very distinguishable from all other blogs ... i hope this new layout is too, gotta get used to it :) for the comments: i keep hearing good things about webmention, seems easier to integrate
(twitter.com/_/status/1192388163475591169)
#
swentel
aaronpk, discovery still works, it finds the hub for your primary feed. Next up, testing subscription.
swentel_, swentel, [jgmac1106] and M9uapawDiscord[m joined the channel
#
swentel
aaronpk, trying out websub.rocks for testing. subscribe and subscribe are fine. But I fail to see how I can get a notification in - trying out test 300, but when I see the blog I don't know what to do there :)
#
swentel
I guess switchboard.io also does async validation right? websock.rocks does it immediately when trying to subscribe, kind of annoying in a way I guess (but makes sense too)
#
aaronpk
Hm i don't remember the details of the tests anymore, it's been a while
#
swentel
no problem
jbove and LostSheep joined the channel
#
swentel
well, I can subscribe to your feed
#
swentel
let's see if I see notifications coming now :)
#
swentel
I'll fix them when I see them
#
LostSheep
greetings all
jeremych_ joined the channel; fLsh42Discord[m] left the channel
#
@ramsey
↩️ First I’ve heard of it. Is there more information about it? I can’t find much on their homepage. Is it an open source project? Federated? Using webmentions, micropub, activity streams?
(twitter.com/_/status/1192439468231417856)
gxt joined the channel
#
@jacobian
I applied for a Twitter developer account to use @simonw's twitter-to-sqlite, and got rejected. Apparently apps for personal use are no longer allowed. Cool cool cool cool cool. https://pbs.twimg.com/media/EIxmImvWwAEq8rU.png
(twitter.com/_/status/1192440303439007746)
#
aaronpk
Oh no twitter isn’t allowing new developer accounts even for personal use
[tantek] joined the channel
fauno_ and [chrisbergr] joined the channel
#
[chrisbergr]
Is it possible that they will take away your existing developer account if they notice that it is only used for personal projects?
#
aaronpk
I doubt it, they usually don't work that way
#
aaronpk
it's too hard to determine that. It's easier to hold back new features
#
aaronpk
e.g. if you want the new streaming api then you have to make a new application and such
[grantcodes] joined the channel
#
[grantcodes]
Oh that sucks. Just as well I have a few already approved apps... I don't want to lose my daily generated twitter banner 😛
[KevinMarks] joined the channel
#
Loqi
Bypassing GitHub's OAuth flow
[tonz] joined the channel
#
aaronpk
I saw that
#
aaronpk
good tip for everyone building an authorization interface
[snarfed] joined the channel
#
petermolnar
heh. one more nail in silo coffins.
[manton] joined the channel
#
[snarfed]
eh no indieweb isn't inherently better at security specifically. it's likely worse, purely due to way fewer resources and expertise
#
[snarfed]
on the other hand, it doesn't carry the risk of breaches affecting tons of people, which is good
#
[snarfed]
(SPOAs notwithstanding 😎)
#
petermolnar
oh, the nail was for the twitter rejecting dev accounts
#
[manton]
[snarfed] I was thinking about that yesterday with that news of Twitter employees looking up private info for Saudi Arabia. That's easier when you have many accounts concentrated in one place.
#
[snarfed]
ah, sorry petermolnar
#
[snarfed]
[manton] yup. shades of the generation ago "macs are more secure than windows" arguments, which mostly boiled down to target size incentive
#
[snarfed]
but it applies to plurality/monoculture too. eg the vast majority of indieweb sites are either wordpress or known. (https://indiemap.org/docs.html#data-mining )
#
[snarfed]
there are lots of good reasons to go indieweb! security may not be high on that list, but that's ok.
#
[snarfed]
(privacy, on the other hand, may be!)
#
[manton]
Agreed. Except maybe the part about Mac vs. Windows which is a different debate. 🙂
#
[manton]
I did a bunch of stuff in the classic Mac OS web server community (WebSTAR, etc.) and those old servers without unix were pretty secure. 🙂
#
petermolnar
my father used to run their company emails on VMS with DECnet in the background. Good luck hacking something that's not even tcp/ip
[snarfed]1 and [chrisbergr]1 joined the channel
#
petermolnar
[snarfed] the world leaning towards wordpress monoculture is terrifying in my opinion
#
[snarfed]1
fortunately we're pushing plurality here
[jgmac1106] joined the channel
#
@swlkr
↩️ TIL bridget, webmentions and indieweb https://brid.gy/
(twitter.com/_/status/1192479329541742593)
[tantek] joined the channel
#
[snarfed]1
go bridget go
gRegorLove and [cleverdevil] joined the channel
#
GWG
aaronpk: Might want to keep an eye on https://github.com/WP-API/authentication
#
Loqi
[WP-API] authentication: The home for design & development of a core WordPress REST API authentication solution
#
aaronpk
Oh boy ok
#
GWG
I am watching their chat
#
GWG
dynamic client registration
[KevinMarks] joined the channel
#
[KevinMarks]
is that Bridget pronounced the French way?
#
GWG
[KevinMarks]: I thought that might be [snarfed]'s new community manager.
#
GWG
aaronpk: Is that in your book?
#
aaronpk
I think I mention it briefly
#
aaronpk
The description in their repo seems reasonable
#
aaronpk
Thankfully it's not what that other guy was saying
#
[snarfed]1
sounds like mastodon's
#
aaronpk
I wonder if I can nudge them towards IndieAuth without ever actually saying it
#
GWG
aaronpk: I tried, I don't think I had success
#
GWG
They agreed that they will be building frameworks so I could add IndieAuth
#
aaronpk
If you go in asking for IndieAuth then they look at it and are like what
#
[cleverdevil]
kadam is a nice guy. Reasonable.
#
aaronpk
so instead I will try to encourage them to do things that IndieAuth does without ever naming it
#
[cleverdevil]
Worth trying! But, given WordPress history, I’m guessing they end up inventing something instead :)
#
aaronpk
ugh I hope not
#
aaronpk
at least the initial comments look like they're using OAuth as a template
#
[cleverdevil]
Hey I’d love to be wrong. Seven years at DreamHost made me pretty jaded about WordPress haha.
#
GWG
aaronpk: That's why I volunteered to comment and asked you to monitor the repo
[chrisaldrich], eli_oat, asymptotically, ola, [asuh], leg and [LewisCowles] joined the channel
#
[LewisCowles]
Does anyone know about iframe communications changes between firefox 60 and 68?
#
[LewisCowles]
I have a friend who is currently undergoing chemo and he’s suffering a bit with something he’s doing between iframes. I’d really like to help him
#
[LewisCowles]
> Some time between Firefox60 and Firefox68, code I had written over many years while teaching to communicate with IFrames has stopped working. The changes are supposed to make it more difficult for hackers to exploit them. Details as to what they have done are sparse, not helped by the fact they seemed to have screwed their own relevant wiki pages in the process. I’m currently working through my scripts to get them working again, but it
#
[LewisCowles]
a slow process. The iframe has two parameters, ‘allow’ and ‘sandbox’ which I suspect hold the key. Most tutorials on the subject are also screwed in the same way my code is, so not much help there either.
KartikPrabhu, leg and eli_oat joined the channel
#
[LewisCowles]
I’m thinking he either has default content-security policy issues or another missing http header
#
[LewisCowles]
I know I added this to a ruby app at work. TBH I try to avoid frames of all kinds
#
[LewisCowles]
response.headers["X-Frame-Options"] = "ALLOWALL"
#
[LewisCowles]
response.headers["Content-Security-Policy"] = "frame-ancestors #{frame_host}"
eli_oat, [snarfed], gxt and [LewisCowles]1 joined the channel; HerculanoDiscord left the channel
#
@brokencodebot
Fix broken webmention-tools send command
(twitter.com/_/status/1192558028538683392)
#
beko[m]
sounds like the bot one has to follow xD
[manton] joined the channel
#
[manton]
IndieAuth question if [aaronpk] or anyone has thoughts on this... Micro.blog as an auth provider currently assumes you have a hosted blog on Micro.blog, so if you delegate an external blog to Micro.blog's auth URLs, things don't work when Micro.blog is figuring out what to put in the "me" URL response. But I'm thinking if an external URL is verified on your account, I could support it. Does that make sense or are there any security concerns I
#
[manton]
should think about?
#
[manton]
The use case is you have a static site somewhere and auth with Micro.blog to use Aperture, etc.
#
[manton]
(This also might just be a bug and should have always worked that way.)
[jgmac1106], [benatwork], [LewisCowles], [KevinMarks], KartikPrabhu, [tantek] and NickVennerDiscor joined the channel
#
[manton]
Pretty sure I'm going to change this so that it works in Micro.blog. Seems like a good change. Carry on. 🙂
#
[jgmac1106]
manton++ no more checking your email to login!!
#
Loqi
manton has 19 karma in this channel over the last year (52 in all channels)
#
[jgmac1106]
go to hang on micro.blog and 3 hours later I am almost through the email I wanted to avoid
#
GWG
[manton]: I still need to figure out those posse challenges.
#
GWG
[eddie] had some solutions, but haven't seen him around much
#
[jgmac1106]
Wp->micropub->micro.blog do that gwg
#
GWG
[jgmac1106]: How?
#
GWG
Did I miss a way to do that if you self host?
#
[jgmac1106]
I don't have the slightest, I was using the RSS feed
#
[jgmac1106]
as long as the post kind RSS feeds are proper for note, photo, article, reply everything should work
#
[jgmac1106]
...well reply I don't know how that works
#
[jgmac1106]
I just wish the POSSed notes showed up on my micro.blog site and not just in the feeds
#
GWG
It works well enough, but I don't get back the links for rel syndication
#
gRegorLove
[manton] I think as long as the domain doesn't change between what's entered and what the auth endpoint returns. e.g. if I enter micro.blog/gregorlove as my profile, it would go against spec for the auth endpoint to return gregorlove.com
#
gRegorLove
but if I entered gregorlove.com -> mb auth endpoint returns gregorlove.com, should be ok
NickVennerDiscor left the channel
#
mblaney
I just tried setting up twitter-atom for a new twitter account, this makes me sad: https://mblaney.xyz/2019-11-08-oh_no_httpstwitter-atomappspotcom_is_one_of_m
#
Loqi
[Malcolm Blaney] oh no https://twitter-atom.appspot.com is one of my favourite things but looks like I can't recommend it any more?? 😭
[snarfed] joined the channel
#
[snarfed]
yeah that may be true, sadly
#
[snarfed]
and i can't run a service for everyone using my own twitter app because they shut it down
#
[snarfed]
(shh technically granary actually is this but please don't evangelize it or it will get shut down too 😎 🤞)
#
mblaney
snarfed I don't want to keep using it as is, knowing my token is going to get revoked at some point too...
#
[snarfed]
eh they're pretty long lived, they don't expire
#
mblaney
what do you think about switching to the facebook-atom scraping model?
#
[snarfed]
sure! feel free to send a PR 😎
#
mblaney
ok cool will look into it
#
[snarfed]
i was mostly joking. the scraping is the easy (ish) part. the endless arms race of evading their bot detection is the hard part.
#
mblaney
do you have more details on that? if scraping was more distributed would that be less detectable?
#
[snarfed]
oh god, lots, all over the web. there's a whole sketchy cottage industry here. a brief taste in https://github.com/snarfed/bridgy/issues/854#issuecomment-548844715 . rotating IPs, spoofing User-Agent, running some bits of JS to generate reasonable-looking browser fingerprints...it really is an arms race
#
Loqi
[snarfed] agreed on all counts. i share your frustration! i actually wrote that crawler you mentioned, a bit ago. www.facebook.com uses JS, so crawling that is hard, but m.facebook.com (with a logged in session cookie) is pure HTML and eminently scrapeable,...
#
[snarfed]
indieweb as a hobby, i like. evading big competent teams' bot detection as a hobby, no thanks.