#dev 2019-12-13

2019-12-13 UTC
[LewisCowles], alexm1 and [KevinMarks] joined the channel
#
[tantek]
I'm going to have to migrate from webmention.io as part of my moderation requirements
#
[tantek]
so I'll document that on the wiki so others can see the hows and whys of migration from a service (which does provide a lot quite well) to your own implementation or installed software that you can have much more fine-grained control over
#
[tantek]
I'm thinking of *first* turning on displaying at least replies from webmention.io as a way of surfacing the challenges I have to deal with
#
[tantek]
then documenting those
#
[tantek]
then building my own way of receiving / filtering / deleting / blocking them one piece at a time
#
[tantek]
it will be a period of transitional awkwardness for quite some time
#
[tantek]
but I feel like it's a transition that's becoming increasingly urgent
#
@t
↩️ @ParagA #bluesky sounds interesting. For “existing decentralized standard” see #IndieWeb specs https://spec.indieweb.org/ like W3C #Webmention, and community that actively federates with Twitter (like this reply from my site). Happy to discuss more! https://tantek.com/t5421
(twitter.com/_/status/1205302115108708352)
srah joined the channel
#
jacky
what is wormhole
#
Loqi
The Wormhole is a coffee shop in Chicago, and possible HWC venue https://indieweb.org/Wormhole
#
jacky
that's one thing, sure lol
#
GWG_
How long has Loqi been waiting to use that?
#
[tantek]
wow now that's an easter egg I had no idea about
#
Loqi
bret has 1 karma over the last year
#
GWG_
aaronpk: You gave me a lot of reading material there.
#
aaronpk
haha sorry
#
GWG_
I need to do some IndieAuth work
#
GWG_
And some Micropub, webmention.... just everything actually
#
GWG_
aaronpk: How many of the OAuth2.1 proposed standards you suggest are things we should do with the IndieAuth implementations?
j12t joined the channel
#
aaronpk
We already got one of them in there! Token revocation
#
aaronpk
I definitely recommend PKCE
#
GWG_
aaronpk: Check
#
GWG_
And check
#
aaronpk
we also already never used the password grant or implicit so we're good there
#
aaronpk
there's more details to look at but that will require more thought
#
GWG_
aaronpk: What is this about user agent checking?
#
GWG_
Reading these security practices
#
GWG_
Hmmm..referrer protections.
j12t, jjuran and gRegorLove joined the channel
#
jacky
are these documented on the github tracker?
#
jacky
I def want to get RFC 8626 (device grant) working for my site so I can use a phone to auth
#
aaronpk
Do it!
#
jacky
ooh there's a typo here https://oauth.net/3/
#
aaronpk
technically IndieAuth is just a discovery mechanism and user ID format on top of OAuth
#
jacky
> exampels
#
aaronpk
Ha nice catch
#
aaronpk
I wrote that in like 15 minutes perched on a chair in the party hall during a break
#
aaronpk
file a PR :-)
#
jacky
was def in the process
#
jacky
this kinda reminds me
#
jacky
there's a bit of kicking around in the fediverse for something to handle "ticketing" that isn't on github
#
jacky
or whatever people use
#
jacky
before I saw that, I did kind of wonder why we didn't have that
#
aaronpk
Ticketing like events?
#
jacky
but it's also probably because 1) most devs are on github 2) it does a lot of the tracking well
#
jacky
nah like issue tracking
#
jacky
tickets is bugzilla days my bad
#
aaronpk
better name than issues tbh
#
aaronpk
issues is such a negative framing
#
aaronpk
It's a very small leap to use webmention and microformats to enable cross instance issues and discussions between Gitlab/gogs/gitea instances
#
jacky
we need someone who knows Go for gitea
#
jacky
I kept trying and I'm so bad / not good at it lol
#
jacky
on the scale of feasibility, it'd be mf2 > webmention > indieauth for me in gitea
#
jacky
then there's the idea of cloning indienews to do this >:)
#
jacky
someone posts to it to open an idea and salmentions can show up as replies to the main ticket
#
Ruxton
what's up with gitea/go?
#
Ruxton
I've been using go for 4-5 years now
#
jacky
oh just discussion on being able to post to it via webmention
#
jacky
Ruxton: I wanted to actually first allow sign in to a gitea instance via indieauth (if it used indieauth.com or if it had an implementation built in)
#
jacky
and then go for the webmention receiving support
#
Ruxton
I'll add it to my list of random stuff to work on, maybe I'll find some time over xmas
[tantek] and swentel joined the channel
#
jacky
yo let me know!
#
jacky
as a gitea user, I'd love this
cweiske joined the channel
#
jacky
doesn't like that you can nest p-summary in p-content
#
swentel
I find blockquote in e-content also a bit weird
#
swentel
but maybe that was because I had much trouble getting that right in Drupal :)
KartikPrabhu joined the channel
#
gRegorLove
jacky, are you working on a parser?
KartikPrabhu joined the channel
#
jacky
gRegorLove: nah, it's something I notice in my microsub reader
#
jacky
I might _have_ to because I don't think the original maintainer of the elixir microformats2 library might be responsive to stuff
KartikPrabhu joined the channel
#
jamietanna[m]
> Is your setup sending webmentions to all URLs in the page? It looks like it's sending a wm from your post to your profile url, right?
#
jamietanna[m]
gRegorLove yes, so I believe some of them go to the profile url and some to the page itself. But when it goes to the profile it still shows as a like, when it's really a like of the post, and a mention of the profile
asymptotically, swentel, [fluffy] and gxt joined the channel
#
@felixplesoianu
The Hyperchat Modality: https://www.kickscondor.com/comments/the-hyperchat-modality/ "We’ve been calling it hyperconversation. It’s very informal and fluid. It’s completely simple: just leaving messages for each other on our sites. No Webmentions necessary or anything like that."
(twitter.com/_/status/1205468682585038849)
[manton] joined the channel
#
swentel
hmm GWG, silly question probably, but the indieauth pkce integration in wordpress plugin works right?
#
swentel
trying to get it working with indigenous, but no luck so far
#
GWG_
swentel: I tested it at the time
#
GWG_
I know I asked aaronpk for help
#
swentel
ok, will add some debugging to the code
#
swentel
to see what's going on
#
GWG_
swentel: I have to remember what other things support it to check
#
GWG_
Do we have IndieAuth.rocks yet?
#
swentel
heh, in progress
#
GWG_
I vaguely remember aaronpk added it to Quill for me to test
#
swentel
I see what's wrong
#
swentel
it's my fault
#
swentel
my verifier is not getting hashed
#
swentel
stupid me
#
swentel
actually
#
swentel
it does look good
#
GWG_
Great
#
swentel
hmm this is confusing
#
swentel
$return['code_challenge'] in your class is a bit different than what I sent
#
swentel
it's a bit longer
#
swentel
very confused now
#
GWG_
I read through all those links aaronpk cited last night. Makes me want to improve my implementation
#
swentel
So I'm sending this
#
swentel
ZGNiNjcxOTdlNjUxNjM3ZGZmMmMzMTkwNjc5MzU2YmE1ZjJhMTBiOTBmNjQ0OTI4OTc3MTYzMzE2
#
swentel
but when you verify, I see this
#
swentel
ZGNiNjcxOTdlNjUxNjM3ZGZmMmMzMTkwNjc5MzU2YmE1ZjJhMTBiOTBmNjQ0OTI4OTc3MTYzMzE2YjYxZmFlZQ==
#
swentel
not sure where YjYxZmFlZQ== comes from
#
swentel
checking now
#
aaronpk
== looks like something forgot the base64url part
#
aaronpk
it's base64 encoding with a slight difference
#
GWG_
Me or swentel?
#
swentel
I guess me
#
swentel
you're calling base64_urlencode
#
swentel
which does rtrim( strtr( base64_encode( $string ), '+/', '-_' ), '=' )
#
swentel
on the verifier
#
aaronpk
That's right
#
swentel
and I'm sending uuid's :)
#
swentel
well it's a concatenated uuid
#
swentel
hmm, still not ok, damn
#
swentel
let me go through the code again :)
[jgmac1106] joined the channel
#
jacky
wait jamietanna[m], was that question for me?
#
jacky
re: sending webmentions to every URL
#
jamietanna[m]
Jacky no sorry, I think that was to gRegor on Tuesday
#
jacky
ah gotcha
jolvera joined the channel
#
bear
SECURITY: if you use NPM for your systems please update it - https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
#
jacky
cries in npm
#
jacky
> The npm, Inc. security team has been scanning the registry for examples of this attack, and have not found any published packages in the registry with this exploit. That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry.
#
jacky
that's good to know tho
#
jacky
which means I won't do this on my personal but will do it for work
#
aaronpk
avoids running `npm install` on anything until he has a chance to update
gRegorLove, [tantek], [jgmac1106] and [LewisCowles] joined the channel; rozgoDiscord[m] left the channel
#
[LewisCowles]
Is this one of those where a manifest or archive using relative URLs can break out of `pwd`? Because if so it’s only a bug with strangers’ packages / archives. It’s a little bit like the spectre meltdown farce which mostly affected cloud providers in terms of likelihood and impact
#
[LewisCowles]
> In versions of npm prior to 6.13.4 (and all versions of yarn as of this announcement), it was possible for a globally-installed package with a binary entry to overwrite an existing binary in the target install location. (That is, not any arbitrary file on the system, but any file in /usr/local/bin.)
#
[LewisCowles]
nvm is used by my user which cannot overwrite /usr/local/bin
#
[jgmac1106]
deleted my yourls link shortener, became a spam vector, going to try and reinstall and hide page behind password or something
#
jacky
[LewisCowles]: same
#
jacky
that's a big reason why I use those kind of version managers for languages
[contact091] joined the channel
#
[contact091]
Has anyone recently POSSE’d to Facebook? Specifically to a group? I’m wondering if that still works somehow.
#
jacky
no, but I also haven't used facebook in some time now
KartikPrabhu and [Rose] joined the channel
#
jacky
lol I might just give up on reply contexts
#
jacky
I really _really_ want them to look good
#
jacky
but the amount of sanitation I have to do is really not worth it
#
jacky
it's one of the weaknesses, I think, of the flexibility of microformats
[schmarty] joined the channel
#
jacky
I could just ignore things but then posts like a photo + in-reply-to just break
#
[schmarty]
it's hard!
[snarfed] joined the channel
#
[snarfed]
jacky: as an alternative example, i avoid all the work and just do it client side with embedly. example: https://snarfed.org/2019-12-04_ifttt-recipes-for-pesos
#
Loqi
[Ryan Barrett] nice! reminds me of https://snarfed.org/backfeed-without-code
#
[snarfed]
downside is the reply context isn't stored. but you could definitely still store it raw and just not render it yourself
#
jacky
I wouldn't want people's content going out to a third party
#
jacky
esp without their consent
#
[snarfed]
it's only stuff they've already put out publicly on the web 😎
#
jacky
that's not necessarily true in the case of private posts, no?
#
jacky
(which is still kind of theoretical, sure)
#
[snarfed]
yeah. you'd have to do a decent amount of work to get a third party's client side JS to fetch someone's private post. but you could start really trivially by only using it on public replies
#
jacky
what is linting
#
Loqi
It looks like we don't have a page for "linting" yet. Would you like to create it? (Or just say "linting is ____", a sentence describing the term)
#
jacky
what is lint
#
Loqi
It looks like we don't have a page for "lint" yet. Would you like to create it? (Or just say "lint is ____", a sentence describing the term)
#
[snarfed]
lint usually refers to code, you'll want to look for "sanitizing" instead
#
@marinintim
↩️ 24 days of IndieWeb: http://Webmention.app http://Webmention.app makes it easy to send webmentions from the console. https://marinintim.com/2019/indieweb/13/
(twitter.com/_/status/1205593922619265025)
#
jacky
what is sanitation
#
Loqi
It looks like we don't have a page for "sanitation" yet. Would you like to create it? (Or just say "sanitation is ____", a sentence describing the term)
#
jacky
what is sanitizing
#
Loqi
It looks like we don't have a page for "sanitizing" yet. Would you like to create it? (Or just say "sanitizing is ____", a sentence describing the term)
#
jacky
it's okay
#
[snarfed]
sometimes you have to use the web 😁 https://indieweb.org/sanitize
#
jacky
nah I didn't want to add anything to the page tbh
#
jacky
I was looking to see if anyone had a tool for "checking" mf2
#
jacky
oh there's a page lol
#
jacky
what is sanitizing
#
Loqi
It looks like we don't have a page for "sanitizing" yet. Would you like to create it? (Or just say "sanitizing is ____", a sentence describing the term)
#
jacky
sanitizing is /sanitize
#
aaronpk
did not know about that page
#
aaronpk
i should add details on how i handle it
KartikPrabhu, davepeck and [LewisCowles] joined the channel
#
[LewisCowles]
question about micro-formats. Is a guide with prescriptive steps suitable for a recipe microformat? Would it comprise many recipes if complex enough?
#
[LewisCowles]
> The hRecipe microformat is designed for the mark-up of instructions for creating meals, drinks or food-based items.
#
[LewisCowles]
Seems to suggest that hRecipe is not suitable for non-food related.
#
aaronpk
what is the consuming use case of the markup?
#
Loqi
It looks like we don't have a page for "consuming use case of the markup" yet. Would you like to create it? (Or just say "consuming use case of the markup is ____", a sentence describing the term)
#
aaronpk
there's no point in marking it up unless you have a reason to consume it
#
aaronpk
depending on what is consuming it will help determine what the appropriate markup is
#
[snarfed]
aaronpk++
#
Loqi
aaronpk has 52 karma in this channel over the last year (197 in all channels)
#
[LewisCowles]
to allow scanning that something contains an ordered list of instructions for manipulating raw ingredients (in this case tasks and software) to achieve an end goal
#
[LewisCowles]
prior to reading the page
#
[LewisCowles]
It’s a sub-set of article I guess
#
aaronpk
i mean do you have specific software in mind that is going to be reading this list of instructions
swentel joined the channel
#
[LewisCowles]
Was a bit of a Wayne’s World, if you build it they will come, but Google would I’m assuming parse it like it parses other hRecipes I’d assume
#
swentel
GWG_, I can get it to work
#
swentel
with a hack though at the moment
[fluffy] joined the channel
#
swentel
(the pkce part that is)
#
[snarfed]
[LewisCowles] another way to phrase aaronpk's question is, what do _you_ want some external app to do with your "recipe" guides?
#
swentel
I was just wondering: is there a specific reason you are using the raw binary data in the hash function ? (in indieauth_hash)
#
swentel
another time is fine too to discuss that, would be good to get aaronpk on this as well, because it might be important to align on this
#
[LewisCowles]
1. detect this is not different to sharing a story
#
[LewisCowles]
2. specifically be able to indicate this is a set of instructions with an outcome
#
[LewisCowles]
3. promote such content above undetectable content
#
[LewisCowles]
To be honest I’m less interested in trying to influence other people’s actions as providing the raw structure for them to take advantage of if they should wish. Recipe seems like a conflation, but there are few microformats and a wide variety of things to mark-up so that as well as sharing content, it’s possible to allow people to save time and detect content through standards which is more likely to be what they want vs say a ranty
#
[LewisCowles]
post about the technology
#
[LewisCowles]
unsure where the not came from. Maybe auto-correct
#
[LewisCowles]
1. detect this _is_ different to sharing a story or opinion
#
aaronpk
do you mean like how google will show a list of steps in a card at the top of some search results?
#
[LewisCowles]
> I’m less interested in trying to influence other people’s actions
#
[LewisCowles]
Maybe google does, maybe it doesn’t. I’m not in control of Google, but it’d be nice
#
[LewisCowles]
I find it concerning to discuss software influencing software I don’t own or intend to make, but in the same way I don’t put everything into div tags, but use specialised tags to denote “this is a list”, I’d like to be able to sprinkle more meaning into the page
#
aaronpk
this all sounds very handwavey unless you are talking about a specific case of displaying the data somewhere
#
[snarfed]
these are all good ideas in general, but pretty abstract. our usual advice is to hold off on mf2 until you have a specific, concrete consuming use case.
#
[snarfed]
right. semantic web, solid, etc are all examples of carrying the "make everything everywhere machine-meaningful" banner, and they've tended to get way way ahead of actual use cases, which we've seen as a cautionary tale
#
[LewisCowles]
I think we disagree fundamentally on the point of authorship then
#
[snarfed]
or, on the point of *authoring*? maybe so
#
[LewisCowles]
Those going beyond current use cases. I think they are awesome and that without them the web would suck
#
[snarfed]
you can continue adding more specific, fine grained machine-readable "meaning" and context more or less indefinitely, so you need a way to know when to stop. concrete use cases provide that for us.
#
aaronpk
the specific concern here is regarding microformats
#
[LewisCowles]
Authoring is to convey information, but in the modern digital age there are additional needs.
#
[LewisCowles]
1. When everyone is an author how do you filter noise?
#
[LewisCowles]
Semantic web is a step towards that but it’s quite blunt
#
[LewisCowles]
The amount of sites and apps I see making reviews that have no schema, or any higher-order formatting is disappointing
#
swentel
GWG_, actually have it working now with raw output, but will come back to this at some point though :)
#
[LewisCowles]
2. Exploring schemas is a way to add structure and shape ideas
#
[snarfed]
a different angle on this is, adding lots of machine-readable semantic info for unknown future use cases is an admirable goal, but not really a top priority for this community specifically
#
swentel
GWG_, and you completely ignore my, just read https://tools.ietf.org/html/rfc7636#appendix-A I now understand why you're removing the '=' :)
#
swentel
s/my/me
#
swentel
this means indigenous now has PKCE support :)
#
[LewisCowles]
why I’d based it from.
#
[LewisCowles]
• reach more people.
#
[LewisCowles]
• identity
#
[LewisCowles]
I’ll quit now
KartikPrabhu and mattgorecki joined the channel
#
gRegorLove
what is static site?
#
Loqi
A static site is a website that is served by a web server directly from the file system https://indieweb.org/static_site
superkuh_ joined the channel
#
gRegorLove
superkuh_, there are some services for receiving webmentions to a static site https://indieweb.org/static_site#Receiving_Webmentions
#
[snarfed]
they're not here yet
#
superkuh_
Yeah, I was playing with the web::mentions perl module when I noticed that it doesn't actually do the webmentions bit. It just gets passed some object by an external script that listens (?) and accepts POST.
#
superkuh_
My plan was initially going to be just passing the web logs to a perl script to do webmention stuff in batches asynchronously.
#
[snarfed]
right, webmentions are dynamic content triggered outside the build cycle, so they're not an easy natural fit for static sites
#
[snarfed]
and you're right, parsing logs won't work naturally, since webmention is POST
#
[snarfed]
having said that, many static sites include JS, and pretty much all use code offline to build their HTML. most webmention tools for static sites use one of those two techniques. so webmention support doesn't really fundamentally change their "static"-ness.
#
superkuh_
Yeah, I looked at some workarounds for nginx which use ~20 lines of lua on the location definition to extract the url encoded post data and put it into the logs.
#
superkuh_
A bit too dynamic for my tastes though.
#
[snarfed]
sounds like you want code to stay inside your build step. that can work too!
#
superkuh_
Heh. My build step is ls -v 2019-*.html | tac | xargs cat > blog-2019.html
#
gRegorLove
I think [schmarty] does that in his build, using webmention.io
#
superkuh_
I built a comment system that tails the logs and acts on specific tags so I was hoping to repurpose it. I guess the lua in nginx to get the data in the logs will have to do for now.
#
sknebel
I'm fairly sure you don't need lua to log post body in nginx
#
superkuh_
If true, that'd be great.
#
superkuh_
Seems like there might be some modules to compile that could do it. Bleh. How did I miss this the first time. Thanks.
#
sknebel
quick google: https://stackoverflow.com/questions/4939382/logging-post-data-from-request-body (few variations, the accepted answer doesn't seem the best)
#
Loqi
misses this the first time too
#
gRegorLove
gives Loqi the first time
#
Loqi
peers at the first time
mattgorecki joined the channel
#
@mxbck
↩️ If you're running it locally, it could be that the post's URL doesn't match the target of the real webmention. For the wms to be displayed, local URL has to be exactly the same as the 'wm-target' in the cached data.
(twitter.com/_/status/1205631168265310209)
#
@mxbck
↩️ Can't look at the source properly right now on my phone, but might also be related to L19 in data/webmentions.js - you seem to exclude your used domain there.
(twitter.com/_/status/1205634143410896896)
[tantek] joined the channel