#dev 2019-12-13

2019-12-13 UTC
[LewisCowles], alexm1 and [KevinMarks] joined the channel
#
[tantek] I'm going to have to migrate from webmention.io as part of my moderation requirements
#
[tantek] so I'll document that on the wiki so others can see the hows and whys of migration from a service (which does provide a lot quite well) to your own implementation or installed software that you can have much more fine-grained control over
#
[tantek] I'm thinking of *first* turning on displaying at least replies from webmention.io as a way of surfacing the challenges I have to deal with
#
[tantek] then documenting those
#
[tantek] then building my own way of receiving / filtering / deleting / blocking them one piece at a time
#
[tantek] it will be a period of transitional awkwardness for quite some time
#
[tantek] but I feel like it's a transition that's becoming increasingly urgent
#
@t ↩️ @ParagA #bluesky sounds interesting. For “existing decentralized standard” see #IndieWeb specs https://spec.indieweb.org/ like W3C #Webmention, and community that actively federates with Twitter (like this reply from my site). Happy to discuss more! https://tantek.com/t5421 (twitter.com/_/status/1205302115108708352)
srah joined the channel
#
jacky what is wormhole
#
Loqi The Wormhole is a coffee shop in Chicago, and possible HWC venue https://indieweb.org/Wormhole
#
jacky that's one thing, sure lol
#
GWG_ How long has Loqi been waiting to use that?
#
[tantek] wow now that's an easter egg I had no idea about
#
[tantek] bret++
#
Loqi bret has 1 karma over the last year
#
GWG_ aaronpk: You gave me a lot of reading material there.
#
aaronpk haha sorry
#
GWG_ I need to do some IndieAuth work
#
GWG_ And some Micropub, webmention.... just everything actually
#
GWG_ aaronpk: How many of the OAuth2.1 proposed standards you suggest are things we should do with the IndieAuth implementations?
j12t joined the channel
#
aaronpk We already got one of them in there! Token revocation
#
aaronpk I definitely recommend PKCE
#
GWG_ aaronpk: Check
#
GWG_ And check
#
aaronpk we also already never used the password grant or implicit so we're good there
#
aaronpk there's more details to look at but that will require more thought
#
GWG_ aaronpk: What is this about user agent checking?
#
GWG_ Reading these security practices
#
GWG_ Hmmm..referrer protections.
j12t, jjuran and gRegorLove joined the channel
#
jacky are these documented on the github tracker?
#
jacky I def want to get RFC 8626 (device grant) working for my site so I can use a phone to auth
#
aaronpk Do it!
#
jacky ooh there's a typo here https://oauth.net/3/
#
aaronpk technically IndieAuth is just a discovery mechanism and user ID format on top of OAuth
#
jacky > exampels
#
aaronpk Ha nice catch
#
aaronpk I wrote that in like 15 minutes perched on a chair in the party hall during a break
#
aaronpk file a PR :-)
#
jacky was def in the process
#
jacky this kinda reminds me
#
jacky there's a bit of kicking around in the fediverse for something to handle "ticketing" that isn't on github
#
jacky or whatever people use
#
jacky before I saw that, I did kind of wonder why we didn't have that
#
aaronpk Ticketing like events?
#
jacky but it's also probably because 1) most devs are on github 2) it does a lot of the tracking well
#
jacky nah like issue tracking
#
aaronpk oh
#
jacky tickets is bugzilla days my bad
#
aaronpk better name than issues tbh
#
aaronpk issues is such a negative framing
#
aaronpk It's a very small leap to use webmention and microformats to enable cross instance issues and discussions between Gitlab/gogs/gitea instances
#
jacky we need someone who knows Go for gitea
#
jacky I kept trying and I'm so bad / not good at it lol
#
jacky on the scale of feasibility, it'd be mf2 > webmention > indieauth for me in gitea
#
jacky then there's the idea of cloning indienews to do this >:)
#
jacky someone posts to it to open an idea and salmentions can show up as replies to the main ticket
#
Ruxton whats up wth gitea/go?
#
Ruxton I've been using go for 4-5 years now
#
jacky oh just discussion on being able to post to it via webmention
#
jacky Ruxton: I wanted to actually first allow sign in to a gitea instance via indieauth (if it used indieauth.com or if it had an implementation built in)
#
jacky and then go for the webmention receiving support
#
Ruxton I'll add it to my list of random stuff to work on, maybe I'll find some time over xmas
[tantek] and swentel joined the channel
#
jacky yo let me know!
#
jacky as a gitea user, I'd love this
cweiske joined the channel
#
jacky doesn't like that you can nest p-summary in p-content
#
swentel I find blockquote in e-content also a bit weird
#
swentel but maybe that was because I had much trouble getting that right in Drupal :)
KartikPrabhu joined the channel
#
gRegorLove jacky, are you working on a parser?
KartikPrabhu joined the channel
#
jacky gRegorLove: nah, it's something I notice in my microsub reader
#
jacky I might _have_ to because I don't think the original maintainer of the elixir microformats2 library might be responsive to stuff
KartikPrabhu joined the channel
#
jamietanna[m] > Is your setup sending webmentions to all URLs in the page? It looks like it's sending a wm from your post to your profile url, right?
#
jamietanna[m] gRegorLove yes, so I believe some of them go to the profile url and some to the page itself. But when it goes to the profile it still shows as a like, when it's really a like of the post, and a mention of the profile
asymptotically, swentel, [fluffy] and gxt joined the channel
#
@felixplesoianu The Hyperchat Modality: https://www.kickscondor.com/comments/the-hyperchat-modality/ "We’ve been calling it hyperconversation. It’s very informal and fluid. It’s completely simple: just leaving messages for each other on our sites. No Webmentions necessary or anything like that." (twitter.com/_/status/1205468682585038849)
[manton] joined the channel
#
swentel hmm GWG, silly question probably, but the indieauth pkce integration in wordpress plugin works right?
#
swentel trying to get it working with indigenous, but no luck so far
#
GWG_ swentel: I tested it at the time
#
GWG_ I know I asked aaronpk for help
#
swentel ok, will add some debugging to the code
#
swentel to see what's going on
#
GWG_ swentel: I have to remember what other things support it to check
#
GWG_ Do we have IndieAuth.rocks yet?
#
swentel heh, in progress
#
GWG_ I vaguely remember aaronpk added it to Quill for me to test
#
swentel ooooh
#
swentel I see what's wrong
#
swentel it's my fault
#
swentel my verifier is not getting hashed
#
swentel stupid me
#
swentel actually
#
swentel it does look goed
#
swentel *good
#
swentel hmm
#
GWG_ Great
#
swentel hmm this is confusing
#
swentel $return['code_challenge'] in your class is a bit different than what I sent
#
swentel it's a bit longer
#
swentel very confused now
#
GWG_ I read through all those links aaronpk cited last night. Makes me want to improve my implementation
#
swentel So I'm sending this
#
swentel ZGNiNjcxOTdlNjUxNjM3ZGZmMmMzMTkwNjc5MzU2YmE1ZjJhMTBiOTBmNjQ0OTI4OTc3MTYzMzE2
#
swentel but when you verify, I see this
#
swentel ZGNiNjcxOTdlNjUxNjM3ZGZmMmMzMTkwNjc5MzU2YmE1ZjJhMTBiOTBmNjQ0OTI4OTc3MTYzMzE2YjYxZmFlZQ==
#
swentel not sure where YjYxZmFlZQ== comes from
#
swentel checking now
#
aaronpk == looks like something forgot the base64url part
#
aaronpk its base64 encoding with a slight difference
#
GWG_ Me or swentel?
#
swentel I guess me
#
swentel you're calling base64_urlencode
#
swentel which does rtrim( strtr( base64_encode( $string ), '+/', '-_' ), '=' )
#
swentel on the verifier
#
aaronpk That's right
#
swentel and I'm sending uuid's :)
#
swentel well it's a concatenated uuid
#
swentel ugh
#
swentel hmm, still not ok, damn
#
swentel let me go through the code again :)
[jgmac1106] joined the channel
#
jacky wait jamietanna[m], was that question for me?
#
jacky re: sending webmentions to every URL
#
jamietanna[m] Jacky no sorry, I think that was to gRegor on Tuesday
#
jacky ah gotcha
jolvera joined the channel
#
bear SECURITY: if you use NPM for your systems please update it - https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
#
jacky cries in npm
#
jacky > The npm, Inc. security team has been scanning the registry for examples of this attack, and have not found any published packages in the registry with this exploit. That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry.
#
jacky that's good to know tho
#
jacky which means I won't do this on my personal but will do it for work
#
aaronpk avoids running `npm install` on anything until he has a chance to update
gRegorLove, [tantek], [jgmac1106] and [LewisCowles] joined the channel; rozgoDiscord[m] left the channel
#
[LewisCowles] Is this one of those where a manifest or archive using relative url’s can break out of `pwd` because if so it’s only a bug with strangers packages / archives. It’s a little bit like the spectre meltdown farce which mostly affected cloud providers in terms of likelihood and impact
#
[LewisCowles] > In versions of npm prior to 6.13.4 (and all versions of yarn as of this announcement), it was possible for a globally-installed package with a binary entry to overwrite an existing binary in the target install location. (That is, not any arbitrary file on the system, but any file in /usr/local/bin.)
#
[LewisCowles] nvm is used by my user which cannot overwrite /usr/local/bin
#
[jgmac1106] deleted my yourls link shortner, became a spam vector, going to try and reinstall and hide page behind password or something
#
jacky [LewisCowles]: same
#
jacky that's a big reason why I use those kind of version managers for languages
[contact091] joined the channel
#
[contact091] Has anyone recently POSSE’d to Facebook? Specifically to a group? I’m wondering if that still works somehow.
#
jacky no, but I also haven't used facebook in some time now
KartikPrabhu and [Rose] joined the channel
#
jacky lol I might just give up on reply contexts
#
jacky I really _really_ want them to look good
#
jacky but the amount of sanitation I have to do is really not worth it
#
jacky it's one of the weakness, I think, of the flexibility of microformats
[schmarty] joined the channel
#
jacky I could just ignore things but then posts like a photo + in-reply-to just break
#
[schmarty] it's hard!
[snarfed] joined the channel
#
[snarfed] jacky: as an alternative example, i avoid all the work and just do it client side with embedly. example: https://snarfed.org/2019-12-04_ifttt-recipes-for-pesos
#
[snarfed] (you could also roll your own JS, a la https://snarfed.org/client-side-reply-contexts-with-javascript )
#
Loqi [Ryan Barrett] nice! reminds me of https://snarfed.org/backfeed-without-code
#
[snarfed] downside is the reply context isn't stored. but you could definitely still store it raw and just not render it yourself
#
jacky I wouldn't want people's content going out to a third party
#
jacky esp without their consent
#
[snarfed] it's only stuff they've already put out publicly on the web 😎
#
jacky that's not necessarily true in the case of private posts, no?
#
jacky (which is still kind of theoretical, sure)
#
[snarfed] yeah. you'd have to do a decent amount of work to get a third party's client side JS to fetch someone's private post. but you could start really trivially by only using it on public replies
#
jacky what is linting
#
Loqi It looks like we don't have a page for "linting" yet. Would you like to create it? (Or just say "linting is ____", a sentence describing the term)
#
jacky what is lint
#
Loqi It looks like we don't have a page for "lint" yet. Would you like to create it? (Or just say "lint is ____", a sentence describing the term)
#
jacky hm
#
[snarfed] lint usually refers to code, you'll want to look for "sanitizing" instead
#
@marinintim ↩️ 24 дня индивеба: http://Webmention.app http://Webmention.app позволяет легко отправлять вебменшены из консоли. https://marinintim.com/2019/indieweb/13/ (twitter.com/_/status/1205593922619265025)
#
jacky what is sanitation
#
Loqi It looks like we don't have a page for "sanitation" yet. Would you like to create it? (Or just say "sanitation is ____", a sentence describing the term)
#
jacky what is sanitizing
#
Loqi It looks like we don't have a page for "sanitizing" yet. Would you like to create it? (Or just say "sanitizing is ____", a sentence describing the term)
#
jacky grr
#
jacky lol
#
jacky it's okay
#
[snarfed] sometimes you have to use the web 😁 https://indieweb.org/sanitize
#
jacky nah I didn't want to add anything to the page tbh
#
jacky I was looking to see if anyone had a tool for "checking" mf2
#
jacky oh there's a page lol
#
jacky what is sanitizing
#
Loqi It looks like we don't have a page for "sanitizing" yet. Would you like to create it? (Or just say "sanitizing is ____", a sentence describing the term)
#
jacky sanitizing is /sanitize
#
Loqi ok
#
aaronpk did not know about that page
#
aaronpk i should add details on how i handle it
#
Loqi yea
KartikPrabhu, davepeck and [LewisCowles] joined the channel
#
[LewisCowles] question about micro-formats. Is a guide with prescriptive steps suitable for a recipe microformat? Would it comprise many recipe’s if complex enough?
#
[LewisCowles] > The hRecipe microformat is designed for the mark-up of instructions for creating meals, drinks or food-based items.
#
[LewisCowles] Seems to suggest that hRecipe is not suitable for non-food related.
#
aaronpk what is the consuming use case of the markup?
#
Loqi It looks like we don't have a page for "consuming use case of the markup" yet. Would you like to create it? (Or just say "consuming use case of the markup is ____", a sentence describing the term)
#
aaronpk oops
#
aaronpk there's no point in marking it up unless you have a reason to consume it
#
aaronpk depending on what is consuming it will help determine what the appropriate markup is
#
[snarfed] aaronpk++
#
Loqi aaronpk has 52 karma in this channel over the last year (197 in all channels)
#
[LewisCowles] to allow scanning that something contains an ordered list of instructions for manipulating raw ingredients (in this case tasks and software) to achieve an end goal
#
[LewisCowles] prior to reading the page
#
[LewisCowles] It’s a sub-set of article I guess
#
aaronpk i mean do you have specific software in mind that is going to be reading this list of instructions
swentel joined the channel
#
[LewisCowles] Was a bit of a waynes world, if you build it they will come, but Google would I’m assuming parse it like it parses other hRecipe’s I’d assume
#
swentel GWG_, I can get it to work
#
swentel with a hack though at the moment
[fluffy] joined the channel
#
swentel (the pkce part that is)
#
[snarfed] [LewisCowles] another way to phrase aaronpk's question is, what do _you_ want some external app to do with your "recipe" guides?
#
swentel I was just wondering: is there a specific reason you are using the raw binary data in the hash function ? (in indieauth_hash)
#
swentel another time is fine too to discuss that, would be good to get aaronpk on this as well, because it might be important to align on this
#
[LewisCowles] 1. detect this is not different to sharing a story
#
[LewisCowles] 2. specifically be able to indicate this is a set of instructions with an outcome
#
[LewisCowles] 3. promote such content above undetectable content
#
[LewisCowles] To be honest I’m less interested in trying to influence other people’s actions as providing the raw structure for them to take advantage of if they should wish. Recipe seems like a conflation, but there are few microformats and a wide variety of things to mark-up so that as well as sharing content, it’s possible to allow people to save time and detect content through standards which is more likely to be what they want vs say a ranty
#
[LewisCowles] post about the technology
#
[LewisCowles] unsure where the not came from. Maybe auto-correct
#
[LewisCowles] 1. detect this _is_ different to sharing a story or opinion
#
aaronpk do you mean like how google will show a list of steps in a card at the top of some search results?
#
[LewisCowles] > I’m less interested in trying to influence other people’s actions
#
[LewisCowles] Maybe google does, maybe it doesn’t. I’m not in control of Google, but it’d be nice
#
[LewisCowles] I find it concerning to discuss software influencing software I don’t own or intend to make, but in the same way I don’t put everything into div tags, but use specialised tags to denote “this is a list”, I’d like to be able to sprinkle more meaning into the page
#
aaronpk this all sounds very handwavey unless you are talking about a specific case of displaying the data somewhere
#
[snarfed] these are all good ideas in general, but pretty abstract. our usual advice is to hold off on mf2 until you have a specific, concrete consuming use case.
#
[snarfed] right. semantic web, solid, etc are all examples of carrying the "make everything everywhere machine-meaningful" banner, and they've tended to get way way ahead of actual use cases, which we've seen as a cautionary tale
#
[LewisCowles] I think we disagree fundamentally on the point of authorship then
#
[snarfed] or, on the point of *authoring*? maybe so
#
[LewisCowles] Those going beyond current use cases. I think they are awesome and that without them the web would suck
#
[snarfed] you can continue adding more specific, fine grained machine-readable "meaning" and context more or less indefinitely, so you need a way to know when to stop. concrete use cases provide that for us.
#
aaronpk the specific concern here is regarding microformats
#
[LewisCowles] Authoring is to convey information, but in the modern digital age there are additional needs.
#
[LewisCowles] 1. When everyone is an author how do you filter noise?
#
[LewisCowles] Semantic web is a step towards that but it’s quite blunt
#
[LewisCowles] The amount of sites and apps I see making reviews that have no schema, or any higher-order formatting is disappointing
#
swentel GWG_, actually have it working now with raw output, but will come back to this at some point though :)
#
[LewisCowles] 2. Exploring schemas is a way to add structure and shape ideas
#
[snarfed] a different angle on this is, adding lots of machine-readable semantic info for unknown future use cases is an admirable goal, but not really a top priority for this community specifically
#
[LewisCowles] 👍
#
[snarfed] (background in https://indieweb.org/principles , https://indieweb.org/why , obvs)
#
swentel GWG_, and you completely ignore my, just read https://tools.ietf.org/html/rfc7636#appendix-A I now understand why you're removing the '=' :)
#
swentel s/my/me
#
swentel this means indigenous now has PKCE support :)
#
[LewisCowles] why I’d based it from.
#
[LewisCowles] • reach more people.
#
[LewisCowles] • identity
#
[LewisCowles] I’ll quit now
KartikPrabhu and mattgorecki joined the channel
#
gRegorLove what is static site?
#
Loqi A static site is a website that is served by a web server directly from the file system https://indieweb.org/static_site
superkuh_ joined the channel
#
gRegorLove superkuh_, there are some services for receiving webmentions to a static site https://indieweb.org/static_site#Receiving_Webmentions
#
[snarfed] they're not here yet
#
superkuh_ Yeah, I was playing with the web::mentions perl module when I noticed that it doesn't actually do the webmentions bit. It just gets passed some object by an external script that listens (?) and accepts POST.
#
superkuh_ My plan was initially going to be just passing the web logs to a perl script to do webmention stuff in batches asynchronously.
#
[snarfed] right, webmentions are dynamic content triggered outside the build cycle, so they're not an easy natural fit for static sites
#
[snarfed] and you're right, parsing logs won't work naturally, since webmention is POST
#
[snarfed] having said that, many static sites include JS, and pretty much all use code offline to build their HTML. most webmention tools for static sites use one of those two techniques. so webmention support doesn't really fundamentally change their "static"-ness.
#
superkuh_ Yeah, I looked at some workarounds for nginx which use ~20 lines of lua on the location definition to extract the url encoded post data and put it into the logs.
#
superkuh_ A bit too dynamic for my tastes though.
#
[snarfed] sounds like you want code to stay inside your build step. that can work too!
#
superkuh_ Heh. My build step is ls -v 2019-*.html | tac | xargs cat > blog-2019.html
#
gRegorLove I think [schmarty] does that in his build, using webmention.io
#
superkuh_ I built a comment system that tails the logs and acts on specific tags so I was hoping to repurpose it. I guess the lua in nginx to get the data in the logs will have to do for now.
#
sknebel I'm fairly sure yo don't need lua to log post body in nginx
#
superkuh_ If true, that'd be great.
#
superkuh_ Seems like there might be some modules to compile that could do it. Bleh. How did I miss this the first time. Thanks.
#
sknebel quick google: https://stackoverflow.com/questions/4939382/logging-post-data-from-request-body (few variations, the accepted answer doesn't seem the best)
#
Loqi misses this the first time too
#
sknebel lol
#
gRegorLove gives Loqi the first time
#
Loqi peers at the first time
mattgorecki joined the channel
#
@mxbck ↩️ If you're running it locally, it could be that the post's URL doesn't match the target of the real webmention. For the wms to be displayed, local URL has to be exactly the same as the 'wm-target' in the cached data. (twitter.com/_/status/1205631168265310209)
#
@mxbck ↩️ Can't look at the source properly right now on my phone, but might also be related to L19 in data/webmentions.js - you seem to exclude your used domain there. (twitter.com/_/status/1205634143410896896)
[tantek] joined the channel