#dev 2020-01-07

2020-01-07 UTC
#
@kevinmarks
↩️ @taoeffect @lightcoin @kiarabickers Have a look at webmention for decentralized comments.
(twitter.com/_/status/1214345759388250112)
#
[tantek]
wow Lightcoin is offering some criticism of Mastodon there
#
[tantek]
Mastodon << Criticism: “sign up on this stranger's server” is not really decentralized: https://twitter.com/lightcoin/status/1214293923922874369
#
@lightcoin
@taoeffect @kiarabickers @MastodonProject @getongab not a big fan of Mastodon. imo if a decentralized digital media app's first step is "sign up on this stranger's server" it's not good enough, and over time will probably look like email at best.
(twitter.com/_/status/1214293923922874369)
#
Loqi
ok, I added "Criticism: “sign up on this stranger's server” is not really decentralized: https://twitter.com/lightcoin/status/1214293923922874369" to the "See Also" section of /Mastodon https://indieweb.org/wiki/index.php?diff=67761&oldid=67206
#
@lightcoin
@taoeffect @kiarabickers indeed email has survived but if you run your own server people might never get your emails. it's already getting like that with Mastodon (as your suggestion to avoid http://madtodon.social shows). that's simply not an architecture I can invest energy into/ converting others to.
(twitter.com/_/status/1214300933200515073)
#
@lightcoin
@taoeffect make a decentralized social media app worth using, and maybe people will.
(twitter.com/_/status/1214251682265272326)
#
[tantek]
This is an interesting challenge for folks here: https://twitter.com/lightcoin/status/1214251682265272326
#
[tantek]
what is a decentralized social media app?
#
Loqi
It looks like we don't have a page for "decentralized social media app" yet. Would you like to create it? (Or just say "decentralized social media app is ____", a sentence describing the term)
gxt, [jgmac1106] and [schmarty] joined the channel
#
@tw2113
↩️ @jeremyfelt I hope I succeeded in sending a webmention your way. Check your pending comments :D
(twitter.com/_/status/1214367739382554627)
ketudb, KartikPrabhu and eli_oat joined the channel
eli_oat joined the channel; benharri left the channel
#
[tantek]
hey [KevinMarks] should I be able to fragmention an image by using its alt text?
#
[tantek]
I'm thinking that might be useful. I have a use-case in wanting to reference (and scroll to) the 3rd image here in particular: https://tantek.com/2020/004/t1/first-day-in-office-this-year
#
Loqi
[Tantek Çelik] Yesterday, first day in the office this year. Crane on a barge in the bay for some reason and sad to see a layer of smog occluding the East Bay(1). No better in the early evening, could only see lights from Treasure Island and the Port of Oakland(2).... https://fastly.4sqi.net/img/general/width960/476_3SdLSeAYLlfOtkXl6Xo4BZY5yOdfDP_duolYtBzxvGg.jpg
#
[KevinMarks]
Interesting - that makes sense, though not sure if the current version would do that. It would work for a figcaption. Another tricky case is in a <details> - should it expand it?
#
[tantek]
I can file a feature request for the spec to consider / answer it. Do you mean the current version of the polyfill?
#
[tantek]
I mean, that's a bug to be fixed if we agree it should be part of the spec (which I argue from use-case that it should)
#
[KevinMarks]
The polyfill, yes.
#
[tantek]
also figcaption would scroll to the figcaption. I don't want that. I literally want to scroll to the image itself
#
[KevinMarks]
I was thinking of finessing the text by referring to the selected text behaviour, but not sure if that will give you alt text for images
#
[tantek]
I think you're going to need to write explicit behavior more than referencing existing behavior
#
[KevinMarks]
Testing on that it does
#
[tantek]
should the img alt text be considered in-stream (the way a screen reader would read it?) that seems to make the most universal-access sense to me
#
Loqi
[Tantek Çelik] Yesterday, first day in the office this year. Crane on a barge in the bay for some reason and sad to see a layer of smog occluding the East Bay(1). No better in the early evening, could only see lights from Treasure Island and the Port of Oakland(2).... https://fastly.4sqi.net/img/general/width960/476_3SdLSeAYLlfOtkXl6Xo4BZY5yOdfDP_duolYtBzxvGg.jpg
#
[KevinMarks]
Do you have the polyfill?
#
[tantek]
that is very odd that it's not doing anything
#
[tantek]
um, is it matching the title element? 😂
#
[tantek]
should we exclude <title> from fragmention matches?
#
[tantek]
and meta?
#
[tantek]
nm meta is empty
#
[KevinMarks]
Not sure if screen reader and text copy are the same. The text copy is appealing because it has whitespace handling defined, and because that is the easy way to do a link by hand - copy text and paste after a # in the url
#
[tantek]
but maybe script should be excluded 🙂
#
[tantek]
copy paste will get you alt text if you haven't loaded images
#
[tantek]
a screenreader user wanting to reference something they happened to have heard in an alt text would absolutely copy paste it with a # after the URL
#
[tantek]
I wonder if a fragmentioned img by alt text like that should also show the alt text on top of the image like a closed caption
#
[tantek]
and then highlight *that*
#
[KevinMarks]
You may hit bounding box issues with long captions
#
[KevinMarks]
Do write an issue yes
#
[tantek]
you this kind of thing would be useful for, oh I dunno, web image search maybe?
#
Loqi
[tantek] #4 Fragmentions should scroll to img alt text
hermes, [prtksxna], [Michael_Beckwit, jacky, gRegorLove, swentel, roboX758 and cweiske joined the channel
#
jamietanna[m]
So I deleted the tweet and posted it again
simons, lahacker, deathrow1, rmdes, mblaney, swentel, [LewisCowles], eli_oat, [jgmac1106] and [Rose] joined the channel; mblaney left the channel
#
@jgmac1106
↩️ I like when people include a link back to their website. I would send the webmention to the source rather than to the tweet. (https://quickthoughts.jgregorymcverry.com/s/GdYzR)
(twitter.com/_/status/1214544960780939266)
simons, sscarfe and [tantek] joined the channel
#
[tantek]
This makes me wonder if there’s some IndieWeb way to help fight this. E.g. when you subscribe / follow a feed in a social reader, it should tell how you know them or if no connections can be found: https://www.buzzfeednews.com/article/craigsilverman/disinformation-for-hire-black-pr-firms
simons joined the channel
#
petermolnar
what is Project Xanadu?
#
Loqi
It looks like we don't have a page for "Project Xanadu" yet. Would you like to create it? (Or just say "Project Xanadu is ____", a sentence describing the term)
#
petermolnar
what is Xanadu?
#
Loqi
It looks like we don't have a page for "Xanadu" yet. Would you like to create it? (Or just say "Xanadu is ____", a sentence describing the term)
#
petermolnar
(it's relevant)
#
@dragonflybsd
Webmentions on the Digest: I've added Webmentions on the Digest.  If you don't know what that is, let... http://bit.ly/2ZYGV5M
(twitter.com/_/status/1214577155390234626)
[LewisCowles] and [KevinMarks] joined the channel
#
[tantek]
petermolnar, IDK, Xanadu was more of a brainstorm (never practical) than anything actually relevant. Certainly not indieweb relevant, nothing beyond its Wikipedia article.
#
@jgmac1106
↩️ And display webmentions on my site. I currently receive them using http://webmentions.io and can send them with bridgy or telegraph but I wanna figure this out for myself rather than relying on the servers of others. (https://quickthoughts.jgregorymcverry.com/s/1UfRA2)
(twitter.com/_/status/1214585812404310019)
[snarfed] joined the channel
#
[snarfed]
runs off to typosquat that domain :troll:
[schmarty] joined the channel
#
[snarfed]
hey jamietanna, any thoughts on the meetup API requiring a Pro subscription? (~$35/mo.) not sure where that leaves us re adding it to bridgy. you don't currently subscribe yourself, right?
[manton] and sergioma_ joined the channel
#
jamietanna[m]
Snarfed no I don't subscribe but I have got an oauth client registered for brid.gy already so we may be safe (although it leaves me as the owner)
#
[snarfed]
right! i guess i wonder how long they'll let that key survive without a subscription. have they said anything about that?
#
jamietanna[m]
Nope, I've not received anything so far about it. I didn't even know about it being a thing until you said, and it's not clearly called out on their docs so 🤷🏽‍♂️ they obviously don't seem to want to publicise it
#
jamietanna[m]
Snarfed I may try and look at finishing the bridgy PR tonight if you're about to maybe answer some questions re the PR?
#
jamietanna[m]
Happy to just ask them on the PR so you can reply when you're free 👍🏽
[CrowderSoup] joined the channel
#
[snarfed]
definitely! sounds good
#
[snarfed]
could you please also ask their support what they plan to do with existing API keys without subscriptions? we'll want to know if they plan to turn them off anytime soon
gRegorLove, leg, [CrowderSoup], [schmarty] and swentel joined the channel
#
[snarfed]
(i expect we'd only want to launch bridgy on meetup if we're confident the API access will survive for a while, ie years)
[tantek] and uniquerockrz joined the channel
#
[snarfed]
oh also jamietanna i guess we should remove meetup from https://oauth-dropins.appspot.com/ since we don't have an API key for it? (it would stay in the library, just not on that demo app.)
#
jamietanna[m]
Snarfed I'm having some difficulty working out the best way of hooking in the scopes to the start of the request, which file would you recommend looking at for how best to do it?
#
jamietanna[m]
Snarfed I've got a client we could use for OAuth dropins, and one for bridgy, but it's your call. I don't mind keeping one safe
#
[snarfed]
oh ok! that's good news then. thanks!
#
jamietanna[m]
If we're unable to launch on bridgy that'd be a shame 😥 I've reached out again on twitter
#
[snarfed]
i know! :crossed_fingers:
#
[snarfed]
re scopes, try passing them to the oauth-dropins request handlers' scopes= kwarg? eg https://github.com/snarfed/bridgy/blob/master/github.py#L101-L106
#
jamietanna[m]
If we're unsure I may keep one of the clients for a personal syndication client in the hopes that they won't notice me using it 😂
#
jamietanna[m]
Thanks, I'll try that after dinner 👍🏽
#
jamietanna[m]
Ah snarfed I think I've tried that, but then it doesn't seem to get set in the `<form>` that is generated on the home page
#
jamietanna[m]
Do I need to do anything special for the `button_html`? I assume not
chrisaldrich, [schmarty] and [chrisaldrich] joined the channel
#
[snarfed]
it collects from the scopes= kwarg as well as the form, so either is ok
#
[snarfed]
and no, you generally don't need to override button_html
superkuh joined the channel
#
superkuh
indieweb should drop, or modify, webmention so that full manual and distributed receiving of webmentions is possible. All it would take is putting the data in the URL string instead of using form encoded POST.
#
superkuh
Then everyone wouldn't be centralizing in these third party services to receive web mentions. Which kind of defeats the entire point.
#
aaronpk
superkuh: thanks for the note. i'm a little confused about your misunderstanding of webmention here.
#
superkuh
I might be confused but I don't think so. I spent a few days trying to implement my own webmention receiver in perl
#
aaronpk
with webmention, the only data sent is the source and target URL. turning that into a comment that's displayed will always require additional work by some software somewhere.
#
superkuh
Then stopped when I realized the system sucked.
#
superkuh
Sent as a POST with www-whatever-form-encoded data.
#
aaronpk
yeah, a regular html form post
#
superkuh
Which is invisible and not logged.
#
superkuh
Where if it were a real URL string it would be.
#
aaronpk
which every web framework ever can handle by default
#
aaronpk
in fact perl was probably the first to implement that lol
#
superkuh
Right. Every web framework! You want people running dynamic scripting languages with attack surfaces?
#
superkuh
Why even bother having the manual example page with curl when you can't receive manually?
#
aaronpk
sending != receiving
#
aaronpk
if you move the data from the post body to the query string, you just move the attack surface to the processing script instead of the server side environment
#
superkuh
Both are required for the thing to work and not force people into extra complexity or using third party services.
#
aaronpk
you don't avoid it
#
superkuh
You can though.
#
superkuh
If you just look at your logs manually.
#
aaronpk
manually? that doesn't sound very practical
#
superkuh
What doesn't sound practical to me is having the tail wag the dog on a static site.
#
superkuh
All this needless complexity pushes people to centralize. It's already happening.
#
aaronpk
there are many challenges for static sites way beyond handling the form post of webmention
#
aaronpk
if you really think it would solve it, i encourage you to build a webmention receiver for your static site that processes the webmention via query string parameters
#
superkuh
People willing to run dynamic scripts and expose them to incoming connections could still receive a URL string.
#
[schmarty]
logging of requested URLs isn't a feature of a static site
#
superkuh
aaronpk, I've already done so.
#
aaronpk
it would take a very small server side script to translate the form post to a query string for demonstration purposes
#
superkuh
Because that's how I built my comment system.
#
[schmarty]
request logs are a feature of a web host, a server.
#
superkuh
Uh...
#
aaronpk
right, even a static site has a web server in front of it
#
superkuh
I've looked into ways of getting form encoded data to log to disk with nginx. Mostly it requires about 30 lines of lua scripting in the location directive for the webmention endpoint.
#
aaronpk
the reason webmention works the way it does is so that the webmention form post can be handled by a system separate from the static web host
#
superkuh
But, server logs are not something exotic. If you're running a webserver it's very simple.
#
aaronpk
there are plenty of examples of static web hosts that don't give you access to the server logs too, so that wouldn't even solve that case
#
superkuh
static web hosts are not static sites. They're just more third party services.
#
superkuh
Just a subset.
#
superkuh
A limited one that invokes third party doctrine and loses any real value.
#
superkuh
I guess I'm mostly thinking about people like myself that host from home (and me, from the very computer I'm typing to you on).
#
aaronpk
if you're concerned about running some piece of software that handles a form post, and want to also run that software yourself, then you can write a web server that only parses the exact format that webmention requires and can't do anything else, eliminating any concerns of other "attacks" you're describing
#
aaronpk
again that's the beauty of webmention, it leaves that possibility open for you while also making it easy for others who don't have those same concerns
#
superkuh
I'd prefer to let something already known to be solid and secure like nginx handle it.
#
superkuh
That's why url strings work so well.
#
superkuh
People who want complexity can do it their way, but it wouldn't be required complexity.
#
aaronpk
you're missing the point here though. moving the data from the post body to the url doesn't actually change anything, because once you want to process that webmention you're going to parse the access logs and now you're parsing the query string from the log file instead of the http request and you're open to all the same attacks again
#
superkuh
Yeah, I'd parse it with grep.
#
aaronpk
untrusted data is untrusted data regardless of where you accept it from
#
superkuh
And my eyes.
#
superkuh
Pretty safe. Pretty easy.
#
superkuh
It's not like I'm going to get hundreds or even tens of webmentions per day.
#
superkuh
The equivalent of the manual curl send.
#
superkuh
Which obviously has value.
#
superkuh
And so does a manual way on the receive side.
#
aaronpk
so i'm googling "nginx log post body" and finding some good results that are pretty straightforward
#
superkuh
Straightforward like adding another module from some random dude and compiling it in.
#
superkuh
Or straightforward like adding 30 lines of lua.
#
aaronpk
it looks like there is a variable $request_body
#
superkuh
If you compile in the Echo module.
#
aaronpk
seems reasonable
#
superkuh
Pretty much the same as running some dude's random php script, only now it's C.
#
aaronpk
i thought you said you trusted nginx tho
#
superkuh
I do. The default modules.
#
aaronpk
all code is just random scripts at the end of the day
#
superkuh
That said, I do appreciate you actually looking to find a solution to my problem.
#
superkuh
And yeah, that does seem the easiest.
#
superkuh
But not good enough.
#
aaronpk
i'm not sure how familiar with HTTP verbs you are, but there are other implications of sending data via GET vs POST that make GET not a good fit for webmention
paulcarroty joined the channel
#
aaronpk
nice, i just tried $request_body on my server and if your nginx is proxying to a server then the variable is already set
#
aaronpk
so if you configure nginx to proxy to itself, then you get that variable without any additional modules
#
aaronpk
this is great, this will help me debug stuff too since i'll be able to see the request body before it's parsed by my web framework
[kimberlyhirsh] joined the channel
#
superkuh
Eh, that's kind of neat.
#
superkuh
Maybe there are other ways too then. I guess I should ask on the nginx channel.
#
aaronpk
nice, now i'm seeing the full xml payload of pingback in my logs too lol
#
[schmarty]
haha that's a fun and weird thing to see in logs
#
aaronpk
that woulda been handy when i was first implementing pingback 🤷
uniquerockrz and [Rose] joined the channel
[jgmac1106] and [davidmead] joined the channel
#
jamietanna[m]
!tell snarfed looks like I need https://github.com/snarfed/granary/pull/180 (just raised it) before the Brid.gy stuff can continue as that method's used by Brid.gy's code - just doing some validation to confirm it's working ok
#
Loqi
Ok, I'll tell them that when I see them next
#
Loqi
[jamietanna] #180 Add missing `user_to_actor` method for Meetup
[LewisCowles] and [snarfed] joined the channel
#
[snarfed]
ok! will look
#
Loqi
[snarfed]: jamietanna[m] left you a message 59 minutes ago: looks like I need https://github.com/snarfed/granary/pull/180 (just raised it) before the Brid.gy stuff can continue as that method's used by Brid.gy's code - just doing some validation to confirm it's working ok
#
jamietanna[m]
Thanks, just pushed the last bit which now should work 👍🏽
#
jamietanna[m]
That's allowed me to authorize bridgy locally, so now all I need to test is publishing. How did you recommend in the past? Publish an RSVP with the prod bridgy meetup url, then try publish locally via the preview?
#
jamietanna[m]
Awesome. I'll give that a go tomorrow, although I can't seem to get my local setup working on my laptop so may be later in the evening
#
jamietanna[m]
Can you think (off the top of your head) why http://localhost:8080/meetup/189380737 would fail to resolve my user? That's the user_id it should be stored as
#
[snarfed]
hmm! not sure. you can look at the actual Meetup datastore entity in http://localhost:8000/ to see if its id looks right
#
[snarfed]
also, if you run a normal python shell while in your virtualenv and while dev_appserver is running, and then do eg `Meetup.get_by_id(...)`, it'll use your local datastore
[tantek] and uniquerockrz joined the channel