#[tantek]what is a decentralized social media app?
#LoqiIt looks like we don't have a page for "decentralized social media app" yet. Would you like to create it? (Or just say "decentralized social media app is ____", a sentence describing the term)
gxt, [jgmac1106] and [schmarty] joined the channel
#[KevinMarks]Interesting - that makes sense, though not sure if the current version would do that. It would work for a figcaption. Another tricky case is in a <details > - should it expand it?
#[tantek]I can file a feature request for the spec to consider / answer it. Do you mean the current version of the polyfill?
#[tantek]I mean, that's a bug to be fixed if we agree it should be part of the spec (which I argue from use-case that it should)
#[tantek]should the img alt text be considered in-stream (the way a screen reader would read it?) that seems to make the most universal-access sense to me
#[KevinMarks]Not sure if screen reader and text copy are the same. The text copy is appealing because it has whitespace handling defined, and because that is the easy way to do a link by hand - copy text and paste after a # in the url
#[tantek]copy paste will get you alt text if you haven't loaded images
#[tantek]a screenreader user wanting to reference something they happened have heard in an alt text would absolutely copy paste it with a # after the URL
#[tantek]I wonder if a fragmentioned img by alt text like that should also show the alt text on top of the image like a closed caption
#LoqiIt looks like we don't have a page for "Project Xanadu" yet. Would you like to create it? (Or just say "Project Xanadu is ____", a sentence describing the term)
#[tantek]petermolnar, IDK, Xanadu was more of a brainstorm (never practical) than anything actually relevant. Certainly not indieweb relevant, nothing beyond its Wikipedia article.
#[snarfed]runs off to typosquat that domain :troll:
[schmarty] joined the channel
#[snarfed]hey jamietanna, any thoughts on the meetup API requiring a Pro subscription? (~$35/mo.) not sure where that leaves us re adding it to bridgy. you don't currently subscribe yourself, right?
[manton] and sergioma_ joined the channel
#jamietanna[m]Snarfed no I don't subscribe but I have got an oauth client registered for brid.gy already so we may be safe (although it leaves me as the owner)
#[snarfed]right! i guess i wonder how long they'll let that key survive without a subscription. have they said anything about that?
#jamietanna[m]Nope, I've not received anything so far about it. I didn't even know about it being a thing until you said, and it's not clearly called out on their docs so 🤷🏽♂️ they obviously don't seem to want to publicise it
#jamietanna[m]Snarfed I may try and look at finishing the bridgy PR tonight if you're about to maybe answer some questions re the PR?
#jamietanna[m]Happy to just ask them on the PR so you can reply when you're free 👍🏽
#[snarfed]could you please also ask their support what they plan to do with existing API keys without subscriptions? we'll want to know if they plan to turn them off anytime soon
gRegorLove, leg, [CrowderSoup], [schmarty] and swentel joined the channel
#[snarfed](i expect we'd only want to launch bridgy on meetup if we're confident the API access will survive for a while, ie years)
[tantek] and uniquerockrz joined the channel
#[snarfed]oh also jamietanna i guess we should remove meetup from https://oauth-dropins.appspot.com/ since we don't have an API key for it? (it would stay in the library, just not on that demo app.)
#jamietanna[m]Snarfed I'm having some difficulty working out the best way of hooking in the scopes to the start of the request, which file would you recommend looking at for how best to do it?
#jamietanna[m]Snarfed I've got a client we could use for OAuth dropins, and one for bridgy, but it's your call. I don't mind keeping one safe
#jamietanna[m]Ah snarfed I think I've tried that, but then it doesn't seem to get set in the `<form>` that is generated on the home page
#jamietanna[m]Do I need to do anything special for the `button_html`? I assume not
chrisaldrich, [schmarty] and [chrisaldrich] joined the channel
#[snarfed]it collects from the scopes=kwarg as well as the form, so either is ok
#[snarfed]and no, you generally don't need to override button_html
superkuh joined the channel
#superkuhindieweb should drop, or modify, webmention so that full manual and distributed receiving of webmentions is possible. All it would take is putting the data in the URL string instead of using form encoded POST.
#superkuhThen everyone wouldn't be centralizing in these third party services to receive web mentions. Which kind of defeats the entire point.
#aaronpksuperkuh: thanks for the note. i'm a little confused about your misunderstanding of webmention here.
#superkuhI might be confused but I don't think so. I spent a few days trying to implement my own webmention receiver in perl
#aaronpkwith webmention, the only data sent is the source and target URL. turning that into a comment that's displayed will always require additional work by some software somewhere.
#superkuhThen stopped when I realized the system sucked.
#superkuhSent as a POST with www-whatever-form-encoded data.
#aaronpkif you move the data from the post body to the query string, you just move the attack surface to the processing script instead of the server side environment
#superkuhBoth are required for the thing to work and not force people into extra complexity or using third party services.
#aaronpkmanually? that doesn't sound very practical
#superkuhWhat doesn't sound practical to me is having the tail wag the dog on a static site.
#superkuhAll this needless complexity pushes people to centralize. It's already happening.
#aaronpkthere are many challenges for static sites way beyond handling the form post of webmention
#aaronpkif you really think it would solve it, i encourage you to build a webmention receiver for your static site that processes the webmention via query string parameters
#superkuhPeople willing to run dynamic scripts and expose them to incoming connections could still receive a URL string.
#[schmarty]logging of requested URLs isn't a feature of a static site
#aaronpkright, even a static site has a web server in front of it
#superkuhI've looked into ways of getting form encoded data to log to disk with nginx. Mostly it requires about 30 lines of lua scripting in the location directive for the webmention endpoint.
#aaronpkthe reason webmention works the way it does is so that the webmention form post can be handled by a system separate from the static web host
#superkuhBut, server logs are not something exotic. If you're running a webserver it's very simple.
#aaronpkthere are plenty of examples of static web hosts that don't give you access to the server logs too, so that wouldn't even solve that case
#superkuhstatic web hosts are not static sites. They're just more third party services.
#superkuhA limited one that invokes third party doctorine and loses any real value.
#superkuhI guess I'm mostly thinking about people like myself that host from home (and me, from the very computer I'm typing to you on).
#aaronpkif you're concerned about running some piece of software that handles a form post, and want to also run that software yourself, then you can write a web server that only parses the exact format that webmention requires and can't do anything else, eliminating any concerns of other "attacks" you're describing
#aaronpkagain that's the beauty of webmention, it leaves that possibility open for you while also making it easy for others who don't have those same concerns
#superkuhI'd prefer to let something already known to be solid and secure like nginx handle it.
#superkuhPeople who want complexity can do it their way, but it wouldn't be required complexity.
#aaronpkyou're missing the point here though. moving the data from the post body to the url doesn't actually change anything, because once you want to process that webmention you're going to parse the access logs and now you're parsinjg the query string from the log file insteadf of the http request and your'e open to all the same attacks again
#aaronpki'm not sure how familiar with HTTP verbs you are, but there are other implications of sending data via GET vs POST that make GET not a good fit for webmention
paulcarroty joined the channel
#aaronpknice, i just tried $request_body on my server and if your nginx is proxying to a server then the variable is already set
#jamietanna[m]!tell snarfed looks like I need https://github.com/snarfed/granary/pull/180 (just raised it) before the Brid.gy stuff can continue as that method's used by Brid.gy's code - just doing some validation to confirm it's working ok
#Loqi[snarfed]: jamietanna[m] left you a message 59 minutes ago: looks like I need https://github.com/snarfed/granary/pull/180 (just raised it) before the Brid.gy stuff can continue as that method's used by Brid.gy's code - just doing some validation to confirm it's working ok
#jamietanna[m]Thanks, just pushed the last bit which now should work 👍🏽
#jamietanna[m]That's allowed me to authorize bridgy locally, so now all I need to test is publishing. How did you recommend in the past? Publish an RSVP with the prod bridgy meetup url, then try publish locally via the preview?
#[snarfed]hmm! not sure. you can look at the actual Meetup datastore entity in http://localhost:8000/ to see if its id looks right
#[snarfed]also, if you run a normal python shell while in your virtualenv and while dev_appserver is running, and then do eg `Meetup.get_by_id(...)`, it'll use your local datastore