#dev 2020-01-16
2020-01-16 UTC
jolvera, [KevinMarks]1, [tantek]1, voxpelli, sfoster, [jgmac1106], TGiske, eindoofus and [KevinMarks] joined the channel
# eindoofus hi, just wondering how in-demand sass knowledge is these days? i'm going through online courses for html/css and not sure which to chose. i also see flexbox mentioned in one
# eindoofus i have some backend knowledge but near zero on the frontend, thus the stupid questions
nickodd and [email096] joined the channel
# [email096] Yay, Edge has MIDI support!
[dmitshur] joined the channel
# [dmitshur] is beesbuzz.biz here? (not seeing them but given they reported issues in https://github.com/indieweb/indieauth/issues I'm hopeful)
# [dmitshur] [fluffy] hi!
# [dmitshur] 👋
[fluffy] joined the channel
# [dmitshur] I wanted to share another weird thing I was thinking about re https://github.com/indieweb/indieauth/issues/35 but don't want to derail that issue
# [dmitshur] imagine a user enters https://example.com/ as profile url, an auth endpoint is discovered, IndieAuth authentication flow is successful, and the endpoint returns a "me" value of... a completely different page that is 404 or something.
# [dmitshur] it's an odd case for me to consider because I want to discover user's metadata such as h-card.photo, find rel=me links, etc.
# [dmitshur] but here's the thing, I want to implement RelMeAuth and use it only when there isn't an authorization endpoint
# [dmitshur] so if I discover IndieAuth authz endpoint, I may need to consider one URL as their canonical user profile.
# [dmitshur] Otherwise I need to consider a very different URL...
# [dmitshur] so I need to decide what URL to use for RelMeAuth purposes
# [dmitshur] maybe I should just mimic the https://indieauth.spec.indieweb.org/#discovery-by-clients behavior for RelMeAuth too.
# [dmitshur] yeah
# [dmitshur] I haven't either yet, it's a TODO
# [dmitshur] but things would be much simpler if there weren't redirects 😛 or fewer of them
# [fluffy] Incidentally, regarding indieauth issue 35 I wrote https://github.com/fluffy-critter/AnyAuth and also have https://anyauth.beesbuzz.biz/
# [dmitshur] hehe
# [dmitshur] that might come in handy for me later, thanks
# [dmitshur] yeah, right now I'm just not supporting redirection at all and requiring all URLs to be equal, with a "TODO: add support for advanced redirection"... and working on resolving the TODO.
# [dmitshur] well, cheers, thanks for looking at this stuff too and sharing your findings 🙂
# [dmitshur] what exactly is annoying? What OpenID impls do, or that IndieAuth differs?
# [dmitshur] I see.
# [fluffy] I just remember being supremely annoyed by how one forum I was on didn’t see http://example.com/me and http://example.com/me/ as equivalent.
# Loqi [[dmitshur]] On a different but related note, "https://example.com/user" and "https://example.com/user/" are technically different URLs. It seems weird to let 2 completely different people differ only by a trailing slash. But https://indieauth.spec.indieweb.org/#...
# [dmitshur] I will say, as I understand the spirit and target audience of IndieAuth, I am okay with the domain being a unit of trust, especially if that buys simplicity. I wouldn't want IndieAuth to try to solve the thousands-of-users per domain problem, because that'd likely make it much more complicated... but I understand other people may have different priorities or preferences and that's valid.
# [dmitshur] and if two users want to troll and have URLs that differ only by a trailing slash, that's their choice and great. if a single user wants to be able to enter their URL with a trailing slash or without, and have the authz endpoint return a canonical version, that's great too.
# [dmitshur] I'm in agreement on not violating expectations.
# [dmitshur] my top goals are to let more people use URLs as identifiers, and to let people sign in to my site even if github is down. if you're curious, what I'm working on is https://github.com/shurcooL/home/issues/34.
# [fluffy] user has a webpage on tilde.club. Say, https://tilde.club/~alice/
# [fluffy] let’s say tilde.club/~alice sets their profile as an IndieAuth endpoint that provides a “me” URL of https://tilde.club/~bob/
# [dmitshur] so the high level problem is when example.com has no idea what IndieAuth is, but lets certain people control certain pages. then, if a user has full control over example.com/foo/ but no control over example.com or any other pages, they can still control the entire example.com domain. is that right?
# [dmitshur] yep. in the context of being able to authenticate via IndieAuth.
# [dmitshur] this reminds me of how the Go project deals with this problem for custom import paths.
# [dmitshur] > The import-prefix is the import path corresponding to the repository root. It must be a prefix or an exact match of the package being fetched with "go get". If it's not an exact match, another http request is made at the prefix to verify the <meta> tags match.
# [dmitshur] should be easier to understand by looking at the comment at https://github.com/golang/go/blob/f77e7ed7e374311e684fe810bf1aabaf18965a8a/src/cmd/go/internal/get/vcs.go#L825-L830
# [dmitshur] applied to IndieAuth, it could mean something like... if authz endpoint returns a "me" URL where the original user profile URL isn't a prefix of it, then it should be confirmed that the returned "me" URL specifies the same authorization endpoint URL.
# [dmitshur] so if tilde.club/~bob uses the authorization endpoint evil.com/auth that returns a "me" value of "tilde.club/~alice", then we check and see tilde.club/~alice doesn't have the same authorization endpoint evil.com/auth, so we can't trust bob.
# [dmitshur] and I think the prefix rule can be simplified to just inequality. if the returned "me" value is different, then it should be confirmed that if used for authorization discovery, it reports the same authz endpoint.
# [dmitshur] for authorization endpoint* discovery
# [dmitshur] I don't know how others feel about this idea, but I'm liking it so far, and I may make it a proposal (if no one else beats me to doing that).
# [dmitshur] by consumer, do you mean IndieAuth client?
# [dmitshur] I see two scenarios. either the authz endpoint returns the same URL as what the user entered. in that case nothing more needs to be done.
# [dmitshur] the second scenario is that the authz endpoint returns a different URL. then the client must do a second "discover the authorization endpoint" call on a different URL.
# [dmitshur] it's just running the same code on 2 URLs instead of 1.
# [dmitshur] it seems conceptually simple to me. what makes you not like it?
# [dmitshur] I see, thanks
# [dmitshur] I'll think about it more before I do anything, of course.
# [dmitshur] I agree it adds complexity, but it seems justified for the problem it's solving. but if there's a simpler solution, that'd be better.
# [dmitshur] I might be biased but I find the ability of the authz endpoint to return a non-200-OK URL quite unpleasant, and this change would make that scenario impossible as a byproduct.
# [dmitshur] you can still have 1 handshake if you enter your canonical profile URL into the sign in form.
# [dmitshur] I appreciate feedback 🙂
# [dmitshur] but instead it should be assumed to be authoritative over that URL itself, and all deeper paths, is that what you mean?
# [dmitshur] gotcha.
# [dmitshur] I think that's a valid concern but I'm not sure if I believe it's best for it to be in scope of IndieAuth. but I haven't made up my mind about these things yet.
# [dmitshur] I think that's fair. you have certain use cases in mind and desire to enable/support, and you're done work in that direction.
# [dmitshur] it comes down to trade-offs of having more specialized, simpler protocols, but more of them... vs fewer but more complicated.
# [dmitshur] yeah, the bar to implement one's own IndieAuth authz endpoint is quite high now, so I'm not surprised it's used by very few people. even using another server's existing authz endpoint is still non-trivial.
# [dmitshur] I'm learning of new projects today 🙂
# [dmitshur] I think my second-discovery-on-me-mismatch idea above should be compatible with vast majority of existing IndieAuth implementations, so I have the option of attempting to prototype it and learn from the experience before making any proposals.
[tantek] joined the channel
# [dmitshur] I have to take off soon. thanks for the discussion!
# [dmitshur] it was nice to meet you today 🙂
[fluffy], [tantek], [dmitshur]1 and [email096]1 joined the channel
KartikPrabhu joined the channel
# @jeremyfelt Webmentions work log 20200115 https://jeremyfelt.com/2020/01/15/webmentions-work-log-20200115/ (twitter.com/_/status/1217698234828591104)
dietricha, shakeel, kitt, jmac, myfreeweb, jolvera, mattl, danyao, gRegorLove, voxpelli, superjen96, jeneliza_, TGiske, sfoster, ludovicchabant, willnorris, jimpick, jenelizabeth, [Marlin_Forbes], swentel, simons, gxt, KartikPrabhu, [Rose] and [KevinMarks] joined the channel; nickodd left the channel
# [KevinMarks] there is a case for profile URLs redirecting, especially with a 301 - think of the rel-me auth case where pointed-to profiles may move.
# [KevinMarks] a key one was where (eg) profiles.google.com/kevinmarks would redirect to the G+ profile (all of this is now broken, of course)
rainw6ter, simons, TGiske, jjuran and [tantek] joined the channel
# [tantek] I'm seeing a site down message here, anyone else? https://foursquare.com/v/muni-stop-id-14618-fillmore--haight-outbound-22/52310eea11d2cb66d5de5427
[Marlin_Forbes] joined the channel
# [Marlin_Forbes] yeah gonna timeout
# [Marlin_Forbes] yup, just got a varnish error page
# [Marlin_Forbes] classy
# [Marlin_Forbes] the error page renderer is also down
# [Marlin_Forbes] probably a CPT POP cached the wrong page for 503
# [Marlin_Forbes] CPT = Cape Town
# [Marlin_Forbes] CDN issue probable, this says it's up https://downforeveryoneorjustme.com/foursquare.com
# [Marlin_Forbes] unless there's some special backend service required to render that specific page, possible
simons joined the channel; gimochiDiscord[m left the channel
ci_trex joined the channel; ci_trex left the channel
[KevinMarks] joined the channel
# [KevinMarks] well no, not any more. Google profiles was a good rel-me provider from 2008 to 2016, through the G+ transition, but then as G+ got neglected they broke it
[jgmac1106], simons, jgmac1106, [Rose], glgac, CyOp0x00Discord[, [fluffy], [tantek] and [snarfed] joined the channel
# [snarfed] i'm seeing more and more sites regularly reattempt bridgy publishing many or all of their posts, all at once. probably static sites that use bridgy publish links and auto (re)send webmentions on every build. not a problem, but getting to be a more notable source of load, esp some sites that post many times a day and have well over >10k posts total
# [snarfed] they're generally all 400s, and normally it'd be easy to short circuit that response, except bridgy publish supports 410 delete, so i have to request each page, follow redirects, look up in the db to see if i've already published that final url, and then also check that it isn't a 410. so they're not cheap
# [snarfed] unrelated, [srushe] has been reattempting bridgy publish for https://deeden.co.uk/reposts/2020/01/16/134744 once a minute for a while now. [srushe] you might want to add a limit to the number of times you retry webmentions 😆
[srushe] joined the channel
# [srushe] Oops. On it
# [snarfed] (speaking of which, hope he's ok, i'd love to keep going on https://github.com/snarfed/bridgy/pull/906 !)
KirushikDiscord[ and [schmarty] joined the channel
# [schmarty] i don't think any SSG actually supports sending WMs?
# [schmarty] but an SSG building/hosting platform like Netlify could
# [schmarty] right. i built that into my site builder very early
# jamietanna[m] Snarfed I am! It's been super busy here unfortunately and I'm on holiday (without laptop) next week so won't be back to bridgy work until following week unfortunately
# jamietanna[m] I have a sitemap that I generate (and use to list what should get wm'd) - I could use that and see the `lastmod` for what I need to send, reducing what is outgoing even more
# jamietanna[m] Oh no I'm not yet on holiday! Just been too busy unfortunately - I'd love to get it finished too
# jamietanna[m] Sorry snarfed is that for the meetup bridgy ones? Or ie ones I've already got syndicated?
# jamietanna[m] > (jamietanna your site is one of the more noticeable ones ^, just fyi)
# jamietanna[m] That question in response to this
# jamietanna[m] Oh interesting. I think they shouldn't be attempting to resend so that isn't great. I can look into it
# @bmann ↩️ Has anyone bugged y'all about using the WP Webmentions plugin https://wordpress.org/plugins/webmention/ along with Bridgy? https://brid.gy/about
Totally different implementation, but would mean Twitter (and other networks!) would get sucked right into the AVC website. (twitter.com/_/status/1217868832959844354)
# @bmann ↩️ Has anyone bugged y'all about using the WP Webmentions plugin https://wordpress.org/plugins/webmention/ along with Bridgy? https://brid.gy/about
Totally different implementation, but would mean Twitter (and other networks!) would get sucked right into the AVC website. (twitter.com/_/status/1217868832959844354)
eli_oat joined the channel
[generativist] joined the channel
petermolnar joined the channel
# jamietanna[m] Agreed! Snarfed if you're able to share some URLs I've tried to re-syndicate in the past few weeks I can look at investigating what's gone wrong with my webmention sending 👍🏽
# [snarfed] jamietanna sure! recent example ended at 10:13am PST yesterday. last three URLs were https://www.jvt.me/mf2/2019/12/yudga/ , https://www.jvt.me/mf2/2019/12/0nbqa/ , https://www.jvt.me/mf2/2019/12/isqba/
# Loqi [Jamie Tanna] This post has been published by my Micropub endpoint (code in https://gitlab.com/jamietanna/www-api ) and syndicated to Twitter via https://brid.gy 🙌 #IndieWeb - I'm able to own my tweets from my personal website at https://www.jvt.me and you can ...
# jamietanna[m] Thanks snarfed, I'll look into them!
# jamietanna[m] I have a feeling it will be that it didn't get written to the DB properly (sqlite Java library has an issue with locking)
gRegorLove joined the channel
[KevinMarks] joined the channel
# [tantek] I'm going to call links like https://brid.gy/publish/twitter "command links" as they're links for essentially performing a command
[mykola_bilokons joined the channel
# [generativist] Greetings, everyone. After talking with [tantek], I realized I should introduce what I'm working on right now. I mentioned before, but -- like a lot of python-favoring data scientists -- I spend most days inside collections of Jupyter/Ipython notebooks. Previously, I've had ad-hoc collections of scripts to make webpages out of them. And, my entire dissertation was a large collection of notebooks converted to PDF. So right now, I'm turning
# [generativist] it into an indieweb-favoring command line tool.
# [generativist] E.g. (roughly)
# [generativist] `$ falsifiable init # creates project`
# [generativist] `$ falsifiable build # converts all notebooks and creates directory indices`
# [generativist] `$ falsifiable publish # extensible if you're not just doing git`
# [generativist] Mostly, I want this. But, I also think a lot of people who follow me on twitter in general and data scientists in particular are technically competent and recognize the value in owning your domain -- so this is a low friction onboarding thing.
# [tantek] alright, documented my brainstorm before implementing so I don't feel like I have to neglect everything else just to code this today: https://indieweb.org/Bridgy#Minimize_Publish_Rerequests
tsrt^ and KartikPrabhu joined the channel
# @_carlbrand Testing Webmentions
https://carlbrand.dev/2-testing-webmentions (twitter.com/_/status/1217916132885237762)
# @jezcope In which I rip out Disqus in favour of something decentralised and free (as in speech): https://erambler.co.uk/blog/replacing-comments-with-webmentions/ (twitter.com/_/status/1217917686199586816)
coryschwartzDisc, gRegorLove_ and TGiske joined the channel
# @vform Replacing comments with webmentions | eRambler - https://erambler.co.uk/blog/replacing-comments-with-webmentions/ (twitter.com/_/status/1217930294164107266)
[tantek] and [manton] joined the channel