#dev 2020-05-31

2020-05-31 UTC
# 00:00 
@alfakini A web pode ser interpretada como um grafo unidirecional navegando-se pelos seus links. Podemos voltar pro nó anterior, mas não é possível de forma fácil descobrir quais nós apontam para o nó (grafo bidirecional). Imagina que incrível seria isso! https://www.w3.org/TR/2017/REC-webmention-20170112/ (twitter.com/_/status/1266881165920698374)
vilhalmer, geoffo, lahacker, mlncn, chimo, MylesBraithwaite, wagle, [manton] and [chrisaldrich] joined the channel
# 05:59 
petermolnar Google has beta image licence data recommendations: https://developers.google.com/search/docs/data-types/image-license-metadata including an IPTC tag, "Web Statement of Rights" - had anyone used this before?
# 06:02 
jacky what is a bookshelf
# 06:02 
Loqi It looks like we don't have a page for "bookshelf" yet. Would you like to create it? (Or just say "bookshelf is ____", a sentence describing the term)
# 06:02 
jacky grr
# 06:02 
jacky what are books
# 06:02 
Loqi A book is a written work typically longer than an article, on the indieweb, there are examples of publishing whole books on IndieWeb sites, and publishing lists of books https://indieweb.org/books
# 06:03 
jacky hmm I just wanna mark up a list of books
# 06:03 
jacky going to do the h-feed / h-entry approach
# 06:18 
petermolnar fyi I found this on photo licencing: https://blog.laurencebichon.com/how-to-set-licensor-and-webstatement-for-google-license-in-capture-one/
# 06:23 
petermolnar further reading here: https://iptc.org/standards/photo-metadata/quick-guide-to-iptc-photo-metadata-and-google-images-2/
leg joined the channel
# 06:48 
jacky I asked about the bookshelf because I've been asked by people to build something w.r.t political education
# 06:48 
jacky and figured this would be a good chance to slowly pull from goodreads and friends
# 07:20 
jacky wikipedia++
# 07:20 
Loqi wikipedia has 1 karma over the last year
# 07:20 
jacky I'm trying to use it to link all of the books I'm building up
# 07:20 
jacky it's sad to see so few revolutionary bits of material on there
[fluffy] and [LewisCowles] joined the channel
# 07:32 
[LewisCowles] Still time yet jacky
nickodd, moppy and jeremych_ joined the channel
# 08:29 
jacky this is what I've cobbled together
# 08:29 
jacky https://jacky.wtf/library.html
# 08:30 
jacky the mf2 looks good imo
# 08:30 
jacky ideally if I exposed a websub on that page too and someone subscribed to a feed reader with websub support
# 08:30 
[LewisCowles] jacky, the abolish silicon valley... Hide it until you're done interviewing lol
# 08:31 
jacky they'd see it adjust as I go
# 08:31 
jacky [LewisCowles]: lmfaoo
# 08:31 
[LewisCowles] I too would like certain parts of VC to do one. I'm adding that to my reading list
# 08:34 
jacky I think the toughest read on that list (like page-wise) was Capital
# 08:34 
jacky it's like the size of the bible lol
# 08:36 
jeremycherfas I've gone to chat for this.
# 08:58 
[LewisCowles] !tell Zegnat I still want to know more about that LIBXML thing, while I've been waiting for one computer to compile things, I've been digging. https://bugs.php.net/bug.php?id=74004 came up
# 08:58 
Loqi Ok, I'll tell them that when I see them next
# 09:02 
[LewisCowles] also from my feed https://www.zdnet.com/article/github-warns-java-developers-of-new-malware-poisoning-netbeans-projects/
KartikPrabhu joined the channel
# 09:45 
Zegnat I saw that issue too, [LewisCowles], but as the NOWARNING flag worked in all my tests I just went with it anyway, haha
# 09:45 
Loqi Zegnat: [LewisCowles] left you a message 47 minutes ago: I still want to know more about that LIBXML thing, while I've been waiting for one computer to compile things, I've been digging. https://bugs.php.net/bug.php?id=74004 came up
# 09:46 
Zegnat Do keep us posted if you find anything. I should probably file a bug on the PHP bug tracker, just haven’t had time yet. Right now 100% on a project for work
# 10:48 
[fluffy] so, my latest Publ release seems to improve performance on my deployed site by, oh, only *900%*
# 10:49 
[fluffy] object pooling: it’s what’s for dinner
[LewisCowles] joined the channel
# 11:25 
[LewisCowles] nice one fluffy
# 11:25 
[LewisCowles] how is the new job?
# 11:42 
[fluffy] It’s pretty okay. Kind of an organizational clusterfuck. I’d say we should move this to #chat but I’m also trying to sleep (I am bad at it)
gRegorLove, dopplergange and [dmitshur] joined the channel
# 14:45 
[dmitshur] What do people think of https://news.ycombinator.com/item?id=23362149 ? Has it been discussed earlier?
# 14:45 
Loqi [masnick] Zero-day in Sign in with Apple
# 14:51 
aaronpk i’m writing up a blog post about it
# 14:51 
aaronpk because i can’t stand all the replies
[John_Payne] and [snarfed] joined the channel
# 14:55 
[snarfed] vulnerabilities seem like outages. they happen. nothing is perfect. individual ones don't necessarily mean anything bigger about whether any product or service is "good" or not. details (and broader techniques) can definitely be interesting, but probably more for other communities than us, right?
# 14:55 
[snarfed] aaronpk specifically works on oauth and directly related stuff, so details are worth looking at for him in that context
# 14:58 
[snarfed] vulnerabilities and outages seem similar to academic papers in that sense. each one matters, but science isn't any individual paper(s), it's the overall body of literature and knowledge over time
# 14:59 
aaronpk [snarfed]++
# 14:59 
Loqi [snarfed] has 52 karma in this channel over the last year (94 in all channels)
[tantek], [schmarty], [fluffy], [Ramiro_Ruiz], nickodd, KartikPrabhu, geoffo, dogfart, [LewisCowles], Mikaela and [Aaron_Klemm] joined the channel; nickodd left the channel
# 21:17 
[Aaron_Klemm] Does OIDC even support logging in via URL? Googling hasn't got me there.
# 21:19 
aaronpk you mean like openid 1 did?
# 21:22 
[Aaron_Klemm] yes
# 21:28 
[Aaron_Klemm] That’s what I mean.
superkuh and [chrisaldrich] joined the channel
# 21:53 
aaronpk theoretically yes, using the "self-issued.me" provider, which is what I am told every time I mention indieauth
# 21:53 
aaronpk however I do not know of anyone actually using that
# 21:56 
aaronpk https://openid.net/specs/openid-connect-core-1_0.html#SelfIssued
# 21:57 
aaronpk tho now that I think about it, this seems slightly different
[dmitshur] joined the channel
# 22:07 
[dmitshur] haha. looking forward to the blog post Aaron.
# 22:08 
aaronpk just finished it!
# 22:08 
aaronpk https://aaronparecki.com/2020/05/31/30/the-real-cause-of-the-sign-in-with-apple-zero-day
# 22:08 
[dmitshur] woot
# 22:08 
Loqi woot
# 22:13 
[dmitshur] I already have a guess as to what the "real cause" is; curious if my guess will match... hmm, yeah, I think it was close. my guess was that the cause was the complexity of the OAuth spec as it is today making it harder to implement it fully and consider all the things (and serving as motivation for simplifying/consolidating it in future versions, rather than just adding more on top). i.e., the OAuth 2.1 initiative.
# 22:14 
aaronpk hm no not at all
# 22:16 
[dmitshur] "take a very careful look at all of the OAuth RFCs and make sure you know what you’re getting in to before you start."
# 22:16 
[dmitshur] that's a lot of work.
# 22:16 
[dmitshur] "Rule number 1 of authentication: Never roll your own authentication."
# 22:16 
[dmitshur] valid advice, but really only viable until you _really_ need to invent your own thing. just be prepared for the possibility of mistakes.
# 22:17 
aaronpk did you just skip to the end? :)
# 22:18 
[dmitshur] haha yeah.
# 22:18 
[dmitshur] i'm reading the whole thing now.
# 22:18 
aaronpk i'm gonna add a sentence to the last paragraph then :)
# 22:21 
[dmitshur] > The original writeup heavily mentions JWTs and emphasizes the OAuth exchange, and I’ve seen many reactions suggesting that the problem was in the JWT creation or validation, or some poor implementation of OpenID Connect. But instead, the problem was much actually much simpler than that.
# 22:21 
[dmitshur] oh, I hadn't seen that. I was already under the impression it was a really simple/trivial mistake of forgetting to validate a part of the input.
# 22:24 
[dmitshur] so my "root cause" analysis was looking for an explanation of how such a mistake could've happened... and I attributed it to them taking the risk of creating their own implementation, which needed to be since they weren't implementing OAuth precisely, but a small spin off from it.
# 22:35 
aaronpk that works
# 22:40 
[dmitshur] I wonder if there are any obvious-in-hindsight forgetting-to-validate-input bugs in my IndieAuth implementation. 🙂
# 22:41 
jacky I know there's some in mine
# 22:41 
jacky I'm working to refactor it far from my site tbh lol
# 22:43 
[dmitshur] I made that kind of a mistake two times in a row in another place:
# 22:43 
[dmitshur] it wasn't security sensitive, but unpleasant nevertheless. (I got lucky that no one made use of the missed validation before I patched it.)
# 22:43 
[dmitshur] exhibit A — https://github.com/shurcooL/home/commit/a7761166f35f41add758dbd9e38bbdc267090788
# 22:43 
[dmitshur] exhibit B — https://github.com/shurcooL/home/commit/614ca99ffc1dec921aa3bd4380e72e10d3bfe068
chimo and gRegorLove joined the channel
# 22:55 
sknebel aaronpk: are you aware of any work on finding this kind of thing automatically? I guess some kinds of static analysis can catch this kind of thing, but I'm also not sure that's actually used and effective in practice
# 22:58 
jacky that's a trade secret lol
# 23:03 
aaronpk gosh it's not even in the owasp top 10?
# 23:05 
aaronpk https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs
# 23:06 
jacky ah yes
# 23:06 
jacky the one thing I hate to do lol
# 23:07 
jacky you know sometimes I feel bad for how much stuff I think I might have write in elixr
# 23:07 
jacky but then I look at https://indieweb.org/p3k
# 23:07 
jacky and realize that it's not that bad lol
# 23:08 
aaronpk 😂
# 23:13 
sknebel ah yes, the "just remember to do the right thing" method of automation
# 23:13 
jacky lmfao
# 23:15 
sknebel (I'll take this as "no, not aware of anything". Which doesn't particularly surprise me, sadly)
# 23:16 
aaronpk yeah i can't even imagine how you'd pull that off
# 23:16 
jacky tbh that might be something that indieauth.rocks could do?
# 23:16 
jacky manipulating fields in the flow (but that smells like something under a headless web browser)
# 23:16 
jacky under the work of a headless web browser
# 23:20 
aaronpk indieauth.rocks can test and poke the oauth parts
# 23:20 
aaronpk but this bug was not in those parts
# 23:21 
jacky ah right right
# 23:21 
aaronpk and yeah it'd definitely be a good idea for indieauth.rocks to include some tests where it throws bad data at the client and server
# 23:22 
sknebel yeah, for this specific thing the testing needs to be application-specific. I guess random input/fuzzying could catch it - i.e. validating that whatever is done to the untrusted requests they either fail or produce a known-good result
# 23:24 
sknebel some static analysis tools can potentially catch "you didn't validate that input" too, but that then totally depends on the tooling available for the environment you're building the app in. and to a large degree only help give more chances to surface it as a problem, not guarantee to catch it
# 23:28 
sknebel i.e. unless you told something "this has to be one of the original choices", it'll have accept if you tell it "this code that checks if it is a valid email address is validation", even if thats not the validation you were supposed to do
# 23:29 
aaronpk yeah that seems tough