#dev 2020-05-31
2020-05-31 UTC
# @alfakini The web can be interpreted as a unidirectional graph navigated via its links. We can go back to the previous node, but there is no easy way to find out which nodes point to a given node (a bidirectional graph). Imagine how amazing that would be! https://www.w3.org/TR/2017/REC-webmention-20170112/ (twitter.com/_/status/1266881165920698374)
vilhalmer, geoffo, lahacker, mlncn, chimo, MylesBraithwaite, wagle, [manton] and [chrisaldrich] joined the channel
# petermolnar Google has beta image licence data recommendations: https://developers.google.com/search/docs/data-types/image-license-metadata including an IPTC tag, "Web Statement of Rights" - has anyone used this before?
# Loqi It looks like we don't have a page for "bookshelf" yet. Would you like to create it? (Or just say "bookshelf is ____", a sentence describing the term)
# Loqi A book is a written work typically longer than an article, on the indieweb, there are examples of publishing whole books on IndieWeb sites, and publishing lists of books https://indieweb.org/books
# petermolnar fyi I found this on photo licencing: https://blog.laurencebichon.com/how-to-set-licensor-and-webstatement-for-google-license-in-capture-one/
leg joined the channel
[fluffy] and [LewisCowles] joined the channel
# [LewisCowles] Still time yet jacky
nickodd, moppy and jeremych_ joined the channel
# [LewisCowles] jacky, the abolish silicon valley... Hide it until you're done interviewing lol
# [LewisCowles] I too would like certain parts of VC to do one. I'm adding that to my reading list
# jeremycherfas I've gone to chat for this.
# [LewisCowles] !tell Zegnat I still want to know more about that LIBXML thing, while I've been waiting for one computer to compile things, I've been digging. https://bugs.php.net/bug.php?id=74004 came up
KartikPrabhu joined the channel
# Loqi Zegnat: [LewisCowles] left you a message 47 minutes ago: I still want to know more about that LIBXML thing, while I've been waiting for one computer to compile things, I've been digging. https://bugs.php.net/bug.php?id=74004 came up
[LewisCowles] joined the channel
# [LewisCowles] nice one fluffy
# [LewisCowles] how is the new job?
gRegorLove, dopplergange and [dmitshur] joined the channel
# [dmitshur] What do people think of https://news.ycombinator.com/item?id=23362149 ? Has it been discussed earlier?
[John_Payne] and [snarfed] joined the channel
# [snarfed] vulnerabilities seem like outages. they happen. nothing is perfect. individual ones don't necessarily mean anything bigger about whether any product or service is "good" or not. details (and broader techniques) can definitely be interesting, but probably more for other communities than us, right?
[tantek], [schmarty], [fluffy], [Ramiro_Ruiz], nickodd, KartikPrabhu, geoffo, dogfart, [LewisCowles], Mikaela and [Aaron_Klemm] joined the channel; nickodd left the channel
# [Aaron_Klemm] Does OIDC even support logging in via URL? Googling hasn't got me there.
# [Aaron_Klemm] yes
# [Aaron_Klemm] That’s what I mean.
superkuh and [chrisaldrich] joined the channel
[dmitshur] joined the channel
# [dmitshur] haha. looking forward to the blog post Aaron.
# [dmitshur] woot
# [dmitshur] I already have a guess as to what the "real cause" is; curious if my guess will match... hmm, yeah, I think it was close. my guess was that the cause was the complexity of the OAuth spec as it is today making it harder to implement it fully and consider all the things (and serving as motivation for simplifying/consolidating it in future versions, rather than just adding more on top). i.e., the OAuth 2.1 initiative.
# [dmitshur] "take a very careful look at all of the OAuth RFCs and make sure you know what you’re getting in to before you start."
# [dmitshur] that's a lot of work.
# [dmitshur] "Rule number 1 of authentication: Never roll your own authentication."
# [dmitshur] valid advice, but really only viable until you _really_ need to invent your own thing. just be prepared for the possibility of mistakes.
# [dmitshur] haha yeah.
# [dmitshur] i'm reading the whole thing now.
# [dmitshur] > The original writeup heavily mentions JWTs and emphasizes the OAuth exchange, and I’ve seen many reactions suggesting that the problem was in the JWT creation or validation, or some poor implementation of OpenID Connect. But instead, the problem was actually much simpler than that.
# [dmitshur] oh, I hadn't seen that. I was already under the impression it was a really simple/trivial mistake of forgetting to validate a part of the input.
# [dmitshur] so my "root cause" analysis was looking for an explanation of how such a mistake could've happened... and I attributed it to them taking the risk of creating their own implementation, which needed to be since they weren't implementing OAuth precisely, but a small spin off from it.
# [dmitshur] I wonder if there are any obvious-in-hindsight forgetting-to-validate-input bugs in my IndieAuth implementation. 🙂
# [dmitshur] I made that kind of a mistake two times in a row in another place:
# [dmitshur] it wasn't security sensitive, but unpleasant nevertheless. (I got lucky that no one made use of the missed validation before I patched it.)
chimo and gRegorLove joined the channel
# jacky but then I look at https://indieweb.org/p3k
# sknebel some static analysis tools can potentially catch "you didn't validate that input" too, but that then totally depends on the tooling available for the environment you're building the app in. and to a large degree only help give more chances to surface it as a problem, not guarantee to catch it