#dev 2020-05-31

2020-05-31 UTC
#
@alfakini
The web can be thought of as a unidirectional graph that you navigate by following its links. We can go back to the previous node, but there is no easy way to discover which nodes point to a given node (a bidirectional graph). Imagine how amazing that would be! https://www.w3.org/TR/2017/REC-webmention-20170112/
(twitter.com/_/status/1266881165920698374)
vilhalmer, geoffo, lahacker, mlncn, chimo, MylesBraithwaite, wagle, [manton] and [chrisaldrich] joined the channel
#
petermolnar
Google has beta image licence data recommendations: https://developers.google.com/search/docs/data-types/image-license-metadata including an IPTC tag, "Web Statement of Rights" - has anyone used this before?
#
jacky
what is a bookshelf
#
Loqi
It looks like we don't have a page for "bookshelf" yet. Would you like to create it? (Or just say "bookshelf is ____", a sentence describing the term)
#
jacky
what are books
#
Loqi
A book is a written work typically longer than an article; on the indieweb, there are examples of publishing whole books on IndieWeb sites, and publishing lists of books https://indieweb.org/books
#
jacky
hmm I just wanna mark up a list of books
#
jacky
going to do the h-feed / h-entry approach
leg joined the channel
#
jacky
I asked about the bookshelf because I've been asked by people to build something w.r.t political education
#
jacky
and figured this would be a good chance to slowly pull from goodreads and friends
#
jacky
wikipedia++
#
Loqi
wikipedia has 1 karma over the last year
#
jacky
I'm trying to use it to link all of the books I'm building up
#
jacky
it's sad to see so few revolutionary bits of material on there
[fluffy] and [LewisCowles] joined the channel
#
[LewisCowles]
Still time yet jacky
nickodd, moppy and jeremych_ joined the channel
#
jacky
this is what I've cobbled together
#
jacky
the mf2 looks good imo
#
jacky
ideally if I exposed a websub on that page too and someone subscribed to a feed reader with websub support
#
[LewisCowles]
jacky, the abolish silicon valley... Hide it until you're done interviewing lol
#
jacky
they'd see it adjust as I go
#
jacky
[LewisCowles]: lmfaoo
#
[LewisCowles]
I too would like certain parts of VC to do one. I'm adding that to my reading list
#
jacky
I think the toughest read on that list (like page-wise) was Capital
#
jacky
it's like the size of the bible lol
#
jeremycherfas
I've gone to chat for this.
#
[LewisCowles]
!tell Zegnat I still want to know more about that LIBXML thing, while I've been waiting for one computer to compile things, I've been digging. https://bugs.php.net/bug.php?id=74004 came up
#
Loqi
Ok, I'll tell them that when I see them next
KartikPrabhu joined the channel
#
Zegnat
I saw that issue too, [LewisCowles], but as the NOWARNING flag worked in all my tests I just went with it anyway, haha
#
Loqi
Zegnat: [LewisCowles] left you a message 47 minutes ago: I still want to know more about that LIBXML thing, while I've been waiting for one computer to compile things, I've been digging. https://bugs.php.net/bug.php?id=74004 came up
#
Zegnat
Do keep us posted if you find anything. I should probably file a bug on the PHP bug tracker, just haven’t had time yet. Right now 100% on a project for work
#
[fluffy]
so, my latest Publ release seems to improve performance on my deployed site by, oh, only *900%*
#
[fluffy]
object pooling: it’s what’s for dinner
[LewisCowles] joined the channel
#
[LewisCowles]
nice one fluffy
#
[LewisCowles]
how is the new job?
#
[fluffy]
It’s pretty okay. Kind of an organizational clusterfuck. I’d say we should move this to #chat but I’m also trying to sleep (I am bad at it)
gRegorLove, dopplergange and [dmitshur] joined the channel
#
[dmitshur]
What do people think of https://news.ycombinator.com/item?id=23362149 ? Has it been discussed earlier?
#
Loqi
[masnick] Zero-day in Sign in with Apple
#
aaronpk
i’m writing up a blog post about it
#
aaronpk
because i can’t stand all the replies
[John_Payne] and [snarfed] joined the channel
#
[snarfed]
vulnerabilities seem like outages. they happen. nothing is perfect. individual ones don't necessarily mean anything bigger about whether any product or service is "good" or not. details (and broader techniques) can definitely be interesting, but probably more for other communities than us, right?
#
[snarfed]
aaronpk specifically works on oauth and directly related stuff, so details are worth looking at for him in that context
#
[snarfed]
vulnerabilities and outages seem similar to academic papers in that sense. each one matters, but science isn't any individual paper(s), it's the overall body of literature and knowledge over time
#
aaronpk
[snarfed]++
#
Loqi
[snarfed] has 52 karma in this channel over the last year (94 in all channels)
[tantek], [schmarty], [fluffy], [Ramiro_Ruiz], nickodd, KartikPrabhu, geoffo, dogfart, [LewisCowles], Mikaela and [Aaron_Klemm] joined the channel; nickodd left the channel
#
[Aaron_Klemm]
Does OIDC even support logging in via URL? Googling hasn't got me there.
#
aaronpk
you mean like openid 1 did?
#
[Aaron_Klemm]
yes
#
[Aaron_Klemm]
That’s what I mean.
superkuh and [chrisaldrich] joined the channel
#
aaronpk
theoretically yes, using the "self-issued.me" provider, which is what I am told every time I mention indieauth
#
aaronpk
however I do not know of anyone actually using that
#
aaronpk
tho now that I think about it, this seems slightly different
[dmitshur] joined the channel
#
[dmitshur]
haha. looking forward to the blog post Aaron.
#
aaronpk
just finished it!
#
Loqi
woot
#
[dmitshur]
I already have a guess as to what the "real cause" is; curious if my guess will match... hmm, yeah, I think it was close. my guess was that the cause was the complexity of the OAuth spec as it is today making it harder to implement it fully and consider all the things (and serving as motivation for simplifying/consolidating it in future versions, rather than just adding more on top). i.e., the OAuth 2.1 initiative.
#
aaronpk
hm no not at all
#
[dmitshur]
"take a very careful look at all of the OAuth RFCs and make sure you know what you’re getting in to before you start."
#
[dmitshur]
that's a lot of work.
#
[dmitshur]
"Rule number 1 of authentication: Never roll your own authentication."
#
[dmitshur]
valid advice, but really only viable until you _really_ need to invent your own thing. just be prepared for the possibility of mistakes.
#
aaronpk
did you just skip to the end? :)
#
[dmitshur]
haha yeah.
#
[dmitshur]
i'm reading the whole thing now.
#
aaronpk
i'm gonna add a sentence to the last paragraph then :)
#
[dmitshur]
> The original writeup heavily mentions JWTs and emphasizes the OAuth exchange, and I’ve seen many reactions suggesting that the problem was in the JWT creation or validation, or some poor implementation of OpenID Connect. But instead, the problem was actually much simpler than that.
#
[dmitshur]
oh, I hadn't seen that. I was already under the impression it was a really simple/trivial mistake of forgetting to validate a part of the input.
#
[dmitshur]
so my "root cause" analysis was looking for an explanation of how such a mistake could've happened... and I attributed it to them taking the risk of creating their own implementation, which it needed to be since they weren't implementing OAuth precisely, but a small spin-off from it.
#
aaronpk
that works
#
[dmitshur]
I wonder if there are any obvious-in-hindsight forgetting-to-validate-input bugs in my IndieAuth implementation. 🙂
#
jacky
I know there's some in mine
#
jacky
I'm working to refactor it far from my site tbh lol
#
[dmitshur]
I made that kind of a mistake two times in a row in another place:
#
[dmitshur]
it wasn't security sensitive, but unpleasant nevertheless. (I got lucky that no one made use of the missed validation before I patched it.)
chimo and gRegorLove joined the channel
#
sknebel
aaronpk: are you aware of any work on finding this kind of thing automatically? I guess some kinds of static analysis can catch this kind of thing, but I'm also not sure that's actually used and effective in practice
#
jacky
that's a trade secret lol
#
aaronpk
gosh it's not even in the owasp top 10?
#
jacky
ah yes
#
jacky
the one thing I hate to do lol
#
jacky
you know sometimes I feel bad for how much stuff I think I might have to write in Elixir
#
jacky
and realize that it's not that bad lol
#
sknebel
ah yes, the "just remember to do the right thing" method of automation
#
jacky
lmfao
#
sknebel
(I'll take this as "no, not aware of anything". Which doesn't particularly surprise me, sadly)
#
aaronpk
yeah i can't even imagine how you'd pull that off
#
jacky
tbh that might be something that indieauth.rocks could do?
#
jacky
manipulating fields in the flow (but that smells like something under a headless web browser)
#
jacky
under the work of a headless web browser
#
aaronpk
indieauth.rocks can test and poke the oauth parts
#
aaronpk
but this bug was not in those parts
#
jacky
ah right right
#
aaronpk
and yeah it'd definitely be a good idea for indieauth.rocks to include some tests where it throws bad data at the client and server
#
sknebel
yeah, for this specific thing the testing needs to be application-specific. I guess random input/fuzzing could catch it - i.e. validating that whatever is done to the untrusted requests, they either fail or produce a known-good result
#
sknebel
some static analysis tools can potentially catch "you didn't validate that input" too, but that then totally depends on the tooling available for the environment you're building the app in. and to a large degree only help give more chances to surface it as a problem, not guarantee to catch it
#
sknebel
i.e. unless you told something "this has to be one of the original choices", it'll have to accept it if you tell it "this code that checks if it is a valid email address is validation", even if that's not the validation you were supposed to do
#
aaronpk
yeah that seems tough