#dev 2020-06-22

2020-06-22 UTC
#
[Murray]
Hmm, interesting. I'd agree with Tufte (that looks great btw, thanks for sharing) but Shoelace feels more like a bootstrap or similar. It's got a bunch of utility classes, a whole class-based grid system, and even JS bundled with it; it's way more than just creating a consistent theme for "default" HTML layouts
geoffo, wombelix, cjw6k_, beko, j and nickodd joined the channel
KartikPrabhu, leg and [fluffy] joined the channel; nickodd left the channel
#
[fluffy]
tufte-css makes me realize that I should add configuration to publ to let folks use sidenotes instead of footnotes, although gosh that would be hard to architect with the particular markdown parser I use.
#
[fluffy]
I already had to do a bunch of other crap for handling footnotes correctly in a multi-article blog context, though, might be worth looking into further.
swentel joined the channel
#
Loqi
[fluffy-critter] #395 Allow for sidenotes instead of footnotes
jjuran and moppy joined the channel
#
petermolnar
(plumbing topic warning) because of some cursed desire, I want my site made to work with old or less feature-full browsers. One of the troubling points of this is SVG and SVG support across browsers. Those of us who use SVG: are those as image or inline? Do you have some kind of fallback, either to text or to images?
KartikPrabhu, treora and [KevinMarks] joined the channel
#
[KevinMarks]
It varies; I mostly use as images, but if I'm graphing something inline works. With images alt text is good.
#
@derhess
↩️ An overview of approaches to opening up the web. Keywords: OpenWeb, Federated Web, Decentralized Web - interoperability for websites (JSON-LD, http://schema.org, Microformats..) - interoperability for APIs (Webmentions, Mastodon ActivityStream, ActivityPub, DAT, Scuttlebutt)
(twitter.com/_/status/1274999662311878656)
jeremy- joined the channel
#
@jgmac1106
↩️ Wait to teach with webmentions. Sharing the cheating is soo much fun. (https://quickthoughts.jgregorymcverry.com/s/1DXx5B)
(twitter.com/_/status/1275002159483027456)
[jgmac1106], [itsjustk] and KartikPrabhu joined the channel
#
[KevinMarks]
also lol I would so do this “I also find myself mixing template languages within the same file: there’s nothing to stop you including nunjucks tags in a markdown file, or swapping out yaml-based frontmatter for JavaScript, but this can break syntax-highlighting, linting and autoformatting.”
#
vilhalmer
I have that problem a lot at work but it's just because of the terrifying nature of current orchestration tech
#
vilhalmer
so many levels of template
#
[KevinMarks]
I did one with my son where js code was generating one template inside another one for email sending orchestration
#
petermolnar
I generated PHP from Python from jinja2 templates...
#
@jgmac1106
↩️ Yeah you read bottom up on tweetdeck and top down on twitter. but all my poems originate on my site and I POSSE to twitter with webmentions. (https://quickthoughts.jgregorymcverry.com/s/laMDY)
(twitter.com/_/status/1275031715581513728)
[grantcodes], KartikPrabhu and [tantek] joined the channel
#
[tantek]
Haha confusing syntax highlighters, I think I have to rename CASSIS with file extensions to see the JS vs PHP paths
#
[tantek]
design << Apple design principles presented in an uplifting video: https://twitter.com/schlaf/status/1275047612215889921
#
Loqi
ok, I added "Apple design principles presented in an uplifting video: https://twitter.com/schlaf/status/1275047612215889921" to the "See Also" section of /design https://indieweb.org/wiki/index.php?diff=70464&oldid=70332
douno, geoffo and [KevinMarks] joined the channel
#
[KevinMarks]
You could create a cassis linter ruleset in VS
#
petermolnar
[KevinMarks] I think you managed to word a classic curse that'll bring sorrow for those case upon.
#
petermolnar
s/case/cast wtf is wrong with my typing
#
[KevinMarks]
just because you can doesn't mean that you should, as this video demonstrates https://www.youtube.com/watch?v=A6bo_mIOto0
[LewisCowles] joined the channel
#
jacky
I don't know if this is a focus in the indieweb but I'm looking into message integrity (namely if I share something with a particular reply context, how can a third party viewer ensure that it's the actual message being shown)
#
aaronpk
click through to the original?
#
jacky
right but how do you know if the clicked-through link is the original content that was posted
#
jacky
phrased differently, how do you prevent (or at least warn when) someone changes up-stream content? (the whole thing against editing posts on Twitter)
#
aaronpk
oh that's a different problem
#
aaronpk
and there are arguments on both sides about whether it should be allowed
#
jacky
I figured the label "message integrity" was a short moniker for it
#
aaronpk
i think "non-repudiation" is the term you're looking for
#
jacky
oh this is entering the land of PKI lol
#
jacky
(kinda)
[snarfed] joined the channel
#
[snarfed]
the fact that this is technically a user feature, but we're still (correctly) discussing it in #-dev, is just...brilliant. love it
#
[snarfed]
made my morning
#
aaronpk
hahaha
#
Loqi
aaronpk: lol
#
jacky
lmfao
#
[snarfed]
ideally, would salmentions help this? the source would send wms downstream when it changes, so you'd get a chance to update (or clear or whatever) your response?
#
[snarfed]
doesn't help the malicious case, but still
#
[snarfed]
caveat, i don't actually understand salmentions
#
jacky
re-reads salmention page
#
[snarfed]
iirc more of the salmention work was on upstream though, not downstream
#
jacky
oh salmentions are like when you like a reposted page, no?
#
jacky
like I don't intend to like someone's repost but the content they were reposting
#
aaronpk
well if i make a post, and you reply to it, then I go and update my post, without some sort of signature there's no way for you to prove that you aren't faking the content of my post in your reply context
#
jacky
^ that's one thing I want to prevent
#
jacky
tbh this might be work within a reader more than one's site
#
aaronpk
but that then begs the question of whether I actually want to sign posts in a way that can be used to prove i said something in the past
#
[LewisCowles]
KevinMarks++ those GAN examples are getting more and more impressive, but seem to be currently limited to static images, using what looks like a 90's face-morph
#
Loqi
KevinMarks has 16 karma in this channel over the last year (67 in all channels)
#
[LewisCowles]
If they ever do become much more mature and people can get a randomly generated thing, I think I might make fake people and seed social media and the web with them, just to mess with those who fetishise data
#
aaronpk
maybe I _want_ to be able to revoke things
#
jacky
hahahaha aaronpk _that's_ the other statement
#
jacky
like in the case of having bad posts from like 2009 resurface
#
jacky
you can't revoke your authorship
#
jacky
but you can delete them
#
aaronpk
i say this is a key management problem because this really just pushes the problem down the stack
#
aaronpk
let's say i want to disassociate myself from all posts from 2009
#
aaronpk
if I delete the key I used to sign it, then you can't prove that the signature you have from me is actually from me
#
[snarfed]
let's just solve it the way we solve all hard decentralized problems in practice: throw a SPOF at it
#
[snarfed]
in this case archive.org
#
aaronpk
yup, a trusted third party
#
[snarfed]
cue wailing and gnashing of teeth
KartikPrabhu joined the channel
#
aaronpk
that wikipedia text is deeeense
#
jacky
it is
#
jacky
but that term gave me a good place to begin looking into this
#
jacky
I was thinking about this all weekend and leaned on "just" using HTTP signatures
#
jacky
but I was like how do you get the keys for that? do I _need_ to sign it? (
#
jacky
I was about to say "I think this can work in a federated fashion" but then I remembered SSL/TLS certs today lol
#
jacky
the act of having to 'approve' a CA is not fun
#
jacky
> Because of this, data integrity is best asserted when the recipient already possesses the necessary verification information
#
jacky
from that page, it makes sense
#
jacky
like if you've already "met" this author before, there's a chance you have some sort of verifiable info about them so you can assert using that
#
jacky
this is def a hard problem; I do want _some_ sense of trust that can be given to people though (but highlighting that it's not a metric to use for absolute trust)
#
aaronpk
i would think very hard about what problem you're actually trying to solve, and then think about counterarguments, before actually building anything
#
[snarfed]
ugh. having implemented HTTP sigs a couple different times, interop was harder than it should have been, and libs were pretty poorly maintained 😢
#
[snarfed]
aaronpk++
#
Loqi
aaronpk has 64 karma in this channel over the last year (228 in all channels)
#
jacky
oh I'm not trying to build _anything_ yet
#
[snarfed]
i suspect user demand for this is pretty minimal
#
jacky
this is me looking at the space yet
#
[snarfed]
but hey, that's the beauty of indieweb, if you want something, you get to build it for yourself, and no one can stop you
#
jacky
well it's one of those "why wasn't there a way to counteract it?" things. Like Twitter avoids this completely by just not letting you edit posts (this is the real case I want to solve for - preventing forgery of content)
#
jacky
I posed it (as best as I could) on AP: Because of this, data integrity is best asserted when the recipient already possesses the necessary verification information
#
Loqi
[https://v2.jacky.wtf/] What prevents someone from editing a Note sent out over ActivityPub and making what people see be different than what was originally posted?
#
jacky
pleroma seems to fake links
#
jacky
ugh there's a response I wanna link that's good but the domain name is NSFK
#
jacky
this is interesting stuff
justache joined the channel
#
[KevinMarks]
well, mention.tech sends both urls in a webmention to archive.org because that seems useful
#
[KevinMarks]
the web bundles stuff is another potential answer
#
[KevinMarks]
that's a way of detaching the content from a specific server
#
Loqi
[WICG] webpackage: Web packaging format
#
[snarfed]
the difficulty arguably isn't capturing/storing the original post, it's the multi-party proof(s). ie as the responder, proving that the original poster wrote exactly this post
nickodd joined the channel
#
[snarfed]
(and turning that into a reasonable UX is maybe even harder)
#
[KevinMarks]
Indeed - the webpackage stuff does have signing as well as integrity hashes, but that's optional by the provider
#
Zegnat
bookmarks non-repudiation for later reading.
#
[snarfed]
sounds like it's either archive.org or PKI tar pit 😱
#
Zegnat
I wonder if you somehow could hijack HTTPS for this. As the responder you can then say “I am responding to X which is signed by the webserver and therefore I take that as proof”
[georgenancejr] and KartikPrabhu joined the channel
#
Zegnat
And then the trusted third-party ends up being Certificate Transparency where you could point to and say “this was the right cert for the original poster’s server”
#
Zegnat
(Basically I am wondering if everyone is already unintentionally signing their content because of the move to HTTPS.)
#
[KevinMarks]
you could do something like Certificate Transparency where you sign the hash of your crawl
#
[KevinMarks]
I still want IA to give a 'lookup by hash' API
#
Zegnat
The problem is not me signing it, the problem is getting the person who made the post to provide a signature that proves they wrote the post. If I understand the point correctly.
#
sknebel
Zegnat: no, TLS doesn't sign the message content
#
sknebel
I've seen proposals to extend TLS to do that, but it doesn't by default
#
Zegnat
Gotcha
#
Zegnat
sknebel++ for quickly filling in the gaps in what I know vs what I hope to be possible
#
Loqi
sknebel has 18 karma in this channel over the last year (46 in all channels)
#
[snarfed]
but Zegnat is still onto something. DNS (eg DKIM) and CAs (eg SSL certs) are two classic ways to get around the PKI chicken and egg problem
#
[snarfed]
and TLS encrypts the response, even if it may not sign it, and that's good enough, since only the private key holder could generate that ciphertext
#
sknebel
(details: the asymmetric bits are used to establish a per-session master key. and everything handling content is derived from that and symmetric, so I can take a recording of a TLS session with you and have the payload be whatever I want)
#
[snarfed]
ah right true. you'd have to capture the whole session. still, that's doable, and is a proof that the server generated the contents
#
[snarfed]
if you capture the initial session key setup, i don't see how you could fake the final payload
#
Zegnat
Guess after step 1, master key negotiation, I can start faking payloads as if they come from the server?
#
sknebel
the key generated during initial setup is shared by both sides
#
[snarfed]
oh right
#
[snarfed]
sigh, so close
#
sknebel
I can just encrypt whatever I want with "your key" (that's directly derived from the master key)
#
Zegnat
Makes sense. Lots of pubkey-enc is actually symmetric with just the key encrypted in pubkey. Could have guessed TLS was the same
#
[snarfed]
archive.org it is
#
sknebel
there was this, but their main project website is down and not seen any actual spec work, so also under "failed attempts": https://eprint.iacr.org/2017/578.pdf
#
[KevinMarks]
that's where a CT approach could work - multiple crawlers that sign hashes of the content at a time and add to a merkle tree
#
[snarfed]
oof, multiple trusted third parties
#
[KevinMarks]
in practice, CT is mostly trusting google's crawler, but it was designed to allow multiple ones
#
sknebel
huh? CT has explicit submissions by the CAs
#
sknebel
a crawler can find and document non-logged certs, but that's not a special role in the system
#
[KevinMarks]
hm, maybe I'm misnaming the roles, it's been a while since I read the protocol.
#
jacky
okay re: JSON over XML for data, that was one of the _worst_ transitions I've ever experienced tbh
#
jacky
like the number of times I've had to do data validation in JSON and XML came with that for FREE made me grumble
#
jacky
gRPC tries to do that but also forces you to _never_ change things unless you want to break the world
#
jacky
(this slowed down so many projects at Lyft)
#
vilhalmer
heh, I don't think I've ever worked on something involving xml that actually used schemas
#
jacky
I do agree that we can look into better ways of building the Web that doesn't necessarily require people to directly interface with HTML
#
jacky
I don't know of another declarative format that gives me the forgiving yet objective nature of HTML tho
#
[georgenancejr]
I see your point there Jacky. But I also have never seen xml that used a schema strictly with the exception of rss.
#
jacky
It's definitely a case of "it's used when it's used"
#
vilhalmer
html also isn't really xml
#
vilhalmer
which is a good thing imo, writing html by hand is reasonable and writing xml by hand is the worst
#
[KevinMarks]
for those kinds of encapsulation would capnproto be better?
#
vilhalmer
html is designed to be human-crafted, at least original
#
vilhalmer
*originally
#
[KevinMarks]
yes, html is a lot terser than people think it is
#
[KevinMarks]
because we spent too long pretending it was html and closing things that didn't need to be closed
KartikPrabhu joined the channel
#
jacky
JSON schema tooling is probably more approachable because there's a smaller surface space to introduce erros and because it's written in a typed(ish) language versus markup; there's a lot less you have to test for and more than you gain
#
jacky
*errors
#
jacky
that I can't contest for sure
#
[georgenancejr]
Also one other flaw with HTML is the lack of real structure for writing text. You can write text in divs, p tags, spans, or not use any tag at all.
[fluffy] joined the channel
#
jacky
but that's similar to writing in real world scenarios? you can write using ink, pencil or berry juice; you can write by breaking every other word or following the structure of an AP guide
#
jacky
the fluidity and flexibility of it is more of a strength than a weakness and allows for expression
#
jacky
(omg am I a HTML advocate? lol)
#
[georgenancejr]
You are definitely right. But it’s a bit confusing.
#
[georgenancejr]
It makes parsing webpages harder
#
[georgenancejr]
Don’t get me wrong, I respect every engineer that has built HTML. I think they never knew it would blow up and be used at such a large scale like it is today. And I know maintaining backwards compatibility is a priority too
#
vilhalmer
luckily no one but google writes code to parse web pages anymore ;)
#
vilhalmer
but yeah, it's a challenging format
#
vilhalmer
that's sort of the universal tradeoff: easy for human == hard for computer
#
[georgenancejr]
That’s not entirely true. Any web browser with a reader view. And Pocket + instapaper
#
vilhalmer
yes I'm mostly kidding about the fact that almost everything is chromium now
#
[georgenancejr]
Hahaha very true.
#
Loqi
[georgenancejr]: lol
swentel joined the channel
#
[georgenancejr]
I would love to work on an alt Internet. Even if it never catches mainstream appeal, it could be a fun project
#
[georgenancejr]
Ooooo
#
Zegnat
I did not know about Gemini
#
[georgenancejr]
Gemini looks really interesting
#
vilhalmer
it's cute
#
vilhalmer
which I don't mean in a disparaging way, it's intentionally small
#
Zegnat
I just wonder if the world wants a new gopher, or wants to go the way of hypercore
#
vilhalmer
an excellent question
#
vilhalmer
I find the trade between developer and user control based on the design of the protocol very interesting
#
vilhalmer
gopher/gemini/very early html gave the user control over how to display the content, but at the cost of the content having to be fairly limited in structure
#
vilhalmer
current html+css+js gives all the power to the developer
#
vilhalmer
in that you can make a website which is completely non-functional unless the user grants you permission to run arbitrary code on their machine
#
vilhalmer
I prefer the former, personally, but also acknowledge that it would have shaped the development of the tech in a very different and probably limiting way
#
vilhalmer
and in a different way it just gives all the power to the browser devs
#
vilhalmer
(not that they don't have a lot now)
#
Zegnat
Browsers with a reader mode show that consumers can still take control. The big limiter here is web apps, I think, where behaviour outside of what a browser will offer is offered by the site publisher through JS
#
vilhalmer
and the push culturally for everything to become a webapp by default
#
vilhalmer
because if you're not webpacking and reacting, do you really have a blog?
#
vilhalmer
the indieweb is also a great example of the flexibility still existing, as almost all of the protocols depend on web pages being parsable
#
vilhalmer
the dream is creating incentives to make your site interoperable which normal users see value in
#
vilhalmer
like reader mode
#
vilhalmer
let the user agent be an agent for the user!
#
Zegnat
I am not looking forward to the day where everyone starts encrypting their content page-by-page … https://blog.amp.dev/2020/04/27/introducing-the-fastest-and-most-user-friendly-content-encryption/
#
vilhalmer
amp -_-
#
vilhalmer
that reminds me, I was going to turn off my https redirect and forgot
[grantcodes], gRegorLove, gRegorLove_ and KartikPrabhu joined the channel; nickodd left the channel
#
@AndreJaenisch
↩️ I don't have comments. I want people to use WebMentions instead.
(twitter.com/_/status/1275122536133640192)
[tantek] joined the channel
#
[fluffy]
Wow that client side encryption thing sounds a lot like my half-baked “atom but encrypted” idea which aaronpk criticized which led to me joining this community in the first place. :)
#
aaronpk
oh no lol i don't remember that at all
#
[fluffy]
“Criticize” is a bit strong, more “poke holes in” :)
#
[fluffy]
Oh and I guess I had already joined in on indieweb stuff at the time since the conversation took place via webmention
#
Zegnat
As someone who loves an open web, writing web extensions, and has a not-so-standard computer setup, websites starting to encrypt their content terrifies me.
#
Zegnat
As someone whose job includes working on a paywall, I think the encrypted thing is very interesting.
douno joined the channel
#
petermolnar
Zegnat: I'm with you
#
petermolnar
http is the next gopher :(
#
[fluffy]
yeah the focus of my idea was on using atom as a platform for safe private social networking
#
[fluffy]
not to do something at scale but to make it so that people can do friends-only stuff without needing the contortions that they have to go through
#
[fluffy]
but I was also coming at it from a POV of atom’s original design goals, where the content would be free-floating in a sea of potentially-detached items with just a reference to where it came from, and I was concerned about what happens if someone tries to share an item using the native intended atom sharing mechanism (which nobody does anyway)
[Rose] joined the channel
#
[snarfed]
ostatus was atom, did it handle private/non-public posts?
#
[KevinMarks]
Only by having them encrypted. Iirc there was no per feed auth
#
[KevinMarks]
There was a gdata/atom +OAuth mechanism in the opensocial/as1 model that I think some things built on. Early buzz maybe?
#
[KevinMarks]
Though that wasn't end to end private, it was silo mediated groups
gRegorLove_, yeet1, [schmarty], gRegorLove__, jjuran and [LewisCowles] joined the channel
#
@JmacDotOrg
Releasing a couple of new goodies this week, ahead of both #IndieWeb Camp West and #TPRCiC… First, a new page about Webmention, pulling together introductory information, live examples, and links to further resources: https://jmac.org/webmention/
(twitter.com/_/status/1275170781744566273)
#
@JmacDotOrg
↩️ And I’ve released Whim, a command-line multitool for sending, receiving, managing, and displaying webmentions: https://jmac.org/whim/
(twitter.com/_/status/1275171266195075072)
#
aaronpk
wow it's like an IndieWWDC!
#
Loqi
jmac has 3 karma in this channel over the last year (13 in all channels)
#
jmac
Sadly the IndieCar and IndieHome modules have been delayed
gRegorLove_ and [georgenancejr] joined the channel
#
[georgenancejr]
So in this theoretical alt Internet, how could you build web mentions into it by default without a central server? Would blockchain be the only way?
#
KartikPrabhu
"theoretical alt internet" is not very useful. Better to build off of concrete use-cases and implementations
[KevinMarks] joined the channel
#
[schmarty]
"App Clips but IndieWeb" probably appeals to me deeply
[tantek] joined the channel
#
[tantek]
Lololololol all this talk about non-repudiation and no one brought up the blokechain (cc [schmarty] )
#
[tantek]
Until the theoretical question.
#
[tantek]
Oooooh I have a template for that!
#
[KevinMarks]
We did talk about Certificate Transparency and its more sensible use of Merkle chains
#
[tantek]
“In this theoretical .... Would X be the only way?”
#
[schmarty]
Nopechain
#
[tantek]
IndieWWDC++
#
Loqi
IndieWWDC has 1 karma over the last year
#
[tantek]
On another positive subject, anyone know where this states-as-squares infogeographic design came from and/or has anyone implemented it with data from their own site?
#
[tantek]
Eg location based post archive page
#
aaronpk
instagram-- for requiring login tho
#
Loqi
instagram has -1 karma in this channel over the last year (-2 in all channels)
#
[tantek]
Whoa really? That’s messed up
#
[tantek]
Wonder when that changed
[manton] joined the channel
#
aaronpk
pretty recently
#
vilhalmer
huh, it let me through
#
vilhalmer
must be a slow rollout
#
vilhalmer
I knew they took away being able to click through from profiles
gRegorLove joined the channel
#
[tantek]
petermolnar++ that’s amazing. I need to try it ASAP!
#
Loqi
petermolnar has 1 karma in this channel over the last year (23 in all channels)
#
[georgenancejr]
[tantek] it was a simple question. No need to be a jerk about it.
#
[tantek]
Sorry, bad habit from theory trolls in #microformats
[jgmac1106] joined the channel
#
[tantek]
Now about JSON vs XML for APIs hooo that’s a pit. I’ll just say i18n and JSON strings of user data and leave it at that for now
#
[tantek]
[georgenancejr]++ you’re in a good place to chat about alternative internet approaches
#
Loqi
[georgenancejr] has 1 karma over the last year
#
[tantek]
I think the SSB approach has some promise in that regard, certainly more so than anything blokechain
#
[tantek]
what is SSB
#
Loqi
Secure Scuttlebutt is a P2P system to sync message feeds, used to build (among others) social applications that work in off-grid/sneakernet scenarios https://indieweb.org/SSB
#
[tantek]
What is a singleton
#
Loqi
singleton is in the context of the indieweb, or decentralized web in general, a shared (effectively centralized) data structure (like a blockchain ledger) or database (like the consequence of assuming a specific hashing algorithm) being used by (and thus a limitation of) an otherwise seemingly distributed system https://indieweb.org/singleton
#
[tantek]
[georgenancejr] some good expansions / links to check out on those two pages ^^^
justache and [fluffy] joined the channel