#dev 2020-06-22

2020-06-22 UTC
#
[Murray] Hmm, interesting. I'd agree with Tufte (that looks great btw, thanks for sharing) but Shoelace feels more like a bootstrap or similar. It's got a bunch of utility classes, a whole class-based grid system, and even JS bundled with it; it's way more than just creating a consistent theme for "default" HTML layouts
geoffo, wombelix, cjw6k_, beko, j and nickodd joined the channel
#
@BillSeitz ↩️ Maybe we should use WebMentions to pull in from Twitter? http://webseitz.fluxent.com/wiki/2020-05-28-ImplementingWebMention (twitter.com/_/status/1274902746433454081)
KartikPrabhu, leg and [fluffy] joined the channel; nickodd left the channel
#
[fluffy] tufte-css makes me realize that I should add configuration to publ to let folks use sidenotes instead of footnotes, although gosh that would be hard to architect with the particular markdown parser I use.
#
[fluffy] I already had to do a bunch of other crap for handling footnotes correctly in a multi-article blog context, though, might be worth looking into further.
swentel joined the channel
#
[fluffy] https://github.com/PlaidWeb/Publ/issues/395
#
Loqi [fluffy-critter] #395 Allow for sidenotes instead of footnotes
jjuran and moppy joined the channel
#
petermolnar (plumbing topic warning) because of some cursed desire, I want my site made to work with old or less feature-full browsers. One of the troubling point of this is SVG and SVG support across browsers. Those of use who use SVG: are those as image or inline? Do you have some kind of fallback, either to text or to images?
KartikPrabhu, treora and [KevinMarks] joined the channel
#
[KevinMarks] It varies; I mostly use as images, but if I'm graphing something inline works. With images alt text is good.
#
@derhess ↩️ Eine Übersicht über Ansätze das Web zu öffnen. Stichworte: OpenWeb, Federated Web, Dezentrales Web - Interoperabilität für Websiten (JSON-LD, http://schema.org, Microformats..) - Interoperabilität für APIs (Webmentions, Mastadon ActivityStream,ActivityPub, DAT, Scuttlebut) (twitter.com/_/status/1274999662311878656)
jeremy- joined the channel
#
@jgmac1106 ↩️ Wait to teach with webmentions. Sharing the cheating is soo much fun. (https://quickthoughts.jgregorymcverry.com/s/1DXx5B) (twitter.com/_/status/1275002159483027456)
[jgmac1106], [itsjustk] and KartikPrabhu joined the channel
#
[KevinMarks] eleventy << why it's better than gatsby for personal sites https://iainbean.com/posts/2020/your-blog-doesnt-need-a-javascript-framework/
#
Loqi ok, I added "why it's better than gatsby for personal sites https://iainbean.com/posts/2020/your-blog-doesnt-need-a-javascript-framework/" to the "See Also" section of /Eleventy https://indieweb.org/wiki/index.php?diff=70463&oldid=66713
#
[KevinMarks] also lol I would so do this “I also find myself mixing template languages within the same file: there’s nothing to stop you including nunjucks tags in a markdown file, or swapping out yaml-based frontmatter for JavaScript, but this can can break syntax-highlighting, linting and autoformatting.”
#
vilhalmer I have that problem a lot at work but it's just because of the terrifying nature of current orchestration tech
#
vilhalmer so many levels of template
#
[KevinMarks] I did one with my son where js code was generating one template inside another one for email sending orchestration
#
petermolnar I generated PHP from Python from jinja2 templates...
#
@jgmac1106 ↩️ Yeah you read botton up on tweetdeck and top down on twitter. but all my poems originate on my site and I POSSE to twitter with webmentions. (https://quickthoughts.jgregorymcverry.com/s/laMDY) (twitter.com/_/status/1275031715581513728)
[grantcodes], KartikPrabhu and [tantek] joined the channel
#
[tantek] Haha confusing syntax highlighters, I think I have to rename CASSIS with file extensions to see the JS vs PHP paths
#
[tantek] design << Apple design principles presented in an uplifting video: https://twitter.com/schlaf/status/1275047612215889921
#
@schlaf “There are a thousand no’s for every yes.” Well done @apple. https://twitter.com/jsngr/status/1275037058638192642/video/1 (twitter.com/_/status/1275047612215889921)
#
Loqi ok, I added "Apple design principles presented in an uplifting video: https://twitter.com/schlaf/status/1275047612215889921" to the "See Also" section of /design https://indieweb.org/wiki/index.php?diff=70464&oldid=70332
douno, geoffo and [KevinMarks] joined the channel
#
[KevinMarks] You could create a cassis linter ruleset in VS
#
petermolnar [KevinMarks] I think you managed to word a classic curse that'll bring sorrow for those case upon.
#
petermolnar s/case/cast wtf is wrong with my typing
#
[KevinMarks] just because you can doesn't mean that you should, as this video demonstrates https://www.youtube.com/watch?v=A6bo_mIOto0
[LewisCowles] joined the channel
#
jacky I don't know if this is a focus in the indieweb but I'm looking into message integrity (namely if I share something with a particular reply context, how can a third party viewer insure that it's the actual message being shown)
#
aaronpk click through to the original?
#
jacky right but how do you know if the clicked-through link is the original content that was posted
#
jacky phrased differently, how do you prevent (or at least warn when) someone changes up-stream content? (the whole thing against editing posts on Twitter)
#
aaronpk oh that's a different problem
#
aaronpk and there are arguments on both sides about whether it should be allowed
#
jacky I figured the label "message integrity" was a short moniker for it
#
aaronpk i think "non-repudiation" is the term you're looking for
#
jacky oh this is entering the land of PKI lol
#
jacky (kinda)
[snarfed] joined the channel
#
[snarfed] the fact that this is technically a user feature, but we're still (correctly) discussing it in #-dev, is just...brilliant. love it
#
[snarfed] made my morning
#
aaronpk hahaha
#
Loqi aaronpk: lol
#
jacky lmfao
#
[snarfed] ideally, would salmentions help this? the source would send wms downstream when it changes, so you'd get a chance to update (or clear or whatever) your response?
#
[snarfed] doesn't help the malicious case, but still
#
jacky I'm reading https://www.wikiwand.com/en/Non-repudiation
#
[snarfed] caveat, i don't actually understand salmentions
#
jacky re-reads salmention page
#
aaronpk lol
#
[snarfed] iirc more of the salmention work was on upstream though, not downstream
#
jacky oh salmentions are like when you like a reposted page, no?
#
jacky like I don't intend to like someone's repost but the content they were reposting
#
aaronpk well if i make a post, and you reply to it, then I go and update my post, without some sort of signature there's no way for you to prove that you aren't faking the content of my post in your reply context
#
jacky ^ that's one thing I want to prevent
#
jacky tbh this might be work within a reader more than one's site
#
aaronpk but that then begs the question of whether I actually want to sign posts in a way that can be used fto prove i said something in the past
#
[LewisCowles] KevinMarks++ those GAN examples are getting more and more impressive, but seem to be currently limited to static images, using what looks like a 90's face-morph
#
Loqi KevinMarks has 16 karma in this channel over the last year (67 in all channels)
#
[LewisCowles] If they ever do become much more mature and people can get a randomly generated thing, I think I might make fake people and seed social media and the web with them, just to mess with those who fetishise data
#
aaronpk maybe I _want_ to be able to revoke things
#
jacky hahahaha aaronpk _that's_ the other statement
#
jacky like in the case of having bad posts from like 2009 resurface
#
jacky you can't revoke your authorship
#
jacky but you can delete them
#
aaronpk i say this is a key management problem because this really just pushes the problem down the stack
#
aaronpk let's say i want to disassociate myself from all posts from 2009
#
aaronpk if I delete the key I used to sign it, then you can't prove that the signature you have from me is actually from me
#
[snarfed] let's just solve it the way we solve all hard decentralized problems in practice: throw a SPOF at it
#
[snarfed] in this case archive.org
#
aaronpk yup, a trusted third party
#
[snarfed] cue wailing and gnashing of teeth
#
aaronpk https://en.wikipedia.org/wiki/Non-repudiation#Trusted_third_parties_(TTPs)
KartikPrabhu joined the channel
#
aaronpk that wikipedia text is deeeense
#
jacky it is
#
jacky but that term gave me a good place to begin looking into this
#
jacky I was thinking about this all weekend and leaned on "just" using HTTP signatures
#
jacky but I was like how do you get the keys for that? do I _need_ to sign it? (
#
jacky I was about to say "I think this can work in a federated fashion" but then I remembered SSL/TLS certs today lol
#
jacky the act of having to 'approve' a CA is not fun
#
jacky > Because of this, data integrity is best asserted when the recipient already possesses the necessary verification information
#
jacky from that page, it makes sense
#
jacky like if you've already "met" this author before, there's a chance you have some sort of verifiable info about them so you can assert using that
#
jacky this is def a hard problem; I do want _some_ sense of trust that can be given to people though (but highlighting that it's not a metric to use for absolute trust)
#
aaronpk i would think very hard about what problem you're actually trying to solve, and then think about counterarguments, before actually building anything
#
[snarfed] ugh. having implemented HTTP sigs a couple different times, interop was harder than it should have been, and libs were pretty poorly maintained 😢
#
[snarfed] aaronpk++
#
Loqi aaronpk has 64 karma in this channel over the last year (228 in all channels)
#
jacky oh I'm not trying to build _anything_ yet
#
[snarfed] i suspect user demand for this is pretty minimal
#
jacky this is me looking at the space yet
#
[snarfed] but hey, that's the beauty of indieweb, if you want something, you get to build it for yourself, and no one can stop you
#
jacky well it's one of those "why wasn't there a way to counteract it?" things. Like Twitter avoids this completely by just not letting you edit posts (this is the real case I want to solve for - preventing forgery of content)
#
jacky I posed it (as best as I could) on AP: Because of this, data integrity is best asserted when the recipient already possesses the necessary verification information
#
jacky oof
#
jacky https://playvicious.social/users/jalcine/statuses/104385365619088712
#
Loqi [https://v2.jacky.wtf/] What prevents someone from editing a Note sent out over ActivityPub and making what people see be different than what was originally posted?
#
jacky pleroma seems to fake links
#
jacky ugh there's a response I wanna link that's good but the domain name is NSFK
#
jacky this is interesting stuff
justache joined the channel
#
[KevinMarks] well, mention.tech sends both urls in a webmention to archive.org because that seems useful
#
[KevinMarks] the web bundles stuff is another potential answer
#
[KevinMarks] that's a way of detaching the content from a specific server
#
[KevinMarks] https://github.com/WICG/webpackage
#
Loqi [WICG] webpackage: Web packaging format
#
[snarfed] the difficulty arguably isn't capturing/storing the original post, it's the multi-party proof(s). ie as the responder, proving that the original poster wrote exactly this post
nickodd joined the channel
#
[snarfed] (and turning that into a reasonable UX is maybe even harder)
#
jacky ^
#
[KevinMarks] Indeed - the webpackage stuff does have signing as well as integrity hashes, but that's optional by the provider
#
Zegnat booksmarks non-repudiation for later reading.
#
[snarfed] sounds like it's either archive.org or PKI tar pit 😱
#
Zegnat I wonder if you somehow could hijack HTTPS for this. As the responder you can then say “I am responding to X which is signed by the webserver and therefor I take that as proof”
[georgenancejr] and KartikPrabhu joined the channel
#
Zegnat And then the trusted third-party ends up being Certificate Transparency where you could point to and sat “this was the right cert for the original poster’s server”
#
Zegnat (Basically I am wondering if everyone is already unintentionally signing their content because of the move to HTTPS.)
#
[KevinMarks] you could do something like Certificate Transparency where you sign the hash of your crawl
#
[KevinMarks] I still want IA to give a 'lookup by hash' API
#
Zegnat The problem is not me signing it, the problem is getting the person who made the post to provide a signature that proofs they wrote the post. If I understand the point correctly.
#
sknebel Zegnat: no, TLS doesn't sign the message content
#
sknebel I've seen proposals to extend TLS to do that, but it doesn't by default
#
Zegnat Gotcha
#
Zegnat sknebel++ for quickly filling in the gaps in what I know vs what I hope to be possible
#
Loqi sknebel has 18 karma in this channel over the last year (46 in all channels)
#
[snarfed] but Zegnat is still onto something. DNS (eg DKIM) and CAs (eg SSL certs) are two classic ways to get around the PKI chicken and egg problem
#
[snarfed] and TLS encrypts the response, even if it may not sign it, and that's good enough, since only the private key holder could generate that ciphertext
#
sknebel (details: the asymmetric bits are used to establish a per-session master key. and everything handling content is derived from that and symmetric, so I can take a recording of a TLS session with you and have the payload be whatever I want)
#
[snarfed] ah right true. you'd have to capture the whole session. still, that's doable, and is a proof that the server generated the contents
#
sknebel no
#
[snarfed] if you capture the initial session key setup, i don't see how you could fake the final payload
#
Zegnat Guess after step 1, master key negotiation, I can start faking payloads as if they come from the server?
#
sknebel the key generated during initial setup is shared by both sides
#
[snarfed] oh right
#
[snarfed] sigh, so close
#
sknebel I can just encrypt whatever I want with "your key" (thats directly derived from the master key)
#
Zegnat Makes sense. Lots of pubkey-enc is actually symmetric with just the key encrypted in pubkey. Could have guessed TLS was the same
#
[snarfed] archive.org it is
#
Zegnat Haha
#
sknebel there was this, but their main project website is down and not seen any actual spec work, so also under "failed attempts": https://eprint.iacr.org/2017/578.pdf
#
[KevinMarks] that's where a CT approach could work - multiple crawlers that sign hashes of the content at a time and add to a merkle tree
#
[snarfed] oof, multiple trusted third parties
#
[KevinMarks] in practice, CT is mostly trusting google's crawler, but it was designed to allow multiple ones
#
sknebel huh? CT has explicit submissions by the CAs
#
sknebel a crawler can find and document non-logged certs, but that's not a special role in the system
#
[KevinMarks] hm, maybe I'm misnaming the roles, it's been a while since I read the protocol.
#
jacky okay re: JSON over XML for data, that was one of the _worst_ transitions I've ever experienced tbh
#
jacky like the number of times I've had to do data validation in JSON and XML came with that for FREE made me grumble
#
jacky gRPC tries to do that but also forces you to _never_ change things unless you want to break the world
#
jacky (this slowed down so many projects at Lyft)
#
vilhalmer heh, I don't think I've ever worked on something involving xml that actually used schemas
#
jacky I do agree that we can look into better ways of building the Web that doesn't necessarily require people to directly interface with HTML
#
jacky I don't know of another declarative format that gives me the forgiving yet objective nature of HTML tho
#
[georgenancejr] I see your point there Jacky. But I also have never seen xml that used a schema strictly with the exception of rss.
#
jacky It's definitely a case of "it's used when it's used"
#
vilhalmer html also isn't really xml
#
vilhalmer which is a good thing imo, writing html by hand is reasonable and writing xml by hand is the worst
#
[KevinMarks] for those kinds of encapsulation would capnproto be better?
#
vilhalmer html is designed to be human-crafted, at least original
#
vilhalmer *originally
#
[KevinMarks] yes, html is a lot terser than people think it is
#
[KevinMarks] because we spent too long pretending it was html and closing things that didn't need to be closed
KartikPrabhu joined the channel
#
jacky JSON schema tooling is probably more approachable because there's a smaller surface space to introduce erros and because it's written in a typed(ish) language versus markup; there's a lot less you have to test for and more than you gain
#
jacky *errors
#
jacky that I can't contest for sure
#
[georgenancejr] Also one other flaw with HTML is the lack of real structure for writing text . You can write text in divs, p tags, spans, or not use any tag at all .
[fluffy] joined the channel
#
jacky but that's similar to writing in real world scenarios? you can write using ink, pencil or berry juice; you can write by breaking every other word or following the structure of an AP guide
#
jacky the fluidity and flexibility of it is more of a strength than a weakness and allows for expression
#
jacky (omg am I a HTML advocate? lol)
#
[georgenancejr] You are definitely right . But it’s a bit confusing.
#
[georgenancejr] It makes parsing webpages harder
#
[georgenancejr] Don’t get me wrong , I respect every engineer that has built HTML . I think they never knew it would blow up and be used at such a large scale like it is today . And I know maintaining backwards compatibility is a priority too
#
vilhalmer luckily no one but google writes code to parse web pages anymore ;)
#
vilhalmer but yeah, it's a challenging format
#
vilhalmer that's sort of the universal tradeoff: easy for human == hard for computer
#
[georgenancejr] That’s not entirely true . Any web browser with a reader view . And Pocket + instapaper
#
vilhalmer yes I'm mostly kidding about the fact that almost everything is chromium now
#
[georgenancejr] Hahaha very true .
#
Loqi [georgenancejr]: lol
swentel joined the channel
#
[georgenancejr] I would love to work on an alt Internet . Even if it never catches main stream appeal , it could be a fun project
#
vilhalmer https://git.sr.ht/~julienxx/castor
#
[georgenancejr] Ooooo
#
Zegnat I did not know about Gemini
#
[georgenancejr] Gemini looks really interesting
#
vilhalmer it's cute
#
vilhalmer which I don't mean in a disparaging way, it's intentionally small
#
Zegnat I just wonder if the world wants a new gopher, or wants to go the way of hypercore
#
vilhalmer an excellent question
#
vilhalmer I find the trade between developer and user control based on the design of the protocol very interesting
#
vilhalmer gopher/gemini/very early html gave the user control over how to display the content, but at the cost of the content having to be fairly limited in structure
#
vilhalmer current html+css+js gives all the power to the developer
#
vilhalmer in that you can make a website which is completely non-functional unless the user grants you permission to run arbitrary code on their machine
#
vilhalmer I prefer the former, personally, but also acknowldge that it would have shaped the development of the tech in a very different and probably limiting way
#
vilhalmer and in a different way it just gives all the power to the browser devs
#
vilhalmer (not that they don't have a lot now)
#
Zegnat Browsers with a reader mode show that consumers can still take control. The big limiter here is web apps, I think, where behaviour outside of what a browser will offer is offered by the site publisher through JS
#
vilhalmer and the push culturally for everything to become a webapp by default
#
vilhalmer because if you're not webpacking and reacting, do you really have a blog?
#
vilhalmer the indieweb is also a great example of the flexibility still existing, as almost all of the protocols depend on web pages being parsable
#
vilhalmer the dream is creating incentives to make your site interoperable which normal users see value in
#
vilhalmer like reader mode
#
vilhalmer let the user agent be an agent for the user!
#
Zegnat I am not looking forward to the day where everyone starts encrypting their content page-by-page … https://blog.amp.dev/2020/04/27/introducing-the-fastest-and-most-user-friendly-content-encryption/
#
vilhalmer amp -_-
#
vilhalmer that reminds me, I was going to turn off my https redirect and forgot
[grantcodes], gRegorLove, gRegorLove_ and KartikPrabhu joined the channel; nickodd left the channel
#
@AndreJaenisch ↩️ I don't have comments. I want people to use WebMentions instead. (twitter.com/_/status/1275122536133640192)
[tantek] joined the channel
#
[fluffy] Wow that client side encryption thing sounds a lot like my half-baked “atom but encrypted” idea which aaronpk criticized which led to me joining this community in the first place. :)
#
aaronpk oh no lol i don't remember that at all
#
[fluffy] https://beesbuzz.biz/blog/6128-Federated-access-control-with-Atom-and-WebSub
#
[fluffy] “Criticize” is a bit strong, more “poke holes in” :)
#
[fluffy] Oh and I guess I had already joined in on indieweb stuff at the time since the conversation took place via webmention
#
Zegnat As someone who loves an open web, writing web extensions, and has a not-so-standard computer setup, websites starting to encrypt their content terrifies me.
#
Zegnat As someone whos job includes working on a paywall, I think the encrypted thing is very interesting.
douno joined the channel
#
petermolnar Zegnat: I'm with you
#
petermolnar http is the next gopher :(
#
[fluffy] yeah the focus of my idea was on using atom as a platform for safe private social networking
#
[fluffy] not to do something at scale but to make it so that people cna do friends-only stuff without needing the contortions that they have to go through
#
[fluffy] but I was also coming at it from a POV of atom’s original design goals, where the content would be free-floating in a sea of potentially-detached items with just a reference to where it came from, and I was concerned about what happens if someone tries to share an item using the native intended atom sharing mechanism (which nobody does anyway)
[Rose] joined the channel
#
[snarfed] ostatus was atom, did it handle private/non-public posts?
#
[KevinMarks] Only by having them encrypted. Iirc there was no per feed auth
#
[KevinMarks] There was a gdata/atom +OAuth mechanism in the opensocial/as1 model that I think some things built on. Early buzz maybe?
#
[KevinMarks] Though that wasn't end to end private, it was silo mediated groups
gRegorLove_, yeet1, [schmarty], gRegorLove__, jjuran and [LewisCowles] joined the channel
#
@JmacDotOrg Releasing a couple of new goodies this week, ahead of both #IndieWeb Camp West and #TPRCiC… First, a new page about Webmention, pulling together introductory information, live examples, and links to further resources: https://jmac.org/webmention/ (twitter.com/_/status/1275170781744566273)
#
@JmacDotOrg ↩️ And I’ve released Whim, a command-line multitool for sending, receiving, managing, and displaying webmentions: https://jmac.org/whim/ (twitter.com/_/status/1275171266195075072)
#
aaronpk wow it's like an IndieWWDC!
#
vilhalmer jmac++
#
Loqi jmac has 3 karma in this channel over the last year (13 in all channels)
#
jmac Sadly the IndieCar and IndieHome modules have been delayed
gRegorLove_ and [georgenancejr] joined the channel
#
[georgenancejr] So in this theoretical alt Internet , how could you build web mentions into it by default without a central server ? Would blockchain be the only way ?
#
KartikPrabhu "theoretical alt internet" is not very useful. Better to build off of concrete use-cases and implementations
[KevinMarks] joined the channel
#
[schmarty] "App Clips but IndieWeb" probably appeals to me deeply
[tantek] joined the channel
#
[tantek] Lololololol all this talk about non-repudiation and no one brought up the blokechain (cc [schmarty] )
#
[tantek] Until the theoretical question.
#
[tantek] Oooooh I have a template for that!
#
[KevinMarks] We did talk about Certificate Transparency and its more sensible use of Merkle chains
#
[tantek] “In this theoretical .... Would X be the only way?”
#
[tantek] No.
#
[schmarty] Nopechain
#
[tantek] IndieWWDC++
#
Loqi IndieWWDC has 1 karma over the last year
#
[tantek] On another positive subject, anyone know where this states-as-squares infogeographic design came from and/or has anyone implemented it with data from their own site?
#
[tantek] https://www.instagram.com/p/CBvWcWEg7JY/
#
[tantek] Eg location based post archive page
#
aaronpk cute
#
aaronpk instagram-- for requiring login tho
#
Loqi instagram has -1 karma in this channel over the last year (-2 in all channels)
#
[tantek] Whoa really? That’s messed up
#
[tantek] Wonder when that changed
[manton] joined the channel
#
aaronpk pretty recently
#
vilhalmer huh, it let me through
#
vilhalmer must be a slow rollout
#
vilhalmer I knew they took away being able to click through from profiles
#
petermolnar https://addons.mozilla.org/en-US/firefox/addon/instagram-guest/ - in case anyone needs it
gRegorLove joined the channel
#
[tantek] petermolnar++ that’s amazing. I need to try it ASAP!
#
Loqi petermolnar has 1 karma in this channel over the last year (23 in all channels)
#
[georgenancejr] [tantek] it was a simple question . No need to be a jerk about it .
#
[tantek] Sorry, bad habit from theory trolls in #microformats
[jgmac1106] joined the channel
#
[tantek] Now about JSON vs XML for APIs hooo that’s a pit. I’ll just say i18n and JSON strings of user data and leave it at that for now
#
[tantek] [georgenancejr]++ you’re in a good place to chat about alternative internet approaches
#
Loqi [georgenancejr] has 1 karma over the last year
#
[tantek] I think the SSB approach has some promise in that regard, certainly more so that anything blokechain
#
[tantek] what is SSB
#
Loqi Secure Scuttlebutt is a P2P system to sync message feeds, used to build (among others) social applications that work in off-grid/sneakernet scenarios https://indieweb.org/SSB
#
[tantek] What is a singleton
#
Loqi singleton is in the context of the indieweb, or decentralized web in general, a shared (effectively centralized) data structure (like a blockchain ledger) or database (like the consequence of assuming a specific hashing algorithm) being used by (and thus a limitation of) an otherwise seemingly distributed system https://indieweb.org/singleton
#
[tantek] [georgenancejr] some good expansions / links to check out on those two pages ^^^
justache and [fluffy] joined the channel