#dev 2020-07-21

2020-07-21 UTC
sp1ff` and strugee joined the channel
#
GWG
Can I prevail on someone to approve a PR?
#
GWG
I want to push this, and pfefferle usually does my approvals, but he's likely asleep
#
GWG
gRegorLove: Could you?
#
Loqi
[dshanske] #178 Need capitalization
[tw2113] joined the channel
#
[tw2113]
got you covered GWG
#
GWG
Thank you
#
GWG
It isn't a code change at least
#
[tw2113]
brb, heard a really loud boom just now 😄 jk
#
GWG
[tw2113]: Not till I push it
prologic joined the channel
#
prologic
jacky hi 👋
#
jacky
hey! so what's the thing you're trying to solve for prologic?
#
jacky
like discover-ability of the feed puller?
#
prologic
yeah pretty much
#
prologic
not sure if you read the issue or my own twtxt.net posts on this
#
prologic
btu the technical details are easy to solve
#
prologic
just rip the data out of `User-Agent` of fetches of feeds from the instance
#
prologic
My point of discussion however is how to present this in some meaningful/useful way
#
prologic
I'll copy/paste my ideas:
#
prologic
2020-07-21T00:20:42Z [Discovering new twtxt users User-Agent data](https://github.com/prologic/twtxt/issues/14) is something I want to discuss with the wider community. The technical impl details are easy, but I'm not sure how to present the data on [twtxt](https://twtxt.net). Thoughts?
#
prologic
2020-07-21T00:22:33Z (re Discovering new twtxt users): Some ideas: 1) A new dedicated view/page 2) A "special" internal/builtin feed you can follow 3) Inject discovered users directly into the [/discover](https://twtxt.net/discover) view 4) Something else?
#
jacky
is proof-of-delivery important? because someone can just throw an address in a user-agent (the problem with them today)
#
jacky
I just read the issue
#
prologic
Good question
#
prologic
That's the same/similar problem I have with feeds.twtxt.net which I haven't solved yet
#
prologic
effectively fighting "bad data"
#
jacky
I would say that verification is a non-problem but can result in bad stats
#
jacky
right
#
prologic
So... What do we do?
#
prologic
Try to contact the TwtURI see if its valid?
#
prologic
I'd basically run it through a Twtxt parser fully
#
prologic
and if there was no error its valid
#
jacky
so I need to learn a bit more about the flow / mannerism of twtxt tbh
#
prologic
sure :)
#
prologic
Also play with https://twtxt.net/ too if you aren't already
#
prologic
And you can poke about the source code too
#
prologic
some of which is directly borrowed from quite's (on #twtxt)'s twet CLI client
#
jacky
hm okay
#
jacky
https://twtxt.net/u/jackyalcine 500's (I thought that was my username but it's not lol)
#
jacky
so https://twtxt.net/u/jacky seems like a feed of plain text updates?
#
prologic
Hmm depends what you signed up with :)
#
prologic
I had some bad data in the first version versions and so wrote automated mgiration code to migrate bad account data and feeds transparenelt
#
prologic
I may not have done this as perfectly as I wanted :)
#
prologic
Anyway...
#
prologic
Yes the URI https://twtxt.net/u/<user> is the twtxt.txt feed itself
#
prologic
I'm considering breaking this though with https://github.com/prologic/twtxt/issues/15
#
prologic
And making it in line with feeds.twtxt.net whereby all twtxt.txt feeds are of the form schema://<domain>/<user>/twtxt.txt
#
Loqi
[prologic] #15 [BREAKING CHANGE]: Profile page vs. Twtxt feed URL?
#
prologic
anyway I assume you're just trying to get familiar and up-to-speed so we can actually discuss things at the same level :)
#
jacky
yup yup
#
prologic
*nods*
#
jacky
ah I followed myself and now I can't unfollow D:
gRegorLove joined the channel
#
prologic
you actually cannot unfollow yourself :)
#
prologic
its an implied thing with twtxt.net
#
jacky
hmm okay
#
prologic
I didn't think it was necessary to make that configurable :)
#
prologic
i.e: when you post, it updates youru won feed right there
#
prologic
so you don't have to wait for the next feed update (~5m by default)
#
jacky
I was wondering what would be classed as a client, I'm guessing https://github.com/buckket/twtxt does?
#
prologic
the twtxt spec itself is very light
#
prologic
mostly just a file format really
#
Loqi
[buckket] twtxt: Decentralised, minimalist microblogging service for hackers.
#
prologic
so clients/servers are free (within reason) to do what they want or present things in interesting ways :)
#
prologic
at least this is my understanidn :D
#
prologic
jacky yes that's the cannonical client way back when
#
prologic
there is also https://github.com/quite/twet
#
prologic
and a few others
#
Loqi
[quite] twet: A client in go for twtxt -- the decentralised, minimalist microblogging service https://twtxt.readthedocs.org/en/stable/
#
prologic
I put more (maintained) clients on that IndieWeb twtxt page :)
#
prologic
of the ones I know are still maintained and work
#
Loqi
[prologic] twtxt: 📕 a twtxt client in the form of a web application and hosted service that provides a self-hosted, decentralised micro-blogging platform. No ads, no tracking, your content!
#
prologic
Yes thank you Loqi :)
#
prologic
good 'lil bot :)
#
prologic
Oh I just realized a minor cache bug
#
prologic
and worked out why/how it happens
#
prologic
I'll fix it (embarrasing) and redeploy shortly
#
jacky
will reply with thoughts on the GitHub issue
#
jacky
but tbh I think that discoverability, in general, is hard
#
jacky
and I also do think that placing it in the user agent will potentially allow for spoofing :(
[tantek] joined the channel
#
[tantek]
yup, can't depend on UA for anything like that
#
aaronpk
the trick is to stop thinking about the user agent header as something special, it's just unvalidated external input when it's received, just like anything else
#
prologic
jacky Thanks!
#
prologic
Yeah youre all right of course
#
prologic
But the spec does say to put the twtxt client in the UA header
#
prologic
this is optional on some (most?) clients
#
prologic
But its nonetheless useful/valid if you can trust that most people won't be "bad actors" and fuck with it
#
prologic
so IHMO its "okay" from that perspective
#
prologic
And yes its hard to solve for perfectly, but maybe we don't have to?
nickodd, gxt, cweiske and prologic joined the channel; nickodd left the channel
#
Zegnat
I think UA is as valid as any HTTP header, as aaronpk said, if you are on the receiving end you just need to treat it as any other random input.
#
Zegnat
Feed fetchers have been using UA to both identify themselves but also give information about how many singular subscribers a feed has on their end, that has been working well from what I understand. Have not heard of anyone spoofing those.
swentel, gRegorLove, dckc and gxt joined the channel
#
Ruxton
the addition of github profile readme's is gonna allow even more rel="me" links :O
gRegorLove joined the channel
#
prologic
Zegnat I agree
#
Zegnat
Ruxton: oooh, I had not thought of that! They do not strip the attribute?
#
Ruxton
yeah they do :(
#
Ruxton
they replace it wth rel="nofollow"
#
Ruxton
just tried it after writing it
moppy joined the channel
#
Zegnat
Not too surprising, but a little sad.
#
Zegnat
Thinking they go the better-safe-than-sorry route when it comes to embedding content on profile pages
GWG_ and [KevinMarks] joined the channel
#
[KevinMarks]
Twtxt.net does that too
cjw6k, KartikPrabhu and jjuran joined the channel
#
prologic
Does what?
[KevinMarks] joined the channel
#
[KevinMarks]
turns rel="me" into rel="nofollow"
#
[KevinMarks]
maybe in the markdown library you're using?
[pfefferle] joined the channel
#
Zegnat
Now I am wondering, are there any unsafe rel values that absolutely must be sanitised?
#
[KevinMarks]
it depends on how you're using it - you do want to remove rel="me" and rel="canonical" etc if its, say, someone else's comment embedded on your blog
#
prologic
I'm not familiar enough with the rel attr sorry
#
prologic
But yes its configurable behaviour for sure
#
prologic
if you use twtxt.net or want to use the software itself and run it yourself
#
prologic
please by all means files issues or contribute via PRs :)
deltab, jeremych_ and [tantek] joined the channel
#
[tantek]
prologic, if you check your web access logs, you'll likely see that most "people" are bad actors, that is bots lying with their user agent string. it's basically noise.
#
prologic
I'm not talking about UA in general
#
prologic
but for a specific purpose
#
prologic
twtxt defines the standard such that clients _should_ identify themselves with a special sring in the UA
#
prologic
often clients make this an option feature
#
prologic
I think therefore it can be relied on as long as people use well-formed/written client software
#
aaronpk
But that's the problem :-)
#
aaronpk
if everyone used well written software there would be no spam
#
aaronpk
as soon as you give people a mechanism that can be gamed people will take advantage of it
#
aaronpk
Mastodon stats are another example of this. There's a special url a server can host that describes the instance reporting things like number of users and number of posts. That gets aggregated on some websites to show total mastodon users. But it's trivial to make a fake one and report 1,000,000,000 users if you wanted to
#
prologic
I see what you're saying :)
#
prologic
Nevertheless this is as good as it gets I think for the time being
#
prologic
twtxt.net is already a nice client
#
prologic
so if everyone in thw twtxt community just used it or ran their own problem half solved :)
#
aaronpk
As long as you trust that everyone will play nice
#
aaronpk
and not modify it for fun or personal gain
#
aaronpk
and no bad actors will try to mimic the software to insert their own messages
#
prologic
those are all valid concerns
#
prologic
especially the last one
dckc and [schmarty] joined the channel
#
craftyphotons
I tend to follow a paranoid approach when it comes to this stuff, even for personal projects if they're internet-accessible
#
craftyphotons
Never trust the client and all that
#
aaronpk
☝️
#
craftyphotons
Fun side thing I'd like to do with my personal stuff is add webauthn to everything of mine for MFA so I can use my Yubikeys
#
craftyphotons
The Ruby world has a good reference Webauthn gem out there it looks like so it should be pretty easy to add to anything on Rails/Sinatra/etc
KartikPrabhu, nickodd and [tantek] joined the channel
#
[tantek]
craftyphotons++ for skepticism and defensive design thinking
#
Loqi
craftyphotons has 1 karma over the last year
#
@0daysfordays
Whenever something I've written ends up on the HackerNews front page, I get blasted with Webmentions from sites that seem to repost scraped content. Is that... profitable? Is there some cool SEO scam I'm missing out on?
(twitter.com/_/status/1285609773686304768)
#
jjuran
I heard if you do that you get double the webmentions back
cjw6k joined the channel
#
GWG_
I am thinking of writing a post on how people don't understand what IndieAuth is
jeremych_ joined the channel
#
jeremycherfas
I'd read it!
[Jose_Leiva] joined the channel
#
[Jose_Leiva]
+1
[tw2113] joined the channel
#
[tw2113]
it’s very likely a needed thing
#
[tw2113]
bonus points for straddling easy to understand for “joe user” while also getting technical where needed
nickodd left the channel
#
[tantek]
GWG, maybe start by documenting IndieAuth misconceptions on the wiki? We can help with the copy-editing
#
[tantek]
dev folks, you may be interested in this (just hearing about it myself, openly on the Twitters, no direct involvement) https://twitter.com/brennan_mike/status/1285575787349975040
#
@brennan_mike
We are launching a new effort w/ @mozilla @SloanFoundation @OpenSociety @opencollect to fund research & implementation of open source digital infrastructure! The RFP is now live. Join us Thursday @ 12:30pm ET to learn more: https://www.fordfoundation.org/digitalinfrastructure
(twitter.com/_/status/1285575787349975040)
#
GWG_
[tantek]: I may do both
#
[tantek]
jacky, fluffy in particular ^
gRegorLove, KartikPrabhu and [pfefferle] joined the channel
#
craftyphotons
Whoa Netlify just cut their pricing by more than half
[chrisaldrich], [manton] and KartikPrabhu joined the channel
#
@RubygemsN
indieweb-endpoints (4.0.0): Discover a URL’s IndieAuth, Micropub, Microsub, and Webmention endpoints. https://rubygems.org/gems/indieweb-endpoints
(twitter.com/_/status/1285679654511226886)
[jgmac1106] and [arush] joined the channel
#
kiero_
hi, what free landing page builder service do you recommend? Can output website to host on own server
[KevinMarks] joined the channel
#
[KevinMarks]
Not sure we have a category for that - maybe static site generators
#
[KevinMarks]
What is static site generator?
#
Loqi
Static site generators are programs that take a set of flat text files on disk and transforms them into a set of static html files ready to be served by a standard web server, or some variation of this example https://indieweb.org/static_site_generator
#
[KevinMarks]
Is that what you mean, or are you thinking more about a single page creator?
#
kiero_
[KevinMarks]: it can be static site generator but I'm looking for something with predefined templates
#
kiero_
so I can build website from blocks
#
kiero_
it can be html snippets
#
kiero_
so I can change text and some elements
#
kiero_
but css need to make it nice and look like landing page
geoffo joined the channel
#
kiero_
[KevinMarks]: something like Froala Design Blocks, but they set of blocks are poor
[chrisaldrich], gbmor and [tw2113] joined the channel; prologic left the channel