#dev 2021-06-16

2021-06-16 UTC
samwilson joined the channel
#
Saphire
Oof those arguments
#
angelo
four years ago a feedparser issue was created to support JSON Feed.. it just landed; apparently newsblur uses feedparser
tonz joined the channel
#
@dshanske
Working on expiring tokens for the WordPress IndieAuth endpoint. This would be a breaking change, as currently, tokens issued by the endpoint never expire. This is a security concern, if you keep issuing tokens without ever expiring them. With the new… https://di5.us/t/1Qg
(twitter.com/_/status/1405028295134126084)
pinkie and [snarfed] joined the channel
#
[snarfed]
angelo got a link? I’m not seeing that in https://github.com/kurtmckee/feedparser/pulls
#
Loqi
[bbolli] #109 Add support for JSON feeds
#
[snarfed]
ah Nov 2020
#
[snarfed]
(and opened May 2017, wow)
tonz, capjamesg, hendursa1, jeremycherfas, reed, calebjasik, BinyaminGreen[m], Abhas[m], batkin[m], LaBcasse[m] and nekr0z joined the channel
#
Saphire
Wait what
#
Saphire
... I'm guessing those tokens can't be revoked either?
jeremy and jeremycherfas joined the channel
#
capjamesg
doosboox how do you access your usbs via the /mnt directory?
#
capjamesg
I don't work with usbs on the CLI haha.
#
doosboox
Not sure if that explains it for you, but feel free to ask for clarifications :D
#
capjamesg
Will take a look. Thanks!
#
doosboox
my /home dir is 75GB, and my currently 44 weeks of backups total 78GB
[Murray] joined the channel
#
[Murray]
Okay, I feel like people here may have some interesting insights, so does anyone know if it's better to use an `<a>` element or a `<button>` element for third-party authorisation flows? Specifically for social login buttons
#
[Murray]
Is this something that's come up with IndieAuth at all?
#
doosboox
capjamesg: what kind of file system is the drive you're attempting to mount?
#
capjamesg
I just formatted the drive and everything looks good now.
#
capjamesg
I had to recreate the file system w/ mkfs.ext2.
#
doosboox
👍 I use ext4. I have no idea what the difference is :D
#
capjamesg
I just needed a file system to which I could write haha. I'm not sure how the USB was initially set up.
#
capjamesg
How long does rsync take? :D
#
capjamesg
Just realised I'm backing up 47G.
#
doosboox
that depends on the speed of your USB bus and the write speed of the USB drive :)
#
capjamesg
It's probably going to be a while :)
#
doosboox
use --progress for rsync if you want it to show you that it's actually doing something
#
Loqi
use has -1 karma over the last year
#
doosboox
hahaha
#
Loqi
awesome
#
capjamesg
doosboox++
#
Loqi
doosboox has 1 karma in this channel over the last year (2 in all channels)
#
Loqi
use has 0 karma over the last year
#
doosboox
:D
#
doosboox
Loqi is by far the best IRC bot I've ever encountered
#
capjamesg
* gives loqi a cookie
#
Loqi
eyes the cookie
#
Saphire
gives Loqi a pat
#
Loqi
enjoys the pat
#
sknebel
gives Loqi a bug report
#
Loqi
enjoys the bug report
#
Loqi
[sknebel] #43 Karma: do not trigger on `x --y` pattern
#
sknebel
(happened twice recently)
#
doosboox
I'm sure "use" doesn't mind
#
doosboox
still a good fix :D
#
sknebel
one before afaik was curl, that was unfair :D
#
doosboox
yeah, that does sound unfair
#
doosboox
Uhm. Random question about backups: How old backups are reasonable to keep? In my case I'm afraid of tossing old backups because file corruption may creep in over time. I'm not sure that's a legitimate concern, however. And I've found that a not-insignificant fraction of my incremental changes are actually git garbage collection
#
capjamesg
Good question. I was just thinking about deleting the old backup after I make a new one.
#
sknebel
one thing you can do is thin out the increments
#
sknebel
git repos also can of course be backed up by using git tools to push them somewhere, not as a file backup
#
sknebel
(e.g. a backup system might keep daily snapshots for 2 weeks, weekly snapshots 2 months and just monthly or yearly ones, depending on what you need)
#
capjamesg
What's the advantage of incremental vs. full backups doosboox?
#
capjamesg
Saving space?
#
doosboox
capjamesg: a full backup takes a lot longer and takes up more space
#
capjamesg
Are you able to easily find your files with the incremental backup?
#
doosboox
If I were to run a full backup I'd have to delete the old backup first to make room. And then rsync would have to churn through all 75GB.
#
doosboox
oh, absolutely.
#
capjamesg
Here's my very rudimentary implementation of a full backup: https://gist.github.com/capjamesg/3d3326abaf3a0a9b8f26b533a477b824
#
capjamesg
But incremental might be the way to go. It takes quite a long time.
#
doosboox
The file tree is just a couple of levels deeper. "/mnt/usb2/latest/users/" looks exactly like "/mnt/usb1/users/" did last Sunday morning
#
capjamesg
What is rsync?
#
Loqi
rsync is a command line tool to copy files from one server to another, which can be used for incremental backups or migrating web hosts https://indieweb.org/rsync
#
Loqi
ok, I added "https://warmedal.se/~bjorn/posts/simple-incremental-backup-with-rsync.html" to a new "See Also" section of /rsync https://indieweb.org/wiki/index.php?diff=76089&oldid=58101
#
doosboox
yeah, time and space are the big problems with a full backup. If I were to go that way I'd rather have a RAID 0 setup (mirrored disks)
#
capjamesg
petermolnar what's your setup?
#
doosboox
capjamesg++ ❤️
#
Loqi
capjamesg has 1 karma in this channel over the last year (2 in all channels)
#
petermolnar
similar to the full rsync example, but instead of snapshotting, I use `--backup --backup-dir="../deleted_$(date +%Y-%m-%dT%H:%M)/"` as rsync arguments
#
petermolnar
so anything that gets deleted gets moved
#
petermolnar
this, however, doesn't take care of altered content
#
petermolnar
I do have daily/weekly/monthly zfs snapshots on the backup server though
#
capjamesg
This seems to work pretty well for incremental backups `rsync -a --progress --delete /home/james/ /mnt/myusb/`
#
capjamesg
(well, for my setup anyway!)
#
capjamesg
Good idea re: storing deleted content.
#
doosboox
capjamesg: check out the --delete-before and --delete-after flags. I'm not sure what the default behaviour of --delete is, but if you have a power outage in the middle of the rsync it would suck if it had removed a big file but then not put a new copy in place. I mean, the risk is small, but worth reading the rsync man pages for :)
jeremycherfas joined the channel
#
capjamesg
"delete extraneous files from dest dirs" doosboox
#
capjamesg
rsync doesn't delete files from the source directory, right?
#
capjamesg
(obv. not with the --delete because it says dest)
#
doosboox
nope
#
capjamesg
Doesn't look like it. Reading the man page examples now.
#
capjamesg
doosboox++ for all your help!
#
doosboox
but if you have file A in src and in dest, but the one in src is newer, then the one in dest will be deleted either *before*, *during*, or *after* transfer of the newer version :)
#
doosboox
you're welcome!
hendursaga and shoesNsocks joined the channel
#
petermolnar
--delete is delete on the spot
chenghiz_, [Murray], jeremycherfas and [snarfed] joined the channel
#
aaronpk
wow, my website storage is 29gb and this is making me question whether i actually need a local copy of it on my 256gb laptop
#
petermolnar
> 256gb laptop - this combination of words is sad. It used to be 256gb hdd or ssd, replace-able. Now it's a 256gb laptop. One of the reasons why I don't want a new laptop and certainly will never have one with soldered-on storage.
#
aaronpk
yeah i really wish i could drop a 2tb nvme in here, that'd be well worth the cost of the drive
#
aaronpk
also it's silly that i have a 256gb microsd card in my camera and it's the same space as the drive in the laptop
#
aaronpk
i would even take the slower storage speed and stick a microsd card in the laptop too. oh well
#
sknebel
I'm sure there's an SDcard dongle you can buy :P
#
sknebel
(sorry, but fish/barrel, couldn't resist)
#
petermolnar
but I've been wondering for a while to make a docking-tray like thing for macs that could accept multiple devices, like extra m.2s and such, with a clamp-on mechanism, that keeps it in place constantly
#
petermolnar
iThicc would be a good name for it
#
aaronpk
there are some of those
#
petermolnar
I mean like the ultrabase for the older X series thinkpads: https://www.thinkwiki.org/wiki/ThinkPad_X200_UltraBase
#
sknebel
petermolnar: welded to the bottom, with nice thick welding seams, would be a fun look ;)
#
petermolnar
now I want something like this, both to make apple fans cry, and to make oldschool laptop fans envy it
barnaby joined the channel
#
barnaby
[snarfed]: thanks for deploying the fix! it didn’t work, but it looks like it’s twitter’s problem this time, not yours ;) https://brid.gy/log?start_time=1623855361&key=agdicmlkLWd5ckwLEg1QdWJsaXNoZWRQYWdlIiVodHRwczovL3dhdGVycGlncy5jby51ay9ub3Rlcy81RDlOY0ovDAsSB1B1Ymxpc2gYgIDI9K-58QoM
jeremycherfas joined the channel
#
barnaby
“the attempts to upload hamster will continue until twitter’s morale improves”
[manton] joined the channel
#
[manton]
I think I saw a mention here of Mastodon switching from Atom to RSS but I didn’t pay much attention to it until today… It looks like the old Atom feed URLs are returning an HTTP 406 instead of a redirect, effectively breaking all the old feeds? Confused why they would do this.
#
barnaby
cue flashbacks to the feed wars :/
#
@call_user_func
taproot/indieauth PHP PSR-7-compliant IndieAuth Server and Client implementation. https://github.com/Taproot/indieauth
(twitter.com/_/status/1405179044178563081)
#
sknebel
bot that posts new packages
[tantek] joined the channel
#
doosboox
I’m butting my head against CSS. I want to align elements on a page like this: https://lounge.warmedal.se/uploads/616ec43eb3b8a45a/F989968E-97C8-4D70-936E-B010CD317BEF.jpeg
#
doosboox
I just can’t get it to work :(
#
mgdm
what are you using to do it? I've been playing a bit with CSS grid recently, which worked out for me
#
doosboox
I can’t get the lower input field to stretch all the way to the button, nor can I get the large textarea to fill up the available space vertically
#
doosboox
I’ve mostly tried stuff with flexbox, but I’m open to any solutions
#
mgdm
This isn't quite the layout you're after but it describes something in that direction: https://www.freecodecamp.org/news/how-to-quickly-prototype-apps-with-css-grid-and-css-variables-8d3d96d68eaa/
#
doosboox
one problem I’ve identified is that the body element doesn’t fill the viewport vertically, but even when I manage to make it higher I can’t get the elements within to be placed right
#
doosboox
mgdm: definitely worth looking at! Thank you
#
[Murray]
So flex or grid would both work here. Grid is perhaps a little more precise in this layout. Either way, you can use `100vh` on a parent container to get the height bit sorted (though *huge* asterisk around mobile/Safari/the whole stupid ordeal around what counts as the viewport 😄 so YMMV to some degree)
#
[Murray]
In terms of getting textareas and inputs to behave, make sure they're not pure `inline` elements. Then you should be able to just 100% width to get them to go the whole way across.
#
[Murray]
As for vertical space, viewport relative units like `vh` or `fr` (if using Grid) are probably your best bet
#
[Murray]
If you have a CodePen or something I'm happy to take a look 🙂
#
[Murray]
(I can also recommend https://every-layout.dev/ for learning Grid/Flex/modern CSS, though minor paywall. Plus anything Jen Simmons/Rachel Andrews have put out 😉)
[chrisaldrich], [fluffy], [schmarty] and [snarfed] joined the channel
#
[snarfed]
barnaby thanks for trying! here’s my successful test from early today: https://twitter.com/snarfed_org/status/1405162885521629185 . feel free to try again later I guess
barnaby joined the channel
#
capjamesg
What are you testing snarfed?
[aciccarello] joined the channel
#
[aciccarello]
I think syndicating video posts to twitter
#
barnaby
yeah we’re having trouble with my hamster video
#
capjamesg
petermolnar where do you back up your content? I meant to ask earlier. I'm going to do my backups on a USB drive. Is that sufficient or is a hard drive a better idea?
#
capjamesg
aciccarello I see. Thanks!
[tw2113_Slack_] joined the channel
#
[tw2113_Slack_]
how rude
barnaby joined the channel
#
[snarfed]
wow seriously
#
[snarfed]
all 503s
#
[snarfed]
and their status page is…thin…and not exactly confidence inspiring https://status.twitterstat.us/
#
barnaby
yeah I checked it out already
#
barnaby
very strange
#
barnaby
[snarfed]: this status page is a bit more detailed, but has nothing relevant to my issue https://api.twitterstat.us/
#
barnaby
the other one is a bit of a joke
#
GWG
Wondering who I can talk into a reference implementation of refresh tokens for an IndieAuth client
#
GWG
Barryf? Swentel? aaronpk?
#
aaronpk
I could be convinced
#
GWG
aaronpk: jamietanna already has an endpoint that supports it, and I would write it into WordPress in a heartbeat if I had something that used it
#
GWG
Remember when you added PKCE to Quill that people started adding it to their backends
#
GWG
aaronpk: I could try an incentive... but not sure what.
[KevinMarks] joined the channel
#
GWG
aaronpk: I could try to track down Hydrox
#
[KevinMarks]
[manton] are the h-feeds on mastodon usable? You could atomize them with granary.io worst case
#
[KevinMarks]
@barnaby I had another friend whose video twitter kept rejecting recently too
#
barnaby
[KevinMarks]: interesting, good to know it’s not just me
#
barnaby
if the bridgy side of the problem is fixed now then there’s no more debugging value left in that post, so I’ll just POSSE it manually
#
[snarfed]
barnaby: sgtm
[schmarty] and [manton] joined the channel
#
[manton]
[KevinMarks] Good question. On first glance, the h-feeds for a profile page look pretty good. I didn’t actually need anything specific from Atom, so RSS is fine, I was just kind of annoyed that Mastodon broke all existing feed URLs. I still can’t believe it. 🙂
#
[manton]
I auto-discover the Mastodon feed so everything worked fine for new users, but if I had already cached the Atom URL, I wasn’t attempting to rediscover the feed URL if an HTTP 406 came back. It never really occurred to me to do that or that the URLs would stop working.
KartikPrabhu joined the channel
#
[KevinMarks]
I think the h-feeds are richer than the RSS - the Atom used extensions for more details, the RSS is pretty thin. Not sure if you can distinguish boosts in rss
#
petermolnar
!tell capjamesg I have a laptop, which is synced to a home server, which is synced to a rented server in Germany; the servers run FreeBSD on ZFS filesystem, which takes care of the snapshots. Given that most of my life's content - photos, documents, etc - are digital these days, and that once we had been burgled, I don't feel OK without off-site backups.
#
Loqi
Ok, I'll tell them that when I see them next
#
barnaby
welp, looks like I found a reason to add support for indieauth requests without code_challenge
#
barnaby
https://micropub.rocks/ doesn’t seem to use them
Seirdy joined the channel
#
barnaby
from #chat:
#
barnaby
although I’m a little concerned about the never-expiring access tokens being redeemable without the client secret which indieauth necessarily lacks
#
barnaby
I assume that the refresh token requests would require client_id and redirect_uri exactly matching those from the original request
#
barnaby
but not the PKCE code_verifier? or would that be required too?
#
aaronpk
PKCE isn't needed for using refresh tokens
#
aaronpk
this isn't unique to IndieAuth, it's the same problem with OAuth for mobile apps and SPAs
#
barnaby
I guess it’s fine to leave out PKCE provided the client_id and redirect_uri match
#
barnaby
as they’re already verified
#
aaronpk
PKCE is just a mechanism to protect the use of the front channel redirects
#
aaronpk
Here actually I talked about this last week https://youtu.be/uwbqqRA7wbI
#
barnaby
oooh a livestream with timestamps
#
barnaby
very nice
#
barnaby
it’s appreciated
#
barnaby
those timestamps are one of the best user-facing UI decisions YT’s made in a long time IMO
#
barnaby
they *almost* make up for inexplicably putting the “picture-in-picture” button right behind the “1.25x” speed control, leading to me activating it far more regularly than I want to
#
aaronpk
Now that I'm thinking about it, I wonder if it would actually make sense to use the PKCE code verifier with the refresh token
#
aaronpk
I'm going to bring this up on the OAuth list
#
barnaby
I’d be interested to hear responses to it
#
barnaby
oooh who did the OAuth kitten illustrations?
#
aaronpk
I hired an illustrator!
#
aaronpk
There's still a few different concerns with stealing refresh tokens, so adding the code verifier wouldn't solve any attacks where the attacker would also be able to steal that out of the app at the same time as stealing the refresh token
#
aaronpk
eg XSS stealing data from local storage
#
barnaby
makes sense
#
aaronpk
but for mobile apps where XSS isn't really a concern it might help in some cases, although I'm struggling to find an example of when someone would be able to steal the refresh token but not the code verifier
#
barnaby
when I think it through, provided the client_id and redirect_uri match the verified, stored ones from the initial exchange, I don’t see any other issues with the refresh token exchange
#
barnaby
I was just a bit freaked out when reading through the description here https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/ where you just have this eternal refresh token which can be exchanged for access tokens potentially without a client secret
#
aaronpk
Yep that's a classic OAuth problem
#
barnaby
okay yeah the front-channel/back-channel concept cleared it up for me. PKCE protects the front-channel authorization flow, and refresh tokens are all in the back channel, so it’s no longer necessary
#
barnaby
aaronpk++ nice explanation. the people who hire you to do OAuth workshops are getting their money’s worth!
#
Loqi
aaronpk has 50 karma in this channel over the last year (148 in all channels)
#
GWG
So, if I wanted to add refresh_tokens, other than my need for at least one client that uses them, what do I need to keep in mind
barnaby, [aciccarello] and sebbu joined the channel