#dev 2022-03-03

2022-03-03 UTC
tetov-irc, Darius_Dunlap[d], jacky, jzeneto, [jgmac1106], justAstache, Seirdy, tbbrown, Fe, jamietanna1, superkuh, gerben, strugee, mro, [Francesco_Impr], polezaivsani, [tw2113_Slack_], [tantek], sayanarijit[d], rrix, Silicon[d], Eddy04[d] and Saphire joined the channel
# 13:45 
@ton_zylstra ↩️ I have a WordPress blog, with the IndieWeb plugin for webmention (twitter.com/_/status/1499379579601014784)
kinduff_, kinduff__, jacky, tbbrown, sp1ff and mro_ joined the channel
# 15:07 
sp1ff aaronpk: ah, I think I see-- the template author includes them?
# 15:08 
aaronpk Yea, it's meant to be built in to the site rather than something a user would ever see
# 15:09 
aaronpk the docs and tutorials and such of course mention how to add them to HTML because they're written for the people who are writing the HTML
mro joined the channel
# 15:12 
sp1ff Got it. I just use Emacs org-mode to publish my site, so shouldn't be too hard to add 'em. Thanks.
mro and tbbrown joined the channel
# 16:14 
[tantek] there has to be more people that support "offline first" besides me and Jeremy right? https://indieweb.org/offline_first#IndieWeb_Examples
# 16:18 
[schmarty] 🤔 can it really be offline _first_ if you have to visit the site at least once while online to get the serviceworker installed? 😂
# 16:22 
[aciccarello] offline second? 😁
mro joined the channel
# 17:08 
sknebel "offline-usable"?
# 17:10 
[tantek] [schmarty] worth adding to the FAQ. "visiting the site at least once" is a web equivalent of "install the app", so yes, in as much as people treat any piece of software as "offline first", you can't use it offline without first installing it 🙂
# 17:11 
[schmarty] glances towards the few pieces of physical software install media in his home
# 17:13 
[tantek] hah. whether you install from physical media or the network, you still have to take that install step. even that "physical software install media" had to traverse the slow network known as the "global supply chain" 🙂
# 17:14 
[schmarty] a network from which one can rarely truly be "offline"
jacky, justAstache and barnaby joined the channel
# 19:05 
[KevinMarks] Though Russia is getting there
antrdnv[d], mro, angelo and tbbrown joined the channel
# 20:46 
jacky [schmarty]: heh one day!
# 20:46 
jacky indieweb amongst the people in front of you
mro joined the channel
# 21:13 
[KevinMarks] Thats what scuttlebutt was like for me - it didn't work until I was in the same room as people using it
kimberlyhirsh[d] joined the channel
# 21:14 
[KevinMarks] Hm you could go back to the mDNS .local approach
# 21:15 
[KevinMarks] Though that can be harder now with devices having other networks than the shared WiFi
# 21:16 
sknebel annoyingly android doesnt do mdns
# 21:17 
jacky ^ super annoying
# 22:07 
jacky has anyone considered integrating https://www.hcaptcha.com/privacy-pass into their site?
# 22:07 
jacky mainly for content submission
# 22:07 
jacky I noticed discord using it
# 22:08 
jacky I'm looking at things I'd want to incorporate into my Webmention submission form to prevent bad links (already restricting it to URLs known to my site for inbound)
# 22:14 
sknebel hm, I feel like rate-limiting that feature would be enough and non-intrusive?
# 22:17 
[tantek] I think the thread model is drive-by manual spamming and other opportunistic attacks, not automated (at least at first)
# 22:45 
jacky yeah actually that's what I'm thinking about (drive-by attacks_
# 22:45 
jacky but I should also make a very clearly defined threat model
[chrisaldrich] joined the channel
# 22:46 
sknebel yeah. i.e. someone plugging in random URLs for fun isnt stopped by doing it in a browser
# 22:47 
sknebel captcha just slows them a tiny bit
# 22:47 
sknebel automated struggles more with it
# 22:49 
sknebel but also whats the damage. a) resource use b) fetching other stuff b.1) resource use on other sites b.2) your server talks to sites you wouldnt let it talk to?
Saphire joined the channel
# 22:50 
sknebel a) and b.1) are not too bad if slowed down enough, b.2) you can't prevent with captcha either
# 22:50 
sknebel would be my first thoughts
# 22:51 
sknebel (if I'm scripting an attack I also can just use your WM endpoint directly, so the captcha there I can easily circumvent)
# 22:51 
sknebel so you primarily stop dumb pots putting urls in random fields?
# 22:57 
sknebel -> afk, sleep
tetov-irc, marksuth[d] and P1000[d] joined the channel