#dev 2022-09-21

2022-09-21 UTC
geoffo joined the channel
#
[schmarty]
barnaby++ woo, thanks! migrated. i'll see if any tokens broke for 0.1.0 tomorrow when i post caturday.
#
Loqi
barnaby has 16 karma in this channel over the last year (29 in all channels)
#
[schmarty]
had to polyfill `str_contains` because I have PHP7.4 on the box where I run all this 😅
#
[schmarty]
that clears up my main concern w/ updating taproot\indieauth to 0.2.0, which is exciting. i can also undo my `client_id` wrapping now that unfetchable `client_id` is no longer fatal.
geoffo and strugee joined the channel
#
@Naln1theVampire
Does anyone/thing use IndieAuth? Is it worth hosting my own IndieAuth provider?
(twitter.com/_/status/1572466927515365378)
smudge-the-cat and oodani joined the channel; smudge-the-cat left the channel
#
barnaby
[schmarty] oops sorry about the str_contains thing, I had no idea that was a PHP 8 only feature! I’ll replace that with something compatible with earlier versions, then release version 0.2.1
#
barnaby
good catch, thanks for testing! [schmarty]++
#
Loqi
[schmarty] has 15 karma in this channel over the last year (32 in all channels)
[KevinMarks], tetov-irc and jjuran joined the channel
#
[schmarty]
Ehehe an unexpected upside to my foot dragging
geoffo joined the channel
#
barnaby
if I had written tests which actually ran the script rather than just testing the migration function, it would have been picked up in the CI, but that seemed like too much effort for a tiny script. Perhaps I should get that codesniffer we use for php-mf2 working to check stuff like that statically
geoffo joined the channel
#
[tantek]4
Pretty sure CASSIS still only depends on PHP5+ functions
#
GWG
I do a polyfill on str_contains because it's really useful
#
IWDiscordGateway
<corlaez> Regarding the h-entry/h-feed microformats. Has it been considered to assume the u-url to be the link rel="canonical" if it is missing?
#
IWDiscordGateway
<corlaez> I am capable of generating my own u-url but for some pages I would like to not show it (not even as a hidden link because `a` anchors with href aren't supposed to be hidden).
#
IWDiscordGateway
<corlaez> And with all my pages having a canonical I was wondering if the u-url could be assumed to be the canonical if present.
#
IWDiscordGateway
<corlaez> If there is no u-url and no canonical I guess we could fail the validation
#
IWDiscordGateway
<corlaez> (not even as a hidden link because `a` tags with href aren't supposed to be hidden)*
#
aaronpk
one problem with that is when you have multiple h-entries on a single page, any kind of list of posts
#
[snarfed]1
also we can easily think of examples where the u-url isn't actually canonical
#
[snarfed]1
eg all Mastodon POSSEd posts
#
aaronpk
oh yeah, i was assuming you meant canonical within the context of the site, but not actually what rel=canonical means
#
IWDiscordGateway
<corlaez> ah ok, I am not into POSSE that much but I see how taking that into consideration makes u-url a requirement. Ok thanks!
#
IWDiscordGateway
<corlaez> and multiple h-entries make sense too. I mean if I was publishing them together it may be my responsibility but if someone else is aggregating them the lack of u-url is problematic.
[marksuth], jacky and gxt joined the channel
#
[tantek]4
not sure if this is worth adding to our /privacy page but perhaps for consideration (interesting chart for those that run websites that may retain information from others, e.g. caching data from webmentions) https://twitter.com/jtrevorhughes/status/1571952116733825025
#
@jtrevorhughes
Hey #privacy folk: PRINT THIS CHART. The uncertainty around the #ADPPA means that many -- MANY -- state privacy laws will likely come into force. We have a busy year ahead. https://pbs.twimg.com/media/FdCyFNmXkAAE51I.jpg
(twitter.com/_/status/1571952116733825025)
jacky joined the channel
#
[schmarty]
twitterlinks--
#
Loqi
twitterlinks has -1 karma over the last year
jacky and gxt joined the channel
#
[schmarty]
barnaby: seems like the migration script worked fine btw. i've just updated to 0.2.0 and i'll let you know if anything blows up when i next post (which is: whenever)
#
[schmarty]
one thing that is still a bit of a struggle is Owncast's indieauth client integration which provides a path-less URL and taproot still rejects this. give it a shot if you have a test site set up. it's authentication-only: https://watch.owncast.online/
#
barnaby
[schmarty] thanks! I’ll release a new version with the script in then
#
barnaby
re the owncast thing, I’m still waiting on clarification for how to handle the normalizations https://github.com/Taproot/indieauth/issues/12
#
Loqi
[martymcguire] #12 Normalize client_Id
#
barnaby
the client_id and redirect_uri comparisons are an important part of the spec so I don’t want to make changes to them until it’s at least unofficially official
#
barnaby
and ideally I’d wait until the spec is updated, then change the library based on that
jacky and gRegor joined the channel
#
gRegor
aaronpk, did you ever hear back on that OAuth vulnerability article from Detectify?
#
aaronpk
oh shoot, that was on me to send him some corrections, which I promptly forgot about
#
[schmarty]
thanks barnaby. i left my unsolicited 0.02¢ in the PR. i believe it's important to always be consistent but don't particularly think there's a risk from storing/comparing the normalized version only.
#
[schmarty]
that said, i also think it's fine to only compare and store the non-normalized version and treat it as an opaque string until it is to be "used" either to validate it or fetch it and only normalize it at those times.
#
barnaby
that’s probably the case, but it also sounds like exactly the kind of thing which accidentally causes some obscure vulnerability, so I wanted to get some additional opinions about it
#
barnaby
yeah lazy normalization could be a good approach too
#
barnaby
it wouldn’t introduce too much additional complexity either, which I definitely want to avoid when it’s not mandated by the spec
tetov-irc, jacky, geoffo and neceve joined the channel