#dev 2022-10-27

2022-10-27 UTC
#
gRegor Running post-process.php appears to be it. I think a composer script will work, with `post-install-cmd`: https://getcomposer.org/doc/articles/scripts.md
#
gRegor Or just make sure to run post-process.php and commit the final cassis.php before each new release.
#
[tantek] it's been long enough that if you wanted to file a PR with one you just generated, that would be fine for now (especially since it addresses a PHP8 issue)
geoffo joined the channel
#
aaronpk you should be able to use github actions to completely automate the release including running that script now
#
Loqi yea
jacky joined the channel
#
gRegor sweet
jacky, rhiaro_, [manton], lagash, dckc, [jgmac1106], [pfefferle], jonnybarnes, jbove, lanodan, rrix, kushal, [cowglow], geoffo, mro, [jeremycherfas], gRegorLove_, gRegor, barnaby and jjuran joined the channel; jacky left the channel
#
@IamSchulz ↩️ Got RSS and Webmentions? (twitter.com/_/status/1585552127417540608)
barnaby joined the channel
#
capjamesg [James_Van_Dyne] angelo Please review this PR: https://github.com/capjamesg/indieweb-utils/pull/88 I'll merge it when we're all happy.
#
Loqi [capjamesg] #88 Change license to 0 BSD (source code) and CC BY-SA 4.0 (documentation)
petermolnar and romzx joined the channel
#
barnaby indieauth question: what is the security advantage of short-lived access tokens plus refresh tokens when used by public clients (i.e. the request to redeem a refresh token is not required to be authenticated)?
#
barnaby surely it just transfers all the token leakage risk to the refresh token, and depending on how short-lived the access tokens are, a little-used client might end up making more refresh token exchange requests than API requests with the access token in
Seirdy, pmlnr and angelo_ joined the channel
#
Saphire barnaby: okay so when you have access tokens, you can limit them to something very short but usable, and allow your api stuff to not even need to check if it was revoked or not?
lanodan, gRegor, jacky and AramZS joined the channel
#
@DavidDarnes ↩️ …and I suppose with things like webmention you can interact somewhat (twitter.com/_/status/1585622095526076416)
jacky, geoffo and [Sam_Butler] joined the channel; romzx left the channel
#
[schmarty] GWG: i figured out how i have my emoji input set up on my laptop. it's the ibus-table-emoji package, which essentially creates an emoji "language". i switch between English (US) and Other (unimoji) with the key combo meta+space
#
[schmarty] (ugh that key is now either named after facebook if you call it the "Meta key" or after a microsoft product if you call it the "Windows key". is there another option?? lol)
#
vikanezrimaya [schmarty]: why was Meta even given the trademark? It's way too generic!
#
[schmarty] riiiiiiiiiight??
jacky joined the channel
#
jacky [schmarty]: I've used "super key"!
gRegorLove_ joined the channel
#
jacky this reminds me to eventually swap out my laptop keyboard with https://frame.work/products/input-cover-kit-clear?v=FRANFC000C so it's completely void
#
vikanezrimaya Also for me Meta is always Alt because I am an Emacs user, the forbidden logo key is Super
#
vikanezrimaya M-x butterfly RET
#
[schmarty] oh yeah i forgot about Super! i maybe thought that was _yet another key_
jacky joined the channel
#
vikanezrimaya [schmarty]: Hyper is _yet another key_ that is actually not present on modern keyboards for some reason. What a shame. So many cool combos could be made with yet another layer, as mechanical keyboard enthusiasts do it all the time
jonnybarnes joined the channel
#
capjamesg What is IPv4?
#
Loqi It looks like we don't have a page for "IPv4" yet. Would you like to create it? (Or just say "IPv4 is ____", a sentence describing the term)
#
capjamesg What is IPv6?
#
Loqi IPv6 is version 6 of the Internet Protocol https://indieweb.org/IPv6
#
capjamesg Is it okay to only offer your site over IPv6?
#
[tantek] Doesn't seem very spirit of the IndieWeb
#
[tantek] I'd guess that would cut out lots of less wealthy areas
#
[snarfed] reminds me of Zegnat's similarly stringent site(s), or rhiaro's stringent conneg
#
capjamesg My question was more about support for IPv6.
#
[snarfed] (which, of course, conneg--)
#
[snarfed] sure, but similar ideas in spirit
#
capjamesg [tantek] Can you elaborate?
#
capjamesg (I'm not as familiar with IPv6.)
#
[snarfed] their sites' config choices make them inaccessible to a sizeable chunk of users (and agents) that don't support them
#
[snarfed] IPv6-only would be the same
#
[tantek] HTTPS-only can also do that. It will cut-off some number of older devices
#
[snarfed] also iirc IPv6 adoption is largely ISP, telco, and region, and hasn't clearly correlated with income/wealth. much more by country, regional NIC, etc. https://www.potaroo.net/ has a number of good analyses
#
[snarfed] HTTPS-only, yes! way smaller impact size, but also similar in spirit
#
[tantek] huh that article needs some work
#
sknebel capjamesg: I'd set up a proxy somewhere that handles ipv4 if your Backend etc goes ipv6-only
#
sknebel There is plenty users for which ipv6 is the better experience, but that's far from universal and really only an argument to have both, not to drop v4
#
[snarfed] agreed. also reminds me of the debate over whether to serve both HTTPS and HTTP or redirect or only HTTPS
#
sknebel since there was some "why should websites bother with ipv6, cant people that want it use tunnels" recently when it came to e.g. Github not offering it: the case where IPv4 is worse are ISPs that run the customer-side entirely IPv6 and then translate it centrally to IPv4 for stuff thats needs it. and unsurprisingly central middleboxes like that are easily a bottleneck or broken in weird ways
#
sknebel and that tends to be new/quickly growing ISPs, especially mobile
#
[snarfed] true! somewhat surprisingly
#
sknebel where "new" is to be seen in contrast with large old telcos that have all the IPv4 space they need, back from the days they handed it out like candy
#
[snarfed] although in terms of user visible impact, I expect most other choices (asset size, JS, CDN, etc) have more of an effect than IPv4 vs v6, tunnels, etc. esp with happy eyeballs
#
sknebel so less a thing in the US, more places where internet came later
#
sknebel true. but large global sites should really have both, IPv6 is not *that* hard :D
#
sknebel which reminds me, I think I didnt set up ipv6 after moving to my current VPS
#
sknebel I should fix that
tbbrown joined the channel
#
[tantek] IPv6 << Blog that posts good analyses of IPv6: https://www.potaroo.net/ (feel free to find & add specific posts from that blog to this page)
#
Loqi ok, I added "Blog that posts good analyses of IPv6: https://www.potaroo.net/ (feel free to find & add specific posts from that blog to this page)" to a new "See Also" section of /IPv6 https://indieweb.org/wiki/index.php?diff=84038&oldid=84037
#
vikanezrimaya I personally do not have a reliable IPv6 connection (as my VPN which I use to escape government censorship doesnt support IPv6)
#
vikanezrimaya Additionally my ISP at home doesn't support static IPv6 allocations for some dumb reason
[jgarber] joined the channel
#
epoch I've been using a hurricane electric IPv6 tunnel for quite a while now.
#
epoch more stable address on it than what my ISP gives me.
#
tommorris copied over from #indieweb...
#
tommorris now passkeys are going mainstream (Safari support in iOS16 and the recently released macOS Ventura, Android support in beta), I'm curious how indieauth's gonna play with passkeys/webauthn. [[Web Authentication]] says "WebAuthn doesn't replace the need for IndieAuth" but how feasible is it for someone to use a passkey to login (e.g. on the indieweb wiki or elsewhere). it'd be nice to have a non-silo option for indieauth.
#
[schmarty] tommorris (from main #indieweb channel) i think my big hangup about webauthn is that it is still just an anonymous credential without some registration step that ties it to an identity.
#
[schmarty] so if you set up your own indieauth provider, you could do some kind of behind-the-scenes registration to associate your webauthn passkey
#
[schmarty] but there's no way to do the equivalent of a rel=me for webauthn because there's no identity there.
#
[schmarty] err, I guess I mean RelMeAuth rather than rel=me there.
#
[snarfed] sounds right. or, if you delegate your auth provider, you could set it up with that provider and associate it to your domain out of band
gRegorLove_ joined the channel
#
tommorris yeah, guess it's just a matter of implementing a little microservice. I guess I'll add it to my ever growing list of things I won't get around to :)
#
[snarfed] (btw tommorris indieauth has supported PGP, email, and other non-silo options for a while!)
#
[schmarty] i started down the road of playing with this on iOS but my iPhone SE2 only has the fingerprint reader, which i have never used before, and i absolutely failed to get it working with my fingers 😭
#
[snarfed] [schmarty] it's possible WebAuthN has a rel-me-able public key or other token style identity, like PGP. it'd likely be domain-specific, but could still be usable
#
[schmarty] snarfed: my understanding from reading about webauthn is that it generates keypairs that are unique per site that requests them.
#
[snarfed] right, hence "domain-specific" above
#
[snarfed] so you'd change the rel-me contents when you change indieauth providers
#
[snarfed] (again though, just speculation)
#
[schmarty] i think i see what you are saying. that is a kind of clever way to do registration, honestly.
#
[schmarty] it would let a single service support self-serve registration
#
aaronpk the "does webauthn replace oauth" section here also applies to indieauth https://oauth.net/webauthn/
#
[schmarty] aaronpk++
#
Loqi aaronpk has 32 karma in this channel over the last year (109 in all channels)
tbbrown joined the channel
#
[KevinMarks] https://tailscale.com/blog/ssh-console/
#
capjamesg "At Tailscale we believe the main reason for the slow IPv6 rollout is that it simply has not been able to provide enough direct value, when deployed as a hybrid in parallel with IPv4. The intention was to deploy IPv6, then retire IPv4 completely, in which case IPv6 would have made the Internet overall simpler and cheaper to manage, which is a big benefit."
#
capjamesg "Unfortunately, this value doesn’t materialize until the very end, after IPv6 has been fully deployed to billions of devices. This means companies usually will not recoup the costs of IPv6 deployment on a predictable timeline, which makes investment hard."
#
capjamesg ale.com/kb/1134/ipv6-faq/
#
capjamesg Eek.
#
capjamesg I meant https://tailscale.com/kb/1134/ipv6-faq/.
#
[tantek] add it to /IPv6 perhaps?
#
capjamesg Will do.
#
capjamesg What is IPv6?
#
Loqi IPv6 is version 6 of the Internet Protocol (this definition needs IndieWeb-specific relevance) https://indieweb.org/IPv6
#
capjamesg IndieWeb Utils is now licensed under 0 BSD: https://github.com/capjamesg/indieweb-utils
#
capjamesg (Docs are under CC BY-SA 4.0)
#
Loqi [capjamesg] indieweb-utils: Utilities to aid the implementation of various IndieWeb specifications and functionalities. Built with Python.
mro joined the channel
#
[tantek] 🎉 capjamesg++
#
Loqi capjamesg has 32 karma in this channel over the last year (96 in all channels)
[Murray] and jacky joined the channel
#
gRegor !tell [manton] FYI, found a broken m.b help link from the wiki: https://help.micro.blog/2018/instagram-import/
#
Loqi Ok, I'll tell them that when I see them next
[manton] joined the channel
#
[manton] gRegor: Thanks, fixed now.
jeremycherfas joined the channel
#
[aciccarello] Instagrams export content is a mess. I keep meaning to post the script I wrote to hack together some missing information.
jacky, AramZS, Seirdy and neceve_ joined the channel