#dev 2023-02-17

2023-02-17 UTC
geoffo joined the channel
#
prologic
Does bridgy implicitly trust the user's website ?
#
[tantek]
what do you mean by "trust"?
bterry1 joined the channel
#
@amoration
RT @tantek.com@fed.brid.gy Nineteen years ago last Saturday, http://KevinMarks.com & I introduced¹ #microformats OReillyMedia ETech 2004, building on “semantic (x)html”. We’ve come a long way since, from methodologies to #microformats2, from publishing to peer-to-peer (1/27)
(twitter.com/_/status/1626398759033663489)
[tw2113_Slack_], IWSlackGateway, gRegor, [tantek], mro, superkuh, omz13 and mro_ joined the channel
#
prologic
Looks like Self URIs for AP required a HTTP Signature of some kind
#
prologic
hmm
mro joined the channel
#
prologic
bloody hell ActivityPub is complicated and hard to use
#
prologic
:/
lockywolf, jjuran, mro, geoffo and [snarfed] joined the channel
#
[snarfed]
inbox delivery POSTs generally require HTTP Signatures, yes, and some Mastodon instances also require them on object GETs
gxt and mro joined the channel
#
[snarfed]
btw prologic, noticed a minor typo, link to https://twtxt.nreadthedocs.org/ (note the n) on https://twtxt.net/about
#
[snarfed]
(I started to file a PR, but couldn't easily find whether/where that was in eg https://git.mills.io/yarnsocial/yarn )
[pfefferle], [KevinMarks], mro and [dave] joined the channel
#
[snarfed]
We need a days-since-web-actions-were-last-reinvented page: https://github.com/activitypub-schema/proposal/blob/main/PROPOSAL.md
[schmarty] joined the channel
#
[schmarty]
I'm always coping [with] URLs (typo in that GitHub summary)
#
[pfefferle]
sadly they limit it to activitypub... I would love to see web+follow, web+like, web+...
#
[snarfed]
pfefferle++
#
Loqi
pfefferle has 5 karma in this channel over the last year (21 in all channels)
[Tim_Nolte] and [aciccarello] joined the channel
#
[tantek]
[pfefferle]++
#
Loqi
[pfefferle] has 6 karma in this channel over the last year (22 in all channels)
#
[tantek]
though note that the design is very similar to web+action approach of IndieConfig https://indieweb.org/indie-config
#
[tantek]
[snarfed] do you have suggestions or ideas for how we could re-explore Web Actions and prototypes and iterate on the proposals / drafts?
#
[tantek]
I have a feeling the folks doing the reinventing have not heard of Web Actions or don't even know what to search for in order to find it
#
[snarfed]
no I don't, I'm not very close to that space
#
[snarfed]
I'd defer to you all
gRegor joined the channel
#
gRegor
FYI, if you use PHP package firebase/php-jwt < 6.0.0 there's a vulnerability https://github.com/advisories/GHSA-8xf4-w7qw-pjjw
#
gRegor
About a year old I guess, though I just got a dependabot notification about it
#
prologic
[snarfed] if it's the /about page, yeah it's in the yarn codebase
#
prologic
And thanks! 🙏
[asuh] joined the channel
#
prologic
That first request to an activitypub actor's rel=Self type=application/activity+json
#
prologic
What is that JSON document called?
#
Loqi
It looks like we don't have a page for "that JSON document called" yet. Would you like to create it? (Or just say "that JSON document called is ____", a sentence describing the term)
#
[snarfed]
it's just an AS2 object that happens to be an actor
#
[snarfed]
AS2 objects are generally expected to be fetchable at their id via HTTP/conneg and occasionally an HTTP Sig
#
prologic
right I'm having a lot of trouble with this
#
Loqi
[preview] [prologic] #1513 Should the application/activity+json Self document require a HTTP signature?
#
prologic
Looks like gotosocial instances are a bit more strict than some public mastodon instances :/
#
prologic
no idea atm how to construct the request properly (thought I'd figured it out, but still get a 401 Unauthorized from gotosocial instances)
#
[snarfed]
right, Mastodon and most AP implementations don't require HTTP Sigs for fetches by default
#
prologic
Oh is that what GtS stands for
#
prologic
ffs 3-letter words :( 🤦‍♂️
#
[snarfed]
if GTS does, it's in the minority
#
prologic
well fuck :)
#
Loqi
it'll be okay
#
[snarfed]
but you'll need to implement them to deliver to AP users' inboxes anyway
#
[snarfed]
Loqi++ 😆
#
Loqi
Loqi has 5 karma in this channel over the last year (27 in all channels)
#
prologic
So in any the Self A2S response needs to be an Actor right? Like https://pkg.go.dev/github.com/go-ap/activitypub#Actor ?
#
[snarfed]
yes, https://www.w3.org/TR/activitystreams-core/#actors , and its id should be the same URL that you're serving it on
#
prologic
well this is gonna get interesting :)
#
prologic
Any ideas what I'm doing wrong in my sample cli that attempts to send a signed req?
#
prologic
I really don't want to have to hack GTS's codebase to find out :)
#
[snarfed]
whee yeah http sig debugging is notoriously difficult
#
prologic
AFAIK it's just a RSA-SHA256 sig
#
[snarfed]
does the GTS response body say anything?
#
prologic
not really no
#
[snarfed]
yeah but constructing the plaintext is delicate. I'd recommend using a lib that takes your request, including headers etc, instead of rolling it yourself
#
prologic
that's what this fucking library was supposed to be doing lol :D
#
prologic
🤦‍♂️
#
[snarfed]
hah ok!
#
[snarfed]
easy on the language
#
[snarfed]
but agreed, sigs are definitely annoying!
#
prologic
You know... I have to say... ActivityPub is over-engineered and way too complicated for what it needs to be, and the Go libraries that exist are utter garbage :D
#
prologic
sorry :)
#
prologic
You should see the other Go lib
#
prologic
uggh, it's basically got the entire RDF for the JSON+LD streams auto-generated to Go
#
prologic
who knew the vocab was so large
#
prologic
:(
#
[snarfed]
ah, your keyId points to a plain text key. I think AP implementations generally expect to fetch an AS2 actor at that URL, and then extract publicKey.publicKeyPem (and check that publicKey.id matches)
#
prologic
Ahh!
#
prologic
I wish that was documented somewhere!
#
prologic
I might end up rewriting the indieweb wiki page on this if I succeed at this
#
[snarfed]
yeah sigs are famously underspecified in AP
#
prologic
with your help :)
#
prologic
it's kind of critical/key to the whole thing really
#
prologic
and yet, let's just leave the details out 🤦‍♂️
#
[snarfed]
also I won't apologize too much for AP, but it does try to do a substantial amount, and notably it's push, not pull, which needs more plumbing specified
#
[snarfed]
so it's understandable that it's bigger than eg twtxt
#
prologic
yeah
#
[snarfed]
also you probably need to include the Digest header in the sig
#
prologic
I might need to construct a temporary static web server for this
#
prologic
just to serve a static A2S
#
prologic
for testing
#
prologic
apparently the digest header is/can be nil if there is no body
#
prologic
hmm
#
[snarfed]
ah true. but the server may still check that the header list satisfies their req'ts
#
[snarfed]
I think eg Mastodon requires Digest, Host, Date, (request-target)
#
[tantek]
prologic, feel free to append your criticisms to /ActivityPub, there's a bunch there already and we eventually need to garden that page
#
prologic
yup
#
[snarfed]
sadly AP's push-with-fat-pings design does end up requiring some form of client auth like HTTP Sigs
#
prologic
I might open up a doc now and start taking some notes
#
prologic
it's also quite susceptible to self DDoS'ing too allegedly
#
[snarfed]
which highlights the nice simplicity of IndieWeb's thin ping model, where SSL certs are enough on their own
#
prologic
agreed
#
Loqi
[preview] [valentin2105] #4486 Mastodon can be used as a DDOS tool
#
prologic
Oh man
#
prologic
These keyID properties are literally not in the spec at all
#
prologic
🤦‍♂️
#
[snarfed]
right, underspecified
#
[snarfed]
actually I think those are in some AS2 extension, https://w3id.org/security/v1 ? not sure how that all connects
#
[snarfed]
notably https://docs.joinmastodon.org/spec/security/ if you haven't already read it
#
prologic
I haven't, no
#
prologic
I'm almost reverse engineering this :)
#
[snarfed]
you don't have to
#
[snarfed]
you may end up a bit for the last mile of interop, I did, but you don't have to reverse engineer the whole thing
#
prologic
anyway that page helps thanks!
#
[snarfed]
welcome!
#
prologic
Oh I asked this before but didn't see a response to this
#
prologic
Does bridgy implicitly trust the content from a user's site as-is?
#
prologic
I assume so
#
gRegor
prologic, afaik yes. If you have the redirects set up for the .well-known to BF and include a link to fed.brid.gy in the post and send a webmention, that's all that's needed to post or follow
#
gRegor
Without the redirects it wouldn't work
#
gRegor
I think the only thing behind authentication is if you use the dashboard option to follow accounts, which requires signing in with IndieAuth. I haven't tried that, I still post /follow posts from my site.
#
[snarfed]
yup, and that's beyond Bridgy [Fed]. trusting data authenticity/provenance fetched from a given domain over HTTP is a pretty central tenet for IndieWeb. in practice that means trusting DNS and SSL certs
#
prologic
yup
#
prologic
oh man I can see this thing requesting my static A2S actor JSON
#
prologic
but I still get a 401 Unauthorized
#
prologic
I'm testing to see if it's because it's not served as application/json
#
[snarfed]
application/activity+json
#
prologic
well I can't exactly do that :)
#
prologic
static site and all
#
prologic
let's see if it's really that finicky
#
prologic
bah
#
Loqi
[preview] James Mills
#
prologic
I wish it would tell me why it doesn't like it :)
#
[snarfed]
your publicKey.id may need to resolve to the same object, eg https://prologic.shortcircuit.net.au/@prologic
#
[snarfed]
AP implementations often use a fragment to distinguish it but serve the same object over HTTP, eg https://prologic.shortcircuit.net.au/@prologic#main-key
#
[snarfed]
also are you using that as the keyId in your sig?
#
[snarfed]
er sorry, to clarify, publicKey.id and signature keyId need to be the same, and id and publicKey.owner probably need to be the same, and all four probably need to resolve to the same object over HTTP
gxt joined the channel
#
prologic
hmmm
[jeremycherfas] joined the channel
#
[0x3b0b]
<[snarfed]> "if GTS does, it's in the..." <- If I'm remembering correctly, it does, it is, and that's one of their deliberate changes, along with being one of the server implementations that support "local only" posts ("don't federate this," essentially, as I understand it).
#
[0x3b0b]
I went looking into those at one point a little while back in one of my abandoned attempts to figure out how to set some of my posts not to federate...but still to be publicly accessible.
#
Loqi
[preview] [tsmethurst] > Should the application/activity+json Self document require a HTTP signature? Yes, this is one of the core values of GtS: http signatures required by default. It's one component in our approach to protecting users from scraping, and enforcing str...
#
[0x3b0b]
The beginning of this story is I had noticed that microblog.pub rendered the post I'm replying to, when viewing the permalink of one of my notes that is an ActivityPub reply, in a div with the classes u-comment h-cite. I thought that seemed incorrect for a reply context so I modified it to render u-in-reply-to instead of u-comment. I have since concluded that the reason it was rendered that way to begin with is because it's the
#
[0x3b0b]
same rendering that's used for displaying replies to my note as comments. My tentative conclusion is that the more correct way to handle it would be to have that rendering block recognize whether it is up-thread or down-thread of the note that the permalink is for, and render with u-in-reply-to or u-comment respectively; and that until I figure out how to do that, u-in-reply-to is probably better because the most likely
#
[0x3b0b]
consumer of that markup is the recipient of a webmention sent at the time I posted the note, at which point the things I'm replying to obviously exist already, but it's unlikely that any comments replying to me already exist to be rendered wrong. Therefore, until I can do better, I am better served to leave my change in place than to roll it back. Does that seem sensible? Did I even articulate it comprehensibly?
#
[snarfed]
also I doubt many or any mf2 consumers currently do anything with the text contents (apart from the URLs) of either u-in-reply-to or u-comment, so don't stress too much
#
[tantek]
prologic, since you’re working on ActivityPub PUSH support, did you already add support for WebSub PUSH?
AramZS and [tw2113_Slack_] joined the channel