#dev 2023-02-17
2023-02-17 UTC
geoffo joined the channel
# prologic Does bridgy implicitly trust the user's website?
bterry1 joined the channel
# @amoration RT @tantek.com@fed.brid.gy
Nineteen years ago last Saturday, http://KevinMarks.com & I introduced¹ #microformats OReillyMedia ETech 2004, building on “semantic (x)html”.
We’ve come a long way since, from methodologies to #microformats2, from publishing to peer-to-peer (1/27) (twitter.com/_/status/1626398759033663489)
[tw2113_Slack_], IWSlackGateway, gRegor, [tantek], mro, superkuh, omz13 and mro_ joined the channel
# prologic Looks like Self URIs for AP required an HTTP Signature of some kind
# prologic hmm
mro joined the channel
# prologic bloody hell ActivityPub is complicated and hard to use
# prologic :/
lockywolf, jjuran, mro, geoffo and [snarfed] joined the channel
gxt and mro joined the channel
# [snarfed] btw prologic, noticed a minor typo, link to https://twtxt.nreadthedocs.org/ (note the n) on https://twtxt.net/about
# [snarfed] (I started to file a PR, but couldn't easily find whether/where that was in eg https://git.mills.io/yarnsocial/yarn )
[pfefferle], [KevinMarks], mro and [dave] joined the channel
# [snarfed] We need a days-since-web-actions-were-last-reinvented page: https://github.com/activitypub-schema/proposal/blob/main/PROPOSAL.md
[schmarty] joined the channel
# [schmarty] I'm always coping [with] URLs (typo in that GitHub summary)
# [pfefferle] sadly they limit it to activitypub... I would love to see web+follow, web+like, web+...
[Tim_Nolte] and [aciccarello] joined the channel
# [tantek] though note that the design is very similar to web+action approach of IndieConfig https://indieweb.org/indie-config
gRegor joined the channel
# gRegor FYI, if you use PHP package firebase/php-jwt < 6.0.0 there's a vulnerability https://github.com/advisories/GHSA-8xf4-w7qw-pjjw
# prologic And thanks! 🙏
[asuh] joined the channel
# prologic That first request to an activitypub actor's rel=Self type=application/activity+json
# prologic What is that JSON document called?
# Loqi It looks like we don't have a page for "that JSON document called" yet. Would you like to create it? (Or just say "that JSON document called is ____", a sentence describing the term)
# prologic right I'm having a lot of trouble with this
# prologic As per https://github.com/superseriousbusiness/gotosocial/issues/1513 for example
# prologic Looks like gotosocial instances are a bit more strict than some public mastodon instances :/
# prologic no idea atm how to construct the request properly (thought I'd figured it out, but still get a 401 Unauthorized from gotosocial instances)
# prologic Oh is that what GtS stands for
# prologic ffs 3-letter words :( 🤦♂️
# prologic well fuck :)
# prologic So in any the Self A2S response needs to be an Actor right? Like https://pkg.go.dev/github.com/go-ap/activitypub#Actor ?
# [snarfed] yes, https://www.w3.org/TR/activitystreams-core/#actors , and its id should be the same URL that you're serving it on
# prologic well this is gonna get interesting :)
# prologic Any ideas what I'm doing wrong in my sample cli that attempts to send a signed req?
# prologic I really don't want to have to hack GTS's codebase to find out :)
# prologic AFAIK it's just an RSA-SHA256 sig
# prologic not really no
# prologic that's what this fucking library was supposed to be doing lol :D
# prologic 🤦♂️
# prologic You know... I have to say... ActivityPub is over-engineered and way too complicated for what it needs to be, and the Go libraries that exist are utter garbage :D
# prologic sorry :)
# prologic You should see the other Go lib
# prologic uggh, it's basically got the entire RDF for the JSON+LD streams auto-generated to Go
# prologic who knew the vocab was so large
# prologic :(
# prologic Ahh!
# prologic I wish that was documented somewhere!
# prologic I might end up rewriting the indieweb wiki page on this if I succeed at this
# prologic with your help :)
# prologic it's kind of critical/key to the whole thing really
# prologic and yet, let's just leave the details out 🤦♂️
# prologic yeah
# prologic I might need to construct a temporary static web server for this
# prologic just to serve a static A2S
# prologic for testing
# prologic apparently the digest header is/can be nil if there is no body
# prologic hmm
# [tantek] prologic, feel free to append your criticisms to /ActivityPub, there's a bunch there already and we eventually need to garden that page
# prologic yup
# prologic I might open up a doc now and start taking some notes
# prologic it's also quite susceptible to self DDoS'ing too allegedly
# prologic agreed
# [snarfed] yeah https://github.com/mastodon/mastodon/issues/4486 is well known
# prologic Oh man
# prologic These keyID properties are literally not in the spec at all
# prologic 🤦♂️
# [snarfed] actually I think those are in some AS2 extension, https://w3id.org/security/v1 ? not sure how that all connects
# [snarfed] notably https://docs.joinmastodon.org/spec/security/ if you haven't already read it
# prologic I haven't, no
# prologic I'm almost reverse engineering this :)
# prologic anyway that page helps thanks!
# prologic Oh I asked this before but didn't see a response to this
# prologic Does bridgy implicitly trust the content from a user's site as-is?
# prologic I assume so
# prologic yup
# prologic oh man I can see this thing requesting my static A2S actor JSON
# prologic but I still get a 401 Unauthorized
# prologic I'm testing to see if it's because it's not served as application/json
# prologic well I can't exactly do that :)
# prologic static site and all
# prologic let's see if it's really that finicky
# prologic bah
# prologic I wish it would tell me why it doesn't like it :)
# [snarfed] your publicKey.id may need to resolve to the same object, eg https://prologic.shortcircuit.net.au/@prologic
# [snarfed] AP implementations often use a fragment to distinguish it but serve the same object over HTTP, eg https://prologic.shortcircuit.net.au/@prologic#main-key
gxt joined the channel
# prologic hmmm
[jeremycherfas] joined the channel
# [0x3b0b] The beginning of this story is I had noticed that microblog.pub rendered the post I'm replying to, when viewing the permalink of one of my notes that is an ActivityPub reply, in a div with the classes u-comment h-cite. I thought that seemed incorrect for a reply context so I modified it to render u-in-reply-to instead of u-comment. I have since concluded that the reason it was rendered that way to begin with is because it's the
# [0x3b0b] same rendering that's used for displaying replies to my note as comments. My tentative conclusion is that the more correct way to handle it would be to have that rendering block recognize whether it is up-thread or down-thread of the note that the permalink is for, and render with u-in-reply-to or u-comment respectively; and that until I figure out how to do that, u-in-reply-to is probably better because the most likely
# [0x3b0b] consumer of that markup is the recipient of a webmention sent at the time I posted the note, at which point the things I'm replying to obviously exist already, but it's unlikely that any comments replying to me already exist to be rendered wrong. Therefore, until I can do better, I am better served to leave my change in place than to roll it back. Does that seem sensible? Did I even articulate it comprehensibly?
# [snarfed] that thinking sounds in line with https://indieweb.org/reply-context and https://indieweb.org/comments
AramZS and [tw2113_Slack_] joined the channel