#dev 2023-03-12

2023-03-12 UTC
#
prologic
Q: Is there anything stopping an actor from sending activities to your inbox? at a server/protocol level?
#
prologic
I don't recall reading anything in the specs or recommendations
#
prologic
I'm not sure I can trust Activity Pub (the protocol) at this point?
#
sknebel
what do you mean by "trust"? it's an HTTP endpoint, of course everybody can send whatever they want, it's on the server to verify that it wants to do something with what it gets sent
#
sknebel
a protocol can't prevent people trying to send you stuff you don't want
#
prologic
That's why I asked about recommendations 😆
#
sknebel
as I understand it there's two parts: a) verifying that whoever sent something is actually a legitimate sender - that's the signatures part
#
prologic
And more to the point ... How is it even possible to receive activities from actors never interacted with before? 😳
#
sknebel
and b) deciding if and how it fits in what your server knows or wants to know
#
sknebel
e.g. if someone replies to a post on your server, your server might not have ever known about them before
#
sknebel
but it's still something it is probably interested in
#
prologic
Yeah where b) could be: does anyone here actually follow this actor?
#
sknebel
right, that's a case where the server would know about them already
strugee joined the channel
#
prologic
What other legitimate case might there be?
#
sknebel
reply to someone on the server. there might be some implementations that push out comments a post receives to all followers of the original poster (I don't think most do, but it'd have a use case to provide a more complete view of threads everywhere)
#
sknebel
(i.e. it not doing so is a regularly voiced criticism of mastodon :D)
#
sknebel
AP relays do it by design, although they are something your server is supposed to have signed up for
#
prologic
sorry I'm a bit confused
#
prologic
how would I reply to someone on my server the server has never seen before?
#
sknebel
user 1 on server A has a follower 2 on server B.
#
sknebel
1 posts -> A sends post to B (so that 2 sees the post)
#
sknebel
if the post is public and B is e.g. mastodon, then B will also show the post on the global timeline
#
sknebel
user 3, also on server B, could see it in the global timeline and reply to the post
#
sknebel
despite A not knowing that 3 exists
#
sknebel
or 2 could boost the post, and then 3 could be any follower of 2, on any server
#
prologic
Ahh yes in Yarn.social we do this too somewhat
#
prologic
but only really for root twts (the root of a thread)
#
prologic
But for me that would not warrant accepting activities from AP in that case
#
sknebel
or if A shows posts publicly anyone could just randomly find it on the web, decide to reply and do so (e.g. in mastodon you can put a post URL in the search UI and it'll try to fetch it as an AP post, if it can it lets you interact with it)
#
prologic
I see
#
prologic
So... back to my other concern I have (https://twtxt.net/twt/sxpknnq) how would this have happened in the first place?
#
Loqi
[preview] [prologic] ↳ In-reply-to » @prologic It seems to me this distinction is pedantic and mostly at the server level. I have a mastodon account and I have no impression that I am being forced to read things I don't want to read. I follow the people I want to foll...
#
prologic
I don't understand how an actor on a server starts sending activities where no-one on my server has ever interacted or followed before
#
prologic
Oooh, is that a bug in our Open Graph tags or a bug in Loqi ? :D
#
sknebel
that could be something like from above "there might be some implementations that push out comments a post receives to all followers of the original poster (I don't think most do, but it'd have a use case to provide a more complete view of threads everywhere)"
#
sknebel
I didn't think mastodon did that, but maybe it does
#
sknebel
or maybe someone is just randomly doing that to see what happens :D
#
sknebel
although I guess if it passed signature check that's unlikely
#
prologic
Hmm interesting
geoffo joined the channel
#
Soni
we wish we could have (more/better) cross-app interactions :<
#
Soni
(well, we suppose we can have it... we just need there to be interest. and we feel like there's not actually as much as we thought there was.)
#
prologic
Soni what's this in context of?
[aciccarello] joined the channel
#
Soni
<Soni> uh we don't think there is a best approach. something like cehttps/content-enabled http makes more sense from a "what's a protocol" point of view, but it does lack this... uh, well, we can't easily push it on browser developers like we can with fedicraft.
#
Soni
<Soni> just a bunch of tradeoffs and an increasingly user-hostile platform
#
Soni
<Soni> for what it's worth, something like https://modrinth.com/mod/fedicraft can be done entirely without browser support, as we currently do, which enables us to push it on browser developers. however, it requires website support instead. it also might not be the best approach.
#
Soni
(this got swallowed from the logs due to a netsplit)
#
prologic
Hmmm
#
prologic
I have no idea what you're talking about, so all good :)
#
Soni
:(
#
Soni
the web is an increasingly user-hostile platform, we don't know how y'all manage to not lose your minds
#
prologic
Oh if that's the topic of discussion I completely agree
#
Soni
no but it's related
#
Soni
<Soni> we wish we could have (more/better) cross-app interactions :<
#
Soni
browser devs don't trust users with privacy-preserving cross-app interactions, they think any cross-app interactions are too dangerous yet it's fine to do it using a centralized service instead
#
prologic
I see
#
Soni
we also have this rant about how fedi is bleeding users we guess https://fedi-to.net/
#
Soni
but we digress
#
Soni
we should probably go sleep, trans rights o/
#
[aciccarello]
I'm not sure I'm onboard with the solution described on fedi-to.net but the problem space seems interesting
#
[aciccarello]
Like, I think it'd be cool if we didn't need to stay within the feed but could still like/comment/share from the browser. That's what's cool to me about the indieweb and tools like omnibear.
#
[snarfed]
omnibear++
#
Loqi
omnibear has 1 karma over the last year
#
aaronpk
https://fedidocs.org/ Possibly interesting to those who have attempted to interop with other ActivityPub software
#
Soni
[aciccarello]: tools like that seem to train the user to give their interests away to other websites. which is extremely phishable. just give the user a plausible-looking phishing page that looks exactly like what they'd see with such a tool and they'll happily just give away all of that info without knowing any better.
#
Soni
but opening the user's instance is phishing-proof
#
Soni
also avoids any issues related to theming, as the user gets their own theme instead of some whacko theme or a different language entirely even
[schmarty] joined the channel
#
[KevinMarks]
Well, it can be a little confusing if they primarily use an app to interact with their own instance
#
prologic
Just released v0.1.0 of my static site generator zs: https://twtxt.net/twt/vcxsi3q
#
Loqi
[preview] [prologic] 🎉 NEW: zs v0.1.0 zs is an extremely minimal static site generator written in Go
#
prologic
Loqi ++
#
Loqi
Loqi has 5 karma in this channel over the last year (23 in all channels)
#
[felix_wenzel73]
↩️ For future reference: `<p class="p-bridgy-twitter-content">Whatever you would like to say in the tweet goes here.</p>`
jonnybarnes joined the channel
#
[felix_wenzel73]
↩️ My template allows me to hide this, so that it's not showing in the post, only on Twitter when posting via brid.gy
#
[felix_wenzel73]
↩️ .p-bridgy-twitter-content {
#
[felix_wenzel73]
display: none;
#
[felix_wenzel73]
}
geoffo joined the channel
#
[tantek]
prologic++ congrats on the release!
#
Loqi
prologic has 1 karma over the last year
geoffo joined the channel
#
[pfefferle]
[aaronpk] do you crosspost to bluesky via ATProtocol?
#
aaronpk
yeah, i built it into my site real quick the other day
#
[pfefferle]
do you have something on github?
#
aaronpk
no, it's just a post request really
#
aaronpk
i don't have photo support yet, that gets slightly more complicated. but the most helpful part was reading the atproto tests, not their docs
#
[pfefferle]
nice hack! 😉
#
[pfefferle]
thanks for the link!
#
[pfefferle]
That was really easy! Maybe I could build a simple WordPress plugin tomorrow!
#
aaronpk
sadly the password login is the only way it works now. they said they're planning on adding oauth support later
#
aaronpk
also i heard that only one device can be logged in to an account at the same time, so as soon as you post, your phone will get logged out 😂
#
[pfefferle]
😒 saving a plain text password in a WP table is not a very good idea
#
aaronpk
nope nope
#
[pfefferle]
Is it possible to simply work with the access and refresh token
#
aaronpk
in theory you should be able to use the refresh token to get a new access token. i haven't actually tried that yet or seen whether logging in on the phone revokes that refresh token too
#
[pfefferle]
I tried to re-use the access token from my first api call experiments, following your post to change the handle and that seemed to be revoked
#
[pfefferle]
I had to generate a new one
#
aaronpk
they only last like an hour i think
#
[pfefferle]
Then I will try to find out how to refresh a token, so that I only need username and password for the first call and do not have to persist them
chee joined the channel
#
[pfefferle]
Just read your post about Bluesky and authentication! [aaronpk]++
#
Loqi
[aaronpk] has 31 karma in this channel over the last year (89 in all channels)
GWG and geoffo joined the channel
#
[pfefferle]
[aaronpk] you have to really "upload" images before embedding them? that's nuts!
#
aaronpk
nah it's reasonable, same as twitter, and micropub's media endpoint, and frankly wordpress too
#
[pfefferle]
Ah, I see... can't compare it with ActivityPub, because it is not about federation, but crossposting! my mistake!
#
[pfefferle]
at least in this case
#
aaronpk
right, this is the client API. i have no idea what the federation API looks like
bterry and gRegor joined the channel