#dev 2023-03-12

2023-03-12 UTC
#
prologic Q: Is there anything stopping an actor from sending activities to your inbox? at a server/protocol level?
#
prologic I don't recall reading anything in the specs ore recommendations
#
prologic See: https://twtxt.net/twt/sxpknnq
#
prologic I'm not sure I can trust Activity Pub (the protocol) at this point?
#
sknebel what do you mean by "trust"? its a HTTP endpoint, of course everybody can send whatever they want, its on the server to verify that it wants to do something with what it gets sent
#
sknebel a protocol can't prevent people trying to send you stuff you dont want
#
prologic That's why I asked about recommendations πŸ˜†
#
sknebel as I understand it theres two parts: a) verifying that whoever sent something is actually a legitimate sender - that's the signatures part
#
prologic And more to the point ... How is it even possible to receive activities from actors never interacted with before? 😳
#
sknebel and b) deciding if and how it fits in what your server knows or want to know
#
sknebel e.g. if someone replies to a post on your server, your server might not have ever known about them before
#
sknebel but its still something it is probably interested in
#
prologic Yeah where b) could be: does anyone here actually follow this actor?
#
sknebel right, thats a case where the server would know about them already
strugee joined the channel
#
prologic What other legitimate case might there be?
#
sknebel reply to someone on the server. there might be some implementations that push out comments a post receives to all followers of the original poster (I dont think most do, but it'd have a use case to provide a more complete view of threads everywhere)
#
sknebel (i.e. it not doing so is a regularly voiced criticism of mastodon :D)
#
sknebel AP relays do it by design, although they are something your server is supposed to have signed up for
#
prologic sorry I'm a bit confused
#
prologic how would I reply to someone on my server the server has never seen before?
#
sknebel user 1 on server A has a follower 2 on server B.
#
sknebel 1 posts -> A sends post to B (so that 2 sees the post)
#
sknebel if the post is public and B is e.g. mastodon, then B will also show the post on the global timeline
#
sknebel user 3, also on server B, could see it in the global timeline and reply to the post
#
sknebel despite A not knowing that 3 exists
#
sknebel or 2 could boost the post, and then 3 could be any follower of 2, on any server
#
prologic Ahh yes in Yarn.social we do this too somewhat
#
prologic but only relaly for root twts (the root of a thread)
#
prologic But for me that would not warrent accepting activities from AP in that case
#
sknebel or if A shows posts publicly anyone could just randomly find it on the web, decide to reply and do so (e.g. in mastodon you can put a post URL in the search UI and it'll try to fetch it as an AP post, if it can it lets you interact with it)
#
prologic I see
#
prologic So... back to my other concern I have (https://twtxt.net/twt/sxpknnq) how would this have happened in the first place?
#
Loqi [preview] [prologic] ↳ In-reply-to Β» @prologic It seems to me this distinction is pedantic and mostly at the server level. I have a mastodon account and I have no impression that I am being forced to read things I don't want to read. I follow the people I want to foll...
#
prologic I don't understand how an actor on a server starts sending activities where no-one on my server has ever interacted or followed before
#
prologic Oooh, is that a bug in our Open Graph tags or a bug in Loqi ? :D
#
sknebel that could be something like from above " there might be some implementations that push out comments a post receives to all followers of the original poster (I dont think most do, but it'd have a use case to provide a more complete view of threads everywhere)"
#
sknebel I didnt think mastodon did tht, but maybe it does
#
sknebel or maybe someone is just randomly doing that to see what happens :D
#
sknebel although I guess if it passed signature check thats unlikely
#
prologic Hmm interesting
geoffo joined the channel
#
Soni we wish we could have (more/better) cross-app interactions :<
#
Soni (well, we suppose we can have it... we just need there to be interest. and we feel like there's not actually as much as we thought there was.)
#
prologic Soni what't this in context of?
[aciccarello] joined the channel
#
Soni <Soni> uh we don't think there is a best approach. something like cehttps/content-enabled http makes more sense from a "what's a protocol" point of view, but it does lack this... uh, well, we can't easily push it on browser developers like we can with fedicraft.
#
Soni <Soni> just a bunch of tradeoffs and an increasingly user-hostile platform
#
Soni <Soni> for what it's worth, something like https://modrinth.com/mod/fedicraft can be done entirely without browser support, as we currently do, which enables us to push it on browser developers. however, it requires website support instead. it also might not be the best approach.
#
Soni (this got swallowed from the logs due to a netsplit)
#
Soni but this is what it spawned off of https://mailarchive.ietf.org/arch/msg/art/mSMesj-cPOSUavZ3-79JOcqyFXI/
#
prologic Hmmm
#
prologic I have no idea what you're talking about, so gll good :)
#
Soni :(
#
Soni the web is an increasingly user-hostile platform, we don't know how y'all manage to not lose your minds
#
prologic Oh if that's the topic of discussion I completely agree
#
Soni no but it's related
#
Soni <Soni> we wish we could have (more/better) cross-app interactions :<
#
Soni browser devs don't trust users with privacy-preserving cross-app interactions, they think any cross-app interactions are too dangerous yet it's fine to do it using a centralized service instead
#
prologic I see
#
Soni we also have this rant about how fedi is bleeding users we guess https://fedi-to.net/
#
Soni but we digress
#
Soni we should probably go sleep, trans rights o/
#
Loqi +1
#
[aciccarello] I'm not sure I'm onboard with the solution described on fedi-to.net but the problem space seems interesting
#
[aciccarello] Like, I think it'd be cool if we didn't need to stay within the feed but could still like/comment/share from the browser. That's what's cool to me about the indieweb and tools like omnibear.
Ruxton_, [snarfed], benji, jeremycherfas, bterry, gxt__, vilhalmer, angelo, tiim, jjuran, petermolnar, mouse[d], IWDiscordRelay, pmlnr1, micheledm[m], jbrr[m], jan6, totertats, omz13, joshproehl, JaeBeep[m], oxtyped, sivoais, saptaks, Kaja, M85CD[m], cambridgeport90[, chenghiz_, [0x3b0b], chee, voxpelli, willnorris, jbove, GWG, Seirdy_, starrwulfe[m], Zegnat, mcint, rrix, aaronpk, tommorris, sebsel, laker, Saphire, jonnybarnes_, BinarySavior, Gorro_Rojo[m], ross[m]123, rocto, kandr3s, oodani, Xe, benatkin, aynish, vladimyr, pharalia, prologic, lagash, cellular, oenone, rubenwardy, [tantek], [pfefferle] and [KevinMarks] joined the channel
#
[snarfed] omnibear++
#
Loqi omnibear has 1 karma over the last year
gxt__, voxpelli, jeremycherfas, willnorris, mcint, oodani, chenghiz_, laker, aaronpk, [snarfed], IWDiscordRelay, sivoais, Xe, prologic, lagash, jbove, Saphire, tommorris, chee, GWG, totertats, rubenwardy, jonnybarnes_, vilhalmer, angelo, jjuran, petermolnar, mouse[d], tiim, omz13, joshproehl, rocto, Kaja, saptaks, oxtyped, benji, bterry, jan6, pharalia, BinarySavior, M85CD[m], kandr3s, geoffo, Seirdy_, [0x3b0b], pmlnr1, aynish and JaeBeep[m] joined the channel
#
aaronpk https://fedidocs.org/ Possibly interesting to those who have attempted to interop with other ActivityPub software
ross[m]123, benatkin, micheledm[m], starrwulfe[m], Gorro_Rojo[m], geoffo, vladimyr, cambridgeport90[, jbrr[m], cellular and [jamietanna] joined the channel
#
Soni [aciccarello]: tools like that seem to train the user to give their interests away to other websites. which is extremely phishable. just give the user a plausible-looking phishing page that looks exactly like what they'd see with such a tool and they'll happily just give away all of that info without knowing any better.
#
Soni but opening the user's instance is phishing-proof
#
Soni also avoids any issues related to theming, as the user gets their own theme instead of some whacko theme or a different language entirely even
[schmarty] joined the channel
#
[KevinMarks] Well, it can be a little confusing if they primarily use an app to interact with their own instance
#
prologic Just released v0.1.0 of my static site generator zs: https://twtxt.net/twt/vcxsi3q
#
Loqi [preview] [prologic] πŸŽ‰ NEW: zs v0.1.0 zs is an extremely minimal static site generator written in Go
#
prologic Loqi ++
#
Loqi Loqi has 5 karma in this channel over the last year (23 in all channels)
[marksuth], jeremycherfas, aaronpk, [tantek]1, [schmarty], [pfefferle], [chrisbergr], [jamietanna], [KevinMarks], [aciccarello], [snarfed], bterry and [felix_wenzel73] joined the channel
#
[felix_wenzel73] ↩️ For future reference: `<p class="p-bridgy-twitter-content">Whatever you would like to say in the tweet goes here.</p>`
jonnybarnes joined the channel
#
[felix_wenzel73] ↩️ My template allows me to hide this, so that it’s not showing in the post, only on Twitter when posting via brid.gy
#
[felix_wenzel73] ↩️ .p-bridgy-twitter-content {
#
[felix_wenzel73] }
#
[felix_wenzel73] display: none;
geoffo joined the channel
#
[tantek] prologic++ congrats on the release!
#
Loqi prologic has 1 karma over the last year
geoffo joined the channel
#
[pfefferle] [aaronpk] do you crosspost to bluesky via ATProtocol?
#
aaronpk yeah, i built it into my site real quick the other day
#
[pfefferle] do you have something on github?
#
aaronpk no, it's just a post request really
#
aaronpk i don't have photo support yet, that gets slightly more complicated. but the most helpful part was reading the atproto tests, not their docs
#
aaronpk https://github.com/bluesky-social/atproto/blob/main/packages/pds/tests/crud.test.ts#L74
#
[pfefferle] nice hack! πŸ˜‰
#
[pfefferle] thanks for the link!
#
[pfefferle] That was really easy! Maybe I could build a simple WordPress plugin tomorrow!
#
aaronpk sadly the password login is the only way it works now. they said they're planning on adding oauth support later
#
aaronpk also i heard that only one device can be logged in to an account at the same time, so as soon as you post, your phone will get logged out πŸ˜‚
#
[pfefferle] 😒 saving a plain text password in a WP table is not a very good idea
#
aaronpk nope nope
#
[pfefferle] Is it possible to simply work with the access and refresh token
#
aaronpk in theory you sohuld be able to use the refresh token to get a new access token. i haven't actually tried that yet or seen whether logging in on the phone revokes that refresh token too
#
[pfefferle] I tried to re-use the access token from my first api call experiments, following your post to change the handle and that seemed to be revoked
#
[pfefferle] I had to generate a new one
#
aaronpk they only last like an hour i think
#
[pfefferle] Ok
#
[pfefferle] Then I will try to find out how to refresh a token, so that I only need username and password for the first call and do not have to persist them
chee joined the channel
#
[pfefferle] Just read you post about Bluesky and authentication! [aaronpk]++
#
Loqi [aaronpk] has 31 karma in this channel over the last year (89 in all channels)
GWG and geoffo joined the channel
#
[pfefferle] [aaronpk] you have to really "upload" images before embedding them? that's nuts!
#
aaronpk nah it's reasonable, same as twitter, and micropub's media endpoint, and frankly wordpress too
#
[pfefferle] Ah, I see... can't compare it with ActivityPub, because it is not about federation, but crossposting! my mistake!
#
[pfefferle] at least in this case
#
aaronpk right, this is the client API. i have no idea what the federation API looks like
bterry and gRegor joined the channel