#prologic I'm not sure I can trust ActivityPub (the protocol) at this point?
#sknebel what do you mean by "trust"? it's an HTTP endpoint, of course everybody can send whatever they want, it's on the server to verify that it wants to do something with what it gets sent
#sknebel a protocol can't prevent people trying to send you stuff you don't want
#prologic That's why I asked about recommendations
#sknebel as I understand it there's two parts: a) verifying that whoever sent something is actually a legitimate sender - that's the signatures part
#prologic And more to the point ... How is it even possible to receive activities from actors never interacted with before? 😳
#sknebel and b) deciding if and how it fits in what your server knows or wants to know
#sknebel e.g. if someone replies to a post on your server, your server might not have ever known about them before
#sknebel but it's still something it is probably interested in
#prologic Yeah where b) could be: does anyone here actually follow this actor?
#sknebel right, that's a case where the server would know about them already
strugee joined the channel
#prologic What other legitimate case might there be?
#sknebel reply to someone on the server. there might be some implementations that push out comments a post receives to all followers of the original poster (I don't think most do, but it'd have a use case to provide a more complete view of threads everywhere)
#sknebel (i.e. it not doing so is a regularly voiced criticism of mastodon :D)
#sknebel AP relays do it by design, although they are something your server is supposed to have signed up for
#sknebel or 2 could boost the post, and then 3 could be any follower of 2, on any server
#prologic Ahh yes in Yarn.social we do this too somewhat
#prologic but only really for root twts (the root of a thread)
#prologic But for me that would not warrant accepting activities from AP in that case
#sknebel or if A shows posts publicly anyone could just randomly find it on the web, decide to reply and do so (e.g. in mastodon you can put a post URL in the search UI and it'll try to fetch it as an AP post, if it can it lets you interact with it)
#prologic So... back to my other concern I have (https://twtxt.net/twt/sxpknnq) how would this have happened in the first place?
#Loqi [preview] [prologic] ↳ In-reply-to » @prologic It seems to me this distinction is pedantic and mostly at the server level. I have a mastodon account and I have no impression that I am being forced to read things I don't want to read. I follow the people I want to foll...
#prologic I don't understand how an actor on a server starts sending activities where no-one on my server has ever interacted or followed before
#prologic Oooh, is that a bug in our Open Graph tags or a bug in Loqi? :D
#sknebel that could be something like from above "there might be some implementations that push out comments a post receives to all followers of the original poster (I don't think most do, but it'd have a use case to provide a more complete view of threads everywhere)"
#sknebel I didn't think mastodon did that, but maybe it does
#sknebel or maybe someone is just randomly doing that to see what happens :D
#sknebel although I guess if it passed signature check that's unlikely
#Soni <Soni> uh we don't think there is a best approach. something like cehttps/content-enabled http makes more sense from a "what's a protocol" point of view, but it does lack this... uh, well, we can't easily push it on browser developers like we can with fedicraft.
#Soni <Soni> just a bunch of tradeoffs and an increasingly user-hostile platform
#Soni <Soni> for what it's worth, something like https://modrinth.com/mod/fedicraft can be done entirely without browser support, as we currently do, which enables us to push it on browser developers. however, it requires website support instead. it also might not be the best approach.
#Soni (this got swallowed from the logs due to a netsplit)
#Soni <Soni> we wish we could have (more/better) cross-app interactions :<
#Soni browser devs don't trust users with privacy-preserving cross-app interactions, they think any cross-app interactions are too dangerous yet it's fine to do it using a centralized service instead
#[aciccarello] I'm not sure I'm on board with the solution described on fedi-to.net but the problem space seems interesting
#[aciccarello] Like, I think it'd be cool if we didn't need to stay within the feed but could still like/comment/share from the browser. That's what's cool to me about the indieweb and tools like omnibear.
#aaronpk https://fedidocs.org/ Possibly interesting to those who have attempted to interop with other ActivityPub software
ross[m]123, benatkin, micheledm[m], starrwulfe[m], Gorro_Rojo[m], geoffo, vladimyr, cambridgeport90[, jbrr[m], cellular and [jamietanna] joined the channel
#Soni [aciccarello]: tools like that seem to train the user to give their interests away to other websites. which is extremely phishable. just give the user a plausible-looking phishing page that looks exactly like what they'd see with such a tool and they'll happily just give away all of that info without knowing any better.
#Soni but opening the user's instance is phishing-proof
#Soni also avoids any issues related to theming, as the user gets their own theme instead of some whacko theme or a different language entirely even
[schmarty] joined the channel
#[KevinMarks] Well, it can be a little confusing if they primarily use an app to interact with their own instance
#[pfefferle] Is it possible to simply work with the access and refresh token
#aaronpk in theory you should be able to use the refresh token to get a new access token. i haven't actually tried that yet or seen whether logging in on the phone revokes that refresh token too
#[pfefferle] I tried to re-use the access token from my first api call experiments, following your post to change the handle and that seemed to be revoked
#[pfefferle] Then I will try to find out how to refresh a token, so that I only need username and password for the first call and do not have to persist them
chee joined the channel
#[pfefferle] Just read your post about Bluesky and authentication! [aaronpk]++
#Loqi [aaronpk] has 31 karma in this channel over the last year (89 in all channels)
GWG and geoffo joined the channel
#[pfefferle] [aaronpk] you have to really "upload" images before embedding them? that's nuts!
#aaronpk nah it's reasonable, same as twitter, and micropub's media endpoint, and frankly wordpress too
#[pfefferle] Ah, I see... can't compare it with ActivityPub, because it is not about federation, but crossposting! my mistake!