#dev 2023-03-29

2023-03-29 UTC
lagash, sebbu2 and gRegor joined the channel
#
benatkin
I use srcdoc. srcdoc works with the combination of offline and sandboxing without allow-same-origin, that's why I'm using it, and it works pretty well.
#
benatkin
but there's something new coming that will allow me to keep allow-same-origin - credentialless - but it's Chromium-based-only and nonstandard currently https://developer.mozilla.org/en-US/docs/Web/Security/IFrame_credentialless
#
benatkin
I dunno if offline is off-topic for indieweb...
#
benatkin
I guess it depends on if I have any application of it
#
Loqi
[preview] [mikewest] #582 "credentialless" embedder policy.
lagash and bterry joined the channel
#
[tantek]
what is offline
#
Loqi
offline is anytime you're not online and connected to the internet; on the IndieWeb, a personal site can have offline support by implementing an offline first approach https://indieweb.org/offline
lagash, [jeremycherfas] and [pfefferle] joined the channel
#
IWDiscordRelay
<c​apjamesg#4492> How can I join the SWICG meeting today?
#
IWDiscordRelay
<c​apjamesg#4492> It looks like there was a bit of a conflict over the venue.
gRegor, lagash, lagash-, geoffo and IWSlackGateway joined the channel
#
IWDiscordRelay
<c​apjamesg#4492> It looks like I'll be skipping that meeting. It conflicts with London / Europe HWC.
[tantek] joined the channel
#
[tantek]
capjamesg, I saw Gregor updated the IndieWeb event for the meeting
lagash joined the channel
#
Loqi
Social Web Incubation Community Group informal meeting 2023-03-29 10am PDT per https://lists.w3.org/Archives/Public/public-swicg/2023Mar/0124.html
#
Loqi
Countdown set by [tantek] on 2023-03-23 at 5:45pm PDT
#
[tantek]
Weird conflict/drama. W3C groups regularly use zoom
#
[tantek]
Tbh I’m ok with folks that are that argumentative opting out. That's a feature not a bug
#
[tantek]
My experience in web standards / collaboration is that's the most efficient (least community labor) way to help sustain a more positive community. See the reading / citations here for more: https://microformats.org/wiki/mailing-lists#Why_to_avoid_negative_behaviors
lagash, [snarfed] and [dave] joined the channel
#
prologic
This is pretty cool :D https://zs.mills.io/#we-can-even-do-slides
lagash joined the channel
#
IWDiscordRelay
<c​apjamesg#4492> [tantek] Yeah. Weird indeed
lagash, [pfefferle] and [manton] joined the channel
#
[manton]
[snarfed] Great demo at FediForum. 👍
#
[snarfed]
thanks [manton]!
lagash, gRegor, [tw2113_Slack_], [KevinMarks], [schmarty] and bkil joined the channel
#
[tantek]
[snarfed]++ thanks for helping bridge communities, you're always so good at that. you too [manton]++
#
Loqi
[snarfed] has 84 karma in this channel over the last year (130 in all channels)
#
Loqi
[manton] has 23 karma in this channel over the last year (39 in all channels)
#
[snarfed]
aww thanks! looking forward to [manton]'s demo tomorrow!
#
[pfefferle]
[snarfed]++ [manton]++
#
Loqi
[manton] has 24 karma in this channel over the last year (40 in all channels)
#
Loqi
[snarfed] has 85 karma in this channel over the last year (131 in all channels)
geoffo joined the channel
#
[manton]
Thanks for chairing that session [tantek]. Seemed like a great start to making some progress.
#
[manton]
I would love to see more Mastodon API clients move to Micropub + Microsub, although I’m not sure I articulated that well. Also not sure if that is realistic given the widespread use of the Mastodon API.
#
[manton]
I’m more confident about a minimal profile for ActivityPub server to server, though. Seems like there was good consensus on the need for it.
#
[pfefferle]
[manton] Is it possible to send activities like "follow, unfollow, ..." via Micropub?
lagash joined the channel
#
[snarfed]
[pfefferle] yes with the right mf2, eg u-follow-of
#
[snarfed]
tantek++
#
Loqi
tantek has 27 karma in this channel over the last year (86 in all channels)
#
[tantek]
[pfefferle], [snarfed] is being humble, you can even send activities like "follow, unfollow, ..." via BridgyFed by posting a /follow or /unfollow post with microformats on your blog and sending a Webmention
#
[pfefferle]
I think I have to dig into Microsub a bit, which seems to be the "following" list provider then?!?
#
[pfefferle]
so micropub+microsub == C2S && ActivityPub/Webmentions == S2S
[jacky] joined the channel
#
[jacky]
tbh yeah in a way
lagash joined the channel
#
[KevinMarks]
Also websub is s2s
#
[KevinMarks]
Also I think the "mastodon could force us to change things" is overstated, given that a) mastodon does respond to github issues often and b) they did the work to adopt AP s2s in the first place.
#
[pfefferle]
I see it similarly... if mastodon is the biggest player and produces working code, why not adopt it... working code over spec 😉
#
[tantek]
Sure, I would presume good faith on behalf of Mastodon implementers with respect to open standards.
#
[KevinMarks]
Eugen managed to implement Salmon, for goodness sake
#
[KevinMarks]
So you know that pain first hand
#
[KevinMarks]
I do think if we can document the odd chatty deletes etc as github issues mastodon could take that on board
#
[manton]
[pfefferle] Yeah, I think actions like follow, unfollow, download a timeline feed, etc. are best handled by Microsub. Micropub can be just for the posting side of things, creating new posts, bookmarking, etc.
#
[manton]
One concern I have with everyone adopting the Mastodon API is that it may lead to servers and clients not being able to differentiate much. I expect most Mastodon clients assume that the full API is available. But maybe my server platform doesn’t have exactly the same features, so I want clients to be able to gracefully adapt to what is available.
#
[pfefferle]
true! and an interesting idea!
#
[pfefferle]
now that I may be able to work full time on ActivityPub, maybe I can run some experiments here.
#
[manton]
Awesome! Congrats by the way on the progress with the WordPress plug-in and Automattic.
#
[pfefferle]
thanks a lot 🙂
#
[KevinMarks]
I do feel we need a bit of a whatwg approach here - document what the various implementations actually do, and work out where they vary.
#
[KevinMarks]
The mastodon c2s api reminds me of the twitter api when al3x was running it - they would change the api first, document that, then update their own clients, so 3rd party ones could keep up
lagash and geoffo joined the channel
#
[schmarty]
ahahaha whatttt
#
Loqi
[schmarty]: lol
#
[schmarty]
a very bold way of reinventing `<meta name="twitter:card" content="...">`
lagash joined the channel
#
[snarfed]
^ wow cohost went so far as to serve its posts as valid AS2
#
[schmarty]
i wonder if they have tests for that internally so those sidefiles don't break over time 😅
#
[snarfed]
looks like it's not full AP though, eg they're not serving AS2 actors or webfinger
#
[tantek]
neither AP nor AS2 needs webfinger--
#
Loqi
webfinger has -4 karma in this channel over the last year (-5 in all channels)
#
[schmarty]
i'm not thrilled about this "promise a rel-alternate for activitypub json to get a better iMessage preview" hack propagating!
lagash joined the channel
#
[snarfed]
Sure, s/full AP/full fediverse/
#
epoch
I've been working on some activity pub software, and I noticed some servers won't let me request actor objects unless the request has an http signature.
#
epoch
does anyone know how two of those servers trying to talk to each other ever actually start talking?
[James_Van_Dyne] and lagash joined the channel
#
aaronpk
You don't need a preexisting relationship to send a signed request
lagash joined the channel
#
epoch
but I'll send the signed request
#
epoch
then they want to verify it
#
epoch
so they ask me for my public key... in my actor object
#
epoch
and I require signed requests too
#
epoch
so, before I respond with my key, I try to verify their signed request
#
epoch
by asking them for the actor that signed it...
#
epoch
with a signed request, that they then try to verify, by getting my key again...
#
epoch
nobody wants to be the first to give up the public key
#
epoch
will one of them eventually just reply without actually doing a signature verification first?
#
aaronpk
The public key is just at a URL I thought
#
[snarfed]
for http sigs it's inside an AS2 actor object
#
[snarfed]
that circular dependency is an interesting point. I wonder why I've never hit it
#
aaronpk
seems like you won't hit it when delivering activities since you're sending the actor object in that payload
#
aaronpk
but for plain GET requests...
#
[snarfed]
afaik it's more common for activities to have string actor ids than complete objects
#
[snarfed]
definitely rare to have an actor object with public key inside
#
aaronpk
why haven't I hit this before either then
#
[snarfed]
epoch are you seeing this problem in practice? or just wondering about it?
#
epoch
I figure I'd start seeing if I enabled signature verification for my own actor objects to be pulled.
#
epoch
guess I'll try it out and see if I cause a loop with other servers.
#
[snarfed]
ok. oddly in practice it sounds like this problem doesn't happen, even though theoretically it should
#
epoch
I figure the first request eventually times out
#
epoch
and then the rest get cleaned up
#
epoch
and nobody notices the silence
#
[snarfed]
also aaronpk re actor string ids vs objects, BF sending actor objects has been the main cause of interop failing with other implementations, many of them assume string id actors and choke on objects
#
sknebel
I suspect they use the instance actor, and fetching that doesn't require a signed request?
#
sknebel
but that's a guess
#
[snarfed]
sknebel what's an instance actor? I mean I can imagine, but I've never heard of it
#
sknebel
<instancedomain>@<instancedomain>, gets used as a general representation of the instance
#
[snarfed]
fascinating, news to me
#
sknebel
and used to make actions that aren't tied to a user
#
[snarfed]
oh man they use the same @[domain]@[domain] naming scheme as Bridgy Fed 😐
#
[KevinMarks]
So you sign it as root? How do you get the root key though?
#
[snarfed]
exactly 😁 hence this still-open issue https://github.com/mastodon/mastodon/issues/10486
#
[snarfed]
entertaining set of usual suspect options there, including hard-coded URL paths that aren't under .well-known 😆