#dev 2023-09-05

2023-09-05 UTC
rhiaro, btrem, IWDiscord, jonnybarnes, [jeremycherfas], lockywolf, BinarySavior, thenickname, [campegg] and barnaby joined the channel
#
barnaby
has anyone else ever encountered issues with shared web hosts restricting access to .well-known folders?
#
barnaby
I just ran into issues setting up nextcloud caldav and carddav on hostinger, because they don’t allow rewriterules or PHP files in .well-known for some reason. apparently it’s not uncommon for shared web hosts, but as usual it’s almost impossible to figure out which ones have this issue and which don’t
#
barnaby
if it’s widespread then it’s a huge argument against webfinger and any other protocols which rely on .well-known IMO. I’m surprised I haven’t seen it discussed anywhere before
#
[tantek]
I've heard about that Barnaby, thank you for documenting a specific example
#
barnaby
it looks like I can put static files in the root .well-known folder, but nothing else
#
[tantek]
We must keep documenting real world examples like this so we can keep pushing back at IETF and other places when people keep making up new .well-known things
#
[tantek]
.well-known--
#
[tantek]
well-known--
#
Loqi
well-known has -8 karma in this channel over the last year (-11 in all channels)
#
[tantek]
aaronpk probably has some insight as to the latest proposal to depend on well-known
#
[tantek]
Also at some point I want to escalate it to the W3C TAG and have them issue an architectural finding against .well-known.
#
[tantek]
Reminds of the folks who make up specs that depend on conneg--
#
Loqi
conneg has -24 karma in this channel over the last year (-31 in all channels)
#
[tantek]
It's like they just don't care about static sites or the wide variety of web hosting out there
#
barnaby
ugh this probably means I can’t use bridgy fed with my site either 😥
#
c​apjamesg
Why is .well-known adopted?
#
barnaby
I added instructions and a .htaccess code snippet for testing .well-known support on apache shared hosts. hopefully we can get some more data on this to a) help people choose web hosts and b) provide evidence that .well-known simply isn’t accessible for a large swath of web hosting companies
#
superkuh
Not that this fixes the issue, but maybe it's time for a VPS instead of shared hosting?
#
barnaby
superkuh: I moved away from a VPS after years of hassle, expense and admin tax. nobody should be required to manage a VPS in order to support webfinger
#
superkuh
nods.
#
superkuh
A legit viewpoint.
#
barnaby
(or zero-config CAL/CARDDAV setup, which is what I was actually trying to do when I found this limitation. fortunately there were workarounds for that — not so for webfinger afaik)
#
[tantek]
capjamesg because a small subset of outspoken people hate writing code to retrieve/parse HTML to do discovery
#
[tantek]
here's a recent example of this discovery debate: https://github.com/privacycg/proposals/issues/39
#
Loqi
[preview] [mikewest] #39 Privacy policy discovery.
#
[tantek]
capjamesg, aaronpk is probably more familiar with the actual arguments that folks at IETF etc. make to push for using .well-known because I'm sure he hears them all the time.
#
[tantek]
we need to clean up https://indieweb.org/.well-known into a crisp list of blocking issues
#
aaronpk
i've started to have good luck with the argument against .well-known that often times the root domain of a website is run by the marketing team at a company and isn't "owned" by the ops team that is providing whatever service is being discovered
#
[tantek]
aaronpk++
#
Loqi
aaronpk has 38 karma in this channel over the last year (99 in all channels)
#
[tantek]
.well-known << Marketing vs ops: another reason it is bad to depend on .well-known in practice: <blockquote>often times the root domain of a website is run by the marketing team at a company and isn't "owned" by the ops team that is providing whatever service is being discovered</blockquote>
#
Loqi
ok, I added "Marketing vs ops: another reason it is bad to depend on .well-known in practice: <blockquote>often times the root domain of a website is run by the marketing team at a company and isn't "owned" by the ops team that is providing whatever service is being discovered</blockquote>" to the "See Also" section of /.well-known https://indieweb.org/wiki/index.php?diff=89190&oldid=89189
#
barnaby
not usually an issue on indieweb sites, thankfully! but definitely worth documenting in a list of .well-known criticisms
#
[manton]
[snarfed] Just linked to your blog post, but just an extra shout-out here that it’s a really useful grid. I’m still very interested in Nostr but I do worry about it being exclusively WebSockets. It’s clever but can it really even be IndieWeb-friendly without some kind of basic HTTP GET layer?
#
barnaby
[snarfed]: speculative question about bridgy fed: are the .well-known redirects absolutely required to point to bridgy fed (e.g. due to having dynamic content on) or could I in theory host a static version of whatever bridgy fed is serving there on my web host, which allows static files in .well-known but no PHP or redirect rules?
#
[snarfed]
thanks [manton]! yeah websocket is different, but it's still kinda half HTTP, not something totally different like gRPC or BitTorrent etc. I wondered about it too, but it was straightforward to ramp up on, and libraries are widespread and mature
#
[snarfed]
the main concern seems more ops than development: you have to maintain long-lived connections, which is sometimes a bit trickier to configure servers for well
#
[snarfed]
barnaby yeah you could probably do it with static files! feel free to look at the .well-known responses for an example BF user and try. let me know if it works out!
#
[snarfed]
happy to answer q's
#
barnaby
thanks! got a fair amount of work to do on my site before it’s ready for bridgy fed set up, but knowing that it might still be possible (without changing web hosts again…) is a good motivation!
#
[snarfed]
barnaby++
#
Loqi
barnaby has 28 karma in this channel over the last year (42 in all channels)
#
[snarfed]
oh also [manton] fwiw ATProto also requires websockets for federation, so it's not just Nostr
#
[tantek]
does anything else IndieWeb related use WebFinger besides Mastodon? If not, then we should document that limited scope explicitly rather than saying "for example, Mastodon"
#
[tantek]
I figure [snarfed] might know off the top of his head 🙂
#
[snarfed]
not that I know of
#
barnaby
webfinger and nodeinfo are the two “fediverse” .well-known endpoints I’ve seen, I don’t have a good overview of exactly how required they are for what functionality though
#
barnaby
I think nextcloud supports them too, but I don’t know exactly what for
#
[tantek]
barnaby, that placing of "fediverse" in quotes is exactly why I want to document them as "only" a Mastodon thing until people provide additional specific examples which we can then also document, instead of making it sound like Mastodon is just one example of many
#
barnaby
tbh I kinda assume that “fediverse” means “mastodon-compatible” at this point, but yes, more specific data would be useful
#
[snarfed]
oh wait no, plenty of (I think most) fediverse servers use Webfinger, not just Mastodon
#
[snarfed]
off the top of my head, definitely Pleroma and Friendica
#
[snarfed]
I'm sure many/most others. @-@ identifiers are pretty universal in the fediverse, and that's how those are resolved, right?
#
[tantek]
nah, my auto-linker resolves them as @user@host.example -> https://host.example/@user through string manipulation
#
[tantek]
and frankly, enough other folks are going to code it that way that it's going to make it a defacto required thing to support (at least a redirect from such paths)
#
[snarfed]
sure but you're not a fediverse implementation, and that URL structure is definitely not universal
#
[tantek]
pretty sure I blogged about that
#
[snarfed]
in my experience not as universal as webfinger
#
[tantek]
for the sites that don't use that URL structure, they're adding redirects
#
[snarfed]
sure. regardless, that's for human-usable URLs. the need for webfinger is to find an AP actor URL
#
[snarfed]
with conneg, you can guess that URL, and you may sometimes get redirected to the right actor URL, but only sometimes, and that "guess and assume" heuristic doesn't give me as an implementor anywhere near enough confidence to use it
#
[tantek]
right, so the specs should be flipped around and depend on the human-usable URLs, not vice versa
#
[tantek]
"need for webfinger is to find an AP actor URL" and if we keep asking, for what human use-case, I believe we eventually end up at "human-usable URLs"
#
[snarfed]
sure. I was describing how all this _does_ work right now. if the question is, how _should_ all this work instead, happy to follow along!
#
[tantek]
yes, this is literally about "how _should_ all this work instead" for any and all future specs
#
[tantek]
my point is, we should treat .well-known as only required for "legacy" or "compat" support with Mastodon (and the others you listed), not as an example to build upon
#
[tantek]
we must not add anything else that depends on .well-known, and if we see people proposing it, push back strongly
#
[snarfed]
btw of the handful of non-Mastodon implementations I've tried in the last few mins - Guppe, Pleroma, Akkoma, Firefish (nee Misskey I think?), Hubzilla - only Hubzilla redirects @ URL requests with conneg to the AP actor URL
#
[snarfed]
so I doubt we can frame current Webfinger usage/need in the fediverse as exceptional to Mastodon and just a few others
#
[tantek]
we can because "fediverse" (quotes deliberate) is not well defined, as it were
#
[tantek]
and thus we must list a set of exceptions instead
#
[snarfed]
I'm all for a different standard for resolving @-@s to AP actors! and I have no particular love for .well-known. but if you want to interop with current fediverse/AP instances, I guess I disagree that we should assume "they don't need Webfinger except for a few exceptions." that's not true based on both my experiments just now and my experience banging my head against interop with many more existing implementations
#
[snarfed]
and again, that's just _current_ interop on the ground. I'm with you on what we should advocate for in the future!
#
[tantek]
right, and this is why I'm actively auto-linking @-@s without using webfinger, as proof that it is "good enough" and that implementations will adapt to support that
#
[tantek]
it is one area where we can break the assumed dependence on webfinger for the future
#
[tantek]
e.g. works for Threads 🦆
#
[tantek]
and non-"fediverse" things like Medium, Twitter
#
[tantek]
so I would say that my auto-link @-@ algorithm is actually BETTER than webfinger (supports more profiles on the web 😛 )
#
[snarfed]
so then the machine-usable equivalent, eg resolving to an AP actor, would be that an AS2 conneg request to the same /@username URL either returns or redirects to that user's AP actor?
#
[tantek]
Medium, Twitter don't support AP so I'm not sure that follows
#
[snarfed]
I'm still talking about the fediverse
#
[tantek]
if you want something machine-readable at the profile, our answer is representative h-card
#
[tantek]
I'd like to understand what "AP actor" provides that is missing from representative h-card so we can fill that hole
#
[snarfed]
heh ok. that's an expansion of what we're advocating here, but sure
#
[snarfed]
I'm thinking of much more incremental steps. you're thinking much bigger, eg "use mf2 instead of AS2"
#
[snarfed]
which, ok 😁
#
[tantek]
I mean, you put it in your table 😄
#
[tantek]
so I figure we should make it true 😂
#
[snarfed]
lol, I'm just trying to keep track of what we're talking about. I started out at, how much of the (AP) fediverse uses/needs Webfinger, and what do they need it for: resolving @-@s to AP actors
#
[snarfed]
but yes. we like mf2 more than AS2, understood, agreed
#
[snarfed]
unrelated, anyone know of a good reference for "every indieweb object (post, person, etc) is identified by a URL"? looking for a link to cite in the comparison table
angelo, sp1ff` and chenghiz_ joined the channel
#
[KevinMarks]
Rather than @-@, how do you resolve the profile url to an app actor?
#
[tantek]
[KevinMarks] "apps" aren't actors, they're tools
#
[KevinMarks]
We had a proposal at socialwg for a URL template telling you where to put the username rather than using webfinger
#
[KevinMarks]
That was autocarrot, I typed AP
#
[KevinMarks]
I think it was too simple to write as a spec:
#
[KevinMarks]
One extremely simple solution is with a rel header for the template to map back and forth between user@host and url. rel="accountmap" template="https://example.social/@{user}"
#
c​apjamesg
Rel discovery would benefit from being a spec or a note, right?
#
[KevinMarks]
[snarfed] that assumption is so core we don't seem to state it on the wiki. We should fix that.
#
[tantek]
As long as you avoid httprange14 🦆
[davidmead], btrem and angelo joined the channel
wagle joined the channel