#dev 2023-09-21

2023-09-21 UTC
btrem, [manton], slyduda, sebbu2, ra, gerben, gnoo and geoffo joined the channel
#
c​apjamesg [snarfed] What will be demo'd today?
#
c​apjamesg I have a fully-booked afternoon.
gerben joined the channel
#
[KevinMarks] interesting https://dev.to/tigt/why-not-react-2f8l
albertogalca joined the channel
#
albertogalca Hi Kevin! What do you use instead of React?
IWSlackGateway and [KevinMarks] joined the channel
#
[KevinMarks] I do multipage apps with server side rendering and a templating library like jinja2 or nunjucks
sp1ff, pharalia and [snarfed] joined the channel
#
[snarfed] capjamesg got me
[catgirlinspace] joined the channel
#
c​apjamesg [snarfed] what do you mean? 😅
#
[snarfed] oh sorry, maybe "[You've] got me" is an American-ism, it means "I don't know"
AramZS, btrem, [pfefferle], [tantek] and geoffo joined the channel
#
c​apjamesg Ah, I haven't heard that before!
jonnybarnes and [aciccarello] joined the channel
#
[aciccarello] Sounds like changes are coming to hashtags in mastodon 4.2
#
[aciccarello] https://shlee.fedipress.au/2023/mastodon-4-2-0-post-toots-everybody/
#
Loqi [preview] Mastodon 4.2.0 – Post Toots Every Day
#
[aciccarello] [snarfed] I wonder how this will affect bridgy fed.
#
s​tarrwulfe wait, what?
#
IWDiscord <s​tarrwulfe#0>
#
s​tarrwulfe > Pixelfed Dansup is making an app called Sup dedicated to direct messages (with encryption).
#
IWDiscord <s​tarrwulfe#0>
#
s​tarrwulfe Is that something we need to thing about supporting in the indieweb world too?
#
[snarfed] [aciccarello] ugh who knows
#
s​tarrwulfe [edit] wait, what?
#
IWDiscord <s​tarrwulfe#0>
#
s​tarrwulfe > Pixelfed Dansup is making an app called Sup dedicated to direct messages (with encryption).
#
IWDiscord <s​tarrwulfe#0>
#
s​tarrwulfe Is that something we need to think about supporting in the indieweb world too?
#
[snarfed] people who are interested in fediverse hashtags, feel free to learn the Mastodon 4.2 changes and see if they need corresponding Bridgy Fed changes
#
[snarfed] starrwulfe maybe? maybe not? I don't actually think we need to try to do every possible software feature (eg chat) from our web sites
#
[snarfed] but we do have https://indieweb.org/chat#How
#
s​tarrwulfe Agree <@1114282188880494602> -- Just wondering from a linking POV as some of us do run our sites as one-account AP instances instead of joining a Masto/Pleroma/Misskey instance. Edge case stuff right now though but maybe needs to be on the radar 🤷‍♂️
#
[aciccarello] I'm hoping the hashtag changes will make mastodon more forgiving. Sounds like they will support hashtags outside the text content. Maybe we'll get hashtags on articles too.
#
[snarfed] starrwulfe: you're thinking fediverse-bridged DMs to/from your web site?
#
AramZS I don't think DMs are a pattern that is generally working well on fediverse
#
capjamesg I was talking about this yesterday. Should DMs be out of scope for the Fediverse?
#
s​tarrwulfe @aciccarello -- especially the "hidden" OOB ones that are "account-wide" and don't necessarily show up in every toot by the posting party.
#
capjamesg It feels to me like DMs in Mastodon, etc. is like trying to replicate the big social platforms on functionality without considering what having DMs on your server means.
#
capjamesg Unless they are E2E encrypted presumably an instance owner could read someone's DMs?
#
[snarfed] right
#
capjamesg Which, if true, feels like an unnecessary security risk.
#
[snarfed] eh. E2EE is still the exception, not the rule, across all DM/chat services
#
capjamesg Yeah indeed.
#
s​tarrwulfe [snarfed]: Was thinking about a way to make a notification that I received one. Not sure if there's a Matrix bridge that could handle the heavy lifting of chatting that way yet but it would be nice since I've bridged every other IM method that way so far.
#
capjamesg I think the dynamic is different between Fedi vs. "big social"
#
capjamesg On the fediverse, someone you have never met could be reading all the DMs on the server, right? Whereas Facebook _can_ do that, but there are probably a lot of internal procedures preventing against most employees doing that.
#
[snarfed] eh maybe. but I was thinking DMs in small forums and other non-"big tech" too. E2EE is still hard and the exception, and afaik mostly just in chat platforms, not social networks
#
capjamesg You have to put *a lot* of trust in an instance owner.
#
capjamesg (Correct me if any of my assumptions are wrong. I'm very much learning!)
#
AramZS Yeah, but I don't think E2E encryption is an expected setup for fediverse setups, but I agree your assumptions around instance owners are as I understand them as well
#
[snarfed] yup, but that's how the fediverse is, both culturally and technically. very instance/server-centric. your identity is tied to a server, server admins, moderate, etc.
#
capjamesg DMs have an expectation of more privacy by their very name.
#
capjamesg "Direct message"
#
AramZS I have basically directed all DMs to keybase atm. Not that I distrust my instance manager, but it seems like a general bad idea in terms of setup. DMs on Fediverse are not really conceptually the same as on other platform. They're intended for *focused communication* not for *private communication*
#
AramZS Like it is also very easy to add a user to a DM conversation by mentioning their username
#
[snarfed] capjamesg yes, but again, private is different than hidden from the server admin. E2EE really is relatively new to all this
#
capjamesg > private is different than hidden from the server admin -- say more?
#
AramZS Mastodon especially is not really set up to do DMs as *private* messages, just *direct* messages.
#
[tantek] capjamesg, yes, in that regard, DMs are a bit misleading, because admins on systems both open (Mastodon), and closed (Slack), and silos (Twitter) can read all your DMs
#
capjamesg Yeah.
#
s​tarrwulfe AramZS: ⬆️ This is key and shouldn't be conflated
#
[tantek] AramZS, it's not helpful to try to put such a fine semantic distinction between "private" and "direct"
#
capjamesg The question becomes: will the average user understand what "direct message" means?
#
AramZS I 100% agree the distinction is not helpful, but it *is* how Mastodon understands it.
#
[tantek] as capjamesg said, "direct" implies ONLY between you and DIRECTLY with who you send to
#
s​tarrwulfe But the implication to the average user is that it also means private
#
[snarfed] I think user/technical expectations of what "private" means have shifted. 10-20y ago, basically nothing had E2EE, so no one reasonably expected that "private" included from sysadmins. we've now moved the goalposts to include that. which is ok! I'm just saying it's a relatively new shift, not true across tech history
#
AramZS I do not consider Mastodon DMs to be fit for use tbh
#
capjamesg [snarfed]++
#
Loqi [snarfed] has 103 karma in this channel over the last year (157 in all channels)
#
capjamesg That's true. I think if Mastodon is emulating the feel of a traditional social network and has DMs, it is not necessarily going to be intuitive that one person who you have never met could read your DMs.
#
capjamesg And what that means for security.
#
s​tarrwulfe People coming into this space from the mainstream social media nets will think DM = private message too. So it does need to be spelt out from time to time.
#
[tantek] [snarfed] indeed! In the past, people "knew" that unless they used their own crypto(graphy), messages were readable in-transit (including on servers). Hence PGP in email etc.
#
AramZS Also, the ease of accidentally pulling in another user for what is supposed to be a DM is ... not great
#
capjamesg And the legal obligations too.
#
[tantek] AramZS, you mean like the ease of pulling in another To: address when replying to an email?
#
[snarfed] eh, maybe technical people. non-technical people probably often didn't "know" that email wasn't fully private. so they similarly might not "know" now that fediverse DMs are fully private. that hasn't change.d 🤷
#
[tantek] IMO the "another user for what is supposed to be a DM" hand-wringing is kinda laughable since email has worked that way since, - checks notes -, ever
#
AramZS tantek: I think new systems have made that easier but I don't think it matches well with that at all. You mostly don't refer people by their email address, but you do refer to people on social media by their handle.
#
[tantek] neither really. both systems now auto-complete given names into "handles" with either one @ or two @-@s
#
[snarfed] more on topic, we don't really have a design for indieweb chat, and personally I'm not sure it's a high priority for the community to work on. I don't know how natural a use case it is to chat to/from our web sites. but we'd definitely need to design that first if we eventually want to bridge fediverse DMs to indieweb. https://indieweb.org/chat#How is where we'd start!
#
AramZS Also, the UI of most email systems make it *very* clear when they implement a setup that mentioning a user's email in the body puts it in the To:. In my experience that is not as clear in Mastodon.
#
[tantek] [snarfed] to turn that around, for anyone here that IndieWeb chat *is* a priority, please take a look at existing work and then design/prototype something yourself!
#
capjamesg [snarfed] Me and Angelo scoped that out :D
#
[tantek] you don't need to work on something that is "a high priority for the community" or not
#
capjamesg We spent like 2 hours talking about it over the last week.
#
[tantek] if it's a high priority for *you* and *your website*, then please work on it and document what you figure out / build!
#
capjamesg [tantek]++
#
Loqi [tantek] has 30 karma in this channel over the last year (100 in all channels)
#
[snarfed] [tantek] true! better framing, thank you
#
capjamesg We decided that it is cool in theory but anyone using it would have to be absolutely okay with their messages on plain text on their servers.
#
[tantek] trying not to discourage people with what may seem like more out there, fringe, or even "wacky" ideas of what they want to use their website for 🙂
#
[snarfed] capjamesg awesome! I'd love to see a proof of concept chat between two separate indieweb chat implementations
#
[tantek] we're all about encouraging the plurality of the wacky 😉
#
capjamesg Which I am okay with but when designing a general system the calculus is different.
#
AramZS I think Mastodon's DMs are particularly useful for me and my risk model in regard to what and how I communicate via DMs. They might be useful for others. But personally I just push people who want to DM me to Keybase or Signal.
#
capjamesg [tantek] I want that on a t-shirt.
#
[tantek] lol
#
capjamesg [snarfed] My implementation got... convoluted.
#
capjamesg Want some notes?
#
AramZS s/DMs are particularly useful/DMs are not particularly useful/
#
[snarfed] capjamesg for the subset of indieweb people who admin their own servers, indieweb chat over SSL is arguably E2EE!
#
[tantek] capjamesg, get 1:1 indieweb chat working first since that's an "easier" problem, and then worry about "a general system calculus"
#
capjamesg https://gist.github.com/capjamesg/559395b17b62d97a74e3272b887175e5
#
capjamesg (the repo is private right now but that's the README)
#
capjamesg "The Flow" describes the system.
#
capjamesg I'd ask: how can it be made simpler :D
#
capjamesg My code makes use of IndieAuth, WebSub, and Ticket Auth.
#
AramZS Oh, that's cool!
#
[snarfed] capjamesg awesome! link it on the wiki!
#
c​apjamesg I'll see if I can get the repo cleaned up first.
#
c​apjamesg I accidentally committed the `sqlite` db 🤦 😂
#
[tantek] what is a private message
#
Loqi ✉️ messaging refers to one user sending another user a message (memo, letter, txt, photo …) that they read sometime later; on the IndieWeb, either directly via a personal site, or from one site to another https://indieweb.org/private_message
#
[tantek] capjamesg, create a new subsection inside https://indieweb.org/messaging#Brainstorming (with whatever label you want) and summarize / link to your thoughts / README there so it's discoverable
#
[snarfed] hmm do we need to merge or disambiguate https://indieweb.org/messaging and https://indieweb.org/chat ?
#
[KevinMarks] That was a bit confusing as we have http://chat.indieweb.org
#
[snarfed] yeah that's https://indieweb.org/discuss
#
[KevinMarks] Also, I think the assumption that big silos aren't reading your messages is optimistic.
#
[KevinMarks] Read The Boy Kings by Kate Losse
#
[KevinMarks] https://chat-uploads.indieweb.org/files/2023/09/dev-20230921-181532-screenshot_20230921-191457.png
#
capjamesg Oof.
#
capjamesg Is the risk for harm not greater in a decentralized system though?
#
[tantek] depends on the harms you are measuring and who is being harmed perhaps
#
capjamesg I mean if an instance is taken over (i.e. password leak, bad password, all other vectors), all of those DMs would be readable.
#
capjamesg Whereas with a big social provider you would have to compromise Facebook, which I assume has a lot of security policies in place to prevent that.
#
capjamesg You need both secure instances and secure systems.
#
[snarfed] not necessarily. you could just compromise your target user, which will be way easier
#
[snarfed] threat models are useful! threatmodels++
#
Loqi threatmodels has 1 karma over the last year
#
capjamesg Yeah.
#
[KevinMarks] read about the Saudi infiltration at Twitter https://www.theguardian.com/us-news/2022/aug/09/twitter-saudi-arabia-dissident-spying
#
[tantek] Reminder to all devs here who implement IndieWeb specs, there's only 3 people signed up far on https://events.indieweb.org/2023/09/september-2023-swicg-community-meeting-TA731v5tOpFY — can we get some more RSVPs by active implementers here? [KevinMarks] [snarfed] aciccarello [manton] aaronpk omz13
#
aaronpk 👍
#
aaronpk early morning
#
[tantek] (aside: this is much more important in the next 24h than rabbitholing DMs / encryption etc.)
#
[tantek] aaronpk, I hear you. :yawning_face:
#
aaronpk i will need to stock up on coffee
#
capjamesg Yes indeed!
#
capjamesg [tantek] You haven't heard about my adventure into ActivityPub yet :D
#
capjamesg But in all seriousness, signing up would be appreciated to all of those who are able to make it!
#
aaronpk I don't see where this meeting exists in the official w3c web pages anywhere 😂
#
capjamesg Apologies for the early time in US Pacific. We are trying to be as accommodating as possible to different time zones.
#
aaronpk it's not on the socialhub forum, it's not on the w3.org community page
#
capjamesg Will add to w3.org.
[manton] joined the channel
#
[manton] I’ll be at the Social Web CG meeting too.
#
[manton] Thankful for the reminder because I’m having trouble keeping track of everything.
#
capjamesg Done aaronpk++
#
Loqi aaronpk has 38 karma in this channel over the last year (99 in all channels)
starrwulfe, geoffo, btrem, Fisher2445995, AramZS, btrem2, gRegor and [chrisaldrich] joined the channel; btrem2 left the channel