#dev 2024-04-29

2024-04-29 UTC
geoffo and [qubyte] joined the channel
#
aaronpk
Maybe it was a mistake to call it passkeys, because people then equate it to a password. In reality you shouldn't have only one passkey to log in to a website, you should have multiple enrolled. That way you don't need to be able to export them, they can be device bound, but you're also not at risk of platform lock-in
#
aaronpk
Who decided your account should have only a single password anyway? In practice that isn't even true, since account recovery flows are sometimes so frictionless you can use them as a login flow
[snarfed] joined the channel
#
[snarfed]
yeah the discourse has been disappointing. sure the transition so far hasn't been perfect. but email/password is such a ubiquitous entrenched pattern, migrating to anything else will be nontrivial and have roadbumps
#
[snarfed]
...but email/password login is so dangerously insecure, we clearly _have_ to migrate to something better, and security keys/passkeys are clearly the best options
#
[snarfed]
("least bad" 😁)
[campegg] and Fsrk joined the channel
#
Tiffany
I feel like they add a lot of complexity though, so the only sites that will end up supporting them will be places like big silos
#
[tantek]
[snarfed] is that worth the centralization trade off though? "Security" is often used as an excuse for why you should "just trust us" where the "us" refers to a small number of companies and governments
#
[tantek]
If passkeys end up locking you into more things, then they're not really "more secure", in that they're not really *yours, securely*
#
superkuh
I don't think there's any problem with emailing passwords.
#
superkuh
It may be a problem in some corporate or institutional contexts, but not for human people.
#
aaronpk
It's not intentionally lock-in either, it's just that the export format hasn't been finished yet
#
aaronpk
and no, passwords are not good for human people either
#
superkuh
They really are. For interacting with other humans.
#
aaronpk
I have never once used a password to interact with another human. That practice died out in the Middle Ages trying to get access to the castle across a draw bridge
#
superkuh
All the complaints about them come from a threat model that just doesn't apply to most cases.
[tw2113] joined the channel
#
[tw2113]
12345 is my goto human interaction password
#
[tw2113]
always makes me think about my luggage
#
superkuh
Oh, here I'm separating out corporate persons and human persons because they have different needs.
#
[tantek]
rotating passwords work quite well in practice (IRL) for speakeasies
#
[tantek]
and yes, I've used them multiple times, person to person with zero devices in between
#
[tantek]
aaronpk, this "not intentionally lock-in" is frankly irrelevant. negligence (unintentional lock-in) is exactly the problem that the Passkeys takedown is talking about
#
[tantek]
it's like saying, we didn't intend this API that has high entropy to be used for fingerprinting. it's BS, because people know it will be abused that way.
#
superkuh
Emailing a password for a forum where people gather to post about growing petunias is 100 okay. Emailing a password for a login for medical results probably isn't. Requiring centralized auth is okay for that. But it hurts the human use cases and is not justified. So you have to decide which context you are going to develop for. Profit making, or other human people.
#
[tantek]
also the "people have a bad *experience* with passwords, so of course the new thing we design will be better" style of reasoning is an example of the Nirvana fallacy
#
aaronpk
someone just sent me this which feels weirdly specific to this conversation 😅 https://www.theguardian.com/technology/2024/apr/29/devices-with-weak-passwords-to-be-banned-uk
#
aaronpk
"Tech that comes with weak passwords such as “admin” or “12345” will be banned in the UK"
#
Tiffany
the article doesn't say, does this also prevent them from reusing the same password for every unit? or is "correct horse battery staple" a perfectly fine password?
#
Tiffany
oh I see, it says they should prompt to change a common password
PuercoPop and gRegor joined the channel
#
gRegor
!tell [manton] I've had a few replies to m.b posts show up in the json feed for a permalink, e.g. https://micro.blog/webmention?target=https://micro.blog/xxxx/36385148, but it's not in the conversation view itself: https://micro.blog/xxxx/36385148
#
Loqi
Ok, I'll tell them that when I see them next
geoffo, gruetzhaxe, [KevinMarks], IWSlackGateway, [Joe_Crawford], [snarfed], [tw2113], [campegg], gRegor, gRegorLove_, Guest6 and [contact898] joined the channel
#
capjamesg
I am working on a personal website "trading card" generator.
#
IWDiscord
<c​apjamesg>
rrix, [Scout], gruetzhaxe, juju2 and oxtyped joined the channel
#
[Joe_Crawford]
Pretty sweet James
#
capjamesg
[Joe_Crawford]
#
ryokagriffin
That's a cool idea. Will it come with a directory? The stats along the bottom could be really neat... like a pokemon card but for a website. Indieweb reputation, recent activity, post frequency, topics... hrm
#
ryokagriffin
Hey, you could ride the hype and make them NFTs to trade around and... oh wait, the hype died. nevermind.
#
capjamesg
I plan to print out the blogs I follow so I can shuffle the deck in the morning and get a random blog I know I like to check in on.
#
ryokagriffin
love it 😄
#
capjamesg
Your comment about NFTs made me laugh 😂
#
capjamesg
Source code in case anyone is interested: https://github.com/capjamesg/website-trading-cards
#
capjamesg
The HTML is a bit of a mess. I created the design in Figma and used an export plugin.
#
ryokagriffin
I had a quick go but hit python errors due to environment config. I'll try this later.
#
capjamesg
Let me know if there is anything that isn't working with the script. It's still a WIP!
#
ryokagriffin
Mind if I PM you?
#
capjamesg
Sure thing!
#
ryokagriffin
Now I gotta make my site compatible with this funky tool!
jonnybarnes joined the channel
#
jeremycherfas
!tell capjamesg Can you tell me more (or point me to) using Figma to export HTML?
#
Loqi
Ok, I'll tell them that when I see them next
#
capjamesg
jeremycherfas It was an extension. The markup is not semantic 😦
#
Loqi
capjamesg: jeremycherfas left you a message 8 minutes ago: Can you tell me more (or point me to) using Figma to export HTML?
#
capjamesg
My original idea was to make an SVG that I could programmatically edit, but Figma doesn't give you good SVG for that (probably for technical reasons).
#
capjamesg
I didn't want to lose the Figma design so I used that plugin to export the code.
#
capjamesg
I wouldn't use it in production.
#
capjamesg
*for a web site
#
jeremycherfas
Gotcha. Thanks. I'm looking for a way to take an overly complex ClassicPress theme modified from an existent non-IndieWeb theme and somehow strip it to its bare minimum, so I can indiewebify it from there.
gruetzhaxe joined the channel
#
[KevinMarks]
the downside of SVG is that you can't really do text-wrap in it.
#
[KevinMarks]
that's what I found when I was trying to use it to make hovercards anyway
#
capjamesg
Yeah. I was worried about wrapping too.
#
[KevinMarks]
you can do condense/stretch to fit, but that looks very 90s retro
#
capjamesg
Haha the stretched text in the heading looks cool.
#
[KevinMarks]
<svg width="100%" height="100%"><text x="0%" y="80%" font-size="30vh" textLength="100%" lengthAdjust="spacingAndGlyphs">Ben Werdmuller</text></svg>
#
[KevinMarks]
it gets very odd when people have super short or super long names
[tantek], [Ros], gRegorLove_, gruetzhaxe and lifeofpablo joined the channel
#
[tantek]
I love the idea of a trading card template for a personal website! Ah, I should have read this first before espresso live-stream chat!
#
[tantek]
This sounds like such a fun project
#
[tantek]
It could also be an adaptive design easter egg, that is, when you resize your blog/site home page window down to the size of a trading card, you have media queries that apply and restyle it to look like a trading card!
#
[tantek]
Also, this makes me wonder what would various post types look like in "trading card" design form?
#
[Joe_Crawford]
One thing on my long todo list is to implement this cardflip css mechanic somewhere fun. Was thinking of doing it for my toy robots collection but when I first looked it involved too many markup changes than I could deal with. But I rather like it. https://codepen.io/edeesims/pen/wvpYWW
#
[tantek]
next level easter egg: when your blog/site home page shows a "trading card" design, it also hides all the posts by default and you have to "flip the card over" (insert gesture) to see the most recent post, which then has further prev arrows to flip to the next post etc.
[KevinMarks] joined the channel
#
[tantek]
happy Too Many Requests day!
#
[tantek]
what is 429?
#
Loqi
429 is the HTTP status code returned from a server when the client is making too many requests and the server is throttling the client https://indieweb.org/429
gruetzhaxe joined the channel
#
ryokagriffin
Lol 429 day 😂
#
ryokagriffin
tantek that's a great idea for the trading card thing, a version that is customised for the view via trading card. James you'll have to standardise on a resolution or provide some other way of identifying that it's your trading card tool capturing the site that's static-site compatible
#
[tantek]
gosh darnit I need to look up some 1980s era trading cards to start making some CSS now
#
[tantek]
like as long as your home page has a reasonably obvious top level h-card
#
[tantek]
😂
[schmarty] joined the channel
#
[schmarty]
`top: var(--topps)`
#
[Joe_Crawford]
`text-transform: var(--upper-deck)`
[aciccarello], influous and DejaOffice joined the channel
#
gRegor
hahah
#
gRegor
IndieWeb: The Gathering
barnabywalters joined the channel
#
ryokagriffin
[tantek]: I should look into h-cards more, I thought it was just meta stuff in the <head> but it looks like it isn't that at all
#
gRegor
what is h-card
#
Loqi
h-card is the microformats2 vocabulary for marking up people, organizations, and venues on web sites, and supersedes hCard https://indieweb.org/h-card
#
gRegor
Yeah, one of the main ideas with h-cards and microformats in general is marking up information that's already visibly published on the page rather than invisible <meta>
#
gRegor
https://indiewebify.me/ has some tools to help set up and verify h-card and h-entry
#
gRegor
https://microformats.io/ also has some info and parsers if you want to see everything a microformats2 parser finds.
#
ryokagriffin
Thanks for this. Very new to all this stuff 🙂
barnaby, [Joe_Crawford] and bret joined the channel
#
ryokagriffin
I have added a basic h-card! 🥳
#
capjamesg
ryokagriffin[d]++
#
Loqi
ryokagriffin[d] has 1 karma over the last year
jujudario joined the channel
#
[tantek]
woohoo! ryokagriffin++
#
Loqi
ryokagriffin has 2 karma over the last year
#
Loqi
😊
ttybitnik joined the channel