#dev 2024-05-11

2024-05-11 UTC
prologic joined the channel
#
prologic
Q: Is ?me= no longer a required query string parameter in the auth endpoint call?
#
prologic
My old indieauth handler accepts it, but hacdias's indielib toolkit (https://github.com/hacdias/indielib) doesn't send it
#
prologic
it also appears unused anyway in my code, was it kind of useless information?
geoffo, [naturestudy], [Jo], [schmarty], [benatwork], [tantek], [Murray], [snarfed], [marksuth], [Joe_Crawford], [KevinMarks], [pfefferle], IWSlackGateway and strugee_ joined the channel
jeremycherfas joined the channel
#
prologic
Can anyone answer my IndieAuth question?
[Paul_Robert_Ll] joined the channel
#
[Paul_Robert_Ll]
Yes it is now optional. This post is a good summary of the more recent IndieAuth spec changes https://aaronparecki.com/2020/12/03/1/indieauth-2020
#
prologic
Thank you! 🙏
#
sandra
[snarfed]: I understand a little bit of Elixir and Akkoma's architecture so I might be able to help. I've had patches included in Akkoma before.
#
sandra
The problem is that I don't understand the ActivityPub protocol fully, and http signatures I don't understand at all. I've tried reading that part of Akkoma's code but I still didn't understand it. (I'm not the sharpest tool in the proverbial.)
#
sandra
I might not be smart enough to ever understand it
#
sandra
I know how PGP works though, so hope springs etc.
barnaby joined the channel
#
[tantek]
Any chance of getting h-entry + author h-card added to Akkoma post permalinks?
#
sandra
[tantek]: That might be possible. Why would we want that?* I don't even use a lot of those microformats on my regular blog
#
sandra
*: Not rhetorical/snarky. Genuine question.
#
prologic
sandra activitypub and signed requests aren't hard to understand
#
[tantek]
Yes Sandra! Always good to ask why as in what is use case?
#
prologic
I can probably help clear up your understanding
#
prologic
the worst part of activitypub isn't how it works, it's the unexpected side effects of "federating" IMO
#
[tantek]
Hey prologic, it's not helpful to say things "aren't hard" because everyone has different levels of understanding of different things and also why it is good to avoid saying things are "simple" or "simply do ..." etc
#
prologic
umm yeah sure, you're right
#
[tantek]
Sandra, the use case is webmentions, that is, both sending & receiving, with the rest of the web!
#
prologic
I'm just empathising with sandra, I was in the same boat too not that long ago :)
#
sandra
prologic: Mainly my questions revolve around whether it uses keys the way GPG and SSL does (or DKIM which I also understand) and where keys are stored/generated, which I know for GPG, SSL and DKIM but don't for http signatures.
#
[tantek]
^ yes, all of that
#
prologic
sandra Ahh no, it does not. It uses HMAC + either RSA or ED25519 and SHA
#
sandra
[tantek]: I had the same reaction initially and was gonna go into a "well I guess I'm not smart enough to understand even simple things" but then I was relieved that he followed up by trying to explain it
#
prologic
I believe most implementations actually use ESA + SHA
#
prologic
Err RSA I mean
#
sandra
prologic: So I know how RSA and ED25519 work, and I know that SHA can make hashes, but not what HMAC is
#
sandra
I know RSA and ed25519 in other contexts I mean. Such as PGP
#
sandra
[tantek]: In other words, thank you♥︎
#
prologic
a HMAC is essentially a shared secret key and hash function
#
prologic
used for authenticating messages
#
sandra
prologic: So there are keys. RSA keys for example. I couldn't figure out how they were exchanged
#
sandra
Tried reading that part of the source code of Pleroma, Honk, GTS and Mastodon. This was a while ago. I was like "I'm missing something foundational in my understanding here"
#
[tantek]
sandra, cheers! We are all beginners at something so it's good to keep that in mind 🙏
#
sandra
It's 40000 pages. I'll put it on my e-reader and get to it once I'm done with Monte Cristo
#
prologic
I'm trying to find a web page that really helped me understand this myself
#
prologic
it was like mastodon by hand or activity pub from scratch or something
#
[tantek]
I think Evan is also working on a draft of AP+httpsigs
#
sandra
I think I have that web page link saved somewhere, prologic. From last I tried to understand this stuff
#
sandra
prologic: thank you for this
#
prologic
Also if you prefer to understand from reading code you're welcome to pull apart what I did here: https://git.mills.io/yarnsocial/yarn/src/branch/main/internal/activitypub
#
prologic
It's written in Go for the yarnd (part of Yarn.social); but I'm going to drop this code soon™ in favour of building something more akin to and like bridy
#
prologic
I mean Bridgy Fed: https://indieweb.org/Bridgy_Fed
#
[tantek]
Sandra here's the spec that Evan and [snarfed] have written up: https://www.w3.org/wiki/ActivityPub/Primer/Authentication_Authorization
#
sandra
prologic: Yeah, that might be more my speed, thank you for that. English is my third language and I understand golang so that might be easier
#
prologic
Ahh brilliant!
#
prologic
It's also not a lot of code to wrap your head around, so it might help you :)
#
prologic
Although it's also not "feature complete" by any means or even "spec compliant"
#
prologic
I found interoperability is hard in practise, because the spec isn't exactly followed (when is it ever?) and Mastodon does its own thing and other implementations do their own things and others fit somewhere in-between
#
sandra
I think I'll try to start with that ietf draft since this is about trying to fix a difficult interaction between Akkoma and Bridgy
#
prologic
I also found GotoSocial to be the best server to stand up locally to test my own implementation against: https://github.com/superseriousbusiness/gotosocial
#
sandra
prologic: I know some of the GTS folks and sometimes read GTS code to try to understand the protocol. Although I grok Elixir more than golang
#
sandra
Elixir is so easy
#
sandra
Not sure why it was invented, it's a little bit too good
#
sandra
prologic: Wait a minute… Why was that draft 12? There seems to be a full rfc: https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
#
prologic
Oh I probably linked to an old version
#
prologic
sorry :)
#
sandra
I went down a li'l bit of a yak shaving trip trying to find an rfc2epub converter but now that's done and the book is on the device and I'll get to it when I get to it. The distant future—the year two thousand
GuestZero joined the channel
#
[tantek]
[KevinMarks] [snarfed] got an error between mention.tech and Bridgy Fed: "http://tantek.com/2024/131/t1/mozilla-origin-trials
#
[tantek]
mentioned http://fed.brid.gy/ ✅ a second ago could not fetch https://fed.brid.gy/ '555' "
#
Loqi
[preview] [Tantek Çelik] For #webDevelopers who like to try out pre-release features in #browsers, in addition to the numerous #Firefox experimental features which everyone has access to in Nightly Builds (as documented by MDN¹) did you know that #Mozilla also has Origin Tr...
#
[tantek]
[snarfed] is http://fed.brid.gy blocking mention.tech?
#
[tantek]
also http://webmention.app is failing to find any links to webmention in my post https://tantek.com/2024/131/t1/mozilla-origin-trials which is obviously false since there's a link to http://fed.brid.gy in that post
#
[tantek]
what are tools for sending webmentions
#
Loqi
It looks like we don't have a page for "tools for sending webmentions" yet. Would you like to create it? (Or just say "tools for sending webmentions is ____", a sentence describing the term)
#
[tantek]
what are services for sending webmentions
#
Loqi
It looks like we don't have a page for "services for sending webmentions" yet. Would you like to create it? (Or just say "services for sending webmentions is ____", a sentence describing the term)
#
[tantek]
now trying telegraph
#
[tantek]
my post has a link to https://fed.brid.gy/ which if you view source does have a rel=webmention endpoint so both http://webmention.app and telegraph are failing here
#
[tantek]
cc: aaronpk
#
[tantek]
so 3 out of 3 webmention sending services are failing right now 😞
#
[tantek]
ok finally mention.tech after three tries said "http://tantek.com/2024/131/t1/mozilla-origin-trials
#
[tantek]
mentioned http://fed.brid.gy/ ✅ 2 seconds ago mention sent '202' "
#
[tantek]
to-do << [[Webmention]] page needs a specific subsection for services for sending webmentions and then redirects from https://indieweb.org/s/12Uj and https://indieweb.org/s/12Ui to that specific subsection fragment identifier, for easier discoverability to help folks who have a static site or similar send webmentions without having to setup webmention sending directly on their website
#
Loqi
ok, I added "[[Webmention]] page needs a specific subsection for services for sending webmentions and then redirects from https://indieweb.org/s/12Uj and https://indieweb.org/s/12Ui to that specific subsection fragment identifier, for easier discoverability to help folks who have a static site or similar send webmentions without having to setup webmention sending directly on their website" to the "See Also" section of /to-do https://indieweb.org/wiki/index.php?diff=95034&oldid=95033
[tantek] joined the channel
#
[KevinMarks]
I think they're both hosted on appengine so it may be Google failing at self routing
#
[tantek]
I'll try to get around to filing issues if I can figure out where to do so
Smi, stefan1, sonja, nikkin, cophee, barnaby and [Joel_Auterson] joined the channel
#
[Joel_Auterson]
Hi all, kind of struggling to work out what to do with images in MF2. For example, this post: https://www.joelotter.com/notes/2024/05/10-lights/
#
[Joel_Auterson]
All renders fine, Bridgy can interpret things great, but when it comes to mf2 parsing for other things like webmentions it whacks the image alt text into the content directly
#
[Joel_Auterson]
has anyone managed to solve this on their own site? Thanks 😄
#
[Joel_Auterson]
i swear this used to work differently but i may be misremembering
#
[Joel_Auterson]
another weird note is the validator says i'm not using `e-content`, but i definitely am and have tried this on a few posts from other folks, same result
#
[Paul_Robert_Ll]
Not sure what parser IndieWebify uses; here’s the output from Node, Ruby and PHP parsers:
prologic left the channel
#
[Joel_Auterson]
Mm I think it’s the PHP one, I tried it on pin13 too. Seems like they’re all consistent then?
#
[Paul_Robert_Ll]
Looks like the Ruby one doesn’t include `alt` text from photos in `value`; the others do. I’d expect alt text not to be included in the `value`, wonder if it’s a bug with the PHP and Node parsers?
#
[Joel_Auterson]
I wonder if it’s because u-photo is on the img and not the surrounding a tag
cophee joined the channel
#
[Paul_Robert_Ll]
I tested it on one of my photo posts, which doesn’t link photos, and the `alt` text is still pulled through to the `value` property: https://php.microformats.io/?url=https%3A%2F%2Fpaulrobertlloyd.com%2F2024%2F131%2Fp1%2F
#
[Joel_Auterson]
Hmm I was wondering how the comment on this post got interpreted correctly https://www.joelotter.com/posts/2023/10/bridgy-bluesky/
#
[Joel_Auterson]
As in it has images in, not the alt text
#
[Joel_Auterson]
Webmention presumably uses the PHP one
#
[Joel_Auterson]
So I wonder if something has perhaps changed
#
[Joel_Auterson]
Because I ran that post through the validator and the same thing happens
stefan1, win0err and [qubyte] joined the channel
#
aaronpk
ok i just got my fedcm demo working
#
aaronpk
now i am very tempted to make a linktree-like service to replace indieauth.com which also supports fedcm
#
aaronpk
this basically solves all the UX issues
#
[tantek]
like somenewdomain/userdomain
#
[tantek]
rather than linktreedomain/username?
#
aaronpk
no, you'd point your own domain or subdomain to it
#
aaronpk
i mean i *could* provide a version at myindieauth.com or whatever, but I'd feel better about it if people bring their own domains
#
aaronpk
the difference is that the domain of this service will appear in the browser prompt
#
aaronpk
imagine "authorization-server.com" is the domain of the new service https://media.aaronpk.com/2024/05/11065916-9131.png
#
capjamesg
aaronpk++
#
Loqi
aaronpk has 36 karma in this channel over the last year (118 in all channels)
#
cophee
aaronpk: This would be so epic
#
aaronpk
the first RP i'd launch this on is webmention.io, which actually gets enough traffic it might be a legitimate test of it
#
cophee
aaronpk: I can make some cool designs/promo vids for it over the winter break here (starting in a week in Australia)
#
[snarfed]
phew, morning all!
#
[snarfed]
[tantek] Bridgy Fed definitely isn't blocking mention.tech. I don't know what the 555 response was; not an HTTP status code at least
[Joe_Crawford] joined the channel
#
[snarfed]
[capjamesg] https://granary.io/url?input=jsonfeed&output=rss&url=https://jamesg.blog/google-research.json?d doesn't work because granary doesn't (yet) support the `description` JSON Feed field. it's an optional field, and from my reading of https://www.jsonfeed.org/version/1.1/#top-level , maybe only expected if `title` is also there, which it isn't
#
[snarfed]
I think you want `title` instead
[Al_Abut] and stefan1 joined the channel
#
aaronpk
no JWTs needed
[dominik] joined the channel
#
aaronpk
now i need to think about what this would take to make it "real"
[KevinMarks] joined the channel
#
[KevinMarks]
Looks like json feed used the ambiguous rss field names?
#
aaronpk
opened an issue suggesting DNS option instead of hosting the .well-known file required https://github.com/fedidcg/FedCM/issues/580
#
aaronpk
oh lol that's going to link to the wiki archive now
#
aaronpk
i'm thinking about what it would take for someone to delegate the indieauth/fedcm hosting to a service running on a subdomain
#
pcarrier
aaronpk: What's the thought behind it? How would you discover identities for example?
#
[tantek]
Obligatory wellknown--
#
Loqi
wellknown has -2 karma over the last year
#
pcarrier
What is the objection to .well-known? Figure DNS would be similarly namespaced, using a single h2/h3 for arbitrary lookups and not requiring touching something most people don't fully understand (like SRV, TXT, HTTP, etc. records) is a big benefit?
#
pcarrier
[edit] What is the objection to .well-known? Figure DNS would be similarly namespaced, using a single h2/h3 for arbitrary lookups and not requiring touching something most people don't fully understand (like SRV, TXT, HTTP, etc. records) are big benefits?
#
pcarrier
[edit] What is the objection to .well-known? Figure DNS would be similarly namespaced, using a single h2/h3 for arbitrary lookups and not requiring touching something most people don't fully understand (like SRV, TXT, HTTP, etc. records) and isn't easy to reproduce in your dev env are big benefits?
#
aaronpk
gentle reminder that editing your message in discord sends the full edited message each time
#
aaronpk
it's actually often easier to set a DNS record than it is to put a file at a .well-known path
#
aaronpk
for example that file has to be served with content-type: application/json so i had to go edit my nginx config to set the HTTP header
#
aaronpk
pretty sure it's easier to tell someone to add a DNS entry than to do that
#
[tantek]
Certainly easier to add a rel value or http header than futzing with well-known and conneg--
#
Loqi
conneg has -19 karma in this channel over the last year (-23 in all channels)
#
[tantek]
pcarrier I summarized in a recent post also a half dozen or so problems (from experience) with well-known
#
[tantek]
Pretty sure if you search my home page for well-known you will find it
#
[tantek]
It's a really bad pattern that's screwing up all kinds of web standards proposals
[capjamesg] and [pfefferle] joined the channel
#
pcarrier
> pretty sure it's easier to tell someone to add a DNS entry than to do that
#
pcarrier
Wasting a lot of time on every change in a lot of organizations. And I worked in fairly agile / devopsy ones.
#
[dominik]
Yeah, I have horror stories about "just add a DNS entry" as well
barnaby and GuestZero joined the channel
#
pcarrier
[tantek] what I could find is:
#
IWDiscord
<p​carrier>
#
pcarrier
> Warning: the proposed use of .well-known therein is IMO a bad mistake. Unnecessary reinvention (most handled by existing rel values¹⁴), more complex to author (requires sidefiles¹⁵), harder to publish (requires site admin root access), likely to become inaccurate (Ruby’s postulate¹⁶), and fragile (site admins frequently break .well-known for individual pages). A full critique likely requires its own blog post.
#
IWDiscord
<p​carrier>
#
pcarrier
Problem I see with `rel` is that a lot of folks just don't want to carry an HTML parser in their tools/backends (large and complex and hence more bug-prone than JSON / CBOR / etc.), and Ruby's postulate is even more true with DNS than with files served over HTTP on the same domain?
#
capjamesg
We should be at a point where HTML parsers are stable across all major programming languages.
#
aaronpk
HTML parsers are really not as big of a deal as people make them out to be
#
pcarrier
and yet CVE-2018-17848
#
aaronpk
especially when all you're looking for is a rel value
#
pcarrier
[edit] and yet CVE-2018-17848, CVE-2018-17847, CVE-2018-17846, CVE-2018-17143, CVE-2018-17142, etc. in golang are about go's go-to HTML parser
#
capjamesg
pcarrier[d] please note every time you edit a message it gets sent twice to Slack and IRC.
#
capjamesg
We would disable editing in Discord but we can't 😦
#
aaronpk
right, and there have been no vulnerabilities in any JSON/CBOR parser either 🙄
[Stefan_Rudersd] joined the channel
#
pcarrier
aaronpk[d] is your point that JSON parsers aren't always perfect either, or that they're roughly as error-prone as HTML? if it's the latter I have no words
#
aaronpk
your words not mine
#
pcarrier
my words were "more bug-prone", I very much stand by them
#
aaronpk
anyway i do not care about debating html vs non-html discovery right now, i am talking about .well-known vs DNS
#
pcarrier
in my very limited user testing with a few individual web devs, making DNS changes is a bigger barrier than editing an nginx config.
#
pcarrier
in my limited experience working for tech companies, making a change to DNS involves longer review+release processes and repos/file formats many backend devs aren't familiar with
#
aaronpk
i think it depends entirely on the size of the company
#
aaronpk
which is why both options are good, which is what letsencrypt ended up doing
#
pcarrier
I'm willing to bet 90+% of users of DNS-based verification use it solely because they need wildcard certs
#
aaronpk
i know for a fact that it would take me longer to get the marketing agency that runs the home page to configure their server to serve the .well-known path with the right content type vs getting our ops team to add the DNS entry
barnaby joined the channel
#
pcarrier
oh ok. never been in that situation (my employers only ever trusted marketing agencies to marketing campaign subdomains), fair enough.
geoffo, GuestZero, chimo and rrix joined the channel
#
pcarrier
https://signali.ng has the body height adjust to its content, but https://0pw.me doesn't. I can't figure out why. driving me a bit nuts.
barnaby, amyiscoolz, JadedBlueEyes and Tiffany joined the channel