#dev 2024-05-20

2024-05-20 UTC
geoffo joined the channel
# 00:11 
aaronpk reillypascal: I just pushed a change to webmention.io that might be causing this
# 00:11 
aaronpk log in and look at the "sites" page, make sure you have a site created there
# 00:12 
aaronpk it no longer accepts webmentions for arbitrary domains on your account anymore, you have to add a domain specifically now
# 00:13 
reillypascal Ok good to know!
# 00:16 
reillypascal OK it's working now for the receiver test!
# 00:18 
reillypascal Thanks, I appreciate the help!
# 00:19 
aaronpk yay glad it's working now
# 00:19 
Loqi giggles
[snarfed] joined the channel
# 00:20 
[snarfed] 😢 👍 https://github.com/aaronpk/webmention.io/issues/182
# 00:22 
reillypascal Just to clarify, do I have to explicitly add the individual blog posts, or can I just add my home url?
# 00:22 
aaronpk no just the domain
geoffo, gerben, Renfield, box464, WhatDidYouExpect, jeremycherfas, [Joschi_Kuphal] and [KevinMarks] joined the channel
# 10:21 
[KevinMarks] [snarfed] mention.tech does that - it stores webmentions for any target domain but also passes them through if a webmention endpoint is found.
# 11:28 
capjamesg morganwebdev++
# 11:28 
Loqi morganwebdev has 2 karma in this channel over the last year (3 in all channels)
# 11:29 
capjamesg I appreciate the background on your project!
Guest6 and GuestZero joined the channel
# 13:30 
[snarfed] [KevinMarks]++ awesome!
# 13:30 
Loqi [KevinMarks] has 17 karma in this channel over the last year (31 in all channels)
[Jo] joined the channel
# 13:31 
[Jo] I'd like to get MicroPub on my site, is there any server for it that's easy to just slap on top of a static site?
# 13:34 
aaronpk what is micropub servers?
# 13:34 
Loqi Micropub servers are existing endpoint implementations of Micropub https://indieweb.org/Micropub/Servers
# 13:35 
aaronpk depends on the static site generator but there are some options there ^^
GuestZero, [byJP], [Paul_Robert_Ll] and Guest6_ joined the channel
# 15:37 
pcarrier Mhmm are there features I can build in a static site hosting service to enable the indie web?
# 15:43 
aaronpk A big one would be a service that accepts webmentions and provides some JS people can use to show the comments
# 15:43 
aaronpk if they're already logging in to your service you have a perfect place to show a feed of recent comments to them
# 15:44 
pcarrier aaronpk[d] do you get any value from having that be provided by your host rather than a third-party?
# 15:45 
sebbu wonder if some service like discourse could be compatible webmention
# 15:46 
aaronpk A better user experience
# 15:46 
aaronpk this is actually kind of what micro.blog is, since it's also a static site hosting platform under the hood
# 15:47 
sebbu https://webmention.io/ exists
# 15:48 
aaronpk It leaves a lot to be desired, and also having more than one option for people would be better
[schmarty] joined the channel
# 15:58 
[schmarty] oh wow i missed some good passkeys and indieauth talk. glad y'all are figuring out the passkeys-for-indieauth implementations instead of me. my eyes absolutely rolled back in my head trying to load all that in.
# 15:59 
[schmarty] aaronpk re https://github.com/indieweb/indieauth/issues/133 it feels somewhat cursed to me to have the `client_id` point directly to a document about that client but i also kind of get it, since we're assuming most indieauth systems will need to take that `client_id` value and do some lookups about it. so, i guess i'm for it?
# 15:59 
[schmarty] i guess i should write that on the issue 😂
# 16:01 
[tantek] capjamesg++ for https://jamesg.blog/2024/03/14/spring-cleaning/
# 16:01 
Loqi capjamesg has 41 karma in this channel over the last year (191 in all channels)
# 16:01 
[tantek] appreciate the thought put into trimming of services to maintain, recognizing ongoing admintax etc.
# 16:11 
[Joe_Crawford] learning to live within a budget is not just money, it's time, it's effort, and it's a very good practice capjamesg++
# 16:11 
Loqi capjamesg has 42 karma in this channel over the last year (192 in all channels)
Guest6 joined the channel
# 16:16 
aaronpk i need to do some of that spring cleaning myself heh
# 16:16 
aaronpk [schmarty]: "cursed"?? hahaha
# 16:16 
Loqi hahaha
# 16:16 
[schmarty] _cursed!_
# 16:17 
[schmarty] coming from the current IndieAuth spec, where "client_id" is a URL for which I expect human-readable stuff, it feels cursed to say "client_id just for computers now"
# 16:18 
aaronpk yeah,it's a difference, but i think it's the least bad compromise that could lead to a lot more adoption
# 16:19 
aaronpk (one of the more-bad options being client_id is the human-readable URL and the AS fetches the client metadata from a .well-known path)
barnaby joined the channel
# 16:25 
[schmarty] totally agree about avoiding a new .well-known, the lawful evil option. maybe its presence is making me feel weirder about the client_id change which, honestly, is probably only a little weird.
# 16:28 
aaronpk i was hoping to get the email client community on board with this, but they have an even stronger aversion to hosting web services entirely, and opted for dynamic client registration instead
# 16:28 
aaronpk the irony being that mastodon already went down the dynamic client registration path and it made kind of a mess of things, and switching to this client_id URL option simplifies a lot
# 16:30 
[schmarty] as someone who maintains a pile of messy indieauth clients and a messy indieauth provider, the transition concerns me a bit.
# 16:31 
[schmarty] if i flip all my clients before providers are updated, users will see "some-url-to-a-json-file wants you to log in!!!"
# 16:32 
aaronpk true, i guess the good news is there aren't _that_ many indieauth providers at the moment 😂
# 16:33 
[schmarty] and providers probably need to support 🕯 the old ways :rock: as a fallback if the client_id isn't a JSON document. a write-up of that algorithm would be appreciated!
# 16:34 
[schmarty] that we know of! i mean... selfauth is out there in the wild!
# 16:34 
aaronpk i would probably recommend the fallback behavior of showing the domain name of the client_id, whether that's because it's an old client or because there's an error fetching the metadata document
# 16:35 
aaronpk or an error with the contents of the metadata document even
# 16:40 
[schmarty] interestingly we don't appear to have fallback advice in the current spec https://indieauth.spec.indieweb.org/#client-information-discovery
# 16:41 
aaronpk oh hm it's kind of implied in the first sentence
# 16:41 
aaronpk "it will often want to display some additional information about the client beyond just the client_id URL"
# 16:41 
[schmarty] right, but that specifies the full client_id URL, not just the domain name.
# 16:42 
aaronpk not sure if we used to have something more specific than that, i feel like we did?
# 16:42 
[schmarty] i'm thinking of attacks where two clients are hosted on the same domain
# 16:43 
aaronpk yeah, but in that case your browser would already be sharing cookies with the two clients because they're on the same domain
# 16:44 
[schmarty] "fails enough existing security practices that no one should be doing this"
# 16:44 
aaronpk pretty much
# 16:44 
aaronpk or at least shouldn't be thinking of them as separate clients from a security boundary perspective
# 16:46 
[schmarty] still feels a bit like hiding potentially meaningful information from the user in the name of conveniently hiding meant-for-computers information from the user.
# 16:47 
aaronpk well it _should_ provide meaningful information to the user
Zegnat joined the channel
# 16:49 
[schmarty] sorry, yes, i'm still talking about a case where we have something like http://example.com/good_client/info.json and http://example.com/bad_client/info.json and if the bad client JSON info is broken or missing our advice to indieauth providers would be "just show http://example.com"
sknebel and oenone joined the channel
# 16:50 
[schmarty] yes people shouldn't do this, cookies, etc., but someone will and a user won't be able to differentiate them.
# 16:50 
aaronpk the other way to look at it is that those two clients aren't *actually* different clients because they're on the same domain
# 16:51 
aaronpk so it's actually more helpful to tell the user they are about to authorize the domain name of the client because their data isn't actually limited to just one of those clients
# 16:53 
[schmarty] i feel that model requires keeping too narrow of a perspective on cookies / local storage sharing.
# 16:55 
aaronpk another piece of advice could be to recommend clients use as short of a path as possible for the times where servers might display the full URL, so recommend "https://example.com/client" rather than "https://example.com/the_client_name/info.json"
# 16:56 
[schmarty] i don't have my head around the complexity of that, but it feels better!
# 16:57 
[schmarty] i just want it to be easier to make micropub clients lol
# 16:58 
aaronpk FedCM actually makes it quite a bit easier since it removes the indieauth server discovery step from what the client has to do
# 17:00 
[schmarty] yeah i _think_ i'm excited about that work. my daily drivers are Firefox and mobile Safari and they're all Nos on FedCM currently 😓
# 17:00 
aaronpk safari is officially "supportive"
# 17:00 
aaronpk it'll get there
# 17:02 
[schmarty] aaronpk++ thanks for all the efforts to make this stuff indieweb friendly
# 17:02 
Loqi aaronpk has 44 karma in this channel over the last year (128 in all channels)
[keithjgrant], Saphire, [aciccarello], [qubyte], barnaby and jeremycherfas joined the channel
# 18:50 
[KevinMarks] Bridgy fed as spam vector https://conspirator0.substack.com/p/federation-and-political-spam
# 18:51 
aaronpk oh dear
# 18:54 
[Joe_Crawford] > _"Learn about Nostr: A simple, open protocol that enables a truly censorship-resistant and global social network."_
sadome joined the channel
# 18:55 
[Joe_Crawford] it seems Nostr hasn't totally sorted out their complaint about social media being _"overrun with spam and bots"_
# 18:55 
[Joe_Crawford] https://nostr.com
# 19:26 
Saphire [Joe_Crawford]: The entire point of Nostr is to not have moderation, or at least the entire appeal of Jack Dorsey
# 19:26 
Saphire *for JD
[Joe_Crawford] joined the channel
# 20:07 
[Joe_Crawford] 😕 yes.
# 20:11 
[Joe_Crawford] In an actual dev question vein: I was looking at what I might do for testing for blogofthe.day I was looking at adding unit tests or integration tests or both. Any recommendations on best practices for testing 11ty-based sites? I don't see unit tests on the http://11ty.dev site but maybe I'm not looking for the right thing.
# 20:12 
[Joe_Crawford] I mean, the continuous deployment is de-facto validation of fitness but I do like a belt and suspenders.
# 20:16 
Saphire What is 11ty?
# 20:16 
Loqi Eleventy is a JavaScript based static site generator that allows the user to select their own preferred template engine and theme, which in practice can and does enable use of microformats2 https://indieweb.org/11ty
# 20:17 
Saphire Okay it's not another acronym like k8s or i18n, yay. Not yay that I thought it was one x'D
barnaby, [pfefferle] and [tantek] joined the channel
# 21:54 
[tantek] or a11y or s12y. thus 11ty should really be 6ty 😉
Inc and geoffo joined the channel
# 23:29 
[schmarty] ok aaronpk! i tried to capture my concerns on the GH issue https://github.com/indieweb/indieauth/issues/133#issuecomment-2121389944
# 23:29 
Loqi [preview] [martymcguire] After some discussion [in the #indieweb-dev chat today](https://chat.indieweb.org/dev/2024-05-20#t1716220750926700) between aaronpk and myself, some things I'm considering are:
Avoiding a new `.well-known` feels like a good goal.
Changing the m...
# 23:30 
aaronpk [schmarty]++
# 23:30 
Loqi [schmarty] has 12 karma in this channel over the last year (25 in all channels)
# 23:32 
[tantek] well-known--
# 23:32 
Loqi well-known has -7 karma in this channel over the last year (-10 in all channels)