#dev 2024-08-31

2024-08-31 UTC
jonnybarnes joined the channel
#
[KevinMarks]
The Tufte principle you want here is small multiples - stack the 2 charts for different terms instead of overlaying them where the one in front dominates. Consider doing them as bars rather than lines too.
ttybitnik joined the channel
[qubyte] joined the channel
#
[qubyte]
I’m a diehard system font stack guy. In lieu of a sense of design I choose to simply ship no font files at all and boil the oceans and data plans a little more slowly.
to2ds joined the channel
#
to2ds
[qubyte] - Same here. For me it feels similar to the "batteries included" philosophy of Python :)
#
[qubyte]
Oh, I hadn’t thought of it like that, but I like it.
#
to2ds
Question about rel="alternate". Can it reference the same physical URL, just specify a different Mime type?
#
ptramo[d]
to2ds[d] not that I know of. And conneg--
#
Loqi
conneg has -15 karma in this channel over the last year (-18 in all channels)
#
ptramo[d]
to2ds[d] you _can_ specify link type= to indicate a mime type
#
[tantek]
to2ds, it can, yes by adding the type attr per ptramo[d]! That's literally how you advertise conneg for discovery
#
to2ds
I was hoping I didn't paint myself in a corner with my AP prototype.
#
ptramo[d]
ah yup, https://pcarrier.com/conneg totally causes a second request with `Accept: text/css,*/*;q=0.1`
#
to2ds
Ah! It's getting a little clearer :)
#
to2ds
I debugged a bit by dumping the request headers, and most if not all were accepting activity+json and ld+json.
#
to2ds
Most of the confusion started with the url attribute in an AS(2?) JSON object.
#
to2ds
Not sure if this is a Mastodon thing or not.
#
to2ds
At least in the browser, if you typed the full status' object ID, Mastodon will redirect to an @ prefixed URL which matches the url attribute in the JSON object.
#
to2ds
So does this mean Mastodon is doing conneg, or is there some magic happening in the web browser?
#
aaronpk
mastodon definitely does conneg
rozenglass joined the channel
#
to2ds
Even clearer now :)
#
to2ds
Now it's time to understand why /conneg is problematic.
#
ptramo[d]
to2ds[d] which /conneg sorry?
#
to2ds
On the wiki.
#
to2ds
Do the relative links work differently in Discord?
#
ptramo[d]
there was no link.
#
aaronpk
yeah sadly the discord bridge doesn't translate `/slash` to wiki links. only web and slack
#
to2ds
Ah! Maybe better to include the full URL to avoid ambiguity?
#
ptramo[d]
ah! I was considering designing a solution for conneg on xmit.co but if even cloudflare doesn't support it… no thanks
#
to2ds
So does rel="alternate" help to smooth out some of the complexity associated with conneg?
#
to2ds
Insofar as cloudflare would be concerned?
#
ptramo[d]
not as far as I understand no
#
ptramo[d]
cloudflare simply won't take the Accept header into account for the caching of anything but images according to https://simonwillison.net/2023/Nov/20/cloudflare-does-not-consider-vary-values-in-caching-decisions/
mattbcool[d] and [Pierre_Carrier] joined the channel
#
to2ds
That is really interesting.
#
to2ds
If I understand correctly, the rel="alternate" could be helpful for services sitting behind cloudflare?
#
to2ds
Rather than the source endpoint relying upon conneg alone.
#
pcarrier
no, rel="alternate" href="…" type="foo/bar" tells the browser to fetch with (in short) Accept: foo/bar
#
pcarrier
but then cloudflare might have cached the URL with type text/html and decide to serve that regardless of what your server would do
#
pcarrier
What you really want is to have every payload on its own url, even if they represent the same resource, and everything is dandy
#
pcarrier
So no conneg--
#
Loqi
conneg has -16 karma in this channel over the last year (-19 in all channels)
#
to2ds
Ok. That makes a lot of sense now.
#
to2ds
conneg--
#
Loqi
conneg has -17 karma in this channel over the last year (-20 in all channels)
#
pcarrier
Almost want to implement the Gemini protocol on xmit but I really can't get over tofu for certificates
#
to2ds
What is tofu?
#
Loqi
It looks like we don't have a page for "tofu" yet. Would you like to create it? (Or just say "tofu is ____", a sentence describing the term)
#
to2ds
TOFU is an acronym for Trust On First Use.
reno_ joined the channel
#
superkuh
TOFU is the way.
#
superkuh
Way better than CA TLS.
#
superkuh
For human persons.
#
pcarrier
Humans don't speak tls, it's all tools
#
aaronpk
there's nothing inherently wrong with TOFU for certificates
#
superkuh
Yes, but humans use them. And CA TLS is designed for the needs of corporate persons, not human ones.
#
pcarrier
What do you do when your private key is compromised?
#
superkuh
What do you do when the CA enclave secrets are leaked?
#
aaronpk
the question is what are you trying to protect against?
#
aaronpk
most people do not need to protect against the things CAs are solving for
#
pcarrier
superkuh: CA bundle distributors handle those extremely rare occurrences (compared to random server keys being compromised)
#
aaronpk
the one major exception being TLS intercepting proxies on public wifi
#
superkuh
pcarrier, both are so rare as to not be a significant worry.
#
aaronpk
since the proxy can serve its own cert for any domain in a TOFU model
#
pcarrier
I've had to rotate secrets many times in my career
#
pcarrier
It's a significant worry to me.
#
superkuh
In a personal context?
#
superkuh
Or at work?
#
pcarrier
GitHub ssh keys changing was a huge hassle for a lot of users. It's not harmless.
#
superkuh
I've never had my home webserver's keys stolen. Well, except that time the FBI stole all my machines in 2011.
#
superkuh
But what can you do about that... not much.
#
pcarrier
superkuh: both. I assume zero days are exploited though.
#
pcarrier
Also I use letsencrypt for everything now. My private keys are rotated every 2 months if I do nothing.
#
superkuh
My self-signed cert expires in 2050. Different strokes for different folks I guess.
#
pcarrier
Yeah some people don't really care about security by industry standards.
#
superkuh
I worry more about the political and social pressures applied to full centralized CAs than getting hacked.
#
pcarrier
Worst case scenario you have to change provider and your customers stop being impacted. With tofu our customers are screwed unless there's a sensible UI around rotation (which there clearly isn't for ssh, I haven't reviewed Gemini clients)
#
superkuh
I don't have customers.
#
pcarrier
I call people I provide a service to customers, whether paying or not
#
to2ds
pcarrier++ I never knew why LE was rotated every few months :)
#
Loqi
pcarrier has 2 karma in this channel over the last year (13 in all channels)
#
pcarrier
If you build things for nobody but yourself, no offense but your own UX is your own choice, whatever
#
superkuh
My "customers" (in that sense) would not be screwed or even impacted at all because I do the proper HTTP+HTTPS setup,
#
superkuh
HTTPS only is so fragile.
#
superkuh
Only really called for if you're dealing in sensitive information, money, etc.
#
aaronpk
or if you want to stop proxies on public wifi from inserting ads in your site
#
superkuh
I hope all my visitors have JS whitelist only and disabled by default.
#
pcarrier
ads can be injected at the HTML level
#
superkuh
Can, but aren't. For-profit only knows how to js.
#
superkuh
What value is merely advertising? The value is in the spying and tracking with JS.
#
superkuh
And with HTTPS only you've basically given control over to a corporation. Every 90 days they either approve you or don't.
#
superkuh
Unvisitable without their approval.
#
superkuh
There are no non-corporate CAs.
#
superkuh
At least not with cert stores in everyone's browser.
#
pcarrier
you consider https://www.abetterinternet.org/ a corporation?
#
superkuh
It's the least worst of them. And as LE's value goes up and more and more centralize in LE it becomes more of a target for legal and social pressures.
#
superkuh
It is definitely a corporation though, technically.
#
superkuh
Just like .net was/is.
#
superkuh
Enough value and it'll get corrupted in time.
#
superkuh
HTTP+HTTPS is a way to mitigate that eventuality.
#
superkuh
Not for a bank, but for personal websites.
#
superkuh
And HTTPS TOFU is even better.
#
pcarrier
I mean honestly, if you're concerned about the pressure that can be applied to vendors, I wouldn't worry about CAs, I'd worry about DNS
#
superkuh
One can always use an IP address.
#
pcarrier
so much more effective and so fewer points of pressure
#
pcarrier
one can. does one?
#
superkuh
But yeah, I use alternate addressing systems like tor too.
#
superkuh
pcarrier, I used my IP address for my webserver literally 30 minutes ago.
#
superkuh
So a friend from IRC could upload a file to me.
#
superkuh
Anyway, I've once again dragged the chat off-topic onto my pet peeve. Sorry. Just wanted to say I like TOFU.
#
pcarrier
and I want secrets to rotate. seems irreconcilable.
#
[mattl]
IP addresses will become more and more valuable and harder to get sooner or later
reno_ left the channel
#
superkuh
Up to about $50/ipv4 now.
#
pcarrier
[mattl]: IPv4 maaaybe, so the evidence so far is that we've found a peak (https://ipv4.global/wp-content/uploads/2023/02/pricing1-revised-2.png)
#
[mattl]
[Pierre_Carrier] I've yet to see anyone promote their website via a bare IPv6-only address.
#
pcarrier
unless they're dedicated to IPv6 in some way, agreed
#
pcarrier
I wouldn't be shocked if a lot of sites served over CDNs like cloudflare today didn't have IPv4s for their origin
#
superkuh
The modern AOL.
#
pcarrier
I'm a bit shocked that only about 15% of my traffic defaults to IPv6, a number that hasn't moved much in years
#
[mattl]
I don't think I have any traffic over IPv6 and nobody seems to mind
#
[mattl]
I'd imagine that sadly most Cloudflare CDN traffic comes from one of about 5 ISPs, all of whom use IPv4
#
pcarrier
cloudflare is a global operation
#
pcarrier
top 5 network operators represent ~31% of traffic of ident.me, looking at a 1-hour slice. I expect it'd be a lot less looking at a 24-hour window
#
to2ds
I have enough trouble remembering 4 octets which makes IPv6 a scary proposition :)
#
aaronpk
did github turn off git clones of the github wikis?
#
aaronpk
oh, gitea is just incorrectly trying to use the github api for it
#
aaronpk
guess i have to do it manually
#
[mattl]
[aaronpk] looks like they moved the URL to the bottom of the wiki page but I'm still seeing for example https://github.com/openmelody/melody.wiki.git
#
aaronpk
thx, yeah git clone works, "migrate" in gitea fails for it
#
aaronpk
i couldn't even find the git url on github for it
#
aaronpk
oh i see it's at the bottom of the sidebar, which might be somewhere in the middle of the page 😂
#
aaronpk
is doing some server cleanup and moving old things from github to a private gitea install
#
[mattl]
nice. I was surprised to see that GitHub has private repos for free now.
#
aaronpk
guess that's the microsoft money at work
#
[mattl]
yup. it was one of http://GitLab.com's things they had over GitHub for a while
#
[mattl]
I need a TODO list, I keep failing to get anywhere with projects as a result.
#
aaronpk
clearly you should start by making a todo app
#
[mattl]
finding one that doesn't have "AI-powered" on its website is also increasingly hard
#
Loqi
[preview] [Ryan Barrett] Content negotiation considered harmful https://snarfed.org/matilda-used-car-salesman-harry-wormwood.jpg
#
to2ds
[snarfed]++ - Thank you. I really didn't understand the pitfalls associated with conneg.
#
Loqi
[snarfed] has 52 karma in this channel over the last year (101 in all channels)
AramZS joined the channel
#
[morganm]
I'm currently working on a demo about web components, it's going to be a small portion of a talk about that topic. https://bc-web-component.netlify.app/ . I've added a few features I'm going to use to describe the features of web components, it's very hacky right now, anyone have any great ideas or suggestions?
#
[mattl]
morganm: there was a little talk about it at the front end study hall and that’s up on the wiki now
#
ben
sebbu: ahh fair i've soured a bit on ligatures and font icons
#
ben
ligatures in programming fonts to be specific
#
[morganm]
mattl++
#
Loqi
mattl has 1 karma in this channel over the last year (3 in all channels)
#
sebbu
well, i like it :)
#
sebbu
but i also do aspect oriented programming (the exact opposite of (pure) functional programming)
#
sebbu
and in code you generally don't have those unicode characters you concern yourself with, and if you do it's in strings (which might be in the code), not in code (such as different elements)
#
sebbu
i know many languages allow to use unicode for variables/class/methods/function names, but almost nobody does :D
#
sebbu
(i mean, if your native language doesn't use ascii, that's fine, use it, but don't use other unicode characters for names)
#
aaronpk
is ruthlessly deleting old projects from his server that have been inactive/broken for years
benatkin and rrix joined the channel
#
aaronpk
for example, ownyourgram.com
#
[morganm]
✂️ is the season at my household
#
[tantek]
What is ownyourgram?
#
Loqi
OwnYourGram.com is a service which streams your Instagram photos to your own site in real-time https://indieweb.org/OwnYourGram
#
[tantek]
aaronpk if you're letting the domain expire we should probably purge links before to avoid zombie linking
#
aaronpk
it's currently registered through feb 2025
#
aaronpk
i don't see any reason to renew it at this point
#
aaronpk
umm, apparently 9 years ago i removed the need for indieauth.com to use a sql database
#
aaronpk
i thought it was still using the old deprecated datamapper ORM, but apparently it hasn't for the last 9 years
[schmarty] joined the channel
#
[schmarty]
Well that's fun!!
#
[tantek]
🫗 for ownyourgram++
#
Loqi
ownyourgram has 1 karma over the last year
JadedBlueEyes joined the channel
#
aaronpk
wow there are a lot of castopod instances