#dev 2024-08-31

2024-08-31 UTC
#
ben i found https://modernfontstacks.com/ recently
jonnybarnes joined the channel
#
[KevinMarks] The Tufte principle you want here is small multiples - stack the 2 charts for different terms instead of overlaying them where the one in front dominates. Consider doing them as bars rather than lines too.
ttybitnik joined the channel
#
sebbu ben, i prefer https://www.nerdfonts.com/
[qubyte] joined the channel
#
[qubyte] I’m a diehard system font stack guy. In lieu of a sense of design I choose to simply ship no font files at all and boil the oceans and data plans a little more slowly.
to2ds joined the channel
#
to2ds [qubyte] - Same here. For me it feels similar to the "batteries included" philosophy of Python :)
#
[qubyte] Oh, I hadn’t thought of it like that, but I like it.
#
to2ds Question about rel="alternate". Can it reference the same physical URL, just specify a different Mime type?
#
ptramo[d] to2ds[d] not that I know of. And conneg--
#
Loqi conneg has -15 karma in this channel over the last year (-18 in all channels)
#
ptramo[d] to2ds[d] you _can_ specify link type= to indicate a mime type
#
[tantek] to2ds, it can, yes by adding the type attr per ptramo[d]! That's literally how you advertise conneg for discovery
#
to2ds I was hoping I didn't paint myself in a corner with my AP prototype.
#
ptramo[d] ah yup, https://pcarrier.com/conneg totally causes a second request with `Accept: text/css,*/*;q=0.1`
#
to2ds Ah! It's getting a little clearer :)
#
to2ds I debugged a bit by dumping the request headers, and most if not all were acceptiong activity+json and ld+json.
#
to2ds Most of the confusion started with the url attribute in an AS(2?) JSON object.
#
to2ds Not sure if this is a Mastodon thing or not.
#
to2ds At least in the browser, if you typed the full status' object ID, Mastodon will redirect to an @ prefixed URL which matches the url attribute in the JSON object.
#
to2ds So does this mean Mastodon is doing conneg, or is there some magic happening in the web browser?
#
aaronpk mastodon definitely does conneg
rozenglass joined the channel
#
to2ds Even clearer now :)
#
to2ds Now it's time to understand why /conneg is problematic.
#
ptramo[d] to2ds[d] which /conneg sorry?
#
to2ds On the wiki.
#
to2ds Do the relative links work differently in Discord?
#
ptramo[d] there was no link.
#
aaronpk yeah sadly the discord bridge doesn't translate `/slash` to wiki links. only web and slack
#
to2ds Ah! Maybe better to include the full URL to avoid ambiguity?
#
ptramo[d] ah! I was considering designing a solution for conneg on xmit.co but if even cloudflare doesn't support it… no thanks
#
to2ds So does rel="alternate" help to smooth out some of the complexity associated with conneg?
#
to2ds Insofar as cloudflare would be concerned?
#
ptramo[d] not as far as I understand no
#
ptramo[d] [edit] cloudflare simply won't take the Accept header into account for the caching of anything but images according to https://simonwillison.net/2023/Nov/20/cloudflare-does-not-consider-vary-values-in-caching-decisions/
#
ptramo[d] cloudflare simply won't take the Accept header into account for the caching of anything but images according to https://simonwillison.net/2023/Nov/20/cloudflare-does-not-consider-vary-values-in-caching-decisions/
#
ptramo[d] [edit] cloudflare simply won't take the Accept header into account for the caching of anything but images according to https://simonwillison.net/2023/Nov/20/cloudflare-does-not-consider-vary-values-in-caching-decisions/
mattbcool[d] and [Pierre_Carrier] joined the channel
#
to2ds That is really interesting.
#
to2ds If I understand correctly, the rel="alternate" could be helpful for services sitting behind cloudflare?
#
to2ds Rather than the source endpoint relying upon conneg alone.
#
pcarrier no, rel="alernate" href="…" type="foo/bar" tells the browser to fetch with (in short) Accept: foo/bar
#
pcarrier but then cloudflare might have cached the URL with type text/html and decide to serve that regardless of what your server would do
#
pcarrier What you really want is to have every payload on its own url, even if they represent the same resource, and everything is dandy
#
pcarrier So no conneg--
#
Loqi conneg has -16 karma in this channel over the last year (-19 in all channels)
#
to2ds Ok. That makes a lot of sense now.
#
to2ds conneg--
#
Loqi conneg has -17 karma in this channel over the last year (-20 in all channels)
#
pcarrier Almost want to implement the Gemini protocol on xmit but I really can't get over tofu for certificates
#
to2ds What is tofu?
#
Loqi It looks like we don't have a page for "tofu" yet. Would you like to create it? (Or just say "tofu is ____", a sentence describing the term)
#
to2ds TOFU is an acronym for Trust On First Use.
#
Loqi ok
reno_ joined the channel
#
superkuh TOFU is the way.
#
superkuh Way better than CA TLS.
#
superkuh For human persons.
#
pcarrier Humans don't speak tls, it's all tools
#
aaronpk there's nothing inherently wrong with TOFU for certificates
#
superkuh Yes, but humans use them. And CA TLS is designed for the needs of corporate persons, not human ones.
#
pcarrier What do you do when your private key is compromised?
#
superkuh What do you do when the CA enclave secrets are leaked?
#
aaronpk the question is what are you trying to protect against?
#
aaronpk most people do not need to protect against the things CAs are solving for
#
pcarrier superkuh: CA bundle distributors handle those extremely rare occurrences (compared to random server keys being compromised)
#
aaronpk the one major exception being TLS intercepting proxies on public wifi
#
superkuh pcarrier, both are so rare as to not be a significant worry.
#
aaronpk since the proxy can serve its own cert for any domain in a TOFU model
#
pcarrier I've had to rotate secrets many times in my career
#
pcarrier It's a significant worry to me.
#
superkuh In a personal context?
#
superkuh Or at work?
#
pcarrier GitHub ssh keys changing was a huge hassle for a lot of users. It's not harmless.
#
superkuh I've never had my home webserver's keys stolen. Well, except that time the FBI stole all my machines in 2011.
#
superkuh But what can you do about that... not much.
#
pcarrier superkuh: both. I assume zero days are exploited though.
#
pcarrier Also I use letsencrypt for everything now. My private keys are rotated every 2 months if I do nothing.
#
superkuh My self-signed cert expires in 2050. Different strokes for different folks I guess.
#
pcarrier Yeah some people don't really care about security by industry standards.
#
superkuh I worry more about the political and social pressures applied to full centralized CAs than getting hacked.
#
pcarrier Worst case scenario you have to change provider and your customers stop being impacted. With tofu our customers are screwed unless there's a sensible UI around rotation (which there clearly isn't for ssh, I haven't reviewed Gemini clients)
#
superkuh I don't have customers.
#
pcarrier I call people I provide a service to customers, whether paying or not
#
to2ds pcarrier++ I never knew why LE was rotated every few months :)
#
Loqi pcarrier has 2 karma in this channel over the last year (13 in all channels)
#
pcarrier If you build things for nobody but yourself, no offense but your own UX is your own choice, whatever
#
superkuh My "customers" (in that sense) would not be screwed or even impacted at all because I do the proper HTTP+HTTPS setup,
#
superkuh HTTPS only is so fragile.
#
superkuh Only really called for if you're dealing in sensitive information, money, etc.
#
aaronpk or if you want to stop proxies on public wifi from inserting ads in your site
#
superkuh I hope all my visitors have JS whitelist only and disabled by default.
#
pcarrier ads can be injected at the HTML level
#
superkuh Can, but aren't. For-profit only knows how to js.
#
superkuh What value is merely advertising? The value is in the spying and tracking with JS.
#
superkuh And with HTTPS only you've basically given control over to a corporation. Every 90 days they either approve you or don't.
#
superkuh Unvisitable without their approval.
#
superkuh There are no non-corporate CAs.
#
superkuh At least not with cert stores in everyone's browser.
#
pcarrier you consider https://www.abetterinternet.org/ a corporation?
#
superkuh It's the least worst of them. And as LE's value goes up and more and more centralize in LE it becomes more of a target for legal and social pressures.
#
superkuh It is definitely a corporation though, technically.
#
superkuh Just like .net was/is.
#
superkuh Enough value and it'll get corrupted in time.
#
superkuh HTTP+HTTPS is a way to mitigate that eventuality.
#
superkuh Not for a bank, but for personal websites.
#
superkuh And HTTPS TOFU is even better.
#
pcarrier I mean honestly, if you're concerned about the pressure that can be applied to vendors, I wouldn't worry about CAs, I'd worry about DNS
#
superkuh One can always use an IP address.
#
pcarrier so much more effective and so fewer points of pressure
#
pcarrier one can. does one?
#
superkuh But yeah, I use alternate addressing systems like tor to.
#
superkuh pcarrier, I used my IP address for my webserver literally 30 minutes ago.
#
superkuh So a friend from IRC could upload a file to me.
#
superkuh Anyway, I've once again dragged the chat off-topic onto my pet peeve. Sorry. Just wanted to say I like TOFU.
#
pcarrier and I want secrets to rotate. seems irreconcilable.
#
[mattl] IP addresses will become more and more valuable and harder to get sooner or later
reno_ left the channel
#
superkuh Up to about $50/ipv4 now.
#
pcarrier [mattl]: IPv4 maaaybe, so the evidence so far is that we've found a peak (https://ipv4.global/wp-content/uploads/2023/02/pricing1-revised-2.png)
#
[mattl] [Pierre_Carrier] I've yet to see anyone promote their website via a bare IPv6-only address.
#
pcarrier unless they're dedicated to IPv6 in some way, agreed
#
pcarrier I wouldn't be shocked if a lot of sites served over CDNs like cloudflare today didn't have IPv4s for their origin
#
superkuh The modern AOL.
#
pcarrier I'm a bit shocked that only about 15% of my traffic defaults to IPv6, a number that hasn't moved much in years
#
[mattl] I don't think I have any traffic over IPv6 and nobody seems to mind
#
[mattl] I'd imagine that sadly most Cloudflare CDN traffic comes from one of about 5 ISPs, all of whom use IPv4
#
pcarrier cloudflare is a global operation
#
pcarrier top 5 network operators represent ~31% of traffic of ident.me, looking at a 1-hour slice. I expect it'd be a lot less looking at a 24-hour window
#
to2ds I have enough trouble remembering 4 octets which makes IPv6 a scary proposition :)
#
aaronpk did github turn off git clones of the github wikis?
#
pcarrier aaronpk: nope. https://github.com/…/….wiki.git right?
#
aaronpk oh, gitea is just incorrectly trying to use the github api for it
#
aaronpk guess i have to do it manually
#
[mattl] [aaronpk] looks like they moved the URL to the bottom of the wiki page but I'm still seeing for example https://github.com/openmelody/melody.wiki.git
#
aaronpk thx, yeah git clone works, "migrate" in gitea fails for it
#
aaronpk i couldn't even find the git url on github for it
#
aaronpk oh i see it's at the bottom of the sidebar, which might be somewhere in the middle of the page 😂
#
aaronpk is doing some server cleanup and moving old things from github to a private gitea install
#
[mattl] nice. I was surprised to see that GitHub has private repos for free now.
#
aaronpk guess that's the microsoft money at work
#
[mattl] yup. it was one of http://GitLab.com's things they had over GitHub for a while
#
[mattl] I need a TODO list, I keep failing to get anywhere with projects as a result.
#
aaronpk clearly you should start by making a todo app
#
[mattl] heh
#
[mattl] finding one that doesn't have "AI-powered" on its website is also increasingly hard
#
aaronpk lol
#
[snarfed] to2ds you may be interested in https://snarfed.org/2023-03-24_49619-2
#
Loqi [preview] [Ryan Barrett] Content negotiation considered harmful https://snarfed.org/matilda-used-car-salesman-harry-wormwood.jpg
#
to2ds [snarfed]++ - Thank you. I really didn't understand the pitfalls associated with conneg.
#
Loqi [snarfed] has 52 karma in this channel over the last year (101 in all channels)
AramZS joined the channel
#
[morganm] Im currently working on a demo about web components, its going to be a small portion of a talk about that topic. https://bc-web-component.netlify.app/ . Ive added a few features Im going to use to describe the features of web components, its very hacky right now, anyone have any great ideas or suggestions?
#
[mattl] morganm: there was a little talk about it at the frond end study hall and that’s up on the wiki now
#
ben sebbu: ahh fair i've soured a bit on ligatures and font icons
#
ben ligatures in programming fonts to be specific
#
ben https://practicaltypography.com/ligatures-in-programming-fonts-hell-no.html
#
[morganm] mattl++
#
Loqi mattl has 1 karma in this channel over the last year (3 in all channels)
#
sebbu well, i like it :)
#
sebbu but i also do aspect oriented programming (the exact opposite of (pure) functional programming)
#
sebbu and in code you generally don't have thoses unicode character you concern yourself with, and if you do it's in strings (which might be in the code), not in code (such as different elements)
#
sebbu i know many languages allow to use unicode for variables/class/methods/function names, but almost nobody does :D
#
sebbu (i mean, if your native language don't use ascii, that's fine, use it, but don't use other unicode cahracters for names)
#
aaronpk is ruthlessly deleting old projects from his server that have been inactive/broken for years
benatkin and rrix joined the channel
#
[tantek] Yikes
#
aaronpk for example, ownyourgram.com
#
aaronpk RIP
#
[morganm] ✂️ is the season at my household
#
[tantek] What is ownyourgram?
#
Loqi OwnYourGram.com is a service which streams your Instagram photos to your own site in real-time https://indieweb.org/OwnYourGram
#
[tantek] aaronpk if you're letting the domain expire we should probably purge links before to avoid zombie linking
#
aaronpk it's currnetly registered through feb 2025
#
aaronpk i don't see any reason to renew it at this point
#
aaronpk umm, apparently 9 years ago i removed the need for indieauth.com to use a sql database
#
aaronpk i thought it was still using the old deprecated datamapper ORM, but apparently it hasn't for the last 9 years
[schmarty] joined the channel
#
[schmarty] Well that's fun!!
#
[tantek] 🫗 for ownyourgram++
#
Loqi ownyourgram has 1 karma over the last year
JadedBlueEyes joined the channel
#
aaronpk well this explains why there are so many active podcast feeds in my websub hub https://github.com/ad-aures/castopod/blob/53232d3b616877e0db87c7f01e2f199f03a0c357/modules/WebSub/Config/WebSub.php#L21
#
aaronpk hey cool https://websubhub.com/
#
aaronpk wow there are a lot of castopod instances