#dev 2025-01-03

2025-01-03 UTC
[tantek]
For the folks here who are creating (aciccarello?), publishing, or using Chrome extensions, apparently it was not that difficult to phish (via OAuth! No user/pass. cc: aaronpk) sufficient credentials for a supply-chain attack on dozens of them: https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html
gRegor joined the channel
aaronpk
OAuth phishing is no joke
gRegor
So many AI extensions in that list too. And the one web3 password manager, heh
[tantek]
I kinda blame the OAuth providers a bit too, for not having OAuth screens where you can UNCHECK write access
[tantek]
and maybe even tell your OAuth provider "please always uncheck write access by default even if an app requests it"
[tantek]
providers should do better in their OAuth UX
[tantek]
I mean it's only a 14 year old idea 🙄 https://indieweb.org/OAuth#Twitter_Mockup
aaronpk
Google actually has that now!
aaronpk
not for every scope though, i'm not sure exactly what the criteria are
[tantek]
basically there should be an option on any account with an OAuth provider to always default OFF checkboxes for any OAuth permissions that can write or delete data
[tantek]
not sure why that's not obvious
aaronpk
well it's a balancing act
aaronpk
as always, friction vs security
[tantek]
I mean, for something that touches a supply-chain, I would think that "balancing act" would be quite obviously weighted towards much more security.
[tantek]
You don't need to coddle browser add-on developers with low friction, they're willing to put up with plenty of friction (especially if it is all automated, not requiring human support) to get things done.
[tantek]
Especially if any/all such friction has very specific security reasons
aaronpk
yeah I'm surprised the scope to manage extensions didn't default that way
aaronpk
and a lot of the google scopes require approval after an extensive (and expensive) review process, after the google docs oauth phishing worm thingy
MyNetAz, Ben2 and grufwub joined the channel
carrvo[d]
That was one thing I immediately liked about all the IndieAuth screenshots. Never seen the ability to choose scope approvals before.
[tantek]
Does anyone run a home server (https://indieweb.org/home_server), I mean, at home, and if so, what do you do with it (what problems is it solving for you)? Do you host your/a personal site on it? Seeing if we have IndieWeb examples because right now there's A LOT of generic (not particular to indieweb) content there
[tantek]
page could probably use some trimming / gardening to remove "generic" material which is already covered by https://en.wikipedia.org/wiki/Home_server for example
[0x3b0b]
I have my own Matrix homeserver, which I run on the same Oracle Cloud instance as my website. I was amused earlier by the thought of a disambiguation page.
[tantek]
no need since the Matrix "homeserver" has no space. whereas the general concept "home server" is two words.
[tantek]
the Wikipedia "home server" page doesn't even mention Matrix
aaronpk
I run a gitea instance on a home server because it's a lot cheaper to buy a 2tb SSD than it is to rent 2tb from a hosting provider
GWG
I run a mix of home and VPS stuff as well. Most heavy storage is at home, with distributed backups around my relatives' homes
carrvo[d]
I am running a home server because I value offline and internal usage.
carrvo[d]
aaronpk++ I was going to look into a self-hosted GOT in a few months. Now I don't have to.
Loqi
aaronpk has 43 karma in this channel over the last year (128 in all channels)
carrvo[d]
*GIT, not GOT...
doesnm
carrvo: why not game of trees?
carrvo[d]
doesnm Because I have never heard of it, thanks! That is still part of my much longer term plan.
[snarfed] joined the channel
doesnm
oh, it's a typo? i'm thinking you're talking about this project
carrvo[d]
It was a typo. I is next to O on my keyboard.
geoffo joined the channel
Lars-Christian
@[tantek] I run a home server to keep my site generator running and update my website. And to backup all of my docs and media locally. And to seed torrents (all legal stuff, of course).
Lars-Christian
Vague goal for 2025 of using it to host my website as well (but currently rent a VM for that purpose)
roffi joined the channel
[tantek]
home server << IndieWeb Examples: several in chat here: https://chat.indieweb.org/dev/2025-01-03#t1735881904784900
[jeremycherfas], Dryusdan, fishcoder and ttybitnik joined the channel
fishcoder
Hey people :-)
fishcoder
at the moment I am looking for jobs with vue.js, do you know any freelance channels for that?
_pi_r2_0[d]
fishcoder: the indieweb community probably isn't the best fit for job hunting, it's more about individuals making personal sites. have you checked https://discord.com/invite/vue ?
roffi, nemonical, scattershot, [Sophia_wood] and ttybitnik joined the channel
[tantek]
Social Web CG meeting in <30min btw
carrvo[d]
tantek++ will be my first.
Loqi
tantek has 25 karma in this channel over the last year (141 in all channels)
gRegor joined the channel
[tantek]
Social Web CG meeting went fairly well
[tantek]
there's a call for PRs to help resolve open issues if anyone has ideas, suggestions: https://github.com/swicg/potential-charters/issues
GuestZero, Ed, [manton] and scattershot joined the channel
GuestZero
I'm thinking of maybe adopting a 'posse' workflow currently – does anybody know of a neat tool that can disperse links between protocols/services?
[snarfed]
GuestZero there are lots! often your web server/CMS can do it. more options on https://indieweb.org/POSSE#Software and nearby
sebbu joined the channel
Ed
[mattl] here I am!
[mattl]
hey...
Ed
(and I also will need to figure out how to use an account here instead of a guest one :D)
Ed
My main Ghost annoyances are given because I'm not fully self-hosting, but I'm using PikaPods so I don't have FULL control on the Ghost installation
[mattl]
https://mat.tl/blog/2024/10/29/migrating-from-wordpress-com-to-self-hosted-eleventy-via-ghost/ has my set up. Uses Ghost for editing, but everything winds up static.
[mattl]
This may well work with your Pikapods
Loqi
[preview] [Dr. Matt Lee] Longest title ever? Maybe. I just migrated a small WordPress.com hosted blog to a self-hosted Eleventy blog with Ghost as the CMS. If this sounds confusing, it is a bit, but here goes. Why do this? I want a site that's not hosted in the same place...
Ed
Nice, thanks!
GuestZero
thx snarfed! checking out...
Dryusdan, ttybitnik, gRegor, [Sophia_wood]1, [snarfed]1, [aciccarello]1 and rossabaker joined the channel