#dev 2025-02-18

2025-02-18 UTC
bterry, NaomiAmethyst3, pka, grufwub, [Murray], CRISPR, xgpt, jak2k, GuestZero, streety and ttybitnik joined the channel
# 10:45 
capjamesg[d] aaronpk Where is a good place to learn about implementing SSO? I have auth logic in my web reader and I'd ideally like for people to be able to sign in to other services I make using the reader login instead of re-implementing things.
# 10:48 
capjamesg[d] Or maybe SSO isn't even what I want 🙃
# 10:48 
capjamesg[d] My outcome is that I create an account on Service A then I can use that account to sign into Service B and Service C.
# 10:58 
capjamesg[d] I guess OAuth is what I want?
karjala, bterry and [jeremycherfas] joined the channel
# 14:56 
[snarfed] if you want something that independent entities can implement, then yes
# 14:56 
[snarfed] if you plan to own all of the services yourself, then you can do whatever you want
# 14:58 
capjamesg[d] [Joe_Crawford] I'd love to discuss CSS subgrid in a FrESH!
# 15:02 
[Joe_Crawford] Definitely.
# 15:03 
aaronpk Sounds like you want your reader to be an IndieAuth server?
# 15:11 
capjamesg[d] Maybe?
# 15:12 
capjamesg[d] My reader supports logging in with a username/password too though.
Pixi joined the channel
# 15:31 
[tantek] sounds like you want your reader to be an IndieAuth consumer (relying party)
[manton] joined the channel
# 15:39 
[manton] Put some thoughts down about Mastodon quote posts that some folks here might find interesting… Still trying to digest it but writing a post helped me. https://www.manton.org/2025/02/18/mastodon-quote-posts-draft.html
# 15:42 
[manton] tl;dr: can we just do more with blog posts and IndieWeb protocols that work with the web on its own terms, please? 🙂
# 16:23 
GuestZero as a micro.blog non-user, i fully agree with that reasoning. technology aside, there's a whole toxic callout culture evolved around that 'feature'.
# 16:26 
doesnm not having quote posts is feature!
# 16:26 
doesnm > For example, Micro.blog does not show follower counts,[21][14] does not have hashtags,[22][23][5][24] public likes[21][14] or trending topics,[23] does not have equivalents of retweeting[21][23][25][14] or quote tweeting, does not algorithmically recommend users and like Mastodon, and does not have full-text search as part of the service[24] or client apps.
Pixi joined the channel
# 16:50 
[snarfed] [manton] I think you called out a broader culture shift over the last few decades pretty well
# 16:50 
[snarfed] "So what is special about Mastodon that requires so much technical infrastructure to support something so simple? ...There is also a culture in Mastodon of treating posts as semi-protected..."
# 16:51 
[snarfed] ^ captures a tension we've talked about some here. Many of us may have grown up with the 90s and 2000s web, which culturally was much more permissionless - feed readers, mashups, embeds, etc.
# 16:51 
[snarfed] technically protocols like AP are still largely that, but culturally they're often not, which is often one direct cause for orgs like Mastodon moving so slow and haltingly
# 16:51 
[snarfed] I think some of that culture shift was good, but some feels like too much. still hard for me to understand crisply
# 16:52 
[snarfed] Erin Kissane thought through a similar issue in https://www.wrecka.ge/bridges-scruples/
# 16:54 
[snarfed] ...specifically, the tension that the fediverse has a strong *culture* of consent and opt-in, but the way it actually works, AP federation, is by default opt-out and not consent-based
# 16:54 
[snarfed] 🤷
GuestZero_ joined the channel
# 16:59 
[manton] [snarfed] That sounds right. We often think about this in purely technical terms, like “you know your post is being copied to thousands of Mastodon servers, right?”
# 16:59 
[manton] Even features like posting to “followers only” is really tricky to get right.
# 17:06 
[manton] Good post from Erin Kissane. I hadn’t seen that before.
GuestZero, jak2k, gRegor, MyNetAz and btrem joined the channel; dusted_ left the channel
# 19:37 
trwnh re: [manton] "You don’t need permission to quote something on the web", sometimes you would still do well to ask for explicit consent. "can i copy your text onto my page" is the mechanical aspect, but "can i quote you in this article" might reasonably be answered with "no". it's more of an integrity thing where you can "prove" that someone gave their consent or at least acknowledged it in some way.
# 19:38 
trwnh now, do you care to check for this ack or not? that's a policy matter. but you have a signal to go off of
# 19:40 
[snarfed] yeah, the question of whether you need someone's consent to respond to them, or to talk about them, is kind of complicated. the answer isn't clearly always yes, but it's maybe also not clearly always no
# 19:40 
trwnh similar longstanding issue, some people don't want their posts to be embeddable.
# 19:40 
trwnh i think you absolutely always should have consent, but the thing about consent is that in some cases it might be implied
# 19:41 
[snarfed] hmm I don't think it's an always. eg I don't think I need a politician's consent to talk about them, or many other "big" public figures
# 19:42 
[snarfed] or companies or orgs, etc
# 19:42 
trwnh another thing that feels like it should be fine is a reply-context, but if someone doesn't consent to having their resource embedded on your page, then this can be seen as a violation of their consent
# 19:44 
trwnh i think ultimately consent is about respect, like if you want to talk about a politician without getting their approval first, you could say that the journalistic aspect outweighs any respect you have for that politician. but most people are not public figures, even if they are posting in public
# 19:45 
[snarfed] true. but even then, I don't even think the consent-first wing of fediverse thinks you need to ask permission first every time you reply to someone, right?
# 19:47 
trwnh in principle you ask every time but you can have a policy to auto-grant based on certain conditions (per person, per post, whatever)
ttybitnik joined the channel
# 19:48 
carrvo capjamesg, if your goal is not re-implementing (and you can live with logging in independently) then an short-term alternative is to pull your auth into a library that you can import into other projects. Then you can loop back and give a "login once" experience in the long-term.
# 19:49 
[snarfed] trwnh you mean, when the OP's instance receives the AP `Create`, it can choose whether or not to handle it, based on blocks etc.
# 19:49 
[snarfed] true, but that's very far away from UX or cultural expectations
# 19:50 
[snarfed] anyway. I'm pro consent, I just think the fediverse's expectations for it often seem incomplete and inconsistent, at best
# 19:51 
trwnh no, the Create is separate from the Quote -- you are basically notifying someone that you quoted them, and then they can respond with a stamp or otherwise ignore or reject you
# 19:52 
trwnh but the stamp doesn't have to be manually approved on a case-by-case basis. a policy can auto-grant just like with Follow
# 19:53 
[snarfed] oh I said reply, not quote
# 19:53 
[snarfed] np
# 19:53 
trwnh i think the closest thing on the web outside mastodon is basically like how someone might put up a web page that attests some claim. "these are my socials" and then they claim rel-me. or they say "i'm doing a reddit ama and this is my verification"
# 19:54 
capjamesg[d] carrvo That idea did cross my mind, but I think I need more time to sit and think about what's best.
# 19:54 
capjamesg[d] Building that library is going to take a fair but of time. I'm figuring out where is best to invest my energy.
# 19:54 
trwnh [snarfed] well a Reply activity might make sense actually, in the same way as a Quote, you use it to trigger being added to the replies collection
# 19:56 
trwnh this is again assuming you care what an authority acknowledges in "their" replies
# 19:58 
trwnh one thing i was discussing with claire is that conceptually when an Accept "happens", it in effect can be verified by two things: either you have presence in a special collection, or you can grant a stamp. or both!
# 20:01 
trwnh aside from that though, there is still the fundamental issue of no one owning the reply tree. this is where something like explicit context helps
nemonical and MyNetAz joined the channel
# 20:30 
carrvo capjamesg: fair enough. For my setup that is why I spent so much time coming up with a server-level auth strategy instead of an application-level strategy.
# 20:30 
carrvo Part of why, anyway.
# 20:45 
aaronpk conneg-- bites again https://github.com/aaronpk/p3k/issues/121
# 20:45 
Loqi conneg has -22 karma in this channel over the last year (-25 in all channels)
Pixi joined the channel
# 21:28 
Loqi connegg has -1 karma over the last year
# 21:28 
[snarfed] connegg-- always
# 21:31 
[snarfed] oops conneg--
# 21:31 
Loqi conneg has -23 karma in this channel over the last year (-26 in all channels)
# 21:32 
[manton] @trwnh: I remember once years ago I asked a blogger if I could quote something from one of their posts, and their response was something like. “of course, it’s on the web and I want people to quote and link to it”. I’ve never asked anyone since then. I get what you’re saying about consent but if we all asked before quoting another blog post, it would crush what is good and open about the web. Mastodon is more complicated, though, a
# 21:32 
[manton] to get at… There are different expectations around privacy for some people.
# 21:34 
btrem I'm late to this discussion, but I sort of go by the fair use doctrine. That's a U.S. law, but seems like a good set of guidelines on quoting.
# 21:35 
[manton] Yep. And like fair use, I usually think about how much of something I’m quoting. So if there is a 5-paragraph blog post, I’m not going to quote more than a couple sentences. Quoting the entire thing would be too much.
# 21:37 
[manton] In other words, you’re not just duplicating something, you’re creating a derivative work with your own text added to it.
# 21:38 
btrem or doing parody, or criticism, etc.
# 21:48 
[snarfed] yeah in general western freedom of speech and fair use doctrines seemed to match (or drive) a lot of the traditional open web's norms around responding, quoting, etc
# 21:53 
btrem I'm not really on social media, so I suppose I don't know much about that. At least, not much about fediverse. As for the corporate silos, well, those are corporations, which don't have much accountability to democratic principles, or elected officials, or really anyone but their investors.
# 21:56 
btrem In the U.S., at least, there's a distinction between public persons -- politicians, celebrities, etc. -- regarding libel. As in, it's harder for a public person to prove libel than a non-public person.
# 21:56 
catgirlin.space not a problem for me quite yet, but are there any recommendations when it comes to changing domains? when i have my new website i'm planning to move to saige.ink instead...
# 21:57 
btrem <c​atgirlin.space> not sure what you mean. Recommendations for email forwarding? Website forwarding? More general advice?
# 21:58 
gRegor what is migration?
# 21:58 
Loqi migration in the context of the indieweb refers to the process of moving your indieweb site from any one or more of one CMS / web host / DNS provider / URL design / domain name to another https://indieweb.org/migration
# 21:58 
gRegor Might be some brainstorming discussion on there
# 22:04 
catgirlin.space btrem i guess more like, general advice? i didn't know if there was much as far as like, dealing with indieauth and stuff when changing domains (i hope that makes sense somewhat...)
# 22:06 
btrem The wiki link that gRegor posted has some info on that. The thing to be mindful of is if you use your domain to log into services (e.g., the wiki, webmention.io, etc.). If your domain changes, you'll have to figure how to migrate your logins.
# 22:07 
btrem Or if you should migrate them. For webmention.io, probably not. The point of the service is to provide incoming webmentions for a domain. But if you migrate your content, you might very well want your replies, likes, etc., to come with it.
# 22:10 
btrem If you want advice on forwarding from one domain to another, we'd need to know what software you use atm. Apache? Nginx? You can also do that via dns records, and in fact that might be preferable. But we'd need a bit more info. Do you have access to dns records? As in, can you change them, add new records, etc.?
# 22:14 
catgirlin.space the actual http redirects i'm not concerned about--i already have stuff for that. more just stuff you mentioned like wiki and webmentions is what i'm concerned about i think (i have some time since it's not happening anytime soon, my girlfriend and i haven't done much on our little website backend thingy)
# 22:18 
catgirlin.space it seems like everything on that wiki page is just brainstorming (for domain changes anyways). would i just have to reach out to everywhere i use indieauth and hope they manually update my domain since there doesn't seem to be a standard for that?
# 22:19 
[snarfed] probably yes
# 22:21 
gRegor If you mean the wiki, domain change won't be a big deal. You can sign in with the new domain, you'll get a new blank wiki user page, you can copy the contents of your old wiki user page and redirect it to the new one
# 22:21 
catgirlin.space [snarfed]: that sounds like i have to talk to people then (scary...)
# 22:22 
catgirlin.space gRegor: oh i forgot wiki pages can be redirected
# 22:22 
gRegor Most indieauth clients probably aren't set up to make the update. I run indiebookclub for example, and haven't run into this yet, so idk how I'd do it.
# 22:23 
gRegor With webmention.io, you should still be able to use the API to pull in mentions to the old domain if you need to archive them
# 22:23 
gRegor But you'd get a separate "account" for the new domain, so new incoming mentions would show up there
# 22:24 
catgirlin.space i would ask about writing a standard/spec for this but uh. nope that's scary idk how to write something so important >.<
# 22:26 
btrem and for webmentions, if that is a concert, you probably want to have accounts for both the old and new domains. And have your site builder/cms/whatever retrieve both accounts so you'll have your old and new webmentions. (gRegor sort of discussed this, but you don't really have to "archive" them. You can just migrate them IYSWIM.
# 22:31 
trwnh [manton] i think that we can reduce the uncertainty with people describing ahead of time what their preferences or expectations are... so for example someone might say "this post is 100% public domain i don't care what you do with it" or they might have a policy like "i very specifically do not want matt mullenweg to refer to me in any way" and beyond that point you can make some assumptions to fill in some blanks. but that kind of advisory
# 22:31 
trwnh policy is separate from what stamps are doing. stamps let you basically ack or attest "this thing is okay". and policies of course can be disrespected
# 22:33 
trwnh linking is always possible and copying/embedding is always possible but "possible" isn't equal to "good idea"
# 22:34 
trwnh wrt ahead-of-time advisory, the `acceptsQuotesFrom` property or w/e it's called should do basically that
sebbu2 joined the channel
# 22:36 
trwnh but crucially, this is separate from the Quote activity, which is separate from the Accept Quote. they progressively build on each other so that you can at baseline notify someone that they've been quoted, and then you might give them a stamp to let 3rd-party observers know that you're okay with this. those observers don't need to know your exact policy, they just check the stamp
lanodan joined the channel