#dev 2025-07-02

2025-07-02 UTC
cow_2001 and grufwub joined the channel
#
[social] Great to see this practice is still alive
#
Kolev I love my manually-edited site. No SSG, no PHP.
#
[tantek] rawcoding++
#
Loqi rawcoding has 1 karma over the last year
troojg, gRegor, Luther_Gray, KE0VVT, bugliker0 and barnaby joined the channel
#
capjamesg [snarfed] or [manton] Have you done work on signed GET requests with HTTP Signatures for Mastodon?
#
capjamesg I am trying to retrieve an inbox and got an error about the request not being signed.
#
capjamesg It looks like I need to do https://docs.joinmastodon.org/spec/security/ but the guidance is quite complicated.
#
capjamesg [edit] It looks like I need to do https://docs.joinmastodon.org/spec/security/ but the guidance is quite complicated.
vriska and ttybitnik joined the channel
#
arekenaten So do people use and trust cloudflare? I always assumed they were another shady corpo but maybe not given they seem like they're actually trying to start working toward a better situation than everything-you-make-is-now-belong-to-me ai
lanodan joined the channel
#
[artlung] I think it's not either/or. Cloudflare because of the job they are hired for (protecting sites for bandwidth, cdn, preventing abuse, etc) appears to be rising to the moment. Several community members use them.
#
[artlung] https://indieweb.org/Cloudflare
#
[artlung] We don't have a unified page on the topic of managing / blocking / throttling bots / scrapers / LLM scrapers / LLMs. But given the impact such entities are making on the web writ large we have a need for such a page.
#
[tantek] Does Wikipedia have a page on the topic? Curious to see if there's a phrase we can re-use then document indieweb specific concerns
#
[manton] [capjamesg] I have. Mastodon can be configured to require all GETs to be signed. Personally I find that totally unnecessary, but it is what it is. If a GET fails in http://Micro.blog, a re-sign the request with the user’s account if I know who the request is on behalf of, otherwise I sign it with our generic “help” user.
#
[manton] HTTP Signatures are indeed complicated. In fact, I just heard a report this week that some of my signature verification code does not work with Friendica.
#
aaronpk are they planning on switching to the RFC version of HTTP Sigs at some point?
#
capjamesg Yeah. I have been testing my code on three random servers. Two had the GET signing requirements 😭
#
[manton] [aaronpk] I have no idea. Seems like they should update it, but also I worry that it will break the fediverse. 🙂
#
[tantek] Httpsigs-- for gets. it was a horribly unnecessary addition of complexity that doesn't add anything beyond https get.
#
Loqi Httpsigs has -1 karma over the last year
#
aaronpk well it does enable fetching protected posts since it authenticates the requester
#
capjamesg My use case is wanting to follow AS2 streams in my feed reader. I want to request the user's inbox so I can get their most recent posts. The AS2 data is much richer than the RSS.
#
aaronpk other way around, you need to set up an inbox, then request that the people you want to follow send their posts to your inbox
#
capjamesg 😭
#
capjamesg I don't want my reader to also have to implement ActivityPub pieces.
#
aaronpk yeah activitypub is kind of all or nothing
#
aaronpk it doesn't lend itself well to modular design / building blocks
[snarfed] joined the channel
#
[snarfed] capjamesg here's python code for making signed requests: https://github.com/snarfed/bridgy-fed/blob/db7a71e720502377b2600889fdb1379ffd7324d0/activitypub.py#L723-L814
#
[snarfed] and yeah the value of HTTP Sigs in the fediverse is limited at best, https://swicg.github.io/activitypub-http-signature/#so-what-s-the-verdict
#
capjamesg " There's no obvious way to serve public data to anonymous, unauthenticated users, and still block access to specific people." this feels like a good conclusion to document.
#
capjamesg [snarfed] To be clear, I will need an account on the Fediverse to use the function?
#
[snarfed] capjamesg yes, you'll need to generate a keypair and serve an AP actor with that public key
#
capjamesg Can I do that with Bridgy Fed?
#
[snarfed] not self serve. I can give you your actor's private key manually if you want
#
[snarfed] that's ok temporarily, but if you want something long term you'll want to own the actor yourself
#
capjamesg Yeah, I'll probably want to run the actor.
#
[snarfed] can be just a static JSON file
#
capjamesg [snarfed]++
#
Loqi [snarfed] has 35 karma in this channel over the last year (70 in all channels)
#
capjamesg [manton]++
#
Loqi [manton] has 5 karma in this channel over the last year (33 in all channels)
#
capjamesg Thank you for all the help!
#
[snarfed] welcome!
ttybitnik and jak2k joined the channel
#
[manton] Good luck!
#
capjamesg Is there a standard way to know if a site is on the Fediverse?
#
capjamesg (And, if there are many, which one requires the least amount of web requests.)
#
[manton] The problem is a “site” isn’t really on the fediverse… A “user” is.
#
[manton] Maybe the easiest way to do a very quick check would be hitting /.well-known/nodeinfo
#
[manton] But at some point, you’re going to need to do a WebFinger call with the user you want to know about.
#
[manton] I might be confused about what you’re trying to do, though. There also might be rel=me tags in someone’s home page, but no guarantee.
#
capjamesg Right now I ask someone for a URL to subscribe to.
#
capjamesg I suppose I could say that a Fediverse handle like @example@example.com is supported in the form field.
#
[manton] I see. Yeah, you could do that, or also support entering the full actor URL, e.g. mastodon.social/users/someone.
#
[manton] This would be easier if there was a convention for single-user fediverse servers, which I’ve long wanted.
#
[manton] (I honestly gave up on.)
#
[tantek] [manton] the convention for single-user fediverse servers is `@domain@domain` e.g. `@example.com@example.com`.
#
[tantek] anyone who runs their own single-user fediverse server should be smart enough to set that up
#
[tantek] capjamesg sounds like you're asking for ActivityPub Outbox discovery, which is maybe a subset of the user-scenario? I.e. user-scenario "I want to subscribe to this site/profile!" -> enter URL -> do h-feed discovery, if found, use it, exit, else -> do feedfile discovery (JSONFeed, Atom, RSS, etc.), if found, use it, exit, else -> do a/link rel="author" type="application/activity+json" discovery, if found, use it as an ActivityPub user/outbox
#
[manton] [tantek] Sorry, I guess I meant a documented standard. I think Ghost also uses `@index@domain` by default. None of these are very appealing to me when it really should be simply `@domain`. That is the part I’ve mostly given up on.
#
[manton] Didn’t mean to open up that can of worms again.
gRegor joined the channel
#
[tantek] Yeah I should write that up into a mini-spec that implementers can cite
#
[tantek] I agree it "simply `@domain`" from the user/UI perspective. I was talking about under the hood translating @domain into an @-@ which you can then use your existing discovery code with
#
doesnm have you looked at fep612d? https://codeberg.org/fediverse/fep/src/branch/main/feps/fep-612d.md
#
[tantek] lol "Making sure you're not a bot!"
#
[tantek] no I have not bc how are those discovered?
#
[tantek] that link said "moved to /fep/612d"
#
doesnm bc?
#
[tantek] which links to https://codeberg.org/fediverse/fep/src/branch/main/fep/612d
#
doesnm sorry https://codeberg.org/fediverse/fep/src/branch/main/fep/612d/fep-612d.md
#
[tantek] right which links to https://codeberg.org/fediverse/fep/src/branch/main/fep/612d/fep-612d.md
#
doesnm i'm copied from forum
#
[tantek] I don't trust links copied from forums. better to always verify them before sharing
#
doesnm ok
#
doesnm i'm already readed them
#
[tantek] better to share the actual link than the link to a doc with a link to a folder with a link to the actual link
#
[tantek] so this is a non-starter barrier IMO: "TXT record to DNS"
#
aaronpk some things are better done in DNS
#
aaronpk i haven't read this tho
#
[tantek] lots of similar things have tried "TXT record to DNS" like libravatar and others and failed
#
[tantek] when something can be done in HTML it should be., otherwise HTTPS, otherwise DNS. principle of least power.
#
doesnm are libravatar actually failed?
#
[tantek] in this use-case, a/link rel=me is the way (or rel=author type="bunchastuff" if you only want to specify an AP endpoint) in your HTML. otherwise HTTP LINK header.
#
[tantek] what is libravatar
#
Loqi Libravatar is a protocol specification for fetching avatar images for E-Mail addresses and OpenIDs in a decentralized way https://indieweb.org/libravatar
#
[tantek] yeah libravatar is dead compared to rel=icon which is simpler and requires less power (HTML)
#
doesnm i know what is libravatar
#
doesnm at least keyoxide used it for avatars
#
[tantek] yeah no one new is bothering to support it anymore either publishing or consuming so it's dead
#
[tantek] web searching for "libravatar test suite" doesn't come up with anything so it was never really interoperable without NxM implementation/publishing testing etc.
#
[tantek] anyway it's a good example of don't use "TXT record to DNS" when HTTP header will do, and don't use HTTP header when HTML will do
#
doesnm libravatar is quite simple, why they need "test suite"?
#
[tantek] every standard needs a test suite
#
[tantek] because people read specs differently
#
[tantek] without a test suite you end up depending on the de facto behavior of a dominant implementation, and now you don't have a standard, you have an open source monoculture
#
[tantek] also nothing with DNS is "simple"
#
doesnm looking at microsub
#
doesnm i can host an libavatar avatar without hosting libravatar server xD by just placing image in /avatar/hash
#
[tantek] wellknown--
#
Loqi wellknown has -1 karma over the last year
#
doesnm huh?
#
gRegor what is well-known
#
Loqi Well-known refers to designating a common URL on domains for data to be located typically automatically by some software (like a browser or a search engine), and is generally an antipattern to be avoided, because it breaks the portability of content across directories and systems; see follow your nose instead https://indieweb.org/well-known
#
gRegor It's that pattern
#
[tantek] what is wellknown
#
Loqi It looks like we don't have a page for "wellknown" yet. Would you like to create it? (Or just say "wellknown is ____", a sentence describing the term)
#
[tantek] wellknown is /well-known
#
Loqi ok
#
[tantek] there, now fully auto-discoverable
thegreekgeek_ and barnaby joined the channel
#
capjamesg [snarfed]++
#
Loqi [snarfed] has 36 karma in this channel over the last year (71 in all channels)
#
capjamesg I made my first signed GET request!
#
[tantek] might be a good usecase for a granary service: provide an @-@ address (or masto domain/@user profile) and return a simple h-feed of posts from their outbox, letting granary do all the httpsig gymnastics etc.
#
[tantek] making every reader developer have to struggle with signed httpsig requests (which are essentially security theater) seems like a distributed waste of time
#
capjamesg Ooooh.
#
capjamesg Yes.
#
capjamesg 100%.
#
[tantek] what is granary
#
Loqi granary is an open source social web translator that converts between various feed and activity formats, used by IndieWeb community members to for example automatically generate feed files from HTML https://indieweb.org/granary
#
[tantek] capjamesg, looks like there's an issue about this: https://github.com/snarfed/granary/issues/546
#
[tantek] see in the issue for existing workarounds, e.g. go from a Mastodon profile to their RSS feed then just use that instead of the AP outbox for your reader
#
capjamesg Thank you!
#
capjamesg How do I go from @example.com@example.com to an outbox URL?
#
capjamesg I can do webfinger resource acct to get the inbox.
gRegor joined the channel
#
[tantek] capjamesg, @example.com -> https://example.com, and @example.com@example.com -> https://example.com/@example.com, then it's up to that https resource to redirect you if necessary to its preferred profile page, and then you do the aforementioned h-feed, then feedfile, then lastly rel="author" type="activityjsongobbledygook" discovery
#
[tantek] zero webfinger necessary
#
capjamesg I need that gobbledygook discovery part 😄
barnaby joined the channel
#
[tantek] what is rel-author
#
Loqi rel-author is a microformat for linking a page to a URL representing an author of that page, a brief (similar to OGP) way to indicate authorship https://indieweb.org/rel%3Dauthor
#
[tantek] that gobbledygook which I can never remember is documented here: https://indieweb.org/rel-author#How_to_link_to_ActivityPub_followable_profile
#
capjamesg [snarfed] Why is https://fed.brid.gy/tantek.com/outbox empty?
#
capjamesg I thought the outbox listed all of your posts / reactions, etc.
#
gRegor I see all my posts, reactions, and follows on the activity page ("profile" page like https://fed.brid.gy/web/gregorlove.com)
#
gRegor oh looks like different URLs, noticed the "web/" difference. nevermind.
#
capjamesg I just found https://www.gkbrk.com/2018/06/fetching-activitypub-feeds/ which explains how to find the outbox.
#
capjamesg [edit] I just found https://www.gkbrk.com/2018/06/fetching-activitypub-feeds/ which explains how to find the outbox.
bterry1 and Xe joined the channel
#
[mattl] @a​rekenaten I don’t distrust Cloudflare but I do think they wield too much power. I want to do the majority of blocking myself. Trying to avoid the AI scrapers without using something also related to another scam (cryptocurrency)
#
capjamesg [snarfed] Is there a way to get a list of posts on a bsky profile with the Granary SDK?
#
capjamesg I have a Bluesky() instance instantiated.
#
capjamesg I'm looking at https://github.com/snarfed/granary/blob/6353abbf2a2c6be1664b469bf52f453084b6a8b1/granary/bluesky.py#L2009 right now.
#
capjamesg [edit] I'm looking at https://github.com/snarfed/granary/blob/6353abbf2a2c6be1664b469bf52f453084b6a8b1/granary/bluesky.py#L2009 right now.
#
[tantek] wasn't there a bsky .link project that did this?
#
capjamesg 😅
#
capjamesg It looks like the Python ecosystem has progressed so much since then.
#
capjamesg I can get the feed from https://public.api.bsky.app/xrpc/app.bsky.feed.getAuthorFeed?actor=...
#
[tantek] what is bsky
#
Loqi https://indieweb.org/bsky
#
[tantek] bsky << How to get a feed from a profile x: https://public.api.bsky.app/xrpc/app.bsky.feed.getAuthorFeed?actor=x (needs a real example other than 'x')
#
Loqi ok, I added "How to get a feed from a profile x: https://public.api.bsky.app/xrpc/app.bsky.feed.getAuthorFeed?actor=x (needs a real example other than 'x')" to the "See Also" section of /Bluesky https://indieweb.org/wiki/index.php?diff=102642&oldid=102246
#
capjamesg https://public.api.bsky.app/xrpc/app.bsky.feed.getAuthorFeed?actor=mcuban.bsky.social
#
capjamesg Mark Cuban ^
#
capjamesg Ahhh I have it working!
#
capjamesg [bluesky.to_as1(i.get("post"), type="app.bsky.feed.defs#postView") for i in x["feed"]] from the JSON response of the app.bsky.feed.getAuthorFeed endpoint.
#
Kolev Anybody use Zola?
#
Kolev Oh wait, I can check the wiki.
#
Kolev what is zola ssg
#
Loqi It looks like we don't have a page for "zola ssg" yet. Would you like to create it? (Or just say "zola ssg is ____", a sentence describing the term)
#
capjamesg That's 90% of the work to add Bluesky to Artemis!
#
capjamesg What is Zola?
#
Loqi Zola is a static site generator written in Rust https://indieweb.org/Zola