#meta 2018-12-28

2018-12-28 UTC
eli_oat1 joined the channel
#
tantek.com
edited /event (+784) "Brainstorming Cancelled, add indieweb examples, FB example, design aspects"
Asquith, strugee and [tantek] joined the channel
#
Loqi
Just generated the first draft of this week's newsletter! https://indieweb.org/this-week/2018-12-28.html I'll generate a draft again tomorrow, so please add to it before then! https://indieweb.org/this-week#How_to
[relapse] joined the channel
#
[relapse]
Just tried to create an account on the microformats.org/wiki but it uses reCAPTCHA v1 for account creation and that's shut down.
#
www.amitgawande.com
edited /Webmention (+185) "/* Articles */"
strugee and ichoquo0Aigh9ie joined the channel
sl007 joined the channel
#
Zegnat
[tantek] I was specifically talking about PRs on the PHP parser, rather than any pending spec changes, before a release. Some seem to be low hanging fruits.
swentel, jjuran and [Vincent] joined the channel
#
@janboddez
↩️ Done. Added outgoing webmentions, too, after having discovered https://github.com/indieweb/mention-client-php. (Not sure if I should keep the functionality, though, or move it to another, much smaller plugin.)
(twitter.com/_/status/1078594929667043330)
swentel, [jdpinto1], sl007 and [jgmac1106] joined the channel
#
@megarush1024
Achievement unlocked: I got Ditchbook installed and I have my Facebook archive. Trying to convert to MF2 but Ditchbook is throwing errors. Time for the old Google of Python debug errors. #indieweb
(twitter.com/_/status/1078615600019243009)
jgmac1106 joined the channel
#
Zegnat
What is Ditchbook?
#
Loqi
ditchbook is a toolkit for moving your Facebook data to your own website using Micropub https://indieweb.org/ditchbook
gkbrk and sl007 joined the channel
#
robertvanbregt.nl
created /robertvanbregt (+36) "Redirected page to [[User:Robertvanbregt.nl]]"
[jgmac1106] joined the channel
#
loqi.me
created /POI (+117) "prompted by KartikPrabhu and dfn added by sknebel"
#
kartikprabhu.com
edited /resumé (+30) "/* IndieWeb Examples */"
eli_oat1, jjuran, benwerd, sebsel, [kevinmarks], [tantek], [jdpinto1] and [jgmac1106] joined the channel
#
[tantek]
hey was there anyone on the Virtual HWC EU on Wednesday?
#
[tantek]
or did we end up cancelling everything?
#
Zegnat
I think it was cancelled. Neither sknebel nor I were available.
#
[tantek]
Can you update the page accordingly ^^^
jackjamieson joined the channel
#
@jonathanprozzi
Excited to be able to dedicate some time to getting caught up with @gatsby v2! Working on a very basic #IndieWeb starter that satisfies all the http://Indiewebify.me tests -- so far so good! Looking forward to sharing/writing this up when done
(twitter.com/_/status/1078733258576281602)
#
[tantek]
^^^ makes me wonder, are there some easy IndieWebify issues to fix that we could do and deploy an update as an IndieWeb Challenge thing?
#
[tantek]
indieweb challenge << look for easy [https://github.com/indieweb/indiewebify-me/issues IndieWebify issues] to fix, fix one, and get an update deployed
#
Loqi
ok, I added "look for easy [https://github.com/indieweb/indiewebify-me/issues IndieWebify issues] to fix, fix one, and get an update deployed" to the "See Also" section of /2018-12-indieweb-challenge https://indieweb.org/wiki/index.php?diff=55079&oldid=55018
[jdpinto1], benwerd, ramin and [pfefferle] joined the channel
#
gRegorLove
tantek, I have some updates in progress, let me see if I can wrap it up and PR
jjuran, [kevinmarks] and [tantek] joined the channel
#
[tantek]
good plan. let's definitely merge/deploy any updates in progress before tackling new things.
kisik21 and [asuh] joined the channel
#
Loqi
Just generated this week's newsletter! You still have a few minutes to make changes, and I'll re-generate it 10 minutes before it gets sent out at 3pm Pacific time. https://indieweb.org/this-week/2018-12-28.html
#
jacky
looks like the christian bible thing got into the newsletter lol
#
[tantek]
does indienews have any way to report spam?
#
[tantek]
huh looks like a wordpress blog with a bunch of indieweb plugins
#
[tantek]
it has a text input for manual webmentions with label "To respond on your own website, enter the URL of your response which should contain a link to this post's permalink URL. "
#
[tantek]
this makes me wonder if there's some setting in an indieweb WP plugin that allows easy auto-syndication to IndieNews
#
[tantek]
GWG - did you add indienews syndication as a feature to one of your WP plugins?
chrisaldrich joined the channel
#
chrisaldrich
Tantek, I think GWG did build something like that into the Syndication Links plugin. It was discussed earlier this week when that post originally went up.
#
Loqi
chrisaldrich: [jgmac1106] left you a message 1 week, 1 day ago: now with our color scheme: https://indieweb.org/nofacebook-badge
#
GWG
[tantek]: Yes. I did.
#
[tantek]
GWG, looks like it has lowered the barrier to spamming indienews unfortunately
#
GWG
[tantek]: It isn't auto-syndication. You have to check affirmative each time.
#
[tantek]
still, one checkbox is trivial for spammers obviously
#
GWG
[tantek]: Yes. I have to figure out how to address as it made it easier for me to do it.
#
GWG
Maybe it needs to be addressed on the Indienews side also.
#
chrisaldrich
Though in some people's cases, they may also click that checkbox wondering what it does without knowing fully what IndieNews is or what its readership may be.
#
[tantek]
GWG, I don't think it belongs in the plugin. I don't think IndieNews was intended to be a random place to syndicate anything.
#
[tantek]
[chrisaldrich] that's why it doesn't belong in the plugin
#
[tantek]
since the plugin is used beyond the community
#
[tantek]
!tell aaronpk any way to report spam on indienews? looks like someone with a wordpress blog has spammed indienews - and I can't find any way to report spam.
#
Loqi
Ok, I'll tell them that when I see them next
#
[tantek]
!tell aaronpk looks like we'll have our first spam in the newsletter in about 5 minutes unless you can manually remove it from indienews in that time.
#
Loqi
Ok, I'll tell them that when I see them next
#
chrisaldrich
Perhaps having it as an extension to the plugin? or an additional side plugin within github that requires manual installation and use. That might raise the bar enough.
#
GWG
[tantek]: I'll split it out. Syndication Links is a platform. So I can have that as a separate plugin on Github.
#
GWG
chrisaldrich: Just what I was thinking
#
GWG
chrisaldrich: I only have one thing to point out...
#
Loqi
[chrisaldrich] #23 Publish to IndieNews
#
[tantek]
[chrisaldrich] GWG wouldn't even have it as a separate plugin or anything easily "installable"
#
[tantek]
maybe it was something you configured with a text field for the URL to syndicate to sure
#
chrisaldrich
In fact, if it's extensible that way then every silo that allows syndication could allow it... one for twitter, one for facebook, (potentially) one for Instagram or even IndieNews or Indieweb.xyz
#
GWG
[tantek]: The suggestion was a...configurable arbitrary webmention syndicator
#
[tantek]
!tell aaronpk this (religious) spam in particular is fairly harmless, however the next ones could be much worse, code of conduct violating stuff (hate speech etc.), so looks like it is time to put some ability to report / remove spam in indienews, or we have to remove it from the newsletter
#
Loqi
Ok, I'll tell them that when I see them next
#
@ChrisAldrich
According to @Pocket's account I read 766,000 words or the equivalent of about 10 books this year. Also some #IndieWeb thoughts about discovery. https://boffosocko.com/2018/12/28/chris-aldrichs-year-in-pocket/
(twitter.com/_/status/1078785029679996928)
#
GWG
[tantek]: It didn't occur to me at the time that it might create an issue, to be honest
#
Loqi
Generated the final version of the newsletter! This will be sent out at 3pm Pacific time. https://indieweb.org/this-week/2018-12-28.html
#
Zegnat
Aw, chat search is still down so no way to quickly link to the previous discussion on this subject :(
#
[tantek]
Zegnat if it was in the last week you can click "Previous" and use find in browser for a few days
#
Zegnat
I think it was, I am just not sure. Neither do I remember in what channel we discussed this syndication spam
#
Zegnat
I *think* we moved to wordpress after some time. Let's see
#
[tantek]
good reason to use the right channel (likely this one)
#
Zegnat
We were discussing possible solutions on the plugin side, which is when we moved to -wordpress
#
Zegnat
If my memory isn’t failing me
#
GWG
I made note of them, and was going to do something quick and dirty at minimum
#
[tantek]
I didn't see the discussion before - any reason we let the spam slip through knowing we had days to deal with it?
#
[tantek]
GWG, the quickest fix is to drop any feature / use of IndieNews ASAP
#
Zegnat
This is where I first entered the discussion: https://chat.indieweb.org/2018-12-23#t1545576866213200
#
Loqi
[Zegnat] Re: Your Christian Bible and Christmas Trees being on IndieNews, looks like it uses some sort of syndication WordPress plugin? GWG, is there a plugin that comes with IndieNews support by default?
#
boffosocko.com
edited /Year_in_Review (+840) "GoodReads and Pocket"
#
Zegnat
But that is in reply to earlier discussion, so others discussed it before
#
GWG
I will prioritize the issue then. It is just unlinking a file.
#
[tantek]
Sorry until this is addressed at multiple levels (dropping the IndieNews features from Syndication links, adding spam reporting/removal to IndieNews), I'm going to do a pull request to drop IndieNews from the newsletter.
#
[tantek]
We can re-enable when fixes are in place.
#
Zegnat
Does WP have some soft statistics on how many people have the current version of syndication links installed? That is how many people are in a position to (effortlessly) send (spam) posts to IndieNews. And that will not be fixable by GWG unless all of them have automatic plugin updates enabled and working
#
GWG
Current, no.
#
GWG
Overall, 400+
#
GWG
But most not using the syndication feature
#
GWG
It's off by default.
#
Zegnat
Oh interesting
#
GWG
You have to intentionally turn it on.
#
[tantek]
which any spammer will do
#
GWG
Any other things that I should avoid making easy in future without further consideration?
#
[tantek]
GWG, it's not about "things", it's about mindset. You have to put yourself in the mind of a spammer and think what would they do or abuse, and then be sure to avoid enabling that
#
GWG
New world for me
#
[tantek]
GWG, presumably you have received spam so you understand some of the mindset already
#
chrisaldrich
In mathematics there's an old saw that says during daylight hours you try to make your proofs directly and then at night you spend your time trying to prove them indirectly.
#
GWG
I will address the problem
#
chrisaldrich
The reframing of that here is to develop with your "white hat" on for part of the day and then with your "black hat" on the other part of the day.
#
Zegnat
Interestingly enough, it doesn’t look like IndieNews gives any sort of guidance as to what should and shouldn’t be submitted on https://news.indieweb.org/en/submit
#
GWG
Also an oversight
#
Zegnat
And according to https://news.indieweb.org/how-to-submit-a-post it will accept pingbacks just as well as webmentions, which may up the chances of it receiving spam (?)
#
[tantek]
well the newsletter claims it is showing "Posts about the IndieWeb" when showing all recent posts, which clearly means *either* the expectation is that all IndieNews posts are about the IndieWeb, *or* the newsletter needs to be fixed to only pull in IndieWeb posts that specifically have an "indieweb" hashtag
#
Zegnat
That could be an extra check on indienews’ side, I guess? Make sure a post has the category indieweb before accepting it.
#
Zegnat
Still, spammers could easily just add that one
#
chrisaldrich
As an additional extreme example, keep in mind occasional other uses of indieweb which may occur the same way we sometimes see twitter "spam" on keywords like IndieAuth when the meaning is independent author.
#
chrisaldrich
Maybe this is the issue that spurs someone to build in upvoting/downvoting functionality into indienews to make it more reddit-like?
#
[tantek]
!tell aaronpk I've updated https://github.com/indieweb/this-week/blob/master/generate-indienews.php to comment out the generator until it filters for indieweb at a minimum - hopefully this gets auto-deployed or is easy for you to update in production?
#
Loqi
Ok, I'll tell them that when I see them next
#
chrisaldrich
Though naturally upvoting would be done via means of additional webmentions....
#
[tantek]
Zegnat, reasoning like "Still, spammers could easily just add that one" shows a lack of understanding of security, defense in depth etc. This is a common misconception in lots of dev circles
#
[tantek]
the "could easily just" phrase is basically total bullshit in practice
#
[tantek]
for so many reasons
#
Zegnat
Are you saying spammers would not add #indieweb ?
#
[tantek]
almost nothing is "easy"
#
[tantek]
Zegnat do you not understand the actual cost of adding an extra step? and the actual effect it has?
#
[tantek]
You are making an argument from "theoretically possible" which is not how you practically solve such problems
#
Zegnat
If a spammer has set up webmentions and mf2, where the mf2 specifically includes either syndicate or category to point at indienews, adding 1 extra category to the mf2 is a clear example of trivial, IMO.
#
[tantek]
Zegnat, no that's false, because we got no spam like this until a plugin was released that made it automatic with checking just one checkbox
#
[tantek]
so no it was not trivial, by the very proof that no spammer did it for the *years* we had IndieNews before this
#
[tantek]
this is my point, your evaluation of "clear example of trivial" is flawed
#
Zegnat
1/400 people have used that plugin to spam. Possibly unintended spam, as they may have just “checked all the boxes” without knowing that their WordPress installation was going to put the link in a newsletter down the chain
#
[tantek]
because you are basing it on reasoning theoretically instead of by evidence and history
#
[tantek]
who cares if it is intended or unintended? the point is the spam happened
#
[tantek]
and yes, unintended is a *great* example of something that is prevented by adding an extra barrier
[Khurt] joined the channel
#
Zegnat
Sure, but I am differentiating spammers (people acting with an intent to spam) from people who only syndicated to places their WP allowed them to syndicate. In the case of active spammers, requiring a hashtag feels just like security through obscurity to me *shrug*
#
[tantek]
you are also thinking about security in a binary way which is also flawed
#
[tantek]
go read defense in depth
#
Zegnat
I’d much rather work on a solution that will keep active spammers out of IndieNews, if IndieNews is supposed to be “a community-curated list of articles”, than go and read some bloated wikipedia article that is only 2 paragraphs long in my own language.
#
Zegnat
I wonder if the !rt (retweet) model would work. 2 people who have logged in to the wiki
#
Zegnat
would have to bookmark a link on their site to get it accepted
#
[tantek]
your choice how you prioritize, yet I'd advise prioritizing minimum necessary fixes for actual known abuses (that have happened) rather than overdesigning based on theoretical scenarios (because that can suck-in infinite time)
#
[tantek]
anyway I've disabled including IndieNews in the newsletter until *some* improvement is done somewhere in the way IndieNews works and/or how the newsletter uses it
#
[tantek]
FWIW we also got a random home page "spam" in IndieNews this week
[asuh] joined the channel
#
[tantek]
no entry name, and the summary is mostly labels from navigation links
#
[tantek]
" Music/Outdoors/Synths/Code/Projects/Learning/Sharing Main menu Skip to content Blog Search About this site Posts and pages about this project Privacy ..."
#
Loqi
[matienzo.org] When basil has gone to seed: contemplative pesto
[cleverdevil] joined the channel
#
[tantek]
huh, the post that supposedly submitted it is also a 404: https://chrisbeckstrom.com/2018/12/22/32317/
eli_oat1 joined the channel
#
[tantek]
actually make that two random home page spams, the "Converting png files to jpg files" has nothing to do with indieweb either AFAIK
[kevinmarks] joined the channel
[jgmac1106] joined the channel
#
chrisaldrich
the Chris Beckstrom post actually had content earlier in the week. I think he redesigned his site and did a hello world post and syndicated to indienews. Even then it was as much a test submission as anything else.
#
[tantek]
whether it was a test post or an accident home page submission, it doesn't belong in the newsletter
#
chrisaldrich
Perhaps indienews should have a test page the way indieweb.xyz uses their hottubs page? https://indieweb.xyz/en/hottubs
#
[tantek]
too bad that deleted post only returns a 404 not a 410 😞 https://chrisbeckstrom.com/2018/12/22/32317/
#
chrisaldrich
^^ just what I was thinking
#
[jgmac1106]
I think @aruah syndicated that article on purpose...while her work is for the web in general I like stories in Indie News to up our accessibility game
#
chrisaldrich
I just realized that arush must have had something wrong with the markup on her page. I got a mention ostensibly from "Converting png files to jpg files" but just now realized it's related to https://www.customerservant.com/converting-png-files-to-jpg-files-while-using-a-screen-reader/
#
chrisaldrich
Initially I had thought it related to https://png2jpg.com/, but it had no link to my site on it.
#
chrisaldrich
GWG, does this odd false webmention indicate some edge-case flaw in the WordPress webmention setup?