#[tantek]Hey folks, while in Düsseldorf, a few of us there started chatting IWC Berlin options so I wanted to ask folks here who would consider traveling to please add your availability/pref to the Planning section for IWC Berlin this September: https://indieweb.org/Planning#Berlin
#[tantek]yes it may have been ~900. though considering that includes essentially a whole computer setup to do Zoom that may be worth it
#GWGI will continue to look for lower alternatives, but it may be worth having one of them if we pick up
jacky joined the channel
#IWDiscordGateway<fncll> I’d be happy to help organize something but don’t have the skills or knowledge to be more than an assistant. For online or Seattle/Tacoma or possibly Portland areas.
#omz13sknebel: yes but no: .well-known as a page should not exist. Any half-decent web server deployment would be configured to filter out /.well-known requests and serve up its content from an admin writable only folder... or the wiki engine should do it. It is mis-configuration not a problem.
#sknebela) the page .well-known is distinct from the folder, which is indeed restricted b) but our wiki anyways makes this distinction, so please put the things in the right pages anyways
#omz13Then somebody should alias well-known page to .well-known page because it is not obvious
#aaronpksaying every web server should only serve .well-known from an admin writable folder is kind of silly, that's like saying every web server should make sure they are aware of every possible mechanism anyone might use and block access to those paths. which also kind of goes to show the problem with .well-known to begin with, that if a path there enables some sort of functionality then anyone who might be
#omz13what I was trying to say was if you don't configure (harden) your server or application correctly, don't complain when people do stupid stuff if you let them play in your .well-known folder
#omz13do we need to add a trigger warning whenever .well-known is mentioned because that is how it feels around here
[Murray] joined the channel
#aaronpkthe point is .well-known is not the only way to do well-known URLs, so just blocking .well-known from being user-editable isn't enough, you have to go list out every possible well-known URL that might cause a problem if it's user-editable and block that too
#aaronpkthat's also why there are two different wiki pages
#omz13am I missing something because if request path starts with /.well-known/ then burp
#aaronpkalso robots.txt and humans.txt and whatever else anyone comes up with
#aaronpkthis is arguably the reason _for_ putting all well-known things in the .well-known folder but there's nothing stopping someone from creating something that doesn't do that
#[KevinMarks]Well there's another 2 layers of that with LRRD and webfinger
#omz13wearing my BOFH hat, it is far easier to put all that meta-thing into /.well-known/thing because it can be locked down so lusers don't twiddle with things they are not meant to twiddle with... and you can do evil things with reverse proxy or application middleware to achieve that
#petermolnarthat is certainly the BOFH hat, thinking .well-known is out of the context of the site. That is exactly why it shouldn't exist, particularly for non-web protocols, eg. mta-sts, which should be killed with fire.
#[tantek]"nothing stopping someone from creating something that doesn't do that" <-- this is exactly what happened with "security.txt" AFAIK, which was created *after* .well-known became a "thing". And yes they're both RFCs 🙄
#[tantek].well-known << Criticism: unnecessary domain-level assumption for use-cases that can by handled by resource-level discovery: it's almost always a web architecture error to design something for a domain (also includes root /noun.txt approaches) instead of designing for an arbitrary URL (HTML at some page).
#Loqiok, I added "Criticism: unnecessary domain-level assumption for use-cases that can by handled by resource-level discovery: it's almost always a web architecture error to design something for a domain (also includes root /noun.txt approaches) instead of designing for an arbitrary URL (HTML at some page)." to the "See Also" section of /.well-knownhttps://indieweb.org/wiki/index.php?diff=81415&oldid=81414
#[tantek].well-known << Alternative: instead of forcing/squatting a specific path on web server admins, use link rel for discovery. The W3C [[Social Web Working Group]] resolved on this methodology (also known as "follow your nose") years ago for all the approaches being considered, and subsequently all of the W3C Recommendations they produce used link rel discovery, without any need for ".well-known"
#Loqiok, I added "Alternative: instead of forcing/squatting a specific path on web server admins, use link rel for discovery. The W3C [[Social Web Working Group]] resolved on this methodology (also known as "follow your nose") years ago for all the approaches being considered, and subsequently all of the W3C Recommendations they produce used link rel discovery, without any need for ".well-known"" to the "See Also" section of /.well-knownhttps://indieweb.org/wiki/index.php?diff=81416&oldid=81415
#omz13"For websites, the security.txt file should be placed under the /.well-known/ path (/.well-known/security.txt) [RFC8615]. It can also be placed in the root directory (/security.txt) of a website, especially if the /.well-known/ directory cannot be used for technical reasons, or simply as a fallback. The file can be placed in both locations of a website at the same time."
#[tantek]right, so they squatted two paths with that language. really bad design
#Loqi[securitytxt] security-txt: A proposed standard that allows websites to define security policies.
jacky joined the channel
#[tantek]omz13, yeah I'm considering a blog post or at least a tweet asking "Anyone know of an effort to write-up a "/noun.txt proposals considered harmful" blog post, finding etc.? " and security.txt will likely get a mention since they were sloppy about not being strictly confined to .well-known. Also the use of "might" without citing 6919, tsk tsk tsk
#@Shoq↩️ really stupid mistakes lately, but this is one we definitely do not want to make again. I am making it my mission to remind us all of our options, and probably offering a few on my own. If you don’t know about the #POSSE and other #Indieweb concepts, learn. (twitter.com/_/status/1525175507515588610)
#[aciccarello]Thanks, my brain can't parse the See Also sections when they get overloaded like that. It's also interesting to look at what criticisms are collected. Probably could be organized more but I'm done for now.
#LoqiJust generated this week's newsletter! You still have a few minutes to make changes, and I'll re-generate it 10 minutes before it gets sent out at 3pm Pacific time. https://indieweb.org/this-week/2022-05-13.html
#[chrisaldrich]I just realized it's Friday and not Thursday. Thanks for bursting my bubble Loqi. I did want to add a few things... perhaps tomorrow when there's more time.