#social 2015-05-07

2015-05-07 UTC
#
tantek
oshepherd: are there any AS1/Atom -> AS1/JSON proxies?
#
oshepherd
I have no idea
#
tantek
just figuring AS1/JSON consuming applications may have wanted to bootstrap by proxying existing AS1/Atom content out there
KevinMarks and KevinMarks_ joined the channel
#
ben_thatmustbeme
elf-pavlik: re indieauth from a phone, Apache Cordova can capture specific URLs from the internal browser, so I just redirect to http://localhost/ and have the browser trap for that
tilgovi joined the channel
#
RRSAgent
excuses himself; his presence no longer seems to be needed
bblfish, Arnaud, KevinMarks and tantek joined the channel
#
elf-pavlik
tantek deiu if you get chance you could discuss how current vouch approach compares to ACL, since pretty much I see webmention as write endpoint but with 'remote payloads' which you try to access control based for example on *accept if you find author in list of my contacts* or *accept if author attended an event which i also attended etc.*
#
tantek
elf-pavlik: vouch and ACL are solving completely different problems
#
elf-pavlik
deiu also those 'remote payloads' (no fat pings) play role with how you would name graphs when you fetch them, would you give graph the name of webmention endpoint or the source where post got published 'remote payload'
#
tantek
fundamental problem with "fat pings" is that they're never authoritative/canonical - you must be able to always fallback to retrieving the original content.
#
tantek
"fat pings" should only be an optimization, like a prefetch / cache, and never essential.
#
elf-pavlik
tantek: situation may change if we have PKI in place and i sign my payloads https://twitter.com/manusporny/status/568091383686414336
#
Loqi
@manusporny :: Video explanation of how Linked Data Signatures work (JSON-LD + Cryptography): https://www.youtube.com/watch?v=QdUZaYeQblY #jsonld #w3c
#
elf-pavlik
but let's don't count on it for now...
#
tantek
elf-pavlik: disagree because either you need playback/guaranteed delivery mechanisms, or you must always be able to recreate the posts/interactions statically from the web.
#
elf-pavlik
re: webmention vouch and ACL 'completely' different - don't people use ACL on their blog postings to control who can comment?
#
tantek
elf-pavlik: not really interested in video explanations of theories that aren't actually shipping on someone's personal site.
#
tantek
or at least prototyped on someone's personal site.
#
tantek
elf-pavlik: ACL = *access* control lists - more about *read* than write.
#
elf-pavlik
tantek let's get back to that when i deploy prototype, you can already find public key using Linked Data Signatures vocab on my homepage if your Accept: application/ld-json
#
elf-pavlik
also digitalbazaar published open source lib which will allow me to do such signing https://github.com/digitalbazaar/jsonld-signatures
#
elf-pavlik
happy to defer this conversation for when i deploy demo!
#
aaronpk
signing payloads is interesting but often too complicated to rely on for basic building blocks
#
elf-pavlik
bblfish asked by me "do you see ACL more about read than write" said NO
#
elf-pavlik
aaronpk: agreed as of today, but we shouldn't assume same situation in 2 years, as well don't count on it changing
#
tantek
elf-pavlik: doesn't matter what people say they "see" - it's about documenting current practice / expectations
#
elf-pavlik
just STAY OPEN for such possibility
#
aaronpk
i'd rather build a solid foundation that doesn't require signing requests
#
aaronpk
leave the crypto to the transport layer
#
tantek
agreed
#
aaronpk
people much more knowledgeable about crypto are working on it all the time, and i'd rather use their work rather than re-create it at the application layer in potentially dangerously fragile ways
#
tantek
elf-pavlik: if you're interested in things like signed content etc., please take a look at Camlistore http://camlistore.org/
#
tantek
elf-pavlik: yes - private sharing is use-case for ACL - reading
#
tantek
I think that's a good use-case to start with, similar to Indie messaging that's being developed via IndieAuth: http://indiewebcamp.com/indieweb-messaging
#
elf-pavlik
IMO SoLiD / LDP REST approach can make read/write ACL more straight forward
#
elf-pavlik
but i can't provide something to back this claim ... yet
#
elf-pavlik
since you read/write to the same URI
#
elf-pavlik
webmention / micropub create indirection which one needs to handle in some way
#
elf-pavlik
Tsyesika, oshepherd how do you return Not Authorized when someone tries to write via ActivityPump?
#
Tsyesika
401 if they've not identified or 403 if they are but don't have access
#
Tsyesika
i didn't read any of the backlog so i hope that was the kind of answer you were looking for
#
elf-pavlik
let's forget 401 for now and focus on 403
#
elf-pavlik
it will depend on payload if server does 201 Created or 403 Not Authorized ?
#
elf-pavlik
s/does/responds with/
#
elf-pavlik
do you have by any chance link to any code which implements logic of such handling for ACL, activity pump.io maybe / mediagoblin ?
#
Tsyesika
mediagoblin doesn't yet and i don't know where off the top of my head it is pump.io unfortunately
#
Tsyesika
i don't think it depends on the payload but there maybe circumstances i can't think of right now
#
Tsyesika
or that aren't yet defined in the spec
bblfish joined the channel
#
elf-pavlik
it must depend on a payload if you use same URI for all writes
#
Tsyesika
well i mean i guess it depends what you might do, i think pump.io would produce a 400 in a lot of the cases you're thinking of but i could be wrong this ought to be defined in the spec in what situations you should produce 400 and 403 and such
#
elf-pavlik
with REST to my understanding one allows writes based on identity of agent making request not on a payload
#
elf-pavlik
with RPC you need to use payload which may open surface attack based on SQL injection kind of tricks
#
elf-pavlik
aaronpk ^
#
aaronpk
sql injection has nothing to do with whether authentication happens in a header or the post body...
#
aaronpk
i'm really not following your line of questioning
#
elf-pavlik
for ACL do we only decide based on identity of *authenticated* agent or also take into account semantics in payload { "@type": "Add", "target": "my-friends-list" }
#
elf-pavlik
i can't decide just on agent identity + uri of resource
#
elf-pavlik
i need to understand what RPC payload tries to do, and based on that 201 or 403
#
elf-pavlik
REST seems more like unix file system permissions - who can read / write / list which resource
#
elf-pavlik
RPC you need to handle a lot of logic depending on *what* you try to write - the payload of request
#
elf-pavlik
Tsyesika, could you try using Move activity to move images between albums? http://www.w3.org/TR/activitystreams-vocabulary/#dfn-move
#
elf-pavlik
how do you deal with ACL for such operation including 3 resources fromAlbum , image , toAlbum
#
elf-pavlik
IMO logic can get pretty complex the more operations we add
#
elf-pavlik
unless we just want to do 3 collections and 7 actions as current ActivityPump spec does in a way mimicking twitter
#
elf-pavlik
oshepherd ^
#
Tsyesika
well people can define their own collections of people or photos or posts
#
Tsyesika
move seems a logical activity to support
#
Tsyesika
i mean for access control i guess you'd have to check the origin can be changed by you, and the target could be changed by you and check you have access to the image
#
oshepherd
move actually seems somewhat inappropriate as there are really two actions going on here: Add to new album, remove from old. The object isn't actually moving
#
oshepherd
If it's just "Add to new album" you just need to check the album. Likewise for "Remove from album"
#
Tsyesika
well also check access to the photo right?
#
oshepherd
No, other people can add your photos to their collections
#
Tsyesika
yes but not photos you don't have access
#
Tsyesika
like a GET on the photo's ID
#
Tsyesika
giving you a 403
#
oshepherd
Though server can assume once had access -> always have access
#
Tsyesika
this is true
#
oshepherd
So from server's POV it's just "Do I know this photo?"
#
Tsyesika
yep i was just wanting to cover the case when the client might submit a photo the server hadn't seen
#
oshepherd
Hmm, should ActivityPump mandate CORS headers being set?
#
oshepherd
It seems like a good idea
#
oshepherd
Maybe MUST for federated impls, SHOULD for non-federated?
#
tantek
goes back to incrementally improving public use-cases
#
tantek
would implementing more AS1/Atom support be considered "hipster"?
#
elf-pavlik
oshepherd, with Add Remove we need atomic transactions :)
#
oshepherd
elf-pavlik: Why?
#
elf-pavlik
if i can remove from A but can NOT add to B
#
oshepherd
elf-pavlik: Thats why "move" doesn't make sense
#
oshepherd
Also because a photo can be in N collections
#
tantek
oshepherd, elf-pavlik what - we're not implementing peer-to-peer ATM like transactions? ;)
#
Tsyesika
well it's not that move doesn't make sense, it's quite possible you might want to remove and add it to another? it's just if we want to explicitly support that
#
Tsyesika
or if we want to keep it really simple and just say do it in two steps
#
oshepherd
I think that's a bad idea, because edge cases and special cases and all that
#
Tsyesika
i think i'm inclined to agree
#
Tsyesika
how often does one want to do that
#
oshepherd
Also because it implies that a photo is "part of" an album as opposed to "in" it
#
oshepherd
I think the vocab. should be constrained so that the only parts of an activity which matter for access control purposes are actor and target or (if no target) object
#
Tsyesika
mhm sounds good
#
elf-pavlik
I would propose implementing ACL for 2-3 cases, preferably from existing user stories, or add additional 1-2 stories to more user stories and show implementations
#
elf-pavlik
RPC with ACL IMO can get much harder to implement than REST with ACL and we should make a few proofs of concept ASAP
#
elf-pavlik
deiu bblfish ^
#
elf-pavlik
all above IMO of course
#
elf-pavlik
we just spoke IRL with rhiaro and bblfish about ACL based on Group -> member (members of Social WG) and Event -> attendee (attendees of W3C Social F2F3)
#
elf-pavlik
i'll capture it on more user stories page
#
elf-pavlik
selfdogfood ?
#
elf-pavlik
deiu, maybe defining ACL based on ldp:DirectContainer (or ldp:IndirectContainer) would provide generic way for any Class + property pair ?
#
elf-pavlik
rhiaro++
#
Loqi
rhiaro has 85 karma
#
elf-pavlik
deiu, to my understanding ActivityPump spec would need adding details of ACL for ldp:Container illustrated on https://github.com/w3c-social/social-vocab/tree/master/container/DirectContainer
#
elf-pavlik
of course one can argue for ldp:IndirectContainer here
#
elf-pavlik
oshepherd this can help us clarify similarities / differences in approach to ACL between SoLiD and ActivityPump https://github.com/w3c-social/activitypump/issues/28
#
elf-pavlik
"If server doesn't create an artifact of who it send note to. When followers collection changes people added afterwards will gain access to note."
tantek joined the channel
the_frey joined the channel
#
tantek
W3C just announced at the AC meeting updates to the Document license and an updated Software & Document license.
#
tantek
I'd like to propose we start using the Software & Document license for our specifications
#
tantek
if we can get consensus on that in the WG, then the chairs can raise it to the W3C AC / Director for consideration
#
tantek
as it's considered a charter modification.
KevinMarks and bblfish joined the channel
#
bblfish
Be water my friend
Arnaud joined the channel
#
elf-pavlik
melvster bblfish, let's look at defining collection used in ActivityPump as value of as:following predicate and using it for ACL on direct messages inbox (just as twitter does!) http://w3c-social.github.io/activitypump/#actor-objects
#
elf-pavlik
considering it a foaf:Group starts making more and more sense to me!
#
elf-pavlik
Tsyesika, oshepherd what do you think about that idea ^
#
elf-pavlik
then one can POST to that direct messages inbox only if followed by recipient of the message - just as twitter does
#
elf-pavlik
use case for testing such ACL definitions
#
elf-pavlik
Tsyesika, cwebber2 you could also take snapshot of following collection and use it as whitelist based ACL as discussed in https://github.com/w3c-social/activitypump/issues/28
#
elf-pavlik
for GET on resource
Loqi joined the channel
#
tantek
I just updated my legacy AS1/Atom feed to explicitly use <verb> markup for "likes"
#
tantek
feedback appreciated from anyone who understands AS1 semantics (Atom or JSON) - first <entry> here http://tantek.com/updates.atom is a "like" - cc oshepherd
#
tantek
(baby steps toward AS1/JSON, then maybe AS2/JSON(LD))
kaepora joined the channel
#
elf-pavlik
tantek++
#
Loqi
tantek has 188 karma
bblfish_, tantek, shepazu_ and Arnaud joined the channel
#
cwebber2
wow so much conversation in here!
#
cwebber2
<tantek> markdown should be called markdumb
#
cwebber2
tantek: agreed, though that's also the most rejon-esque thing I've ever heard you say :)
#
cwebber2
my favorite rejon'ism is "O.E.R. is O.V.E.R."
Arnaud and cwebber2 joined the channel
#
tantek
cwebber2: I do find markdown frustrating. Have written a few more well thought-out things here: http://tantek.com/w/Markdown
#
tantek
also cwebber2 while you're here (and Tsyesika too!) - do you have experience with publishing or consuming AS1/Atom?
#
tantek
(and apologies if that's a dumb question)
Arnaud1 joined the channel
#
cwebber2
tantek: still going through my morning routine, but I used to work on consuming atom streams when I worked on Miro. The only AS1 experience I have is through using PyPump by Tsyesika and making a couple of small patches to it
the_frey_ joined the channel
#
Tsyesika
cwebber2: thanks :)
#
oshepherd
Elf-pavlik: activity pump doesn't have a distinct direct inbox
#
ben_thatmustbeme
really wishes he could have heard more of the descriptions of others methods
#
ben_thatmustbeme
but getting the wife to the hospital for (false alarm) labor, takes precedence
#
elf-pavlik
oshepherd, i have impression that spec have some application specific details and does not provide generic API / protocol
#
oshepherd
Address something to: them and post it to your outbox
#
elf-pavlik
how can i restrict who can send direct messages to me?
#
tantek
cwebber2 - thanks - I'll try to work on AS1/JSON support next - hopefully I can share that with you to get a review to see if it looks sensible.
#
elf-pavlik
or who can post notes on event page, or group page
#
cwebber2
cool :)
#
elf-pavlik
to my understanding twitter implements ~ people i follow can post to my private messages inbox
#
elf-pavlik
SoLiD provides way to do ACL e.g. participants of this event can see this photo
Arnaud joined the channel
#
elf-pavlik
or comment on it
#
ben_thatmustbeme
so I am trying to catch up with discussion from f2f, As I understand it, in the pump.io /activitypump world, things like comments are never posted except on the post they are commenting on, correct? they would just be in your outbox, which is not html
#
oshepherd
Elf, in general that's not possible, but you could always block/ignore
#
oshepherd
Compare Facebook where DNs from non friends end up in another bucket
#
oshepherd
Ben_thatmustbeme: comments in pump.io are just objects with inReplyTo set
#
elf-pavlik
oshepherd interesting comparison to facebook filter, maybe it somehow compare it to HTTP 449 response in http://indiewebcamp.com/vouch
#
elf-pavlik
oshepherd, if you message your message your fb friend and non friend (while they both stay fb friends) when your friend replies it will go to non friend standard inbox, while stay in other until that reply
#
ben_thatmustbeme
elf-pavlik: I think the closer would be, in my case i still store the webmention when i get an unvouched one, it goes into a box awaiting approval. if they replied with a good vouch, or have been whitelisted, then they are automatically posted
#
ben_thatmustbeme
and i think i parsed your words a little better, so i'd say, yes, its very similar to that
#
oshepherd
Elf, I struggled to parse your last statement
#
ben_thatmustbeme
oshepherd: i think its the idea of a group message from 2 people, one is a friend and one is not, and how that interaction works. so is the thread still unapproved even though an approved friend is in the group or not
#
ben_thatmustbeme
thats the best i can parse that as anyway
#
oshepherd
My take on this is that this is all your own policy
#
oshepherd
Personally I'd want the thread to resurface, and as I created the thread it would be considered important
#
elf-pavlik
oshepherd, can you add some links/notes on how pump.io / ActivityPump deals with spam? https://github.com/w3c-social/social-arch/issues/6
#
oshepherd
It doesn't currently define any rules but a reasonable approach would be to sequester away any message from a non-follower
#
oshepherd
I think offering suggestions would be reasonable but different people have different needs
#
elf-pavlik
afk cooking lunch with rhiaro and bblfish_+
#
ben_thatmustbeme
that model of filtering is entirely on the receiver was done for email and its been pretty well riddled with spam
jasnell and jasnell_ joined the channel
#
oshepherd
Ben_that must be me: the recommended model, based upon your friend list, is basically vouch...
#
ben_thatmustbeme
yeah, i'm saying its good to make a recommended model, not just leave it to implementation only
jasnell joined the channel
#
ben_thatmustbeme
vouch goes to a second level social connections actually, assumes first level is auto-approved
bblfish, tilgovi and Arnaud joined the channel
#
elf-pavlik
ben_thatmustbeme do you see vouch feature making it harder (sometimes not possible) to delegate webmention endpoints to services like http://webmention.io
#
ben_thatmustbeme
elf-pavlik: I don't think its impossible. In theory, the webmention endpoint should be able to store incoming webmentions to know what sites have links directly to the site, then outgoing webmentions use that information to discover potential vouches. This actually works better the more people offload their endpoint to a single service, as it could already know usable vouch urls
#
elf-pavlik
"works better the more people offload their endpoint to a single service" hmmmm
#
elf-pavlik
facebook++
#
Loqi
facebook has -8 karma
melvster joined the channel
#
ben_thatmustbeme
s/better/easier for that service/
#
ben_thatmustbeme
the idea is to put burden on the sender of the message to make sure their message gets through
#
ben_thatmustbeme
rather than put the burden on a receiver to wade through the spam for what they consider good
#
ben_thatmustbeme
actually "better at discovery once it has data" but its a detriment because it is a trade off as you cannot get referer headers
#
ben_thatmustbeme
its no different to the user, just easier for the service to do it. everything is easier on a service when you are not doing any federation
bblfish and jaywink joined the channel
#
elf-pavlik
rhiaro++
#
Loqi
rhiaro has 86 karma
#
rhiaro
trackbot, generate minutes
#
trackbot
Sorry, rhiaro, I don't understand 'trackbot, generate minutes'. Please refer to <http://www.w3.org/2005/06/tracker/irc> for help.
#
rhiaro
trackbot make minutes
#
trackbot
Sorry, rhiaro, I don't understand 'trackbot make minutes'. Please refer to <http://www.w3.org/2005/06/tracker/irc> for help.
#
rhiaro
grumble
#
rhiaro
trackbot, end meeting
#
trackbot
is ending a teleconference.
#
trackbot
Zakim, list attendees
#
trackbot
RRSAgent, please draft minutes
#
trackbot
RRSAgent, bye
#
Loqi
it'll be ok
#
rhiaro
to the perl scripts
#
KevinMarks
to the difference engine!
KevinMarks and LCyrin joined the channel
#
elf-pavlik
following list in microformats http://hmans.io/following
LCyrin, LynnCyrin and lynn joined the channel
#
elf-pavlik
"If a URI contains an authority component, then the path component must either be empty or begin with a slash ("/") character."
#
elf-pavlik
empty sounds legit, what do you think?
LCyrin joined the channel
#
bblfish
elf-pavlik: the section to look at is this one https://tools.ietf.org/html/rfc3986#section-6.2.3
LynnCyrin joined the channel
#
ben_thatmustbeme
hmm, sandro had me all paranoid... the bot to generate logs does know only the scribe's "<nick>: text" actually mean that person is talking
#
ben_thatmustbeme
cwebber2: we can use : again... at least thats what it looks like to me from checking the minutes
#
aaronpk
yeah that's what I thought
#
ben_thatmustbeme
it may get confusing i suppose when non-scribes are noting what someone else is saying i suppose
#
rhiaro
ben_thatmustbeme: yep, anyone but scribe using : is fine
#
aaronpk
sandro and I were just talking about that today
#
aaronpk
suggested using a double colon syntax for "scribe assists"
#
aaronpk
so if I was not the scribe, but wanted to explicitly scribe someone I would say
#
aaronpk
rhiaro:: a super interesting thing
#
rhiaro
Having just trawled through two days of minutes line by line, I might make a wee list of irc behaviours that would help the person tidying the minutes..
#
rhiaro
aaronpk: double-colon could work, but I was going to suggest just saying 'person said thing'
#
aaronpk
"said" is certainly more human-readable :)
#
rhiaro
which can be tweaked to read person: thing by an attentive minutes-cleaner
#
rhiaro
or if nobody bothers, still reads fine
#
aaronpk
it would be nice if our minutes looked a little nicer in general, they are kind of a mess
#
aaronpk
partly because copying to the wiki loses all the special formatting normally done to separate scribe vs irc chatter
#
rhiaro
another thing I think would work is if scribe wants to make a comment in IRC (not out loud) as themselves they should include <theirnick> and no extra effort would be needed to tidy up final version
#
rhiaro
aaronpk: yes, wiki minutes are awful, the html minutes are much nicer
#
rhiaro
but day 2 didn't get generated for this meeting
#
rhiaro
I'll see if I can work out a more readable template and add it to my converter, maybe
#
rhiaro
Or someone else can, I hate mediawiki
#
rhiaro
aaronpk: did you and sandro come up with anything else about irc/scribe etiquette?
#
aaronpk
we were talking mostly about the post-processing of minutes
#
aaronpk
bill looby just described doing the exact thing I was going to recommend!
#
ben_thatmustbeme
seems everyone is converging on the idea of 2 different types, actual data, and descriptions of the actions that took place
#
aaronpk
that's a pretty compelling case for splitting the data from the activities, given it's an actual live implementation
#
ben_thatmustbeme
activitystreams is more like the description of changes, vs h-feeds of h-entry's (in indieweb)
#
ben_thatmustbeme
i was actually planning to move toward a split thing like this as well, and activity feed would be exactly what i want for notifications to my systems
#
rhiaro
yayyy convergence
#
aaronpk
this might be easier than I expected then
#
ben_thatmustbeme
its actually precisely what FB, G+, LinkedIn all do, if you look at your "notifications" they just link to posts, but they contain different data than anywhere else
#
aaronpk
in our case, we can use the activitystream to notify other systems about which objects have changed, so they can go fetch the new version (or maybe the new object can be in the stream too, same idea)
#
aaronpk
so activitystreams solves the syncing problem of keeping multiple separate systems in sync
#
ben_thatmustbeme
twitter is similar but thanks to content length limitation they can put in the entire tweet when the action is post
#
ben_thatmustbeme
majority of difference between groups until now seemed to be the idea of only having one or the other, i'm rather of the opinion we need both now
#
aaronpk
and based on the IBM implementation it appears they do as well
#
elf-pavlik
+1 both activities and objects have their distinct role log/journal vs. graph of social data
#
oshepherd
Here I wanted to kill the post activity in particular (and also the share one maybe) because they're content-free and "useless" activities
LynnCyrin, lynn, Arnaud, LCyrin, tantek and bblfish joined the channel