2016-03-17 UTC
jtilles, tantek, dmitriz, nicolagreco, Arnaud and jasnell joined the channel
# 04:48 Zakim excuses himself; his presence no longer seems to be needed
nicolagreco, jaywink, Arnaud1, KevinMarks, jasnell, Arnaud, KevinMarks_, tantek, dmitriz, Karli, Karli_ and eprodrom_ joined the channel
# 13:48 eprodrom_ I'm running late; there by 10:15.
Karli, eprodro64 and Karli_ joined the channel
# 13:56 tantek good morning #social - my ETA this morning is 10:05ish. If y'all are ready to go, have eprodrom get us started!
Karli, nicolagreco and annbass joined the channel
Karli, dmitriz and tantek joined the channel
Karli joined the channel
Zakim joined the channel
# 14:15 Zakim I do not see a conference matching that name scheduled within the next hour, trackbot
shevski joined the channel
# 14:18 wilkie tantek: if nobody thinks of any other agenda items, this is all for today. which seems reasonable
Karli joined the channel
# 14:19 wilkie aaronpk: no issues that need discussion. just a couple of pull requests.
Karli_ joined the channel
# 14:26 wilkie annbass: I have a comment. The socialwg interest group has always been considering what it is they do. it is still an open question if we need such a group.
# 14:27 wilkie annbass: I think this should still be a community effort. I've met and talked to Syrian people who were caught and tortured and I've asked them what they use for social tools and communication and they say "whatever we can find"
# 14:27 wilkie ... so I do think there are use cases we aren't aware of.
# 14:28 wilkie tantek: do you want some time to talk about that?
# 14:29 wilkie annbass: our interest in the consortium is to make a good place to work and so I would like some feedback, public or private, about the w3c and what could improve.
# 14:29 wilkie annbass: the challenges haven't been where I thought they would be
# 14:29 wilkie annbass: you would think about diversity and such but the problems have been mainly technical
# 14:30 wilkie tantek: that's a problem that has made it up fairly far in the organization
# 14:30 wilkie annbass: yeah, and how we can address that is something worth discussing
# 14:31 wilkie tantek: yeah, there is what you could say is w3c's broad tolerance for different social behaviors.
# 14:31 wilkie tantek: which are obstacles to technical discussion and finding solutions. so if we could find solutions to that.
# 14:32 wilkie annbass: yeah, and certainly there are people who have a problem with this. such as women or quieter people who have a problem with people who are strongly argumentative and vocal.
# 14:33 wilkie shevski: which is what tantek was saying. those people can be disruptive and at times bullies.
# 14:33 wilkie shevski: the problem is when nothing happens to those people visibly, then people see that and say 'I don't want to be involved. this is not a safe space.'
# 14:33 wilkie annbass: me too. I see that and I try and then I say "nah, I'm done"
# 14:34 wilkie annbass: yeah. but we've all seen that. and what can we do.
# 14:34 wilkie annbass: no, it has been there for 10 years I think
# 14:34 wilkie annbass: but also, what we have to do is maybe training
# 14:35 wilkie Karli_: the problem with a code of conduct is that people may not see it or it isn't enforced and people don't respect it
# 14:35 wilkie annbass: another thing is that people don't realize even if you call it out that they have done something wrong and correct for that
annbass joined the channel
# 14:36 wilkie shevski: having something from the community about what they want is good. such as "I want quick communication among many devices" and there isn't that.
# 14:37 wilkie tantek: *whispers* that's not social, those are machines
eprodrom_ joined the channel
# 14:37 wilkie shevski: but it is! I'm talking to people. through machines.
shevski joined the channel
eprodro99 and eprodrom_ joined the channel
# 14:46 wilkie eprodrom: has everybody taken a look at the issues?
# 14:46 wilkie eprodrom_: what I would like to do is work from oldest to newest and see what we can do to clarify those.
# 14:47 wilkie tantek: to be clear these are ones you think need discussion
# 14:47 wilkie eprodrom_: these are ones that are open... let's say that of the ones we have there are 3 that are significant changes...
# 14:47 wilkie tantek: want to go through the hardest ones first?
# 14:47 annbass s/I think this should still be a community effort./My suggestion is to move the IG to be a Community Group (CG), so that anyone in the world can participate, without being a W3C member or Invited Expert./
eprodro58 joined the channel
# 14:48 wilkie eprodrom_: 249. so, some of the examples don't have the properties described in the text. james is +1, I'm +1. so there isn't a problem with this.
# 14:48 wilkie tantek: if you and the other editors think something is editorial then we don't need to look at it. we trust your judgment.
# 14:49 wilkie eprodrom_: for the CR exit issues. we need explicit exit criteria (279), a list of separate features (280)
# 14:50 annbass s/I've met and talked to Syrian people who were caught and tortured and I've asked them what they use for social tools and communication and they say "whatever we can find"/I suggest the main goal of the CG might be to collect additional social use cases that we haven't thought of, especially from people who haven't participated before, or who are from cultural environments we personally haven't experienced./
# 14:50 wilkie eprodrom_: let's just say that when these are resolved and assuming the editorial issues are solved, we're good
# 14:50 wilkie tantek: these are not editorial. the conformance clause is certainly normative. the separate features may be editorial but might not so you may still want group review.
# 14:51 wilkie tantek: but the group has reviewed the conformance clause and said it looks good. so anything that has been reviewed can just be dropped in.
# 14:51 wilkie tantek: so there is really only one thing left to review
# 14:51 annbass s/our interest in the consortium/Also, I am now co-chairing the W3C Positive Work Environment Task Force (PWET) with Amy van der Hiel. Our interest in the consortium/
# 14:52 wilkie eprodrom_: the issue is we don't have a good vocabulary around relationships
# 14:52 wilkie eprodrom_: in the specification, we said there should be an external vocabulary for this
# 14:52 wilkie eprodrom_: we don't refer to one but we talk about one
# 14:53 wilkie eprodrom_: right. if we defer this part of the specification to a TBD section about extensions, why don't we push the relationship stuff to a future extension
# 14:54 annbass s/yeah. but we've all seen that. and what can we do./I'm not sure about that. But we've all seen it in various situations. What can we do to improve?/
# 14:54 wilkie eprodrom_: james has not had a chance to comment but I feel that there isn't a reason to wait for him. my opinion as an editor is that we should just push it to extension.
# 14:55 eprodrom_ s/has not/has/
jasnell joined the channel
# 14:55 wilkie cwebber2: it seems like maybe some verbs or vocab would be lost. do you know of any use-cases that may be lost by dropping this to an extension?
# 14:56 wilkie eprodrom_: AS1 didn't even have relationships like this
# 14:56 wilkie cwebber2: I'm +1 on this then. If people feel strongly about this as an extension then we can do that. it doesn't seem like a blocker for activity streams itself.
# 14:56 annbass s/people don't realize even if you call it out /people don't realize THEY have behaved that way, even when you call it out; /
# 14:56 wilkie cwebber2: just wanted to make sure we didn't drop something else as a consequence
# 14:57 wilkie tantek: I would just propose the issue and see if anyone objects to the editor's proposal
# 14:57 wilkie eprodrom_: ok I'll just mark that as group resolved
# 14:58 wilkie eprodrom_: next one is 290. it is around transitive activities.
# 14:58 wilkie eprodrom_: the idea is to add one of the classes in vocab to core. james is fine with it. I'm fine with it. it is a reasonable thing to do.
# 14:59 wilkie eprodrom_: basically, transitive classes are an extended class and they are used often enough that it seems more useful in core.
# 14:59 wilkie eprodrom_: the last one [is 292] which is adding a deleted tag to objects
# 15:00 wilkie eprodrom_: the idea is to add a deleted timestamp to provide a tombstone for objects
# 15:00 wilkie eprodrom_: so you can have an image and they say this image has been deleted
# 15:01 wilkie cwebber2: this seems useful because you were already talking about 410 GONE and this would be useful certainly in activitypub and media goblin right away
# 15:01 tantek aaronpk, didn't #indiewebcamp recently discuss a dt-deleted? what was the conclusion?
# 15:01 wilkie eprodrom_: there are cases where you want to say this object is deleted but valid
# 15:01 wilkie dmitriz: it can be as useful or not depending on your server's retention policy
# 15:02 wilkie dmitriz: if you are the kind of server that commits to sending 410s whenever possible you want this, if not you may want to garbage collect and 404
# 15:02 wilkie dmitriz: so this is an option for those servers with permanent retention policies
# 15:02 wilkie cwebber2: it seems this doesn't require people to do it
# 15:02 aaronpk q+ to point out privacy implications of sharing the deleted timestamp
# 15:03 wilkie eprodrom_: we have seen this before and then we pushed it to an extension but seeing it come up again we consider adding it to the spec
# 15:03 Zakim aaronpk, you wanted to point out privacy implications of sharing the deleted timestamp
# 15:03 wilkie aaronpk: I think we should have a way to specify the deletion without the timestamp for when people want to delete but not disclose when
# 15:04 wilkie cwebber2: since there is already the deleted flag
# 15:04 dmitriz I think chris means the deleted timestamp?
# 15:04 wilkie cwebber2: the thing we are discussing. for instance we can send a 'delete' verb to servers and they might ask 'why is this gone' and people can do that but it is optional.
# 15:05 wilkie eprodrom_: I think what aaronpk is saying is that it is good to have a delete property. but it being a timestamp there are privacy concerns.
# 15:05 wilkie eprodrom_: people want to delete things because they don't want them to be published and thus may not want it there
# 15:06 wilkie dmitriz: you can place the timestamp date but not return the data and just 404
# 15:06 wilkie aaronpk: but the problem is when you want to propagate that
# 15:06 wilkie cwebber2: then you can have a timestamp or date
# 15:06 jasnell this is why for Atom we came up with the deleted-entry
# 15:06 wilkie eprodrom_: and if that is good we can do that. the only problem is when implementations are only checking if it is truthy, but they will likely do that anyway.
# 15:07 eprodrom_ jasnell: so, deleted becomes a timestamp or boolean
# 15:07 jasnell not sure I understand the privacy concerns around deleted being a date but ok
# 15:08 wilkie tantek: I do think the timestamp is important especially for synchronization
# 15:08 jasnell yes, having deleted as a timestamp is fairly critical for sync
# 15:09 wilkie aaronpk: for the twitter api, the tweets generally come through as just the data on the tweets. there are some actions that come through for instance a scrub-geo action to remove location.
# 15:09 wilkie tantek: so they are using keys as verbs sometimes
# 15:09 wilkie eprodrom_: to add a deleted property to the object and its range is either a timestamp or a boolean
# 15:10 wilkie cwebber2: can I request we note that it is optional to handle cases where people prefer a 404
nicolagreco joined the channel
# 15:10 wilkie aaronpk: when there is a delete action in the stream, it should be required to have that flag to know it is deleted
# 15:10 jasnell however, if deleted is a boolean, it should be noted that synchronization will be difficult
# 15:11 jasnell it should also be noted that just because there's a deleted property in the object, it doesn't mean implementations have to delete the content
# 15:11 wilkie aaronpk: I'm thinking when a system is pulling in a feed, how does it know to delete, so it needs to see that delete to know when to get rid of it
# 15:12 wilkie eprodrom_: cwebber2 is addressing the idea that there is a controversy between sending a 404 or 410
# 15:12 wilkie aaronpk: that's pulling the individual object
# 15:12 aaronpk realizes he is getting confused by the use of "verb" since there are HTTP verbs and ActivityStreams verbs
# 15:12 jasnell also keep in mind... {"type": "Delete", "object": {"id": "http://example.org"}} works perfectly well for this too
# 15:12 wilkie eprodrom_: if we don't have objections, I'm going to say this is our resolution
# 15:13 wilkie eprodrom_: yeah, this is the first new property in a while
# 15:13 annbass wonders if aaronpk's diff definitions of "verb" needs to be resolved?
# 15:13 wilkie tantek: would you consider marking it as at-risk?
# 15:13 wilkie cwebber2: we could but we are going to use it immediately in media goblin
# 15:13 Zakim sees ben_thatmustbeme on the speaker queue
# 15:14 wilkie tantek: that doesn't alter the fact that it is in the spec
# 15:14 wilkie tantek: [to cwebber2] that is good to know. it is useful to know.
eprodrom joined the channel
# 15:15 wilkie ben_thatmustbeme: jasnell says we can add a type "Delete"
# 15:15 jasnell also, if you're going to go down the tombstone route, please make sure you take the additional security issues into consideration
# 15:15 wilkie eprodrom: yeah, I think the idea there is that we have a "hole"
# 15:15 wilkie cwebber2: you can still see the case where you have a Photo and you want that deleted
# 15:16 wilkie cwebber2: we could do this but it doesn't seem as interesting when the group came to some consensus around the property
# 15:16 wilkie cwebber2: adding an object doesn't seem less tricky than adding the flag
# 15:16 wilkie eprodrom: the reason I like this is say you have a naive implementation and it is looking at a collection of image objects.
# 15:16 wilkie eprodrom: if it is not aware of tombstoning it may show an image that has been deleted. or its metadata.
# 15:17 wilkie eprodrom: however if the type has changed, the tombstone will look foreign and it will skip it.
# 15:17 wilkie eprodrom: basically, naive implementations will do the wrong thing with the flag
# 15:17 jasnell please keep in mind that adding a tombstone does not compel anyone to actually delete anything
# 15:17 wilkie dmitriz: the argument is essentially if somebody writes something and is wrong to the spec it will break
# 15:17 jasnell if the content has been syndicated, the best you can do is distribute the *intent* for it to be deleted
# 15:18 wilkie aaronpk: it is worth considering since doing it wrong leaks information
# 15:18 wilkie tantek: it is good practice to assume partial implementations and decide if such a thing would do bad things for users
# 15:18 wilkie dmitriz: so how does it work? it replaces the id?
# 15:19 wilkie dmitriz: is the worry about retrieving the collection? then it is up to the server to not send that deleted image.
# 15:19 wilkie aaronpk: it is talking about synch. a server has already seen the image and now needs to remove it.
# 15:20 wilkie tsyesika: it is much like a tombstone. it is in a tombstone table and it is a field in that table.
# 15:20 wilkie cwebber2: there is an undelete verb but we don't handle that
# 15:20 wilkie tantek: there seems to be an idea in social media: to delete and then undelete
# 15:21 wilkie cwebber2: there is interest in undelete and undo actions but doesn't have bearing on this decision
# 15:21 wilkie tantek: I'm just trying to see if the solution would be un-lossy for undeleting purposes
# 15:21 wilkie cwebber2: I don't see how the structure of this would prevent the UI experience
# 15:21 wilkie cwebber2: it seems more at the API or stream level
# 15:22 jasnell this conversation is mixing two different things. (a) A server hosts its own content, publishes that content at one point, then needs to indicate that it's been deleted. (b) A consumer has received content from someone and needs to be told that it's been deleted
# 15:22 wilkie eprodrom: my experience is that deletion is something that gets implemented late and involves lots of bug squashing
# 15:22 wilkie eprodrom: whereas every activity streams processor needs to handle types it doesn't recognize
# 15:23 annbass s/solution would be un-lossy/solution would be lossy for privacy purposes, but un-lossy/
# 15:23 wilkie dmitriz: do we say every consumer must ignore every type it doesn't recognize?
# 15:23 jasnell for both, a {"type": "Delete", "object": "http://example.org"} is sufficient. For (a) the thing being deleted simply goes away and a new activity is published indicating what happened to it. For (b) the new activity is a signal that it ought to get rid of the thing that was deleted.
# 15:23 wilkie eprodrom: let's not call it type "Delete" but rather "Tombstone" that has a formertype
# 15:23 wilkie cwebber2: I'm more sold on this than I thought I would be
# 15:24 wilkie cwebber2: in which case there is an optional field for the date. so two fields 'when' and 'formertype'
# 15:24 wilkie or formerType ?? camel case doesn't work out loud
# 15:24 jasnell for undelete, if you assign an ID to the delete activity, {"id": "http://example.org/delete/1", "type": "Delete", "object": "http://example.org/note"}, you can easily follow that up with a {"type": "Undo", "object": "http://example.org/delete/1"}
# 15:24 wilkie tantek: maybe we give jasnell some time to reflect on this
# 15:24 wilkie eprodrom: ok I'll take an action to review this with jasnell this afternoon
# 15:24 wilkie tantek: maybe that will cause it to converge a little bit more
eprodrom_ joined the channel
# 15:25 cwebber2 mainly because properties can merge and "when" could appear unclear
# 15:25 wilkie tantek: how well does this mesh with activity streams at large?
# 15:26 wilkie eprodrom: the tombstone kind of blends in the noun or verb distinction
# 15:27 wilkie tantek: many of these social web implementations have delete. I also like this tombstone approach.
# 15:27 wilkie eprodrom: we have still a couple of questions
# 15:28 wilkie eprodrom: name is a should not a must but it is not in many of our examples
# 15:28 wilkie tantek: you could say the examples need to be fixed, or you could say the examples show that you don't need a name and should stay a SHOULD
# 15:28 eprodrom Most of the "Activity"
# 15:29 eprodrom "While all properties are optional (including the id and type), all Object instances SHOULD at least contain a name (or equivalent nameMap)."
# 15:30 wilkie cwebber2: I think SHOULD should be removed since we fold the title in to name and many don't have name. why should it be there if the biggest producer of AS doesn't have them.
# 15:31 wilkie eprodrom: there are many objects that have a type but not a name. I think it should remain a SHOULD.
# 15:31 wilkie aaronpk: if you are going to say things SHOULD have a name, I worry that people will just throw a name into things.
# 15:31 eprodrom jasnell: for Activity and IntransitiveActivity types, does it make sense to SHOULD a name?
# 15:32 wilkie cwebber2: there are cases where you don't know exactly what to put for it.
# 15:32 wilkie eprodrom: what I'd like to do is recommend we leave it as a SHOULD right now and get jasnell's feedback and follow up this afternoon
# 15:33 wilkie tantek: when a SHOULD is good in a spec is when it is explicit about when it is used and when it is ok to not
# 15:33 wilkie cwebber2: I think I would want to know the motivation for a SHOULD in the first place
# 15:34 wilkie eprodrom: the idea is you could take a collection of objects and show them in a list
# 15:34 wilkie tantek: it was required in Atom I think which is where it may be coming from
# 15:34 wilkie eprodrom: how about we propose to explain the reasons for this being a SHOULD
# 15:34 eprodrom PROPOSAL: explain the reasons for this being a SHOULD
# 15:35 wilkie tantek: I've already seen this soak up a lot of discussion time
# 15:35 wilkie tantek: any objections to explaining why you should put a name and why you shouldn't in some other cases
# 15:35 wilkie tantek: no objections, I think you are good to go on that proposal
# 15:36 wilkie eprodrom: dmitriz, do you want to discuss 297?
# 15:36 jasnell historically, with AS1, "displayName" was strongly recommended only when extension types were used, to give implementations something to use if they did not understand the type
# 15:37 wilkie dmitriz: in as vocab, we have several types for representing polls and stack-overflow-like questions and answers
# 15:37 jasnell "displayName" was not required, however, if the type was well known
# 15:37 wilkie dmitriz: how do we handle closing polls or locking a question?
# 15:37 jasnell if the object is using a core type from the vocabulary, then name is largely optional
# 15:37 wilkie dmitriz: I believe jasnell's answer was "no we don't"
# 15:37 jasnell if the object is using an uncommon type or an extension type, name should be provided
# 15:38 eprodrom jasnell: Good example
# 15:38 wilkie tantek: does anybody implement this for polls?
# 15:39 wilkie tantek: this fits jasnell's answer that this can be done as extension
# 15:39 wilkie eprodrom: I think it makes sense to have it be an extension
# 15:41 wilkie dmitriz: I have another issue. about 'scope' and 'context' properties in the vocabulary
# 15:41 jasnell fwiw, closing a question is actually an activity. one could easily imagine {"type": "Close", "object": {"type": "Question", ... }
# 15:41 wilkie dmitriz: it seems like the two are fairly similar
# 15:41 tantek jasnell, any objection to moving Question / Poll to an extension?
# 15:42 jasnell tantek: I see no reason to move it to an extension but whatever the WG decides
# 15:42 tantek (evan said it would give us a chance to give them a more proper thorough treatment that implementations that care about those would like)
# 15:42 jasnell dmitriz: scope deals with scoping the intended audience for the object and relates to the to/bto/cc/bcc fields
# 15:42 wilkie dmitriz: 'context' seems like reply-to and useful for comments. 'scope' seems like access control and is this appropriate at this level?
# 15:42 tantek (no current implementations - in the room - have intent to implement, hence it made sense to consider as an extension)
# 15:42 wilkie dmitriz: it seems to fit the same purpose as the 'to' field
# 15:42 wilkie cwebber2: do we have any known uses of 'scope'?
# 15:43 wilkie eprodrom: I would like to give time for jasnell to review and answer
# 15:44 dmitriz what is the use case for scope?
# 15:44 dmitriz it seems to be overloading access control / to: field
# 15:45 wilkie tantek: alright. open the issue and note we have some consensus at the meeting. we will have to come back to it.
# 15:45 tantek but we have an important outstanding objection from jasnell so we will have to come back to it to better understand it
# 15:45 tantek jasnell, no problem, we are capturing the current state for future discussion
# 15:46 wilkie tantek: you have a bunch of editor, not editorial, editor actions. we only have two after that?
# 15:46 wilkie tantek: do we want to consider publishing a new working draft of activity streams? even before CR draft.
# 15:47 wilkie eprodrom: I think that makes sense. what does that mean for going to CR.
# 15:47 wilkie tantek: it doesn't harm anything. it just puts another draft out such that the changes between that draft and CR are fewer.
# 15:47 wilkie tantek: and it helps to get stuff like the conformance section to get more review
# 15:48 jasnell scope deals with scoping the audience, it's a different role than to/bto/cc/bcc
# 15:48 wilkie eprodrom: I should be able to have that by next telecon
# 15:48 jasnell context is something else entirely... it describes a larger context in which the object exists
# 15:48 wilkie tantek: you don't have to wait til the next telecon
# 15:49 wilkie tantek: proposal is to publish new AS working drafts with outstanding edits completed
# 15:49 tantek PROPOSED: publish new AS2 working drafts with outstanding (agreed, reviewed) edits completed
# 15:50 tantek RESOLVED: publish new AS2 working drafts with outstanding (agreed, reviewed) edits completed
# 15:50 wilkie tantek: that is completely in your camp. the sooner the edits are done, the sooner we get a new draft. so close to CR.
# 15:51 wilkie tantek: we have 10 minutes but lunch is here so let's break for lunch. any objections?
shevski, nicolagreco, eprodro34, nicolagreco_, melvster and Karli joined the channel
# 17:09 ben_thatmustbeme ... the first i want to show is checkins. I made a checkin client, it authenticates with indieauth, and endpoint discovery the micropub way but it's an activitypub client
dmitriz joined the channel
# 17:16 ben_thatmustbeme ... using another client I create an AS extension object of Consume activity with what i ate (Lunch - Free)
# 17:19 ben_thatmustbeme rhiaro: all of these are posting activitystreams json object through activitypub by a micropub discovery method (as i just reused the code for it for now)
# 17:20 ben_thatmustbeme ... the interesting thing was that i was able to do activitypub create without caring about the other parts of the activitypub spec
eprodrom_ joined the channel
# 17:21 ben_thatmustbeme tsyesika: you said it's to a micropub endpoint, do you also output the activities as microformats?
# 17:22 ben_thatmustbeme rhiaro: there are some, but in my mind these are completely decoupled. The pages use accept-headers
# 17:23 ben_thatmustbeme ... it is different as if you visit my endpoint (in this case the equivalent) it shows nothing
# 17:24 ben_thatmustbeme ... the state of micropub is that when i created Micropub originally it was just create. That simplicity has led to many many clients.
# 17:24 ben_thatmustbeme ... the main goal of micropub is to allow many clients you didn't write to post to your site
# 17:24 ben_thatmustbeme ... for the majority of cases there already exists a way on your own system to edit and delete
# 17:26 ben_thatmustbeme ... the form encoded is important for posting images and video at the same time by multipart
# 17:27 ben_thatmustbeme ... i was looking to see if there was a way to use non-form encoding for update & delete but still allow files
# 17:28 ben_thatmustbeme aaronpk: It would be more convenient if there were only one path for updates as it right now allows both
# 17:29 ben_thatmustbeme ... that returns an ID and then you have to just use that ID or it gets deleted in an hour
# 17:31 ben_thatmustbeme ... this is why rhiaro and I were talking about this earlier with the naming of "SocialPub" being the join of the two
# 17:31 ben_thatmustbeme ... if you look at it as just updates and deletes. micropub is a special case of create
# 17:32 ben_thatmustbeme ... i also have the same for flights and legs of flights, that's super ugly as form encoded
nicolagreco joined the channel
# 17:33 ben_thatmustbeme ... for that one i would rather use a json object. There are plenty of cases for json format but i want that simple version for posting, that's the micro in micropub
# 17:34 ben_thatmustbeme sandro: can i rephrase this? why not do it as micropub is the form encoded posting and "activity update" is the indirect way to modify the resource that has activity streams data on it? how does that not address your use case?
annbass joined the channel
# 17:34 ben_thatmustbeme aaronpk: i'm not creating activities i'm creating posts, so it's a different vocabulary
# 17:35 ben_thatmustbeme ... the other major difference between the specs, activity pub expects you send the entire object but i want to just modify single properties and i think activity pub would benefit from that
# 17:37 ben_thatmustbeme tantek: what if i gave you a week to discuss this asynchronously then maybe you can get consensus between you two and you can pitch it to the group
# 17:38 tantek tsyesika: we discussed some of this before lunch
# 17:38 ben_thatmustbeme tsyesika: presumably this would be in both our specs we would refer to this social pub document. creating is still different. in activity pub we currently require you to always create posts in an activity
# 17:38 ben_thatmustbeme ... we could allow this to post a single object for client to server but not server to server
# 17:39 ben_thatmustbeme aaronpk: i do support that idea, i think creating is the most important action and that should be as simple as possible
# 17:40 ben_thatmustbeme ... maybe you make that exception, but the idea is that there would be 1 way to create things that would be in common
# 17:40 ben_thatmustbeme cwebber2: this sounds appealing of reaching consensus on something that has previously been very different on
nicolagreco joined the channel
# 17:40 ben_thatmustbeme tsyesika: i think it's a good idea to make use of this time to see if we can resolve this as we have an open issue on activitypub now
# 17:41 ben_thatmustbeme cwebber2: evan was a strong objector to seeing a "pure system" of always having activity wrapped objects go away
# 17:42 ben_thatmustbeme ... he didn't seem happy about it. i asked about the api only, and he didn't seem happy about it.
# 17:42 ben_thatmustbeme cwebber2: i think i'm ok with it, but i think its important that tsyesika be convinced since she is the main implementor
# 17:43 tantek (example of creating offline on a plane, and publishing later)
# 17:43 ben_thatmustbeme tsyesika: i'm certainly in support of convergence. the create activity is useful in itself as it can contain information that is different from the object, say the offline creation is different from the publish date
# 17:43 tantek (note: dt-created property has been discussed in other contexts for this reason too)
# 17:44 ben_thatmustbeme tsyesika: i'm interested in seeing if on the micropub side you would be willing to have it so that the server can always accept the wrapped activity as well as the unwrapped format
# 17:44 ben_thatmustbeme rhiaro: micropub doesn't say anything about what the server does with it when it gets the item, that's not part of the spec. all you have to do is have an endpoint that advertises itself as such
# 17:45 ben_thatmustbeme aaronpk: we have a difference in authors, you could set the author in the object or the created date, so its assumed that the server will fill those in
# 17:48 ben_thatmustbeme aaronpk: what's left in micropub is having the file uploading endpoint, form encoding ..
# 17:49 ben_thatmustbeme rhiaro: there are a couple places where the two specs are unsure of things so this is great
jtilles joined the channel
# 17:52 ben_thatmustbeme aaronpk: most support only creating and most already have some other storage properties that they are matching to
# 17:53 ben_thatmustbeme ... when i built mine i specifically have the endpoint write directly to storage, so that it is sorted out when rendering
# 17:53 ben_thatmustbeme cwebber2: i feel like we are at a point where these are practically going to be shared but we need some idea of what mapping between the vocabularies means
# 17:54 ben_thatmustbeme aaronpk: the problem that keeps coming up in the indiewebcamp channel is how do we propagate changes to old posts
# 17:55 ben_thatmustbeme ... this is where i'm seeing activity streams being useful for this, and while i might not have a mapping on my main site, but i might use it as a stream of what's going on
# 17:55 ben_thatmustbeme cwebber2: rhiaro you were working on the mapping between the two at some point i think
# 17:56 ben_thatmustbeme rhiaro: there are some pages and such, but the other important part is post type discovery
# 17:56 ben_thatmustbeme rhiaro: so there are some properties that map directly but there are a few places where it takes some work
# 17:57 ben_thatmustbeme ... is there going to be a separate socialpub document or will it be both specs take on some changes?
# 17:58 ben_thatmustbeme rhiaro: i think since i've implemented this separately as the create part, i'm in favor of breaking up activitypub into smaller docs
# 17:59 ben_thatmustbeme tsyesika: i have to admit one of the things i want for activity pub is to break it up into smaller steps that are implementable separately
# 17:59 ben_thatmustbeme ... so if i want to use only part of it, i can, but if some larger system wants to do all of it, they can
# 18:01 ben_thatmustbeme cwebber2: so here's a proposal kind of based off of what amy has done previously, would this be a reasonable restructuring of the document would be just "how to write a simple document" and then 'servers handling the client to server api' and then 3rd was server to server api
# 18:01 ben_thatmustbeme rhiaro: i would see it as 'here's how to get data to the server' then 'here's what to do with it once it gets to the server'
# 18:02 ben_thatmustbeme rhiaro: so if you wanted to do the second half you could do that separately. you could do client to server just sending files for example
# 18:02 ben_thatmustbeme cwebber2: so maybe socialpub becomes client to server entirely and then activitypub becomes server to server
# 18:03 ben_thatmustbeme tsyesika: well there are more ways to break this up than just client to server and server to server
# 18:04 ben_thatmustbeme cwebber2: i think the simpler way is saying socialpub is client to server and activitypub becomes server to server
# 18:04 ben_thatmustbeme tantek: i feel like there is part of it you are agreeing on some and others you are not
# 18:05 ben_thatmustbeme tantek: i also saw a number of suggestions for next steps for activity pub that could be done
# 18:07 ben_thatmustbeme ... amy you have a bunch of stuff written up, do you feel you can add that to social web protocols
# 18:09 ben_thatmustbeme aaronpk: it sounds like the best thing i can do is replace the whole update and replace section and assume it will be moved to the social web protocols eventually
# 18:09 ben_thatmustbeme tsyesika: i think the main thing for us is to update our spec to allow this simple editing
# 18:10 ben_thatmustbeme tantek: i think the other idea you had to update to do this separate sections of incremental implementations that would be great
# 18:11 ben_thatmustbeme action rhiaro to incorporate your work done in to the social web protocols document for the others in the group to review
# 18:11 trackbot Created ACTION-88 - Incorporate your work done in to the social web protocols document for the others in the group to review [on Amy Guy - due 2016-03-24].
eprodrom__ joined the channel
# 18:15 Loqi I added a countdown for 3/17 11:30am (#5819)
Karli_ joined the channel
# 18:29 Loqi Countdown set by tantek on 3/17/16 at 11:15am
jasnell joined the channel
# 18:35 ben_thatmustbeme eprodrom_: i think the idea was to put some time this afternoon in to resolving open issues
# 18:37 sandro tsyesika: we have certain terms like inbox, outbox, ... and rhiaro suggested generalizing this as a stream array
# 18:38 sandro .. also a way to achieve (something) about inbox and outbox
# 18:39 sandro cwebber2: So the question is... Amy's suggestion is instead of followers, .... use types, ....
# 18:39 sandro cwebber2: What could be true is we could have a term in activitypub that here's a term for ...
# 18:40 sandro cwebber2: Amy's proposition sounds interesting but I don't think object types is the right way to break it up
shevski joined the channel
# 18:40 sandro cwebber2: c-s or s-s might have different streams, and maybe this is a way to do that
# 18:40 tantek hey shevski you coming back for the afternoon?
# 18:41 sandro cwebber2: so there could be a "likes" stream, maybe a subset of collection, or maybe its own URI,
# 18:41 sandro .. I'm not sure which, I'd like to open it for discussion
# 18:41 sandro aaronpk: I have struggled with this problem. I think I understand why you have these distinctions
eprodrom__ and annbass joined the channel
# 18:42 sandro .. on my homepage I have some kinds of posts, but not others, and down at the bottom I have links to the others
# 18:42 sandro .. I curate the collections based on how I want people to read it, NOT on types
# 18:42 sandro .. and events I'm going to that are not in Portland
# 18:42 Zakim KevinMarks_, you typed too many words without commas; I suspect you forgot to start with 'to ...'
# 18:43 eprodrom__ ack aaronpk
# 18:43 sandro .. In an old version of my site I had them by type, but that didn't work well
# 18:43 sandro eprodrom__: Certain groups, like Chris' Friends, or Chris' main feed, or Things Chris Likes, ... a core set of five predefined
# 18:44 sandro cwebber2: Because followers and likes have API specific purpose
# 18:44 sandro .. So just have a relationship Stream might do this
# 18:45 sandro cwebber2: With the addition of arbitrary labeling of these new streams
# 18:46 sandro cwebber2: Sounds like have consensus, which I'm recording on the issue
# 18:46 sandro "So we will have special API specific collections, like likes and followers and inbox, but streams should be supported as a general bucket for interesting collections."
# 18:47 sandro cwebber2: This kind of moves into Who Do You Trust
# 18:47 sandro .. I think we've agreed, you trust same origin, otherwise you link back and verify
# 18:47 sandro .. in which case how do you know who has authority
# 18:48 sandro .. or do we just not want to permit that kind of static site thing
# 18:49 sandro cwebber2: If the profile is on a static site, maybe we can trust what it points to, yes....
jasnell joined the channel
# 18:51 sandro eprodrom__: ap.io gets an UpdateOn dustycloud, and it knows how to do it. I don't see why we need to proscribe server behavior
# 18:52 sandro cwebber2: If you get a message from me that there's something new, and my endpoints are on another server, should you trust them
# 18:52 sandro eprodrom__: If I remember how pump.io does it, it checks to see the authentication of the actor
# 18:53 sandro cwebber2: In APub you can have an update that's an update of a blog on another site. And you'd trust the author.
# 18:53 sandro cwebber2: Can you fake that you're someone else?
# 18:54 melvster IMHO there's nothing specific about the same origin that implies you can trust it, that's just a typical pattern used together with centralized services
# 18:54 sandro cwebber2: Assuming you want to support static sites, you'd need something like this
# 18:55 sandro sandro: same origin isn't relevant here. It's following trust-bearing links
# 18:55 sandro tantek: CSP - content-security-policy can help if you want to do this offline
# 18:56 sandro harry: So for example you could trust ... (something)
nicolagreco joined the channel
# 18:56 sandro cwebber2: I think I understand how to handle this
# 18:57 sandro tantek: I'm happy to answer CSP questions, since I just implemented it for my site
jasnell_ and hhalpin joined the channel
# 18:57 hhalpin CSP is here Sandro
# 18:57 sandro cwebber2: The main challenge for us is how to do discovery
# 18:57 hhalpin Typically, you want to use it when you are authorizing Javascript from outside the same origin.
# 18:58 hhalpin Would be useful if the endpoint has a feed that has some JS, and should be recommended to use.
shevski joined the channel
# 18:58 hhalpin CSP support works well in browsers now
# 18:58 hhalpin So any SOP exceptions, particularly if they involve javascript, should use CSP
# 18:58 KevinMarks_ if you separate the image upload from the post, and then use a URL, that implies you could use an external url for an image?
# 18:58 sandro cwebber2: Is it useful to put on the user's profile page where I submit my photos
# 18:59 sandro aaronpk: You see things like this on a multiuser system
nicolagreco joined the channel
# 19:00 sandro tsyesika: Someone might want their media wherever they want it
# 19:01 sandro tsyesika: People might have multiple endpoints
# 19:01 sandro eprodrom__: Discoverable endpoints for upload? Sounds great
# 19:02 sandro cwebber2: This has come up a few times. It bothers me we still don't have this
# 19:03 sandro .. the main challenge that was blocking this is what happens when activities represent other activities that don't exist any more
# 19:03 sandro ... transient activities, like IM or strawberry-watering.
# 19:04 sandro .. one approach is to have activities with no id, and they get delivered through federation but otherwise not interesting
# 19:04 sandro eprodrom__: We talked about the 'scope' property earlier today. Would that be a way to address this?
# 19:04 Loqi I added a countdown for 3/17 3:35pm (#5820)
# 19:04 hhalpin in general, you need an id of some kind for HTTP REST retrieval of ids from X to X1 in terms of polling, right?
# 19:04 Zakim aaronpk, you typed too many words without commas; I suspect you forgot to start with 'to ...'
# 19:05 Loqi I added a countdown for 3/17 12:35pm (#5821)
# 19:05 Zakim sees KevinMarks_, aaronpk on the speaker queue
# 19:05 sandro eprodrom__: One of the problems with client-defined-expiry is that clients lie and cheat and are bad. They say keep this forever, it's important.
# 19:05 Zakim sees aaronpk, dmitriz on the speaker queue
# 19:06 sandro .. Clients might have advisory info, but the server needs to decide.
# 19:06 sandro .. IRC updates from the F2F, scope might be F2F
# 19:07 Zakim sees aaronpk, dmitriz on the speaker queue
# 19:07 Zakim sees aaronpk, dmitriz, hhalpin on the speaker queue
# 19:07 sandro eprodrom__: Once again you're trying to dictate server behavior. Also this might not be that important. identica has a lot of updates, but it's not that big really
# 19:07 sandro aaronpk: It sounds like you're kind of talking about a Notification, which is not an activity
# 19:07 sandro cwebber2: Yes, but also a chat that you don't want to keep around
eprodrom__ joined the channel
# 19:08 sandro aaronpk: Off The Record messaging is a different thing, with its own set of considerations
# 19:08 sandro .. Call these notifications, and it makes sense.
# 19:08 sandro aaronpk: You probably don't want to casually throw OTR into the spec
Karli joined the channel
# 19:09 sandro cwebber2: Yeah, if we just put OTR in here, we'll probably get it wrong
# 19:09 sandro cwebber2: In this world, there's generally an expectation that people can retrieve things, so OTR will be hard
# 19:10 sandro .. Some server-to-server notification, like your quota is reached
# 19:10 sandro eprodrom__: Is that about too much data? I dunno what this is for.
# 19:10 sandro dmitriz: This is misusing scope. James said it would be renamed to 'audience'. An access-control-like thing.
# 19:11 sandro cwebber2: OpenFarmGame has its own type. So servers could garbage-collect them easily enough.
# 19:11 sandro cwebber2: In an earlier version of the spec, it seemed like servers had to keep things around forever
# 19:12 sandro .. that was also part of our motivation for tombstones
# 19:12 sandro eprodrom__: That might be good to document. For example, twitter API only lets you go back 800 tweets, which is like a day.
# 19:12 hhalpin That is a revision and fixes mpOTR issues
# 19:12 hhalpin However, I agree that OTR is out of scope.
# 19:13 sandro dmitriz: Agreed clients lie, but the client setting an expiry on a stream is useful.
jasnell joined the channel
# 19:13 hhalpin However, happy to ask the nextleap folks (George and Karthik - https://nextleap.eu ) to see if they can staple Axolotl on top of whatever comes out of ActivityPub, since folks are going to be working on that for the next 2.5 years
# 19:14 sandro eprodrom__: Like 'earliest item in collection is X'
# 19:14 sandro .. Most social systems don't go back very far now, so we shouldn't ask that of folks.
# 19:15 sandro .. "This is everything in the inbox. Note some servers limit the number of pages you can go back."
# 19:15 hhalpin +1 finding earliest item in collection
shevski joined the channel
# 19:15 hhalpin Do we have some normative way of getting id numbers per feed in AS2.0 and ActivityPub?
# 19:15 hhalpin [looking in spec]
# 19:15 sandro "we won't support id-less notifications. Clarify that it's up to servers if they want to keep around objects as long as they want. If they want to delete objects, like maybe delete a bunch of game notifications, that's a-ok.
# 19:15 sandro Perhaps a future extension will permit clarifying how long users might expect they can continue to access data."
# 19:16 sandro tsyesika: Can we specify indieauth for authentication?
# 19:16 Zakim sees aaronpk, dmitriz, hhalpin, sandro on the speaker queue
# 19:17 hhalpin +1 OAuth 2.0, with a non-normative recommendation for use of rel="me" w/i IndieWeb
melvster joined the channel
# 19:17 Zakim sees dmitriz, hhalpin, sandro on the speaker queue
# 19:17 eprodrom__ ack aaronpk
# 19:17 Zakim sees dmitriz, hhalpin, sandro on the speaker queue
# 19:17 eprodrom__ ack dmitriz
# 19:17 Zakim sees hhalpin, sandro on the speaker queue
# 19:17 Zakim sees hhalpin, sandro, dmitriz on the speaker queue
# 19:17 Zakim sees hhalpin, sandro, dmitriz, eprodrom__ on the speaker queue
# 19:17 Zakim sees hhalpin, sandro, dmitriz, eprodrom__, cwebber on the speaker queue
# 19:18 sandro .. I feel like you should normatively require oauth2 and suggest indieauth
# 19:18 Zakim sees hhalpin, sandro, dmitriz, eprodrom__, cwebber, aaronpk on the speaker queue
# 19:18 Zakim sees sandro, dmitriz, eprodrom__, cwebber, aaronpk on the speaker queue
# 19:18 sandro hhalpin: How do you do the REST call where you get X from Y
# 19:18 Zakim sees sandro, dmitriz, eprodrom__, cwebber, aaronpk on the speaker queue
# 19:18 hhalpin Like without re-polling everything
# 19:19 hhalpin That is something Objective8 from D-CENT hit
# 19:19 hhalpin We can normatively refer to OAuth 2.0 - it's an IETF rec
# 19:19 hhalpin In fact, OAuth 2.0 does more or less give interop
# 19:19 hhalpin OAuth 2.0 is Authorization
# 19:20 sandro sandro: oauth2 doesn't tell you what you need to make this work
# 19:20 hhalpin +1 OAuth 2.0 and Bearer Token spec
# 19:20 dmitriz bearer tokens in a federated context is not that easy
# 19:20 hhalpin Authentication should be left out (WebAuth + password stuff)
# 19:20 sandro aaronpk: Use oauth2 and bearer-tokens, but that still leaves stuff underspecified
# 19:20 dmitriz (this is something we've been struggling with in Solid, as well)
# 19:20 wilkie identity in a federated context is not the easy
# 19:20 hhalpin Identity, well, it's tough. There's some takeup of OpenID Connect (OAuth 2.0 profile)
# 19:20 sandro aaronpk: Identity is what's really useful here
# 19:20 hhalpin But it's not as universal in takeup as OAuth 2.0
# 19:21 Zakim sees sandro, dmitriz, eprodrom__, cwebber, aaronpk on the speaker queue
# 19:21 sandro .. So "just use oauth" doesn't solve the problems
# 19:21 Zakim sees dmitriz, eprodrom__, cwebber, aaronpk on the speaker queue
# 19:21 Zakim sees dmitriz, eprodrom__, cwebber, aaronpk, tantek on the speaker queue
# 19:21 sandro eprodrom: So Use Auth2 with Bearer-Tokens, that's clear enough, but...
# 19:21 Zakim sees dmitriz, eprodrom__, cwebber, aaronpk, tantek on the speaker queue
# 19:21 Zakim sees dmitriz, eprodrom__, cwebber, tantek on the speaker queue
# 19:22 hhalpin JSON Web Signatures is just a way to sign the bearer token if bearer token is JWT
# 19:22 sandro cwebber2: This was left in there as a to-be-worked-on
jasnell_ joined the channel
# 19:22 hhalpin I'm happy to take an action to review/edit that piece. We could make it non-normative but no guidance is kinda crazy
# 19:22 sandro cwebber2: Is the right thing to do to say that Auth and Ident are left as an open question
# 19:22 Zakim sees dmitriz, eprodrom__, cwebber, tantek on the speaker queue
# 19:22 Zakim sees dmitriz, eprodrom__, cwebber, tantek, hhalpin on the speaker queue
# 19:23 Zakim sees eprodrom__, cwebber, tantek, hhalpin on the speaker queue
# 19:23 sandro sandro: Leave it out of the spec, and put a best practice in a Note
# 19:23 sandro dmitriz: In Solid, we've been looking at this, and IndieAuth is one of the things we considered.
# 19:24 sandro .. but because of all the redirects, it's nice in a browser, but not so clear in an API
# 19:24 sandro .. Facebook and others solve that by giving an API token, but that's non-trivial
# 19:24 Zakim sees eprodrom__, cwebber, tantek, hhalpin on the speaker queue
# 19:24 sandro .. So lets get something working, but yeah, leave it not in the spec for now
# 19:25 sandro eprodrom: My feeling is, if you need to, Auth2+BearerTokens, but I can see lots of other ways to do this, unauth, basic auth, client certs, etc
# 19:25 sandro .. Telling me I have to use a certain kind of auth messes things up for me.
# 19:25 Zakim sees eprodrom__, cwebber, tantek, hhalpin on the speaker queue
# 19:25 Zakim sees eprodrom__ at the head of the speaker queue
# 19:25 Zakim sees cwebber, tantek, hhalpin on the speaker queue
# 19:25 sandro tsyesika: So we should say "folks SHOULD use OAuth2 + BT" ?
# 19:26 sandro eprodrom: Pump.io isn't going to bother with indieauth. We'll stick with username and password.
barnabywalters joined the channel
# 19:26 sandro .. so it's okay as a SHOULD or a best-practice. Don't require more than you can.
# 19:27 Zakim sees cwebber, tantek, hhalpin on the speaker queue
# 19:27 Zakim sees tantek, hhalpin on the speaker queue
# 19:27 sandro cwebber2: Implementations will probably do what the others do.
# 19:27 Zakim sees tantek, hhalpin, eprodrom on the speaker queue
# 19:27 Zakim sees hhalpin, eprodrom on the speaker queue
# 19:28 sandro .. we can't normatively refer to indieauth, in part because of charter, but we can do an informative non-normative reference
# 19:28 sandro .. one way would be to ask if there are any implementations that have an intent
# 19:29 cwebber2 aaronpk, is specification of indieauth as informative / non-normative currently the state in your standards?
# 19:29 sandro .. if no one intends to implement both, then don't bother
# 19:29 Zakim sees hhalpin, eprodrom on the speaker queue
# 19:30 Zakim sees hhalpin, eprodrom, cwebber on the speaker queue
# 19:30 sandro amy: my site uses indieauth, but it delegates the work to indieauth.com
# 19:31 sandro aaronpk: The interesting part here is starting from your URL and ending up getting a bearer token
jasnell joined the channel
# 19:32 sandro tantek: So you have an implementation to compare against ( rhiaro's )
# 19:32 Zakim sees eprodrom, cwebber on the speaker queue
# 19:33 sandro hhalpin: A total stub then that's not going to work because no-one is going to read it.
# 19:33 sandro hhalpin: So say O2 + BT and NOTE: try IndieAuth
# 19:33 sandro hhalpin: But obviously it's not going to be used by everyone
# 19:34 Loqi Countdown set by tantek on 3/17/16 at 12:05pm
# 19:34 Zakim sees eprodrom, cwebber, aaronpk on the speaker queue
# 19:34 sandro hhalpin: Happy to have relevant experts look over this text
# 19:34 Zakim sees cwebber, aaronpk on the speaker queue
# 19:34 sandro eprodrom: Does IndieAuth work in non-browser applications?
# 19:35 hhalpin I would also keep authentication out of scope, server to server is OAuth
# 19:35 sandro eprodrom: We should define server-to-server method
# 19:35 hhalpin in terms of authorization
# 19:35 hhalpin happy to review that text
# 19:36 Zakim sees cwebber, aaronpk on the speaker queue
# 19:36 Zakim sees cwebber at the head of the speaker queue
# 19:36 sandro cwebber2: Let's aim for the same text between micropub and activitypub
# 19:37 sandro sandro: that wouldn't allow client-certs that evan wants
# 19:38 sandro aaronpk: I definitely want multiple ways to get the token, so I leave that open.
# 19:38 sandro aaronpk: I like the requirement of Bearer-Tokens, because it's what everyone does anyway.
# 19:40 sandro aaronpk: Separate out authentication from authorization
# 19:40 sandro aaronpk: Separate how you get the bearer token from how you use it.
# 19:41 melvster you have to separate THREE parts not TWO : 1. identity 2. authentication 3. authorization
# 19:41 sandro aaronpk: SHOULD use bearer-token, SHOULD use oauth2 to get it
# 19:41 sandro sandro: let's go for MAY use oauth2 to get it
# 19:42 sandro sandro: since there are other perfectly legit ways
# 19:42 melvster this is why oauth is not a good fit for the social web, it doesn't do identity (or doesn't do it very well at least)
# 19:43 sandro cwebber2, probably down to about 22 issues, and several more we can deal with among the editors
nicolagreco, jasnell and shevski joined the channel
# 20:00 rhiaro aaronpk: Source and target form parameters are not URIs, how can we convert them to URIs because it's important for some people
# 20:01 rhiaro ... My thoughts are it has not caused any issues with any implementations that these are not URIs, so unless anyone has a single sentence they can describe a solution right now we can do it, but if not I propose we close
# 20:02 rhiaro ... When people want to represent their data for archival or to pass to other systems they want to make unambiguous the notion of source and target
# 20:02 rhiaro ... These notions are things that reasonably could have URIs
# 20:02 rhiaro ... if they were in IANA we could use that, but they're not, so currently everyone has to make up their own uris for these
# 20:02 rhiaro ... It's a trivial problem to solve, and it's a problem some people have
# 20:03 rhiaro tantek: an alternative is a registry for form encoded parameters, like rel values, which are not uris
# 20:03 rhiaro sandro: there's no conjecture that people should use the same form encoded parameter
# 20:04 rhiaro sandro: not if you want interoperability with some protocol that isn't webmention
# 20:04 rhiaro ... people might in theory want to see where webmentions are
# 20:04 rhiaro aaronpk: there's no definition of get on a webmention endpoint
# 20:04 rhiaro sandro: you should get back webmentions you're allowed to see
# 20:04 rhiaro tantek: if you were to publish an activity stream of webmentions, what would that look like
# 20:04 rhiaro aaronpk: implementations currently just drop webmentions on the floor after they're processed
# 20:05 rhiaro ... there is an idea of status urls, which can be GET to see status, so the webmention itself has url
# 20:05 rhiaro ... Implementations treat these as temporary and drop them. There are so many that are spam that come in so they aren't kept
# 20:05 rhiaro ... but status is the description of the webmention source and target and maybe what happened to it
# 20:07 rhiaro tantek: anyone who wants a uri for this you can point them to that section, don't bury it
# 20:07 rhiaro aaronpk: okay, I'll comment and close the issue when it's added
# 20:07 rhiaro aaronpk: I've summarised my position at the bottom
# 20:08 rhiaro ... This is a description of an attack where somebody can send a webmention to a system, and if the system can cause actions to happen on a GET request, I can cause that system to make another GET request somewhere which might have undesirable requests
# 20:08 rhiaro eprodrom: so I could use it for probing security holes in wordpress servers?
# 20:08 rhiaro aaronpk: except the attacker doesn't actually get a response
# 20:08 rhiaro tantek: you could cause a side effect, not get information
# 20:08 rhiaro aaronpk: all you can do is make the webmention receiver make a get request
# 20:09 rhiaro ... which is unfortunately possible but also something that is bad practice no matter what you're doing
# 20:09 rhiaro ... so it's not really something for the webmention spec: don't make your system vulnerable to get requests
# 20:09 rhiaro sandro: Never install webmention if you're behind a firewall? You are endangering everything else behind the firewall
# 20:09 rhiaro aaronpk: only if your system has access to both sides of the firewall
# 20:09 rhiaro tantek: we should call this out in the security and privacy?
# 20:10 rhiaro aaronpk: what am I calling out? don't put insecure systems on the internet?
# 20:10 rhiaro sandro: this is putting a system that is perfectly secure in a .. behind a firewall which may seem reasonable because it can't do anything except webmention, but people might not realise that putting a blog that implements webmention behind a firewall in a way that it has access to the internet
# 20:10 rhiaro aaronpk: it has to have server access to the internet in order to receive a webmention in the first place
# 20:10 rhiaro ... you'd have to put an http server inside your firewall that also listens publicly
# 20:11 KevinMarks_ "In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe""
# 20:11 rhiaro sandro: behind the firewall you have a simple blog and the blog does a post that happens to mention something else behind the firewall and does the webmention processing, dereferences the url that the user put in the post, and that thing out there says go to this url as my webmention endpoint, does that, that was behind the firewall..
# 20:12 rhiaro hhalpin: why is this not a problem for any system that lets you put arbitrary urls as input? not just webmention
# 20:12 rhiaro aaronpk: sandro described the actual attack vector
shevski joined the channel
# 20:12 rhiaro ... blog inside firewall does not listen on internet, has no public endpoint
# 20:12 KevinMarks_ how is this different from a hyperlink in the browser that you click inside the firewall?
# 20:12 rhiaro ... a person behind firewall writes a post with a link to the attacker
# 20:12 rhiaro ... attacker can then cause the internal system to make a request to another internal system, if the webmention endpoint of the attacker is inside the firewall
Karli joined the channel
# 20:13 rhiaro aaronpk: when I was addressing this it sounded like I was describing really basic security practices and didn't want to sound condescending
# 20:13 rhiaro cwebber2: would it be possible to post to localhost? cos that sounds like the biggest risk
# 20:13 rhiaro aaronpk: it could make the software that is verifying the webmention post to itself
# 20:13 rhiaro cwebber2: can't post to anything else on a different port on localhost?
# 20:13 rhiaro aaronpk: the attacker's url can advertise a webmention endpoint, which can be anything including localhost, a port, 0.0.0.1...
# 20:14 Zakim sees annbass, eprodrom on the speaker queue
# 20:14 rhiaro cwebber2: there are definitely security things with servers that allow you to access..
# 20:14 rhiaro aaronpk: it's only ever going to post source and target
# 20:14 rhiaro ... I would be willing to add an exception that says if it encounters localhost or 127.* then drop it
# 20:14 rhiaro ... I'd be happy to put that in security considerations
# 20:14 rhiaro ... Maybe not obvious, definitely specific to webmention
# 20:14 hhalpin This seems to be a generic problem for any spec that has an 1) input and then 2) takes URLs from that input and GETs them.
# 20:15 rhiaro aaronpk: definitely will put in about not sending to localhost
# 20:15 hhalpin I mean, not sending webmention to localhost makes sense
# 20:15 rhiaro sandro: I'm thinking of basically saying don't allow a webmention system to cross the firewall
# 20:15 rhiaro tantek: someone can publish an html document that has img src="localhost.../dosomething" you load that and it accesses your localhost
# 20:16 rhiaro ... or you can check the html spec and see what it says about image loading and how they treat that problem
# 20:16 rhiaro ... because cross domain images obviously work
# 20:16 rhiaro ... well defined, interoperable, well hardened
# 20:16 rhiaro ... Those are two places you could look to see how they solve this and copy that
# 20:16 sandro +1 tantek this is like the browser fetching an image or stylesheet
# 20:16 rhiaro ... if it's good enough for a browser it's good enough for webmention
# 20:16 Zakim sees annbass, eprodrom on the speaker queue
# 20:16 Zakim annbass, you wanted to ask same question that KevinMarks asked
# 20:17 hhalpin +1 (but worth further thinking about)
# 20:17 rhiaro annbass: KM asked the same question - how is this different than a regular hyperlink going out through the firewall
# 20:17 rhiaro aaronpk: a hyperlink a person has to click on
deiu joined the channel
# 20:17 hhalpin The trick is that the link is automatically run
# 20:17 hhalpin by the webmention spec
# 20:17 rhiaro ... this is a side effect of writing a blog post that links to an attacker's url, but the person doesn't have to click the link
# 20:17 tantek hhalpin, just like an image is automatically loaded
# 20:17 hhalpin although lots of other possible apps outside webmention could do this
# 20:17 rhiaro aaronpk: but similar to receiving a phishing email and having a person click the link
# 20:18 rhiaro ... The result then is I'm going to find that language and it should clear it up
# 20:18 wilkie even sandboxed iframes can do cross-domain GETs for stylesheets and scripts
# 20:19 rhiaro ... bengo had suggestion of discovery steps addition of having a 4th step checking a .well-known to find the webmention endpoint
# 20:19 rhiaro ... which lets you delegate an entire domain to a webmention endpoint without having to add it as a link header
# 20:19 rhiaro ... Question is, is this worth it or is a http link header enough to support whole domain delegation
# 20:20 rhiaro ... One path forward is say: the http link header can be configured at the server level so that's enough to support server-wide delegation
# 20:20 rhiaro ... You're a large organisation with many different subsystems, which is pretty common, wanting to have a single webmention endpoint across the whole thing
# 20:20 rhiaro ... the http link header can be configured at the server, not the software, so maybe that's enough
# 20:20 rhiaro ... Other option is to add this well-known and add it at-risk since there are no implementations right now
# 20:20 rhiaro ... See if anyone implements, and if not drop it
# 20:21 rhiaro tantek: last time this came up we resolved to stick with follow your nose
# 20:21 rhiaro aaronpk: I think bengo's argument that this was new information is a use case that many different kinds of software installed that we hadn't considered when making that resolution
# 20:22 rhiaro ... My proposal to close this with no action is justified by an http link header can be configured server wise
# 20:22 rhiaro <rhiaro> Didn't he also say something about not being able to configure the http header?
# 20:23 rhiaro aaronpk: I think it's the same amount of work organisationally to add the .well-known path as it would to configure the link header
# 20:23 rhiaro eprodrom: the link rel is registered and defined right? So since there is host-meta, the link is already there in http
Karli joined the channel
# 20:23 rhiaro ... if someone wants to go sniffing around and wants to try some bottom of the barrel ways to try it, there are ways for them to do it already with the link-rel
# 20:23 rhiaro ... The worst would be to say if you still can't find it try other ways of turning a link-rel into an endpoint
# 20:24 rhiaro aaronpk: I'd rather not recommend another way for senders to find endpoints, there are already 3 and they have to do ALL of them
# 20:24 rhiaro ... And if you add a 4th they'll have to do that also and it's a very different mechanism
# 20:24 rhiaro ... Now you're dealing with parsing link headers (already non trivial), parsing html, then you'd have to also parse xml, also parse json
# 20:25 rhiaro aaronpk: http link header, html link tag and html a tag
# 20:25 rhiaro hhalpin: not being able to modify the link header is common if you don't have full control
# 20:25 rhiaro aaronpk: if you do have full control you're in the same position to add .well-known as to create link header
# 20:25 rhiaro hhalpin: but if you can create directories and put files in you can't add a link header
# 20:26 rhiaro ... In the normal web development world, lots of people don't even know link headers exist
# 20:26 rhiaro ... but almost everyone knows how to parse html
# 20:27 rhiaro ... As long as there's a way of putting it in without link headers
# 20:27 rhiaro sandro: my question is do you ever want to be able to do webmention on a jpeg without a link header
# 20:27 rhiaro ... I think that's not worth worrying about, but I can see that someone might think it is
# 20:27 hhalpin I'm going to note that this came up with Objective8 and D-CENT
# 20:27 hhalpin I.e. problems with Link headers (i.e. their developers didn't know HTTP Link headers existed)
# 20:27 rhiaro aaronpk: sounds like we're okay with slight limitations with current discovery
# 20:27 hhalpin However, it was easy to get folks to add to the HTML
# 20:27 rhiaro sandro: anything about how you have to parse html?
# 20:28 rhiaro aaronpk: I think it just says to look for the rel
# 20:28 rhiaro aaronpk: normatively references http link header 5988 and also says ... no doesn't reference html in discovery
# 20:28 rhiaro sandro: so test suite should have corner cases about how it appears in html
# 20:28 rhiaro ... and how they differ in closing angle bracket missing etc
# 20:28 rhiaro aaronpk: I have a ton of that test data already
# 20:30 rhiaro ... Just need to add, tried to do last night, didn't get to it, but tantek threw some ideas my way so I should be able to do that now
# 20:30 rhiaro tantek: so you have all issues with a resolution, outstanding editing to do
# 20:30 rhiaro aaronpk: these three require editing that we agreed to already that I need to do
# 20:30 rhiaro ... And then conformance requirements section I don't have anything we can review right now but we're not going to cr so
# 20:31 rhiaro aaronpk: if we can agree to publish a new draft I can add it in that process
# 20:31 rhiaro tantek: if you commit to adding one we can say publish it with the edits we've agreed to
# 20:31 rhiaro tantek: do you have a path forward on all issues?
# 20:32 rhiaro tantek: we already resolved to publish new AS2 drafts with edits in the pipeline
# 20:32 rhiaro ... So any of the other things that editors want to publish new drafts of?
# 20:32 rhiaro ... I do have a change on micropub to register with iana, queued up, however not a lot of other changes, so I still would like to publish but it's not a huge change
# 20:33 rhiaro ... Does it make sense to make a resolution right now to publish with discussed edits?
# 20:33 rhiaro tantek: do you want to give the group a chance to review your changes before doing another resolution to publish, or are there enough changes the group already agreed to that you can publish once you make them
# 20:33 rhiaro ... Or do you want more time for those changes plus any others?
# 20:33 rhiaro cwebber2: Okay we'll make those changes first that the group agreed to
# 20:34 rhiaro tsyesika: we fix the bugs the group agreed to and publish
# 20:35 rhiaro PROPOSAL: Resolve to publish webmention, micropub and activitypub pending changes agreed by the wg this face-to-face
# 20:35 rhiaro RESOLVED: Resolve to publish webmention, micropub and activitypub pending changes agreed by the wg this face-to-face
# 20:36 rhiaro eprodrom: we have spare time, so anything else for next 25 minutes?
# 20:36 rhiaro ... I thought more about github spec labels yesterday and cut down to 10
# 20:37 hhalpin Quick notes, we have assembled a group of security/privacy experts to look at decentralization https://nextleap.eu
# 20:37 hhalpin And the W3C WebAuth group is likely to have one-factor cryptographic authentication in browsers end of this-year, early-next year
# 20:38 hhalpin No changes needed by specs, but just resources and new W3C work
# 20:38 rhiaro sandro: Editor, or someone with write access to repo
# 20:39 rhiaro eprodrom: is there an action we can take now?
# 20:39 rhiaro ... Review them and decide if we're going to apply them to our spec repos?
# 20:39 rhiaro sandro: Where someone says "I don't understand how this group works"
# 20:40 rhiaro tantek: I think we might need something stronger
# 20:40 rhiaro cwebber2: what if it's just like "I'm not sure if this has something to do with it" and the editor doesn't know either
# 20:40 rhiaro tantek: this is for the editor to say "this is not about my spec, this is a group issue, sending to chairs"
# 20:41 rhiaro sandro: I like this being able to be used by groups that aren't w3c, that's why I said 'process community' not chair, to generalise
# 20:41 rhiaro annbass: but... your example where you said there were issues that were people saying they were being ignored, I was taking that to mean there's been some discomfort of different technical positions proposed and feeling like they're blown off
# 20:41 rhiaro ... That's in a different category than waiting for management approval
# 20:41 rhiaro tantek: that's "commentors are unsatisfied by response", that's there
Karli joined the channel
# 20:42 rhiaro ... The director will look at each one of these and see if the commentor has merit
# 20:42 rhiaro hhalpin: Do we need to note this unless there's a formal objection?
# 20:42 rhiaro sandro: the director does like to know who is satisfied and who is unsatisfied
# 20:43 rhiaro hhalpin: I've always just listed formal objections
# 20:44 rhiaro eprodrom: are we comfortable with these labels?
# 20:44 rhiaro tantek: "waiting for commentor" could mean two different things
# 20:45 rhiaro sandro: there's not a lot you can do until you hear back
# 20:45 rhiaro tantek: could be different for open vs closed
# 20:45 rhiaro sandro: if it's closed you might be waiting to see if they're satisfied or not
# 20:46 rhiaro tantek: 'waiting for group input' -> 'needs group input'
# 20:46 hhalpin I think we should note that people were unhappy, but if someone (unsatisfied commenter) proposes a technical solution and it doesn't meet the group's requirements (i.e. it's not implemented, has no interest from more than one implementer, or has known technical flaws) then the group can argue simply that the unsatisfied commenter did not satisfy the group's requirement.
# 20:47 rhiaro aaronpk: 'happy to have this in there but I'm not gonna do it'
# 20:49 rhiaro ... If we can phrase it in a way that makes it welcoming for new folks
# 20:51 rhiaro tantek: can we collapse the first two? commentor needs no response and satisfied by response
nicolagreco joined the channel
# 20:55 rhiaro annbass: will there be a definition documented?
# 20:55 rhiaro aaronpk: are there some I can't use without group consensus?
# 20:55 rhiaro sandro: talk to the group before doing a commentor timeout
# 20:56 rhiaro ... And expect that director will look at commentor satisfied and commentor not satisfied
# 20:56 rhiaro sandro: before timeout, or waiting for more information before you can address the issue
# 20:58 rhiaro ben_thatmustbeme: if anyone wants to help co-write jf2 who knows more about writing specs?
# 20:58 rhiaro ... Kevin had offered to help with it I think
# 20:59 rhiaro RESOLVED (by chairs): make KevinMarks a coeditor of jf2
# 21:00 rhiaro ... Any plans to do something social this evening?
# 21:01 RRSAgent I'm logging. I don't understand 'please end meeting', rhiaro. Try /msg RRSAgent help
# 21:02 RRSAgent I'm logging. I don't understand 'end meeting', rhiaro. Try /msg RRSAgent help
shevski, jasnell_, jasnell__ and nicolagreco joined the channel
# 21:42 Zakim As of this point the attendees have been tantek, wilkie, dmitriz, rhiaro, aaronpk, shevski, ben_thatmustbeme, cwebber, tsyesika, sandro, Karli, AnnBass
# 21:43 Zakim leaving. As of this point the attendees have been tantek, wilkie, dmitriz, rhiaro, aaronpk, shevski, ben_thatmustbeme, cwebber, tsyesika, sandro, Karli, AnnBass
jasnell, nicolagreco, dmitriz and jasnell_ joined the channel