#social 2017-07-13

2017-07-13 UTC
saper, timbl, prtksxna_, xmpp-social, bwn, prtksxna, timbl_ and csarven joined the channel
#
cwebber2
Gargron: puckipedia: ^^
#
cwebber2
reflects, whether you see Create as useful or annoying may be whether you see an AP stream as a series of objects or as language
#
puckipedia
but yeah, that's basically my opinion on it
#
puckipedia
and also I like the idea of the inbox/outbox being a list of Activities
#
puckipedia
... question: should a user be able to delete an activity???
#
cwebber2
puckipedia: probably, though it's true that it makes side effects tricky
#
cwebber2
that's a hell of a good question though
#
cwebber2
it also begs the question, what happens when you delete a like
#
puckipedia
same with "should the server disallow Create'ing activities?"
#
cwebber2
and how different from that is undoing a like
#
cwebber2
puckipedia: fwiw my server does disallow it
#
puckipedia
mine ... doesn't, I think?
#
cwebber2
creating activities
#
puckipedia
also things like "should the server disallow liking/announcing an Activity?"
#
xmpp-social
[ajordan] I can easily imagine deleting an activity "AJ rides a bike" to unpublish
#
puckipedia
ajordan: but then everyone has a Tombstone in their inbox
#
puckipedia
that message is actually amazing out of context
#
puckipedia
... but yeah, I see where you're coming from
#
puckipedia
... maybe limit it to the list of activities defined in the spec (and thus have side effects)?
#
xmpp-social
[ajordan] How else would you represent unpublishing things?
#
xmpp-social
[ajordan] You could argue that you could Undo that activity but it still seems like that should result in a Tombstone
#
puckipedia
if you'd delete a Create, would it delete the object of that Create too?
#
puckipedia
or does that mean we now have an object that isn't Created?
#
xmpp-social
[ajordan] I have a theory but I gotta check the spec
#
ajordan
I did not realize Delete was the inverse of Create
#
ajordan
I'm not sure now but originally my theory was, the spec says Undo is supposed to undo side effects too right?
#
ajordan
so one way to interpret that would be, "the creation of the _activity itself_ is a side effect"
#
puckipedia
Though: "The Create activity is used when posting a new object. This has the side effect that the object embedded within the Activity (in the object property) is created."
#
ajordan
this is a really messy discussion :/
#
puckipedia
I guess it's good we're having it
#
ajordan
I'm kinda regretting that we didn't have this before AS2 went to REC status though ;)
#
ajordan
oh well
#
puckipedia
... sidenote: I just had the worst idea for an ActivityPub server: one which stores the entire object inside the id
#
puckipedia
so the server doesn't have to store anything :D:
#
ajordan
hahahahahahaha oh my
#
Loqi
hahaha
#
puckipedia
like https://example.com/object?data={"type": "Create", etc...}
#
cwebber2
puckipedia: *banned*
#
cwebber2
hilarious though
#
ajordan
Stateless™
#
ajordan
wowwww cwebber2 really dislikes your idea puckipedia
#
cwebber2
I'm just kidding :)
#
cwebber2
I actually kind of love-hate it :)
#
ajordan
when I came up with something stupid they "only" revoked my social standards development license
#
ajordan
the one problem is that other servers will create "regular" ids :/
#
cwebber2
or other servers can make content for you :D
#
puckipedia
well, collections kinda don't work still, so you have to store collections and the ids of the objects inside
#
cwebber2
https://example.com/object?data={"type": "Note", "content": "I'm a butt", ...}
#
cwebber2
puckipedia: yeah that's true
#
cwebber2
Stateful!™
#
Loqi
[@dustyweb] @strugee2 I'm revoking your social standards development license
#
puckipedia
oh and as a sidenote
#
puckipedia
I was thinking of a way to add blocklists into Kroeg
#
ajordan
I'd like to point out that we've now spent ~5 minutes discussing this thing that we all agree is a very bad idea :'D
#
cwebber2
puckipedia: yeah? are you thinking of using collections or something else?
#
puckipedia
yep
#
puckipedia
basically, if you were to block a Collection, it'd add that into the 'blocked' list, and the internal list of blocked actors is then updated from the collection that was added
#
cwebber2
puckipedia: you could also do this:
#
puckipedia
then if the actor got an Add to that collection, it'd look through every person that has that blocklist
#
cwebber2
{"type": "Add", "object": "https://badapple.example/", "target": "https://foo.example/blocklist/", "to": "https://foo.example/blocklist/subscribers"}
#
cwebber2
so the blocklist has its own list of subscribers/users of the blocklist
#
cwebber2
which is another collection
#
puckipedia
soo wouldn't that just be a Collection someone Created?
#
cwebber2
one collection to contain the banned people, another collection to contain people using/following it
#
puckipedia
I mean. Isn't that how ActivityPub should work? :P
#
cwebber2
puckipedia: it could be that simple
#
puckipedia
that was basically exactly what I would do
#
ajordan
puckipedia++
#
Loqi
puckipedia has 8 karma
#
cwebber2
puckipedia: sometimes I wonder if we should have some collection subtypes for some of these things
#
puckipedia
wouldn't that be something like ["OrderedCollection", "Blocklist"]
#
cwebber2
like, does BlockList merit its own subtype, or at least type that could be composited
#
cwebber2
that's how you could do it without "subtyping"
#
puckipedia
actually now that we're talking about collections
#
puckipedia
... (how) should servers sync collections?
#
puckipedia
e.g. you want to verify a remote collection contains a specific object
#
puckipedia
do you have to load the entire thing again?
#
ajordan
similar to "inbox search"
#
ajordan
although actually inboxes are Collections so maybe it makes sense to define a way to query for different parts of Collections and have inboxen inherit from that
#
puckipedia
looks at the list
#
puckipedia
"WebSockets(? also value in something like SockJS) interface for clients to get streams like the inbox sent to them in realtime" woops I have that already
#
puckipedia
well, I use EventSource
#
ajordan
pump.io has something like that for the web UI, that's where the idea came from
#
ajordan
I figured we should treat all clients equally ;)
#
puckipedia
because of stupid CORS reasons the authorization header is in the query url
#
puckipedia
query of the url*
#
ajordan
wait what?
#
puckipedia
I can't set arbitrary headers with the EventSource API
#
ajordan
isn't familiar with EventSource
#
puckipedia
EventSource is basically server push
#
ajordan
reading the docs now
#
puckipedia
sidenote, exactly how I implement it: I set data to an unflattened version of the object, id to the id of the object, and don't use event
#
puckipedia
so if the connection drops and reconnects I can grab the Last-Event-ID and use it
#
ajordan
why not use WebSockets instead?
#
ajordan
https://caniuse.com/#feat=eventsource better compatibility and there are more Known Issues in the EventSource one
#
ajordan
maybe I don't understand your CORS issue though
#
puckipedia
ajordan: well, I mean, I can't set headers with either js WebSocket or EventSource
#
ajordan
I think I was making bad assumptions about EventSource
#
puckipedia
that was what I meant with CORS, for some reason
#
puckipedia
I think the idea of EventSource is that it is one-way
#
ajordan
ahhhhh so you can't set an Authorization header
#
puckipedia
exactly
#
cwebber2
oh yeah websockets stuff
#
puckipedia
with websockets I could probably send the authorization value inside a websocket message
#
cwebber2
I'd love to get a websockets c2s extension formalized
#
puckipedia
cwebber2: I could poke a test into Kroeg
#
ajordan
puckipedia: the issue here is *only* browsers, right? because any other client should be able to set headers as they please
#
puckipedia
yes
#
ajordan
shouldn't you be able to authenticate based on cookies then?
#
puckipedia
well, the client may not be on the same server as the server
#
ajordan
that's going to be a problem no matter what
#
ajordan
whenever you're building a web UI you
#
puckipedia
e.g. people writing simple clients that run on github pages or so
#
ajordan
*you'll *always* have to proxy stuff through a server
#
ajordan
no CORS will prevent you
#
puckipedia
I have cors on my server open, maybe I could limit it to authorized people
#
ajordan
either every server you ever display posts from sets CORS headers, or you miss some data, or you introduce a server component
#
ajordan
right?
#
puckipedia
there's an endpoint "proxyUrl"
#
ajordan
hang on I'm confusing myself
#
ajordan
ah boy
#
ajordan
ok tbh I can't quite keep track of what I(!) am saying
#
ajordan
so instead of trying to work this out I'm gonna go make a grilled cheese sandwich and try again later ;)
#
puckipedia
:)
#
ajordan
just ignore me lol, I have no idea what I'm saying
#
puckipedia
my idea is that not even the client running on the same server is special
#
puckipedia
so it'd use the same oauth mechanism
#
ajordan
but you're optimizing for the lowest common denominator
#
ajordan
that doesn't seem like a great idea in protocol design ;)
#
puckipedia
dogfooding :P
#
puckipedia
yeah, this is a part I should think about more
#
puckipedia
some other systems fix it by POSTing to a place, and then you get a unique url you use for websockets
#
puckipedia
I think websockets are almost finished (with same ?authorization=[...] requirement as above sadly)
#
puckipedia
of course, this is a ... 5-minute hack
#
xmpp-social
[ajordan] I mean you could also support both
#
xmpp-social
[ajordan] Hacky, but it'd work
#
csarven
#CORSPITA
#
csarven
IIRC, in dokieli it tries to see if it can get away with CORS. Falls back to proxy.
#
xmpp-social
[ajordan] Hahahaha
#
Loqi
nice
#
cwebber2
CORS is a clear indicator of how hacked-on our concepts of security are on the web
#
csarven
What's xmpp-social?
#
xmpp-social
[ajordan] XMPP bridge
#
cwebber2
I mean, it's good that CORS stuff has been worked on
#
csarven
Bridge to?
#
cwebber2
but a nicer design would be where the concept of "a domain" as a grouping of things barely matters
#
cwebber2
or doesn't exist :)
#
cwebber2
down with dns!
#
xmpp-social
[ajordan] When I get around to it I'll port #indieweb's Slack gateway to XMPP so it doesn't have the weird single-user thing you just noticed
#
csarven
Down with Internet/Web. BBS will have a come back.
#
xmpp-social
[ajordan] csarven: bidirectional bridge between #social and an XMPP room
#
csarven
After this linktax fiasco.. wait and see
#
xmpp-social
[ajordan] At xmpp:w3social@muc.im.koderoot.net?join
#
xmpp-social
[ajordan] cwebber2: I guess
#
xmpp-social
[ajordan] But really what's important is the concept of an origin, which just happens to be domains atm
#
xmpp-social
[ajordan] That seems better than all the alternatives tbh
#
xmpp-social
[ajordan] Disallow by default, poke holes where it's safe
#
cwebber2
ajordan: origins shouldn't matter either, and poking holes shouldn't be necessary, object-capability security 4lyfe ;)
#
cwebber2
but we don't live in that world, so okay I guess :)
#
xmpp-social
[ajordan] See also https://w3c.github.io/webappsec-suborigins/
#
Loqi
[Joel Weinberger] Suborigins
#
xmpp-social
[ajordan] Hmm, I guess
#
xmpp-social
[ajordan] Maybe I'm just too used to the web to properly think about this :)
#
xmpp-social
[ajordan] I mean, it's been around basically my entire life. Web 2.0 happened when I was like, 8 or something
#
puckipedia
I remember web 2.0 kinda
#
cwebber2
see also https://web.archive.org/web/20160302160222/www.eros-os.org/essays/capintro.html and the incredible http://mumble.net/~jar/pubs/secureos/secureos.html which demonstrates that security capabilities are a natural extension of the lambda calculus
#
puckipedia
mostly https://script.aculo.us/
#
xmpp-social
[ajordan] Oh god lambda calculus
#
xmpp-social
[ajordan] I've tried to learn that a couple times lol
#
cwebber2
it's the basis of everything
#
cwebber2
ajordan: if you're trying to learn it from the lambda calculus itself, that's probably the wrong approach :)
#
xmpp-social
[ajordan] Each time I've gotten a little more but still not any semblance of "understanding" ?
#
cwebber2
learn Scheme or Haskell, and read the Lambda Papers
#
xmpp-social
[ajordan] Right
#
cwebber2
The Little Schemer is a great introduction, so is Structure and Interpretation of Computer Programs, the 1980s lectures of which are super fun
#
cwebber2
but lambda calculus is not hard at all
#
cwebber2
all it is
#
cwebber2
is you have functions
#
cwebber2
and you apply them
#
cwebber2
and you get a result
#
cwebber2
that's it!
#
cwebber2
and it turns out, with just that
#
cwebber2
you can build everything.
#
xmpp-social
[ajordan] Neat
#
xmpp-social
[ajordan] Lol I've been meaning to learn *both* of those languages for so long
#
cwebber2
you can even implement numbers and linked lists purely in terms of functions
#
xmpp-social
[ajordan] Especially because, for someone who uses Emacs, I'm VERY BAD at Lisp
#
cwebber2
peano arithmetic and church notation
#
cwebber2
ajordan: so I highly recommend the following
#
cwebber2
- get a copy of The Little Schemer, install geiser, and go through it over the course of 1-2 weeks
#
cwebber2
it's a blast, I promise you
#
cwebber2
do a chapter or 2 a night
#
cwebber2
by the end of the book, before you know it
#
cwebber2
you've learned how the Y Combinator has nothing to do with startups and everything to do with recursion
#
cwebber2
and you've written your own interpreter of scheme inside scheme
#
cwebber2
all through a really fun dialogue style of programming
#
xmpp-social
[ajordan] Sounds awesome!
#
cwebber2
illustrations are cute too
#
cwebber2
the problem with The Little Schemer:
#
xmpp-social
[ajordan] /me bookmarks the IRC logs from today
#
cwebber2
it's *nothing* like programming scheme in reality :)
#
cwebber2
if you struggle with recursion, and want to learn better about the ideas behind languages
#
cwebber2
it's a great intro
#
cwebber2
and by the end of it, writing recursive procedures will be as natural as a for loop
#
cwebber2
SICP is a lot more challenging and takes a lot longer, but is worth it too
#
cwebber2
okay, so what I didn't clarify is, what does the lambda calculus have to do with capabilities?
#
cwebber2
well, what's a capability
#
cwebber2
it has nothing to do with what android or linux call capabilities
#
cwebber2
call those "kibble-bilities" instead to differentiate
#
cwebber2
in a capability based system, you have nothing in your environment except what's provided to it
#
cwebber2
all access is by gaining a reference to something through a "capability"
#
xmpp-social
[ajordan] Ahhhh right yes
#
xmpp-social
[ajordan] I went to a talk on Pony a couple years ago which is very into this stuff
#
cwebber2
you know how in contemporary operating systems, if someone finds the tiniest pin-hole sized bug in libpng they can get you to open an email and trash your home directory?
#
cwebber2
you'd be safe from that in a capability security based environment
#
cwebber2
because it wouldn't have "ambient control" via an ACL
#
cwebber2
it would have access to what was given it
#
puckipedia
somehow I'm getting double values in my websocket client thingy
#
cwebber2
and there's no reason to give libpng access to your home directory
#
puckipedia
... I know why :D:
#
xmpp-social
[ajordan] Lol yes
#
cwebber2
http://mumble.net/~jar/pubs/secureos/secureos.html demonstrates running a program that you don't even trust
#
cwebber2
and it can't damage your system
#
cwebber2
and it turns out, if you think this is all just theoretical
#
cwebber2
it's gonna become not so soon
#
cwebber2
because this is what Google's Fuchsia is based on
#
xmpp-social
[ajordan] In a way chroot jails are a way of shoehorning capabilities into the existing model
#
cwebber2
something like them, but not very good, yeah
#
cwebber2
it's an old idea: microkernel based architecture with message passing and capabilities
#
cwebber2
that's the HURD's design in fact, and several other OS designs... contemporary os designs just beat them to the market but
#
puckipedia
yay, websockets work
#
puckipedia
and are exactly as boring as you'd expect
#
cwebber2
I think since trying to keep your system secure is nearly impossible these days
#
cwebber2
that design will come back, and at least some team at Google seems to think so
#
cwebber2
so what does it have to do with the lambda calculus?
#
cwebber2
read the Rees Thesis to find out :)
#
cwebber2
turns out, if you have a system that has no globals and has lexical scope
#
cwebber2
arguments and lexical closures are basically capabilities
#
xmpp-social
[ajordan] Hahahaha of COURSE you're into microkernels
#
xmpp-social
[ajordan] That's neat though
#
puckipedia
quickly deploys to main instance
#
cwebber2
okay anyway
#
cwebber2
sorry for the wall of text
#
cwebber2
hope you found it interesting ajordan
#
puckipedia
hm. what if I set up a large Kroeg instance and asked people like EUR 1 per month to have their own account
#
xmpp-social
[ajordan] I think I see what you mean with origins too
#
cwebber2
yeah, trying to scope things by an origin
#
cwebber2
it's like trying to scope things by an ACL
#
cwebber2
it's ambient authority
#
xmpp-social
[ajordan] I've always thought that Content Security Policy was a gross (but necessary) hack
#
cwebber2
the wrong model
#
cwebber2
it's a necessary hack for that model of things yeah
#
xmpp-social
[ajordan] And np! This is super interesting
#
xmpp-social
[ajordan] puckipedia: !!!!!!!!!
#
xmpp-social
[ajordan] Awesome!
#
cwebber2
puckipedia: I might sign up at least to support your work :)
#
xmpp-social
[ajordan] cwebber2: right
#
cwebber2
even if it's not my primary AP server :)
#
puckipedia
I mean, it's more of an idea and it'd be interesting to have e.g. yourusernamehere.kroegapp.com
#
puckipedia
though I feel it has to have a GUI at least :P
#
puckipedia
I wonder how high I can scale Kroeg
#
xmpp-social
[ajordan] /cc ben_thatmustbeme who has thought a lot about bare-domain AP identifiers :-)
#
puckipedia
hehe, I tested it out
#
puckipedia
http://test1.social.puckipedia.com/ (says it's https but don't be fooled, I don't have https for it)
#
puckipedia
yes that's two slashes
#
xmpp-social
[ajordan] Hahahaha
#
xmpp-social
[ajordan] I feel for you
#
xmpp-social
[ajordan] That's the worst kind of bug
#
xmpp-social
[ajordan] Like off-by-one errors
#
puckipedia
so I was thinking
#
puckipedia
{type: Create, object: {type: Person, id: example/A, name: "Example"}, actor: example/A}
#
puckipedia
yes. the user creating themself
#
puckipedia
iirc this is how I'm doing user creation now
#
puckipedia
well, without the actor: example/A part though :<
#
puckipedia
no wait yes
#
xmpp-social
[ajordan] Quick update on where I am in my life rn: I talk in #social enough through my phone that the Android keyboard now suggests "cwebber2" as a word
#
puckipedia
:D
#
cwebber2
ajordan: ha
#
cwebber2
I guess I'll take that as a compliment :)
#
puckipedia
(not online for a long time, going to bed pretty soon)
#
xmpp-social
[ajordan] cwebber2: lgtm lol
#
puckipedia
but yes that's a Create for the user that created that Create
#
ajordan
puckipedia: I get "server not found" for that
#
puckipedia
hm? oh wooooops
#
puckipedia
I forgot I dropped the DNS but kept it in my hosts file for some reason
#
cwebber2
we ought to make a set of epic federation trolls
#
ajordan
lol also I might have just found a vaguely security-like issue in an XMPP XEP
#
puckipedia
I added the CNAME but it might take a while to recover
#
ajordan
puckipedia: oh my god
#
puckipedia
ajordan: that's actually in your outbox when you create an account :P
#
ajordan
this is why we (will) have a "recursive objects" section in Security Considerations :D
#
puckipedia
I don't consider this recursive :P
#
puckipedia
I just kinda like the idea that you create yourself
#
ajordan
how in the world is that not recursive
#
ajordan
oh I guess not
#
cwebber2
a naive expander might recurse forever
#
puckipedia
unless you count object->outbox->first->next->next->[...]->next
#
ajordan
because the `actor` property is referring to the embedded Actor, not the Create
#
cwebber2
oh wait
#
cwebber2
I misread
#
cwebber2
I thought the Create was pointing at itself
#
cwebber2
but it's pointing at its own actor
#
ajordan
^^^ same
#
puckipedia
anyways {type: Update, object: {id: puckipedia, location: bed}}
#
cwebber2
so previously I thought the right way to do transient IM-like messaging in AP
#
cwebber2
would be to use fragment identifiers
#
cwebber2
but tsyesika suggested something interesting
#
cwebber2
(05:45:46 PM) Jessica Tallon: could just be tsyesika.se/objects/UUID or somethin and one can then forget about it
#
cwebber2
(05:46:21 PM) Jessica Tallon: 404 is valid for deleted objects
#
cwebber2
(05:46:38 PM) Chris Webber: heh yeah I guess you could have objects that exist for such a short period of time
#
cwebber2
(05:46:45 PM) Chris Webber: that the length is infinitely small: nothing :)
#
ajordan
404 is valid?
#
ajordan
doesn't it at least require a Delete activity?
#
ajordan
and shouldn't deleted objects also get a Tombstone instead of a 404? I might be misremembering that one though
#
ajordan
also puckipedia I realize you're sleeping but I'm curious what timezone you're in?
#
tsyesika
ajordan: it says may for tombstone
#
ajordan
gotcha
#
ajordan
goes to read the spec instead of potentially making random crap up
#
ajordan
ah yep
#
ajordan
it still seems like you'd need a Delete tho
#
ajordan
sometimes wonders if XMPP is a better fit for PMs...
#
ajordan
it's much more focused on "real-time"
#
tsyesika
I think XMPP is probably a better fit to be honest but maybe for other ephemeral objects (it seems it's all the rage these days)
#
ajordan
what seems like all the rage? ephemeral objects?
#
tsyesika
I don't know if it requires a delete activity
#
tsyesika
ajordan: I'm thinking snapchat and the like
#
ajordan
ahhhh yes
#
tsyesika
she says never having used snapchat
#
ajordan
good for you
#
ajordan
annoys all his friends by *having* a Snapchat and actively reading his Snapchat, but insisting on responding via text
#
ajordan
because Freedom
#
tsyesika
anyway. It's 1 in the morning here, I'm gunna head to sleep.
#
ajordan
night tsyesika! sleep well
#
ajordan
thinking about it more I guess the reason I wonder about XMPP is because like
#
ajordan
say I PM someone a video
#
ajordan
XMPP would just send it to them
#
ajordan
but with ActivityPub you don't really know because none of the protocol has any timing guarantees
#
ajordan
the server might e.g. transcode the video
#
ajordan
there's really no expectation as to *when* delivery will actually occur... we leave that open on purpose in order to support broad implementation styles
#
ajordan
but XMPP is designed at its core to do realtime message routing
#
ajordan
idk maybe I'm worrying about this too much but
#
Loqi
[RRSAgent] I have made the request to generate http://www.w3.org/2017/07/12-social-minutes.html trackbot
#
ajordan
sandro, rhiaro: would you know anything about that?