#social 2017-11-19

2017-11-19 UTC
rowan, htrob, jankusanagi_, bengo, cdchapman, xmpp-social, JanKusanagi, timbl, dlongley and npdoty joined the channel
#
npdoty
I am trying to get caught up on past Social CG discussions, but am discovering that there's no mailing list (!)
#
cwebber2
hi npdoty
#
cwebber2
there's only irc, telecons, and a github issue tracker, but to be fair the github issue tracker is very active
#
npdoty
for what it's worth, I'm really not sure how to get caught up on past conversations of the group
#
npdoty
I know lots of people don't like mailing lists for whatever reason, but they have nicely archived asynchronous communication for general topics
#
npdoty
also, if no mailing lists are available, could we clarify that on the Social CG home page (which currently includes a mailto: link to a mailing list not in use)?
#
npdoty
maybe it would help newcomers to point to the wiki page and github issue lists
#
cwebber2
npdoty: that's a good idea re: the home page
#
npdoty
and is the community norm to use Github issue comments in place of mailing list threads for discussion of a topic?
#
npdoty
(I want to point more people towards participating in the CG, and honestly don't know how one effectively communicates here)
#
puckipedia
WHY DO I HAVE A LOG OUT BUTTON
#
puckipedia
cwebber2: also I fixed a long-standing bug in the event queue, causing it to jam up basically
#
puckipedia
I hacked a fix by just saying "check every 10 seconds" -- but now it does the proper queuing again :D
#
cwebber2
puckipedia: heh :)
#
cwebber2
puckipedia: ... wait why wouldn't you have a log out button
#
puckipedia
I am the only user of it :D:
#
puckipedia
I have no login button on my instance. if I want to log in, I have to run javascript:Kroeg.login()
#
puckipedia
also I just added a way for consumers of Kroeg to change templates without causing issues in git
#
cwebber2
well maybe eventually you won't be the only user :)
#
puckipedia
true :P
#
puckipedia
I should test out multiple (load-balanced) instances
#
Loqi
yea!
#
puckipedia
it should be atomic, so no double POSTs or anything
#
puckipedia
I do SELECT * from "EventQueue" [...] limit 1 for update skip locked
#
xmpp-social
[ajordan] npdoty: yes, GitHub issues is the norm
#
puckipedia
ajordan: I think they left lol
#
xmpp-social
[ajordan] And meetings. Which are minuted
#
xmpp-social
[ajordan] puckipedia: ah lol
#
xmpp-social
[ajordan] Well maybe they'll check irc logs? Idk
#
puckipedia
I set up a two-instance load balanced kroeg :P
#
puckipedia
on puckipedia.com
bengo joined the channel
rowan and eprodrom joined the channel
#
eprodrom
cwebber2: I have a question
#
eprodrom
Let's say someone unauthorized has no access to an inbox collection
#
eprodrom
Should they get a 403 Unauthorized response...
#
eprodrom
...or should they get an OrderedCollection with no items in it?
#
eprodrom
Follow-up question: if they get an OrderedCollection, should the totalItems be the real total number of items in the collection, or the number of items the principal can actually read from the stream?
#
eprodrom
People on GNU Social love reading each other's inboxes, but this is actually pretty rare on other social services
#
eprodrom
My feeling is that, except when the principal is the inbox owner, return a 403
#
csarven
Were you thinking of responding with a 403 or a 200 with an OrderedCollection with no items? 403 is cleaner in my opinion and doesn't reveal any further information about the items in the response. The response could just say the reason.
rowan joined the channel
#
cwebber2
hi eprodrom
#
eprodrom
hi cwebber2
#
cwebber2
eprodrom: I'd do unauthorized yeah
#
eprodrom
csarven: yes, that's what I was thinking
#
cwebber2
I mean, you could filter to 0 items and I think that would be spec-acceptable
#
eprodrom
OK
#
cwebber2
but 403 seems nicer to me
#
eprodrom
I think so, too
#
eprodrom
But just to be clear
#
eprodrom
In any filtered collection, should totalItems = items available to YOU, or items available to ANYONE
#
eprodrom
?
#
eprodrom
The second is easier for the server
#
eprodrom
The first is easier for the client
#
cwebber2
eprodrom: haha, uh... unspecified! ;) but tbh I'd probably be doing the second for the reason you said
#
cwebber2
it could leak information though
#
Loqi
nice
#
cwebber2
about when someone messaged you etc
#
eprodrom
right
#
csarven
re responding with an OrderedCollection with no items IMO implies that they have access to the "collection" but happened to have no access to any of the items. Slight semantic difference but important enough I think. Consider the case where some of the items are accessible to them, so the OrderedCollection would only list those.
#
eprodrom
csarven: I'd agree
#
eprodrom
403 -> there will never be anything in this collection accessible by you
#
eprodrom
Scram
#
cwebber2
implementing inbox:accept:special-forward / inbox:accept:special-forward:recurses / inbox:accept:special-forward:limits-recursion
#
cwebber2
I think once I get those in
#
cwebber2
we'll have 2 for every implementation item on the reports page
#
cwebber2
good enough for PR!
#
eprodrom
cwebber2: that's great
#
eprodrom
I'm working on tags.pub tonight and tomorrow
#
eprodrom
I'll have a lot of features implemented by then, so I'll get an IR in Tuesday morning before the call
#
cwebber2
woo woo
#
eprodrom
But I have to admit, I think HTTP Signatures are shaky