#social 2017-11-20

2017-11-20 UTC
#
cwebber2 why?
#
eprodrom Well, getting headers right for signatures is really error-prone
#
eprodrom And library support in languages I've seen so far is sparse
#
eprodrom It's an RFC draft
#
eprodrom That's all
#
eprodrom I'm prepared to be pleasantly surprised
#
cwebber2 ack on the rfc draft aspect
#
cwebber2 though I was able to do an implementation from scratch and verify that my stuff acked/nacked against another users' implementation
#
cwebber2 who was not the RFC author ;P
#
eprodrom That's good too
#
eprodrom I just remember it being a hassle with OAuth 1.0
#
eprodrom People can usually find a way to misinterpret directions so they get their signature wrong
#
cwebber2 probably the trickiest thing with HTTP sigs IIRC is that you have to agree what the key identifier in the key means
#
cwebber2 er
#
cwebber2 in the sig
#
cwebber2 which was intentionally left out of scope
#
cwebber2 it doesn't say "do an http GET with these parameters against the ID and fetch this blob from the json object" etc etc
#
cwebber2 which, I get was so that it was more general though. still, we gotta specify what *we* expect in AP-land...
#
eprodrom gotcha
#
eprodrom I don't know what's supposed to happen there
#
eprodrom Is the key just another property on the AS2 representation of the object?
#
cwebber2 eprodrom: yes, let me paste an example of my mastodon user
#
cwebber2 eprodrom: http://sebsauvage.net/paste/?0efddcfe6cb03228#W7yhotg5rY7ltL8vOSfOBh0MZaCnoKsEpfS8unxsEjA= see the publicKey section
bengo, rowan, h, cdchapman, timbl, npdoty and eprodrom joined the channel
#
eprodrom cwebber2: I added a new issue to AP2
#
eprodrom I think it's just a typo
xmpp-social joined the channel
#
puckipedia <eprodrom> Well, getting headers right for signatures is really error-prone <- surprisingly in C# it was pretty simple, I had control over every header (including Date!)
#
puckipedia hm. I think there's a bug in Mastodon somewhere
#
puckipedia I think it has to do with Delete blasting
#
puckipedia this post: tag:mastodon.social,2017-06-09:objectId=8499030:objectType=Status <- I think this got deleted. I got two "Undo/Announce" for kellerfuchs, three from cwebber2, 17 from .. .someone else, and 1 from Gargron
#
puckipedia this is a dedupe bug for me though
#
puckipedia but... 17 times!!
#
puckipedia I think it's once per linked server that also had someone that boosted the post
#
puckipedia except for Gargron, who is on the originating server
cdchapman and timbl joined the channel
#
puckipedia "so why doesn't the event queue system work" ... "oh, I forget to poke it to start processing events"
rowan joined the channel
#
cwebber2 puckipedia: the server was down for a while last night
#
cwebber2 I wonder if something weird happened
cdchapman, timbl, h and eprodrom joined the channel
#
eprodrom cwebber2: hey
#
eprodrom I hope you don't mind that I'm filing issues on AP
#
cwebber2 hi eprodrom
#
eprodrom I don't think they're normative
#
cwebber2 eprodrom: I don't mind as long as they aren't normative ;D
#
cwebber2 eprodrom: haha ok :)
#
eprodrom I'm just trying to get them out there while I can
#
Loqi awesome
#
eprodrom huh
#
eprodrom What does that mean? "awesome"?
#
eprodrom Is it a response to something one of us said?
#
eprodrom I should hang out in this channel more
#
Loqi yea
#
eprodrom ha
#
cwebber2 lol
#
eprodrom cwebber2: I think the "MAY" wording for the content types is fine. It says, I think, to prefer JSON-LD but that you can accept AS2 type
#
eprodrom So it's slightly loosening the requirements
#
cwebber2 eprodrom: cool, yeah that's my interpretation. Should I add a note also earlier in the "objects" section about expecting them to be equivalent?
#
cwebber2 or is it good enough with that MAY
#
eprodrom I think it's fine
#
cwebber2 cool. Wrapping that one up then!
#
eprodrom Cool
#
eprodrom I think that was my last read-through so you probably won't see any more issues from me
#
cwebber2 yay
#
Loqi giggles
#
eprodrom Oh wait
#
cwebber2 sweats
#
eprodrom I think I might have one more little beef
#
cwebber2 calms self by thinking of a tiny cute little cow!
#
eprodrom It's this: "The server MUST remove the bto and/or bcc properties, if they exist, from the ActivityStreams object before storage and delivery, ..."
#
eprodrom I think that how I store objects is none of your concern
#
cwebber2 is the problem with the storage part?
#
cwebber2 ok yeah
#
cwebber2 its just
#
cwebber2 hm
#
cwebber2 it really means about presentation and delivery
#
eprodrom RIght
#
cwebber2 eprodrom: I think itw ould be a non-normative change to delete the "storage"
#
eprodrom I agree
#
cwebber2 eprodrom: file an issue? I can make that one fast
#
puckipedia maybe change storage to presentation?
#
cwebber2 hm
#
eprodrom Maybe even move it to the privacy considerations
#
cwebber2 changing to presentation may be normative
#
eprodrom But there's another tricky part
#
cwebber2 unless we agree it was basically "what was meant" and what was done by implementors
#
cwebber2 uhoh
#
cwebber2 imagines another tiny cow
#
puckipedia makes guess on what the tricky part is
#
eprodrom Which is that, if a server receives an activity for a user...
#
eprodrom ...it may want to verify that the activity was addressed to that user.
#
cwebber2 eprodrom: it can't do that
#
eprodrom was that your guess?
#
cwebber2 because of bcc / bto!
#
puckipedia knew it. solution: if you get a signed request to the inbox, just trust that it was meant to be delivered there
#
cwebber2 puckipedia: ++
#
Loqi puckipedia has 15 karma
#
puckipedia this is actually needed for proper Mastodon interop
#
eprodrom Why
#
puckipedia as it sends Like/Follow/Accept/Reject with no audience whatsoever
#
eprodrom Ha
#
eprodrom It should not do that
#
cwebber2 mastodon won't accept posts that aren't signed
#
cwebber2 haha everything is bto/bcc!
#
puckipedia ^
#
puckipedia no way to prove it isn't :P
#
eprodrom Lemme check what pump.io does
#
puckipedia and yeah, I strip bto/bcc before presentation, as I consider that the functional equivalent to before storage+delivery
#
cwebber2 puckipedia: I assume before normalization too, right?
#
cwebber2 for signatures
#
eprodrom pump.io removes bto/bcc before remote delivery
#
eprodrom So that's good
#
eprodrom I think it leaves it on in storage though
#
puckipedia cwebber2: .... I have noooooo LD signatures right now
#
cwebber2 oh right
#
cwebber2 well those aren't as important
#
cwebber2 as http sigs
#
eprodrom That way if someone who is bcc'd tries to read the activity, they have access to it
#
cwebber2 just for sharing / forwarding
#
puckipedia ^ yep
#
cwebber2 eprodrom: ok yeah, that's fine, and you're right the server shouldn't say it
#
cwebber2 the question is whether we should say "presentation and delivery" or just "delivery"
#
cwebber2 should we take that up with the WG tomorrow?
#
eprodrom The server shouldn't say what?
#
cwebber2 ugh
#
puckipedia eprodrom: bcc/bto
#
cwebber2 the spec shouldn't
#
cwebber2 say storage
#
puckipedia ah lol
#
eprodrom Right
#
puckipedia hooray for stress
#
cwebber2 horray
#
eprodrom The spec shouldn't say storage, agreed
#
eprodrom I think presentation is another question
#
eprodrom Probably good to filter it for everyone but the author
#
puckipedia probably true
#
eprodrom That's the typical email behaviour, e.g.
#
cwebber2 M-: (let ((zone-programs [zone-pgm-stress])) (zone)) <RET>
#
cwebber2 for emacs friends
#
cwebber2 or just M-x zone
#
puckipedia egh I need to redo most of the handler chain (and flattening) in the Twitter AP bridge
#
puckipedia which is totally expected but still annoying
#
eprodrom TWITTER AP BRIDGE
#
eprodrom WAS IS DAS
#
cwebber2 :D
#
puckipedia eprodrom: a c2s AP api that allows you to use AP clients to talk to Twitter
#
eprodrom puckipedia: f*** yeah
#
eprodrom That's great
#
eprodrom Bravo
#
eprodrom I have that on my TODO list! I am taking it off right now!
#
cwebber2 I'm planning to work on a gtk activitypub client next month for fun btw
#
eprodrom cwebber2: that is good fun
#
cwebber2 eprodrom: so we're gonna get your AP impl reports bright and early tomorrow? :)
#
eprodrom cwebber2: maybeeeee make a note about bcc and bto in https://www.w3.org/TR/activitypub/#security-sanitizing-content ?
#
eprodrom cwebber2: yes
#
cwebber2 eprodrom: sweet
#
cwebber2 uh
#
cwebber2 eprodrom: I dunno I think the change we discussed already covers it right?
#
cwebber2 I feel like telling servers to strip out bto/bcc on delivery is important
#
eprodrom Agreed
#
eprodrom But you were talking about _presentation_
#
cwebber2 eprodrom: ah
#
eprodrom I think maybe making that a security/privacy note is probably enough
#
cwebber2 eprodrom: ok, sounds good.
#
cwebber2 eprodrom: mind filing an issue real quick? can even be subject-only
#
eprodrom "bto/bcc is private info that the author does not want shared with the world. Don't show it to anyone but the author."
#
eprodrom cwebber2: will do
#
cwebber2 ty
#
cwebber2 we're so close
#
cwebber2 we're gonna make it I thinnnnnk!
#
cwebber2 hm, ok, back to the task list :D
#
eprodrom cwebber2: https://github.com/w3c/activitypub/issues/280
#
Loqi [evanp] #280 Don't try to dictate storage strategies for the server for bto and bcc properties
#
cwebber2 eprodrom: ++
#
Loqi eprodrom has 50 karma in this channel (51 overall)
#
eprodrom cwebber2: I guess the main thing I want to make sure of is that I don't stumble over something in this spec 2 months from now where I'm like, uh, this is unclear and/or wrong
#
eprodrom So even those this is late in the day, I'd rather say it now than a week from now
#
aaronpk whoa, "eprodrom: ++" worked??
#
aaronpk Loqi++
#
Loqi loqi has 7 karma in this channel (444 overall)
#
cwebber2 eprodrom: I hear ya
#
puckipedia idea: hooking the Twitter -> AP bridge I'm writing into a GNU Social server
#
cwebber2 GNU SoCal (Southern California)
#
aaronpk puckipedia: an AP-to-twitter API sounds great! i've been very happy using bridgy publish and silo.pub to interface with twitter via webmention and micropub
#
eprodrom cwebber2: uh
rowan joined the channel
#
eprodrom cwebber2: I have another teensy one
#
eprodrom https://www.w3.org/TR/activitypub/#inbox-forwarding <-- here
#
cwebber2 eprodrom: notably I just pushed something about that
#
eprodrom Huh
#
eprodrom Well, it mentions bto and bcc
#
cwebber2 oh yeah
#
cwebber2 heh
#
eprodrom But we just said that bto and bcc are stripped before remote delivery
#
cwebber2 okay I didn't mention about tthat
#
cwebber2 you're right
#
eprodrom So they'll never show up there
#
cwebber2 I think we were just including All The Addressing
#
cwebber2 eprodrom: toss onto your existing issue?
#
cwebber2 I think this is kinda related
#
eprodrom I'll make this another issue
#
cwebber2 sounds good/fine
#
cwebber2 https://w3c.github.io/activitypub/#inbox-forwarding btw
#
cwebber2 I just added the note
#
eprodrom Oh thanks
#
cwebber2 because people kept getting confused as to what that was
#
cwebber2 oh, not about what we discussed, this is a different note
#
eprodrom cwebber2: " This problem isn't best demonstrated with an example. "
#
cwebber2 oh gosh
#
eprodrom That's very humble
#
cwebber2 lol
#
cwebber2 "this problem is best demonstrated by an example, but you need a better spec editor to get it"
#
cwebber2 fixed
#
eprodrom "There are probably better ways to demonstrate this problem, but I'm feeling lazy so I'm going to give you an example."
#
cwebber2 lol
#
eprodrom So, OK, I think this is a really smart way to do it
#
eprodrom Although
#
cwebber2 "it would be better if... look, you'll understand it when you're older (because you'll have written an implementation yourself)"
#
eprodrom umm
#
eprodrom Is the activity re-distributed as-is, or is it wrapped in an Announce activity?
#
cwebber2 eprodrom: I actually think it could have been simplified in retrospect if we just had collection/groups have inboxes themselves and check to see if they should forward
#
cwebber2 eprodrom: distributed as-is according to current spec
#
eprodrom cwebber2: yes, I think that's fine
#
cwebber2 and I think that's correct
#
eprodrom hmm
#
cwebber2 because distributing in an announce would have looked like a share
#
cwebber2 a user may think you're sharing it explicitly
#
eprodrom Well, it is a share
#
cwebber2 when you didn't
#
cwebber2 I mean, UI wise
#
cwebber2 it would render differently
#
eprodrom Maybe a share by the server instead of a share by the user
#
cwebber2 here it's like a bcc, but a bcc coming from someone else
#
eprodrom Yeah, I agree
#
cwebber2 yeah well I don't know how to render share by the server in current AP :)
#
eprodrom So servers that are validating input to the inbox need to make an exception for this
#
eprodrom Also, I think you're right about having an inbox for collections
#
cwebber2 yeah
#
cwebber2 I only realized this earlier this week
#
cwebber2 it would have simplified two of the more confusing parts of the spec
#
eprodrom 1.1
#
eprodrom It's also the best way to do groups
#
cwebber2 yeah
#
cwebber2 eprodrom: but I think there's an upgrade path
#
cwebber2 which I've already coded in
#
eprodrom Cool
#
cwebber2 *if* you see an inbox on the group
#
cwebber2 skip doing the forward and just send it to that group/collection to do it
#
eprodrom Right
#
eprodrom Nice
#
cwebber2 so that's an extension, but yeah would have been nice to get it right in this version of the spec
#
cwebber2 but at least it's backwards compatible
#
eprodrom Right
#
eprodrom So, I'm very happy about this
#
cwebber2 :D
#
eprodrom What I'm not happy about is the Big Problem we don't know about yet
#
eprodrom But there's only one way to find that
#
cwebber2 well we don't know what it is so
#
cwebber2 yeah
#
eprodrom Which is to get so popular that we make it happen
#
cwebber2 I have an extension to propose which I think can improve some security properties too
#
cwebber2 but I'm waiting tto raise it
#
cwebber2 because it's also backwards compatible
#
cwebber2 and I don't want to rock the boat at this moment :)
#
cwebber2 basically helps improve the weakest part of the spec, which is the "inferred ACL" problem
#
puckipedia okay, I have a fake AP server that, when you use the proxy endpoint to get a twitter url, gives you an AS2 object representing a twitter post :D
#
cwebber2 puckipedia: that's awesome!
#
cwebber2 puckipedia++
#
cwebber2 "too much karma"
#
cwebber2 is Loqi ignoring me to prevent me from karma ddos'ing ;)
#
puckipedia https://gist.github.com/puckipedia/2b5d0982883208efd6b783666242ccd4
#
cwebber2 hahaa
#
Loqi awesome
#
cwebber2 ISWYDT
#
puckipedia cwebber2: I grabbed a post with a link /and/ mention
#
puckipedia see how it translated the mentions and links as well :P
#
cwebber2 puckipedia: just any post right? ;)
timbl joined the channel
#
cwebber2 this looks really good
#
cwebber2 shit, nice job
#
puckipedia then I'm going to hook this so it piggy-backs on the Kroeg authentication, and run it for myself :P
#
cwebber2 puckipedia: mind if I link to this?
#
puckipedia of course not :P
#
puckipedia actually one sec
#
puckipedia going to recreate it
#
puckipedia fixing a few small issues I noted
#
cwebber2 ++
#
puckipedia https://gist.github.com/puckipedia/7803e80bc19f29dde4b9cc2254ba707f
#
puckipedia fun fact: I changed a thing then remembered it was cached
#
cwebber2 :)
#
puckipedia egh I feel like ther's a Kroeg bug somewhere
#
puckipedia I didn't get that mention
#
puckipedia wait was my server /aware/ that the object existed
#
cwebber2 this sounds very pedantic of your server
#
cwebber2 "server why didn't you know this was said"
#
cwebber2 "I was *aware* it was said, I just decided not to tell you about it."
#
puckipedia cwebber2: wait did you get the like back
#
cwebber2 puckipedia: yes
#
puckipedia hm
#
cwebber2 I know nightpool and Gargron are skeptical of doing it but I would be pretty amused if Mastodon one day spoke AP C2S on both their frontend and backend
#
cwebber2 especially
#
cwebber2 because then you could use mastodon's web ui against kroeg's c2s AP twitter bridge to control twitter :D
#
puckipedia :D
#
cwebber2 and it would look just like tweetdeck
#
rowan yo puckipedia i'm so into this bridge you're making
#
puckipedia so the biggest problem I'm looking at now is: do I keep track of the user's inbox locally, or do I just let it use the home_timeline
#
puckipedia cwebber2: I got that activity. I don't know what's in it yet, but I did get it
#
cwebber2 :D
#
puckipedia ah, it's the reply with the tweetdeck/mastodon c2s bridge
rowan joined the channel
#
Gargron cwebber2: i know it's cool and all but you should realize how much bigger and more complicated the mastodon frontend JS would have to be to speak C2S while staying the same
#
Gargron anyway, puckipedia: https://github.com/tootsuite/mastodon/issues/5761 i just experienced this on a ~massive~ scale after deleting a toot that received a lot of boosts
#
Loqi [puckipedia] #5761 ActivityPub: deleting a post spams a whole lot of Undo's to followers
#
Gargron (my toot, that is)
#
puckipedia aha
#
Gargron 250,000 queued jobs :thinkhappy:
#
puckipedia Gargron: you mean that you OH GOD
#
Gargron it almost cleared up now but
#
puckipedia do you have a dump of the instances those jobs are going to, just wondering
#
Gargron this needs to be fixed
#
Gargron well it would be instances whose users reblogged that toot
#
Gargron what happens is
#
cwebber2 Gargron: I would be interested to know why more complicated than it currently is... because it'd have to speak json-ld? :)
#
Gargron i send out a delete to my followers. their servers delete my toot and check if it had any reblogs. for each reblog, it sends out an Undo to *their* followers
#
Gargron etc
#
cwebber2 but I know you're also sick of me bringing it up ;)
#
cwebber2 undoception
#
Gargron puckipedia: so there's a massive overlap between who receives those Undos
#
Gargron actually it's not just undos that get forwarded afaik
#
Gargron delete also does
#
puckipedia hmm
#
Gargron yeah, otherwise original would remain on those end nodes
#
Gargron but yeah anyway so the receiving inboxes of all of those things don't get deduped
#
Gargron before sending
#
Gargron i mean, they can't be fully deduped *anyway* because one server cannot know if another has already sent this to this recipient
#
Gargron so some wasted work is always gonna be there
#
puckipedia but so you would receive it once per federated instance that boosted it
#
puckipedia ehm, hm
#
Gargron but: 1) the author of the toot should prolly not get their own delete
#
Gargron 2) you should try to forward the delete only once per inbox, instead of once per author of reblog
#
Gargron per inbox
#
Gargron if you know what i'm saying
#
puckipedia the question is, can't we implicitly do the unboosting? like, we don't need the unboost to be federated if we get the delete
#
Gargron this is true if we assume that deleting the target of an Announce should delete the Announce implicitly
#
Gargron if you tell me that's normative i'll assume as such
#
Gargron cwebber2:
#
puckipedia Gargron: well, you'd be announcing a deleted post otherwise
#
erincandescent I think that's notionally fine?
#
Gargron that's the thing, you *could* announce a deleted post for all i know
#
erincandescent Yeah
#
Gargron AP is very generic
#
cwebber2 Gargron: I don't think the spec says anything about behavior of what happens to Announce after it's been Delete'd; I think you have a lot of freedom to decide here
#
puckipedia well, you'd be announcing a Tombstone
#
erincandescent Theres no reason you couldn't announce a tombstone. It'd be weird, but you could do it
#
puckipedia which, tbh, is not useful behavior
#
cwebber2 yeah
#
cwebber2 I think Announce is probably not right
#
cwebber2 {Undo {Announce ... }}
#
Gargron ok so
#
cwebber2 is probably the right thing
#
cwebber2 Gargron: wdyt of that option?
#
Gargron no cwebber2 we do the Undo Announce right now, puckipedia is suggesting we *omit* that if the original was deleted, propagating *only* the delete instead
#
cwebber2 oh
#
cwebber2 thinking
#
cwebber2 so... right, a server, if it gets the Delete sent to them, can infer the right behavior probably
#
puckipedia and even if it didn't
#
cwebber2 by seeing "oh, it's now an Announce of a tombstone, no reason to show this anymore"
#
puckipedia then the timeline of that user would just sshow "announced [a tombstone]"
#
cwebber2 actually
#
cwebber2 that might be not bad behavior
#
puckipedia I mean for me it's more a coffin
#
cwebber2 Pumpa + Pump.io does that
#
puckipedia "⚰ here lies [post ID]"
#
cwebber2 btw
#
Gargron ok so we can reduce this traffic by half i guess
#
cwebber2 if you fetch an AS2 tombstone in Pubstrate
#
cwebber2 http://sebsauvage.net/paste/?6fe058d050e588aa#xd3AnrBcn20QcB4td5/P/E5JSR6cIbbWj1jmXXJI1eo=
#
cwebber2 you get that :D
#
Gargron aww
#
Gargron cute
#
Gargron ok so omitting the Undo->Announce, leaving only Delete, will literally reduce the traffic by 1/2
#
puckipedia more than that!
#
Gargron then we also need to add a check that if we're about to forward the delete back to its author, don#t
#
Gargron that'll reduce a bunch of useless pings also
#
puckipedia originally: status.boosts.select(a => a.boosted_by.followers.group_by(instance).count).sum()
#
puckipedia now: way less than that, like a total of 1 boost's worth of requests
#
puckipedia because the delete is generic and not for a specific follower (and might as well have as:Public in audience, imo!), while undo/boost is
#
Gargron oh we also gotta track who we received forward from, and omit forwarding it back *there*
#
Gargron tho i dont see how delete is "generic". we still need to forward it for every boost we've done so it goes to the right followers. the only dedup there is shared inboxes
#
puckipedia imagine if one instance has 10 people, all with the same 10 followers on 5 different instances. now, a post gets deleted. now instead of 5*10 requests going out for the undo, only 5 requests go out for the delete
#
Gargron but this is not how it happens
#
Gargron it's probably how it should happen if a correct deduplication algorithm is implemented
#
Gargron im considering if it would just be better to literally forward the delete to every known inbox once
#
Gargron regardless of followers, minus who sent it and who original author was
#
puckipedia and then have the receiving one filter out the forwarding
#
Gargron >minus who sent it
#
Gargron yes
#
puckipedia I mean, if it's already gone on your instance, don't forward it further
#
puckipedia so you get like, N deletes, where N is the amount of servers of the federation, and send out N deletes?
#
puckipedia anwyays I am moving to bed now