#social 2018-03-29
2018-03-29 UTC
# saranix I feel like if it was brought up in a meeting 6 months ago by someone 'famous' (in this realm) it would've been a 1.5 hr long convo where everyone unanimously agreed to keep extending. I was asked a comparison of prior meetings vs now.
# fr33domlover saranix, oh you didn't know i'm famous? ^_^
# saranix lol
# fr33domlover Ah finally fixed my dead hard disk situation, most of the stuff is back online
# fr33domlover I'm bringing this web app back too, the one i'm working on
# fr33domlover sadly i lost 2 months of data but it will be ok ^_^
cdchapman, fr33domlover, xmpp-social and bwn joined the channel
# @siilime ActivityPub: https://www.w3.org/TR/activitypub/
ActivityStreams: http://activitystrea.ms/
WebSub: https://www.w3.org/TR/websub/
WebFinger: https://www.packetizer.com/ws/webfinger/ (twitter.com/_/status/979255448162402304)
jankusanagi_, cwebber2 and ThibG joined the channel
# ThibG hi
# ThibG As far as I know, there is nothing in the ActivityPub specs to tell that an account has been suspended by the server's operators
# ThibG And I have to say that I have no idea how ActivityPub could be extended to do that
eprodrom joined the channel
# eprodrom hallloooooo
# ThibG The main issue is that as far as I understand, ActivityPub is written in such a way that an ActivityPub server could be really “dumb” and let the clients do the processing and… signing
# eprodrom you glamorous socialites
# ThibG So, it does not make much sense to store a “suspended” attribute in an object signed by the actor being suspended
# eprodrom ThibG possible but unlikely
# eprodrom that's a lot of work
# eprodrom what's the question? how to suspend a user?
# ThibG sorry you joined right after my question ;)
# ThibG <ThibG> As far as I know, there is nothing in the ActivityPub specs to tell that an account has been suspended by the server's operators
# ThibG <ThibG> And I have to say that I have no idea how ActivityPub could be extended to do that
# eprodrom 410 Gone
# eprodrom that's what we do when things are deleted
# ThibG suspended, not deleted
# ThibG also, you want to broadcast the fact that the account was suspended
# eprodrom suspended temporarily?
# ThibG yes
# eprodrom who wants to broadcast that?
# eprodrom admin account or server account
# ThibG you want end-users interacting with someone to know that person has been suspended
# ThibG even if they are on a remote server
# eprodrom so, I post to example.com/somebody 's inbox
# ThibG (so, by “broadcast” I meant, federate the information to followers, basically)
# eprodrom to humiliate that person is the goal
# ThibG no
# eprodrom tell all their friends they got suspended
# eprodrom it's a public shaming
# ThibG we're not going anywhere here
# eprodrom I just don't know what your goal is
# eprodrom an ooo message when someone sends them a message?
# ThibG The goal is to make clear the account is suspended, so that the absence of new content or replies or stuff is explained
# eprodrom sure
# eprodrom do other social networks do that?
# ThibG Yes.
# eprodrom the broadcast to followers feeds?
# ThibG ah no
# ThibG this is not what I meant
# eprodrom just a thing on the profile that says "this user is suspended"
# ThibG I mean let the software know that the account is suspended
# ThibG let the remote instances know
# eprodrom because
# ThibG so that a “this user is suspended” message can be shown there too
# eprodrom oh so when they cache the profile they can show it to the end user
# eprodrom sure
# ThibG yes
# eprodrom makes sense. would need to be a property of the as2 object for the profile
# eprodrom so, user, group, organization
# eprodrom I could see it as an extension
# eprodrom is there an issue open for this?
# ThibG the problem with it being an additional field to an ActivityPub actor object is that that object is meant to be authored and signed by the author themself
# eprodrom no it's not
# ThibG (even though in practice, the server holds the keys)
# ThibG hm
# eprodrom where did you get the idea that the actor was writable by clients?
# eprodrom that's not the case. I don't think it's defined in ap, and it's definitely not implemented that way
# eprodrom also, can you introduce yourself? I don't know you
# eprodrom * not implemented in any of the implementations I've seen
# eprodrom worth an asterisk
# eprodrom I'll take a look at the ap doc again
# ThibG No, right. By reading the spec, though, I got the idea that a server could conceivably be very “dumb” and defer stuff to the client. And in particular the client could hold the signing keys, in which case the client could just refuse to sign a “suspended” attribute.
# eprodrom ok
# eprodrom so, do you work on like LDP or something?
# ThibG In practice, I don't know of any server doing that, though, but I think it's worth leaving that as a possibility, if possible
# eprodrom solid, what have you?
# ThibG To reply to your earlier question, I haven't filed any bug against the spec about this, but the discussion comes from an issue in Mastodon
# eprodrom ok
# ThibG Currently, suspending a user here == broadcasting its deletion
# eprodrom uh huh
# eprodrom ok, so, you're talking about a rational server that works at scale
# eprodrom let's drop the dumb-server requirement
# eprodrom a property on the actor object should do the job fine
# eprodrom thibg, I'll open an issue on as2 and link to the Mastodon one
# ThibG ok thanks!
# ThibG Yeah, an additional property on the actor object would be the easiest way to go
# ThibG but nothing in the design of ActivityPub requires the server to hold the keys so far
# ThibG (afaik)
# ThibG and that thing would
# ThibG (well, not really, but it would prevent a “key-less” server from notifying that a user has been suspended, at least)
# eprodrom sure
# eprodrom but a lot of stuff in the actor object is probably best not user editable
# eprodrom id, type, published, updated
# ThibG well you can always check server-side for those
# ThibG (and reject bad values, forcing the user to provide valid values if they want their profile updated)
# eprodrom or just ignore them
# ThibG not if the user is the one signing
# eprodrom client
# eprodrom so, the client sends an Update activity with some values to the user's outbox...
# eprodrom the activity is signed for some reason...
# eprodrom and it's got bunkum values not supported by the server.
# ThibG then it doesn't process the update
# eprodrom I think the server could ignore those properties and do the update, or not
# eprodrom as a server dev, I'd figure it was just sloppy client development
# ThibG hm, I'm not sure we're discussing the same thing
# eprodrom yeah
# ThibG I meant, although it's not quite in the scope of ActivityPub itself, objects can be signed with the user's key to prove authenticity
# eprodrom so, it sounds like you are expecting something lokr
# eprodrom to whom?
# ThibG To other servers, typically
# eprodrom it's authentic because you fetch it from https://example.com/user
# ThibG This is done in most implementations, but I don't know of any implementation that doesn't hold the keys, though
# ThibG when you *deliver* it
# ThibG to someone's inbox
# eprodrom ok
# eprodrom I need to look at the Mastodon impl
# eprodrom let me see if I understand what you want
# ThibG so my point is that ActivityPub doesn't prevent a server+client system where the signing is done by the client rather than the server
# eprodrom you're saying it doesn't prevent thay
# eprodrom that
# ThibG in this situation, if the user wants to send something, they have to craft a valid activity and sign it
# eprodrom that's possibly true
# eprodrom it's not a goal though
# ThibG hm ok
# ThibG I always thought it was a goal
# eprodrom why
# eprodrom i mean, it doesn't seem to be a stated goal
# ThibG anyway, when the user wants to send activities, it falls on them to push correct values, and the server can always reject bad values
# ThibG when the server wants to mark a user as suspended, it would be silly to ask for their cooperation
# eprodrom let's stop saying user and start saying client
# ThibG ok
# eprodrom I'm good so far
# ThibG yeah, that's about all
# eprodrom so, I think we only differ on the importance of digital signatures
# eprodrom which is fine
# ThibG ok
# eprodrom ok, we've got an open issue
# eprodrom I'll put it on the socialcg agenda for 2 weeks from now
# eprodrom rhiaro, I need your help pushing a new version of the as2 context doc
# eprodrom or Sandro
# ThibG I'll try to explain my reasoning on the issue
# eprodrom that sounds great
# ThibG https://github.com/w3c/activitystreams/issues/466#issuecomment-377242297 I hope that's clear
eprodrom_ joined the channel
# e_s_p s/hi+/hi/
# e_s_p wait
# e_s_p s/(hi)+/hi/g
# e_s_p shit
# e_s_p This is a dumb thing for me to be working on
# e_s_p cwebber2: did you see the discussion about suspending an account?
# saranix 503 Service Unavailable seems like a logical solution. Dumb servers who know nothing of any special properties will recognize the endpoint as being unavailable and try again later
# saranix the content returned with the 503 could indicate more detail about why
# saranix smart servers can display this detail
# saranix to the end user
# saranix only downside would be "dumb" servers who think that the whole server is down just because an endpoint is down
# saranix to dumb people? lol. It doesn't mean that. It literally doesn't. But yeah, some bad developers might ASSume... ;-)
# saranix "The implication is that this is a temporary condition which will be alleviated after some delay." in the RFC
# saranix apparently there is also a "retry-after" response header to give a hint when to try again
JanKusanagi and bwn joined the channel
# saranix technically, the 4xx client error *would* be better, because it indicates that the client request (the uri) is definitely the thing at fault... but there isn't an appropriate 4xx with retry semantics
# saranix except perhaps 403
# saranix yeah
# saranix with a 2xx it would also get indexed too... depending on if that's what you want... a semi-permanent record of when an account was suspended... kind of goes to the "shaming" thing eprodrom said
# saranix also might make sense to make a distinction between Accept html and Accept ActivityStreams
eprodrom_ joined the channel
# saranix yeah, but sadly, it does imply permanence according to RFC
# saranix "no longer here and won't come back"
# saranix or something like that, too lazy to flip back to that window
eprodrom joined the channel
# cwebber2 if you wanted to see my libreplanet talk it's here: https://media.libreplanet.org/u/libreplanet/m/standardizing-network-freedom/
# cwebber2 and here's the slides: https://dustycloud.org/tmp/standardizing-federation.pdf
eprodrom_ joined the channel
# eprodrom_ cwebber, I'm not sure about "suspended"
# eprodrom I don't quite get the flow
# saranix hmm... it seems G**gle (ab)uses 402 Payment Required to indicate suspension due to resource limits... to me that implies you want the client to pay, and not for someone to pay their server bill though... meh
jankusanagi_, h_ll_k_n, JanKusanagi and eprodrom_ joined the channel
# eprodrom_ Sandro, rhiaro ping
# eprodrom interesting conversation on the suspend issue
# eprodrom making me think about how to tell if an activity is "true"
# eprodrom or "truth"
# eprodrom "truthy"
# eprodrom like, for a create activity, check that actor and object exist, that object.attributedTo = actor.id, that published timestamps match, that content, summary, name, etc. of object match (if not updated)
# eprodrom actually this is more for falsification
# ThibG In Mastodon, things are signed by the author, and that's about it. When they aren't signed, they are fetched from the actor and verified.
eprodrom_ joined the channel
# saranix eprodrom_, Create activities are defined as ad-hoc though, the server "forges" them on behalf of the client as a matter of course. Will timestamps necessarily match? and what if they didn't? What would that prove?
# eprodrom_ defined as ad hoc what?
# saranix eprodrom_, also, what about post-dated publishing times
# eprodrom_ yes, I think it makes more sense as a degree of belief rather than a discrete boolean value
# saranix ad hoc federation... ad hoc "wrapping" it in an activity.
# saranix err, but what does it prove? I don't get it I guess...
# eprodrom_ oh you mean the c2s thing where you post an object rather than an activity
# saranix yeah
# saranix that's what you're talking about matching, right?
# eprodrom_ no, those are stupid
# saranix lol
# saranix I'm lost then
eprodrom joined the channel
# eprodrom that's a good question
# eprodrom a program could refuse to accept activities that look false, or show them to the user with some kind of indicator of suspicion
# eprodrom if a remote server received a Like activity with actor = Evan and object = a note, "The implied create feature is great." ...
# eprodrom by cwebber
# eprodrom it might be valuable to verify that activity
# eprodrom did cwebber really say it? do the properties match up? is Evan in the list of likers? is the object in the list of things Evan likes?
eprodrom_ joined the channel
# eprodrom_ I used Create as an example
# eprodrom_ you could do similar verification on any verb
# eprodrom_ although if the processing software doesn't know about the verb, it's less possible
eprodrom, eprodrom_, sknebel, bwn and fr33domlover joined the channel
# @lightweight @VikOlliver @nullary @teh_aimee @BR3NDA @piawaugh @joindiaspora Yes, they are all implementing ActivityPub - https://www.w3.org/TR/activitypub/ the open standard underlying the fediverse (another is Matrix, the open messaging standard, which is similar in spirit but for different use cases). (twitter.com/_/status/979456021402828800)
# saranix someone should correct them, @joindiaspora is not
bwn joined the channel