#social 2018-06-30

2018-06-30 UTC
fr33domlover2, fr33domlover3, fr33domlover4, cwebber2, fr33domlover and fr33domlover1 joined the channel
# 03:11 
aaronpk Gargron: I tried to reply to your example post following your new guide, but I got a 401 Unauthorized response from your inbox and now i'm stuck
fr33domlover3, fr33domlover4 and fr33domlover joined the channel
# 03:33 
ajordan hey so I've got a question for the AP folks: I'm sitting with IndieWeb folks here and we're trying to get HTTP Signatures working
fr33domlover1 joined the channel
# 03:34 
ajordan if we're requiring LDS anyway for the comment-on-share problem why are we even bothering with HTTP signatures?
# 03:34 
ajordan what are they getting us
fr33domlover2, fr33domlover3, fr33domlover4, fr33domlover, fr33domlover1, bblfish and xmpp-social joined the channel
# 08:48 
jaywink[m] I totally agree, now there are two separate delivery/authority related technologies that have to be implemented when one would have been enough - signatures. They always prove the payload was from who it says it was. Tried hard pushing this during the WG but I guess LDS was too much of a draft - but then now it's required anyway :)
# 09:03 
saranix LDS is fairly complex and while it does add the capability of 3rd party transit, there are those that would question whether 3rd party transit is really necessary or even many who believe it's something to be avoided.
# 09:04 
saranix I'm on the side of the fence that is a good thing that AP can be implemented with HTTP sig only
# 09:06 
saranix and FWIW the spec doesn't say you *have* to implement HTTP sig either. If you choose LDsig only without HTTP sig that is spec compliant. It is only bad implementations that insist on both to work.
# 09:06 
jaywink[m] the problem is third-party transit is in the core AP spec. It's not even a SHOULD, it's a MUST.
# 09:07 
saranix where?
# 09:07 
jaywink[m] https://www.w3.org/TR/activitypub/#inbox-forwarding
# 09:07 
saranix not the same thing
# 09:07 
saranix that can be read to mean only other recipients on the same server
# 09:08 
jaywink[m] well, only if you're aiming for broken discussions ;)
# 09:08 
saranix not true
# 09:08 
saranix broken discussions was again always a bad implementation thing, never a protocol thing
# 09:09 
jaywink[m] "The following section is to mitigate the "ghost replies" problem which occasionally causes problems on federated networks. "
# 09:09 
jaywink[m] It's mentioned in spec - whether or not one thinks it shouldn't be
# 09:10 
saranix it still can be done elsewise
# 09:11 
jaywink[m] sure, you could check from the origin as the third-in-line receiver. but http sigs wont solve this problem, afaict they even make this delivery not possible (though not an expert on http sigs)
# 09:11 
saranix A server need only know of the existence of new replies, it does not need to receive them from anyone in particular. It can also fetch them straight from the canonical source always. 3rd party transit is NOT technically required. It just isn't.
# 09:12 
jaywink[m] the point was we now implement http sigs and LDS - but for what reason do we implement both? (going back to the original question by ajordan)
# 09:12 
saranix and I answered that. Both aren't necessary. So don't. :-P
# 09:12 
jaywink[m] what fun is making a federated platform that doesn't federate with others then? ,)
# 09:13 
jaywink[m] if all the others do, you have to, or your platform doesn't federate
# 09:13 
saranix "be liberal and what you accept, and conservative in what you send"
# 09:13 
jaywink[m] doesn't help if the others don't follow the same rules you do ;)
# 09:13 
saranix you have to ALLOW both... you don't have to (and should REQUIRE) both. Big DIFF
# 09:13 
saranix *shouldn't
# 09:14 
jaywink[m] a protocol will more be defined by implementations not spec
# 09:14 
jaywink[m] and currently implementations are requiring http sigs and lds
# 09:14 
saranix no no no no
# 09:14 
saranix spec doesn't require
# 09:14 
saranix that means those implementations are WRONG
# 09:14 
saranix fix them
# 09:14 
jaywink[m] spec doesn't but implementations do
# 09:14 
saranix exactly
# 09:14 
saranix they are wrong
# 09:15 
saranix fix them
# 09:15 
jaywink[m] that is easy for you to say. hey mastodon, drop your http sigs and lds requirement ok tnx :)
# 09:16 
saranix if they want to say they are spec compliant, they will be able to talk with any other server that implements the minimum spec. If they cannot receive from implementations that follow only the minimum spec, they are lying about being complioant. Plain and simple.
cwebber2 joined the channel
# 13:38 
Gargron jaywink[m]: saranix: aaronpk: LD sigs are not required and indeed only used for forwarding
# 13:39 
Gargron so you can do an implementation entirely without them
# 13:40 
Gargron aaronpk: i heard someone else was also having trouble with the 401 error based on my tutorial. i havent figured out whats wrong yet
# 13:41 
Gargron "why did we implement both http sigs and ld sigs"
# 13:41 
Gargron first off, LD sigs are monstrously complicated to implement due to the canonicalization stuff
# 13:41 
Gargron so having it as a base requirement didn't seem viable
# 13:42 
Gargron http sigs are really simple in comparison and they get the job done: "does this delivery come from the right actor?"
# 13:43 
Gargron and it does make sense that http sigs should not be required if there is an LD signature, it's just due to the order in which they were implemented in mastodon that it's not really possible
# 15:22 
aaronpk We tracked down a bug yesterday where the error message was not being reported on a bad signature. You have a PR for that from schmarty now
# 15:22 
aaronpk we still couldn't figure out *why* the signature didn't validate tho
cwebber2 and bblfish joined the channel
# 18:09 
dansup Hey up201705417, are you around?
# 18:11 
dansup aaronpk: What language are you using? I found a great http sig/guzzle library
# 18:11 
up201705417 dansup: yes
# 18:11 
aaronpk i was just following gargron's tutorial so I used ruby
# 18:12 
dansup aaronpk: Ah I see, this is what pixelfed is using https://github.com/99designs/http-signatures-guzzlehttp
# 18:12 
Loqi [99designs] http-signatures-guzzlehttp: Guzzle 6 support for 99designs http-signatures library
# 18:12 
dansup up201705417: Should we move GNU/Social ActivityPub plugin discussion here?
# 18:13 
up201705417 sure :)
# 18:14 
nightpool[m] aaronpk: i'll try to take a look at that this afternoon, it's probably a stupid logic bug in the ruby code
# 18:15 
dansup up201705417: Sounds good, what do you plan on working on next?
# 18:16 
up201705417 well, per the boards my next task is Actor Inbox: https://git.gnu.io/dansup/ActivityPub/boards
# 18:16 
up201705417 But it might be a good idea to get redis caching and http signatures working first
# 18:16 
up201705417 that's why I was studying about those now
# 18:17 
dansup Did I show you this already? https://redis.io/topics/twitter-clone
# 18:18 
up201705417 oh, nice :)
# 18:26 
dansup up201705417: I wonder if there is an event hook for the search, would be nice to be able to search remote profile/statuses like Mastodon
# 18:29 
up201705417 ahm, isn't that already done by GNU Social? I mean, the moment the instances interact the search already includes the remote instances data, right?
# 18:30 
nightpool[m] only profiles/statuses that are loaded locally
# 18:30 
nightpool[m] mastodon lets you retrieve remote content by urls
# 18:30 
dansup up201705417: https://git.gnu.io/dansup/gnu-social/blob/master/actions/profilecompletion.php#L39
# 18:31 
dansup nightpool[m]: yeah that is pretty cool
# 19:16 
aaronpk dansup: you're able to create an http sig with that library that mastodon accepts?
# 19:17 
nightpool[m] there are a lot of http signature libraries i know mastodon works with
# 19:17 
nightpool[m] https://github.com/joyent/node-http-signature, for ex
# 19:17 
aaronpk it apparenlty doens't work with the ruby one in the blog post 😂
# 19:17 
Loqi [joyent] node-http-signature: Reference implementation of Joyent's HTTP Signature Scheme
# 19:17 
aaronpk or there's some other missing info
# 19:22 
aaronpk am I looking at the wrong spot? Why is the placeholder secret used here? https://github.com/dansup/pixelfed/blob/b9c02e5b6862263bd45747e502fbc76b447aa905/app/Jobs/RemoteFollowPipeline/RemoteFollowPipeline.php#L58
# 19:41 
dansup aaronpk: yeah, and I never finished that. I'm not sure how that landed as a commit already lol
# 19:43 
aaronpk so wait where do you use that library to make a correct signature?
# 19:43 
dansup https://github.com/dansup/pixelfed/blob/dev/app/Util/ActivityPub/Inbox.php#L28
# 19:43 
dansup to verify an incoming payload
# 19:43 
dansup its not committed yet, but I'm pretty close
vasilakisfil joined the channel
# 21:01 
aaronpk Gargron: found the problem! your blog post says "(request-target): POST /inbox\n..." but it should be "(request-target): post /inbox\n..." instead
# 21:14 
nightpool[m] omg
# 21:15 
aaronpk also when did author/actor change to attributedTo?
cwebber2 joined the channel
# 22:13 
nightpool[m] aaronpk: they're two different things. Activities have an actor, objects are attributedTo
# 22:13 
nightpool[m] > The attributed entities might not be Actors. For instance, an object might be attributed to the completion of another activity.
# 22:14 
aaronpk which one is the one that mastodon et al use to show who wrote the post?
# 22:25 
nightpool[m] aaronpk: hmm
# 22:26 
nightpool[m] looks like it's a little ambiguous.
# 22:26 
nightpool[m] When receiving a message, it only cares about the activity
# 22:26 
nightpool[m] but when you look up a post by URL, it doesn't expect to find the enclosing Create, only the Note itself.
# 22:26 
nightpool[m] so it uses attributedTo then
# 23:46 
Gargron aaronpk: thanks for figuring it out and im really sorry about messing it up like that!
# 23:46 
Gargron https://mastodon.social/@Gargron/100296438118964338 credited you
# 23:47 
Loqi [Eugen] Hey, earlier version of my blog post about ActivityPub contained a mistake, uppercase POST instead of lowercase post, inside the HTTP signature, which led to it not working in practice. The article is fixed: https://blog.joinmastodon.org/2018/06/how-...