#social 2018-08-06
2018-08-06 UTC
# saranix so going back to the topic of special apps... let's say you have a site that can make special objects. Your site can authenticate the author a number of ways, but when passing that object along, there is no way to get it signed by a remote identity (the user), the software that controls that identity would have to be capable of forging arbitrary objects...
# saranix ... but what if, there was a standard interface on the actor services object (I forget the name of the field), similar to the oauth/token, but for signing objects
# saranix that would be super easy for people to implement, so they would, and it would save them from having to have a generic object UI
# saranix they would just need a signing UI which could just display the raw json for all anyone cares
# saranix better UI, just the URL ... take the user to a screen "would you like to publish?" [hidden from user]
{ type:Create, object:https://foreign-site.example/specialobjects/12432, to:<UI selected audience> }
# saranix oh yeah, optionally, content: "Hey I just memed a meme at https://objplace"
# dansup kaniini: it seems like pleroma does not wait for Accept or Reject on a remote follow. It follows them regardless of getting a response
timbl joined the channel
# kaniini dansup it does if as:manuallyApprovesFollowers is false. if as:manuallyApprovesFollowers is true, it doesn't.
# kaniini dansup mastodon takes a similar shortcut
# dansup kaniini: but I followed a GS user over AP and there was a signature error and it never responded. It doesn't have that context set. cc up201705417
# kaniini dansup there is a bug in that if an account goes from as:manuallyApprovesFollowers = false to as:manuallyApprovesFollowers = true, and pleroma does not catch the update, it will still shortcut
# kaniini dansup yes
# dansup ah
# kaniini dansup AS2 manuallyApprovesFollowers can be assumed by default to be false
# dansup pleroma uses x509 for signing?
# up201705417 dansup: actually GS sets that context...
# kaniini dansup x509 isn't a signature scheme, but mastodon and pleroma use x509 certificates
# kaniini (pleroma previously used pkcs certificates, but i changed it to x509)
# kaniini (it would be nice to have an errata statement about x509 certificate usage)
# dansup up201705417: Are you sure?
# dansup kaniini: ok, we had an issue with signature validation from pleroma.site
# dansup error:0906D06C:PEM routines:PEM_read_bio:no start line
# kaniini that sounds to me that you are not storing the key properly
# dansup up201705417: I meant the @context of the object, never thought of the actor object but only inbox/outbox are required for the actor object
# kaniini has nothing to do with pleroma
# dansup kaniini: oh, remove the newlines?
# kaniini no, you should store the key exactly as sent
# kaniini don't remove any newlines or whitespace
# dansup what http sig headers are required to be signed for pleroma?
# dansup (request-target) and date?
# kaniini you can sign whatever you want, but i suggest (request-target) date and digest
# dansup up201705417: that's it, digest!
# kaniini pleroma does not require you sign digest yet
# dansup does mastodon?
# kaniini but it will calculate the digest and check it against the signed digest
# dansup kaniini: ok thanks for the help
# kaniini mastodon does not require signing digest either
# kaniini but again, strongly recommended
# kaniini if you want to participate in a mastodon relay, you have to implement json-lds though
# dansup GS will support AP before pixelfed, had to make a big change recently that might be controversial lol
# dansup I don't care about mastodon-relays or LD
# dansup not yet anyways :P
# kaniini pleroma relay won't require lds. i should finish that branch tonight.
# dansup the big change moves boosts and other activities of people you follow to a different page. Only top level posts appear in timelines now
# dansup kaniini: cool, i look forward to setting a pleroma relay up :)
# kaniini essentially there is virtual actor https://instance.tld
# kaniini if you Follow it, it will set up the relay
# kaniini :)
# dansup it's interesting how pleroma stores the full object
# kaniini and, if you request https://instance.tld as AP object, you get an actor
xmpp-social, vasilakisfil and timbl joined the channel
# tuxether[m] Does ActivityPub support all the activity types in https://www.w3.org/TR/activitystreams-vocabulary/#activity-types? That is, if I submit a 'Join' activity which is not listed in the ActivityPub spec page, is that valid C2S considering it's valid ActivityStreams vocab?
# saranix I think the ap context inherits the as context so yes.
# fr33domlover I think it's the opposite?
# fr33domlover The AS2 context includes all the AP stuff
# fr33domlover Since the latter is a core extension of AS2
# fr33domlover The context used in AP is the core AS2 context, it just has the AP terms in it
# fr33domlover And any other extension AS may add in the future etc.
# fr33domlover tuxether[m], I guess it's valid C2S but the question is, does the AP server have any dedicated support for that activity? If AP doesn't use the Join in its spec, then I suppose nothing special happens
# fr33domlover Like, it could accept the activity and put it in your outbox, and send it to followers' inboxes and so on
# fr33domlover But wouldn't physically join you into anything unless that server has some special handling of Joins
# fr33domlover (Say, if it's some chat server that supports AP or whatever)
# tuxether[m] Hmm.. I see. But join is such a common usecase IMO.
# fr33domlover tuxether[m], well what else would you want to have happen? Other than propagating the activity
# tuxether[m] write to a database
# fr33domlover tuxether[m], well, putting the Join in your outbox is writing to a DB
# fr33domlover and propagating to follower's inboxes, it gets stored in their servers' DBs
# tuxether[m] Oh! That makes sense.
# fr33domlover tuxether[m], I guess the question is: Is a server implements C2S, does the AP spec require it to accept and propagate AS2 activities even if they don't have any other AP behavior? And in practice does anyone implement C2S? and do they follow the spec in that sense?
# fr33domlover *If a server
# tuxether[m] yes. I think my AP server has a bug, which is why I wanted to double check.
# fr33domlover I'm way behind on AP, I'm still implementing JSON-LD (very slowly indeed)
# fr33domlover Then https sigs and then hopefully can work on actual AP for my web app
# fr33domlover *http sigs
# tuxether[m] I was fortunate someone wrote a library for AP+httpsig in Golang. I get to think about much higher level concepts. All I need to do is put a bunch of callbacks in place.
# fr33domlover tuxether[m], which library are you using?
# tuxether[m] fr33domlover: go-fed. It just submitted an implementation report recently.
# fr33domlover (I'm writing in Haskell; I could choose to do AP over plain JSON but I suppose I like to be thorough and need to support extensions, so going for the long path with full JSON-LD support)
# fr33domlover tuxether[m], oh cool yeah I saw that one
# tuxether[m] fr33domlover: I'm looking forward to the Haskell implementation. It's nice to have more high-performance statically typed languages doing server stuff.
# fr33domlover tuxether[m] :)
up201705417 joined the channel
# puckipedia <fr33domlover> tuxether[m], I guess the question is: Is a server implements C2S, does the AP spec require it to accept and propagate AS2 activities even if they don't have any other AP behavior? And in practice does anyone implement C2S? and do they follow the spec in that sense? <- in order: no, yes, maybe
# fr33domlover puckipedia, does it make a difference whether the activity is a core AS2 activity or is an extension not documented in any spec?
# puckipedia it does not
# fr33domlover Hmmm I see
# puckipedia currently Kroeg will propagate anything with a proper @context
# puckipedia even if it's unknown
# fr33domlover puckipedia, I'd like to think at least the core AS2 activities are safe. I mean, if the target of the activity is on the local server, it could reject it based on some faulty logic (like joining something that isn't a group). But otherwise, just publish and propagate and it's up to the destination server to figure out what to do. I suppose people don't have motivation to publish useless activities in
# fr33domlover the first place, since it does nothing and just spams their outbox and others' inboxes
# puckipedia primarily it's because most servers don't actually store the full objects, but just the approx contents
# puckipedia secondarily, you don't want accidental side effects to happen
# fr33domlover puckipedia, hmm so why does kroeg propagate unknown stuff?
# fr33domlover I wish a spec clearly said whether to propagate unknowns or not
# fr33domlover And everyone just followed that
# fr33domlover I suppose it's not an easy question
# dansup up201705417: how's it going?
# saranix of course propagate unknowns. That's why json-ld in the first place
# fr33domlover saranix, hmmm what about what puckipedia said though about side effects. And the fact that AFAIK mastodon doesn't propagate unknowns? Or is that a different (s2s) issue?
# saranix lol idk I actually didn't read all the scrollback ;-)
# puckipedia fr33domlover: that's s2s, and that's because of the limited scope of Mastodon. propagating unknowns, imo, should be safe to do, but I don't know for sure if c2s should accept everything that would be via s2s
# puckipedia I currently do
# puckipedia the big issue right now is that, well, there are no unknowns yet
# puckipedia also yeah https://puckipedia.com/ is totally a c2s application
# fr33domlover puckipedia, I suppose any server may have limited scope. Some apps are for pics, some for videos, some for whatever
# saranix I've been bringing it up because I will be dealing with it soon
# fr33domlover s2s is different because Mastodon receiving an unknown into someone's inbox means someone from elsewhere initiated it
# puckipedia fr33domlover: so, I'd be interested in seeing multiple c2s apps (e.g. one that may be instagram-y, one that might be microblog-y, etc) talk to one generic server
# puckipedia so you can use your data any way you like, in multiple ways
# puckipedia s2s, I feel it should accept everything, but maybe throw it away silently if it can't process it
# fr33domlover c2s is a heavier decision because if you publish something, your server now has to host it as the canonical host of it
# saranix should at least let the client retrieve it, even if you can't understand it, even if that means losing some fidelity (fields)
# puckipedia definitely the former, unsure about the latter
# saranix yeah I'm unsure too, but I sympathise because most of my strategies involve storing a decoded object and not the raw
# fr33domlover I don't think it's bad if a server says "I only publish videos, you can't publish other stuff through me"
# fr33domlover "If you want to make a toot go to some Mastodon server"
# puckipedia yeah, that's c2s
# fr33domlover Yeah
# puckipedia saranix: Mastodon fixed it by just never returning the objects of a remote server in their activitypub representation
# saranix perhaps a better way would be to store unknowns as raw, the same as binary image/video/file data would be stored raw
# puckipedia mmm. doesn't work with c2s though? maybe.. hm.
# puckipedia saranix: right. Pleroma stores the objects as jsonb in postgres, and kroeg does RDF triples
# saranix yeah jsonb is pretty awesome
# saranix I just don't like having a json-ld internal model... yechh
# saranix ;)
# puckipedia I think the primary advantage of storing it as json-ld vs json is a very very tiny distinction
# puckipedia IDs
# puckipedia vs strings
# puckipedia also sets vs lists which is kinda dumb but important
Loqi_, jondashkyle_, cwebber2, dwhly and bigbluehat_ joined the channel