#social 2019-01-13

2019-01-13 UTC
#
fr33domlover
Hi people :)
#
fr33domlover
Is there a place / forum / mailing list / channel / resource for ActivityPub development info and collaboration? For example it seems that on the Fediverse HTTP signatures are valid for 30 seconds, but no standard seems to say that, I guess it's the de facto standard, but is it documented anywhere?
#
fr33domlover
If I wanted to discover these details, where should I look?
#
fr33domlover
Another such detail is the use of RSA-SHA256 for HTTP sigs, and there's the whole LitePub thing, I can't find any info about it except its website where many pages are missing
#
fr33domlover
But it already says Pleroma and PixelFed implement LitePub
#
fr33domlover
So I guess there is more info somewhere?
#
fr33domlover
dansup, ^ did you implement LitePub? If yes, where did you get all the info about it? ^_^
#
rialtate[m]
Best bet is to ask developers of individual projects directly if it matters for federation, and if it doesn't, don't let it bother you :)
#
rialtate[m]
What do you mean "valid for 30 seconds"? I think I remember mastodon having a cut off of the date header to prevent repeat and other abuse, but http sigs are ephemeral by nature. Only valid to process the request right then and there and that's it.
#
rialtate[m]
Fyi litepub has a freenode channel
#
fr33domlover
rialtate[m], I mean people use the Date header to make sure the signature can be used only within a short time period and then expires, Joyent recommends 300 seconds, Mastodon has 30 seconds iirc and iirc 30 is the common number? idk
#
fr33domlover
rialtate[m], on freenode?
#
fr33domlover
Found it :)
#
dansup
fr33domlover: I have not implemented LitePub yet
#
fr33domlover
dansup, hmmm litepub website lists PixelFed :P
#
dansup
kaniini and I have discussed it, but besides the directMessage extension it's really nothing special
#
fr33domlover
Ah I see
#
dansup
I am working on my own extensions for pixelfed, specifically for Stories
#
fr33domlover
I'm working on an AP extension too, but for something quite different: Project hosting :P
#
dansup
nice!
xmpp-social, how and timbl joined the channel
#
heluecht[m]
Chocobozzz (IRC): Are you currently online here?
#
rigelk[m]
heluecht : choco is usually not online on weekends
#
heluecht[m]
He had just done some changes to the ticket, so I assumed he might be online here as well at the moment.
#
rigelk[m]
oh okay
timbl and jdormit[m] joined the channel; jdormit[m] left the channel
#
jdormit
Wanted to circle back around to my conversation with rialtate a couple days ago about authenticating that certain requests are authorized to access privately-addressed objects
#
jdormit
How are existing projects handling that? For example, if I send a private message on Pleroma to someone on another server, how does my Pleroma instance know to allow access to a GET request coming from that server for the private message?
#
jdormit
vs. a GET request coming from that other server that isn't acting on behalf of the Actor I sent the private message to?
#
jdormit
Or does none of this matter because that other server received a copy of my message when I sent it, stored it locally, and never needs to retrieve it again?
#
jdormit
We talked about using http sigs to do that, but are any projects currently actually doing that?
#
rialtate[m]
sent a long message: rialtate[m]_2019-01-13_18:56:38.txt <https://matrix.cybre.space/_matrix/media/v1/download/cybre.space/IHgYilHHKFYuyYpnbwRlAyFz>
#
rialtate[m]
Gawd Riot seriously screws up all formatting always. Agh. :(
#
rialtate[m]
The time when a signed get fetch is really useful is when you only have a uri like an inreplyto or announce
#
jdormit
Haha still very helpful, thanks! Sounds like it's worth implementing signature verification for GETs, and since I'm building a library I'll add a hook so that client applications can plug in their own auth on top of that
#
rialtate[m]
From what I understand LitePub prefers to send uris instead of objects when possible...
#
rialtate[m]
Yeah for a lib you definitely don't want to leave out the functionality. Our httpsig constructor takes an optional actor param that contains id and privkey, otherwise it sends a normal get without sig, and we just use it for all gets. Probably backwards but it works :)
#
jdormit
That's a good approach, I'll steal it B)
timbl joined the channel