#social 2019-03-12

2019-03-12 UTC
#
GDorn when the mastodon UI is used on pleroma, how does it obtain the oauth token? is it embedded in an html template, or does it use the redirect_uri=urn:ietf:oauth:blahblahblah thing to display it and parse it somehow?
dmitriz joined the channel
#
dansup I just released https://pixelfed-debug.com/, the source code is here and easy to modify for other projects! https://github.com/pixelfedLabs/pixelfed-debug
ben_thatmustbeme, vitalyster, timbl, timbl_, xmpp-social and Loqi joined the channel
#
fr33domlover Should a user's following/followers collections be public?
#
fr33domlover It seems they are on Mastodon, at least by default
#
fr33domlover But it's also something private
#
fr33domlover Does anyone else feel that way?
#
csarven Each identity should decide for itself :)
#
fr33domlover csarven, I agree but is there code that relies on this data being public?
#
csarven The common pattern for social media is that it is publicly visible. Not particularly different than how people have been doing blogrolls.
#
csarven Oh, I have no idea about the inner details of implementations out ther.e
#
JasonRobinson[m] csarven (IRC): hmm not sure about "common pattern". I think we should at least try to default to better privacy.
#
JasonRobinson[m] fr33domlover (IRC): I would personally default to private, for example Diaspora does this. Mastodon emulates Twitter so I guess that is where they get their model from
#
JasonRobinson[m] Facebook defaults to public but allows changing it
#
csarven "common pattern" is just an observation. Not saying anything about how it ought to be.
#
csarven What I wrote *just before*: "Each identity should decide for itself :)"
#
csarven The owner/controller of the identity should decide (IMHO!) whether they want to publicise their relations with the world.
#
csarven Not the tool that they are using.
#
csarven The tool should enable what they want to achieve.
#
csarven So, sure, "better privacy" is what the should facilitate given the available options.
#
csarven But not some developers' notion of "what's better for everyone".
#
fr33domlover Hmmmm
#
fr33domlover Good points but I have another question
#
fr33domlover Suppose your following list is private
#
fr33domlover But the people you follow, their follower list is public
#
fr33domlover Then, it's possible to indirectly discover people you follow!
#
fr33domlover csarven, JasonRobinson, what can we do about that? ^_^
#
fr33domlover Maybe that's acceptable?
#
fr33domlover Also I noticed there isn't always a way to tell whether you're seeing the whole collection or just parts of it
#
cjslep[m] Collection page indicates it's just a part of it
#
fr33domlover Because it may be filtered, but you dont get the info about whether it is or how much of the info is hidden
#
cjslep[m] CollectionPage*
#
fr33domlover Yeah I mean you dont get to know which filtering was applied
#
fr33domlover Like, whatever custom filter the server applies
#
fr33domlover If it wishes
#
cjslep[m] Yes, that's related to an issue in the ActivityStreams GitHub. Answer is it's up to the specific implementation but the general design pattern should be based on the URI, query Params, auth, etc
#
JasonRobinson[m] > <@irc_fr33domlover:cybre.space> csarven, JasonRobinson, what can we do about that? ^_^
#
JasonRobinson[m] I'm not sure you can do anything about that. If server B which has a user you follow exposes all the information as public, better just not follow them ;)
#
fr33domlover cjslep yeah I mean the server may apply a filter based on auth, and you dont know thst
#
fr33domlover But that's okay, it just means don't rely on a follower list to be complete
#
fr33domlover You can only trust its completeness if its your own list, as a client
#
fr33domlover Otherwise, let the server access the list as needed
#
csarven Perfect example for software to aim for "better privacy" eg. if a profile's follower wishes to be undetectable/unobservable, the tool should adhere to that, and not expose it to the world. Take internal measures to hide that information from anyone but the controller.
#
csarven There is probably room for a profile to follow but not disclose that either. Or following is completely access controlled.
#
fr33domlover csarven I agree, I just mean we need an extension for this: a property to use in a Follow activity, that says "don't show people that I'm following you"
#
fr33domlover And hope that server respects your wish :)
#
csarven Yeap
#
csarven This is a subset of how much, far, to who, how long... should any piece of information should go.
#
csarven So, the control of following information is just one.. it can be about any eg. name, likes..
#
csarven statement-level access controls
#
fr33domlover Yeah
#
csarven and machine-readable privacy policies
#
csarven see also https://www.w3.org/TR/odrl-vocab/ , https://www.w3.org/TR/odrl-model/
#
fr33domlover I guess we could use auth tokens or crypto sigs here but it seems a bit too much for follows, I'll start with a custom property + trust target server to respect it
#
csarven see also rhiaro's http://dr.amy.gy/chapter3
#
fr33domlover Thanks for the links :)
timbl joined the channel
#
csarven fr33domlover: 'cascading' in particular
dmitriz, timbl, shelby and naturzukunft joined the channel
#
naturzukunft Hi all, i wonder if there is any kind of technical description of the activity stream vocabulary. something like xml schema. I've found the following, but I'm not sure if it's an extension or the base or both. https://www.w3.org/wiki/Activity_Streams/Expanded_Vocabulary#The_OWL_Definition
gwalchmai and gwalchmai_ joined the channel
#
naturzukunft https://www.w3.org/TR/activitypub Chapter 3: "Servers SHOULD validate the content they receive to avoid content spoofing attacks."
#
naturzukunft Would be nice, if the content could be validated against a specification.
#
cjslep[m] That section is talking about ensuring what Server B gets from Server A isn't being spoofed (something like having Server B dereference the @id IRI to ensure the origin's payload matches the one Server B got).
#
csarven naturzukunft: Check out https://www.w3.org/TR/shacl/ ( http://shacl.org/ ) and http://shex.io/
#
gwalchmai hey y'all! i'm trying to understand how to represent privacy/access info about activity -- e.g. an actor creates a note but only wants accepted followers (or "friends") to see this activity and note -- but i haven't found yet how that might be represented in the spec. i do see the section on privacy (https://www.w3.org/TR/activitystreams-core/#privacy) but it doesn't address how privacy is represented. is this something that's expected to be handled at
#
gwalchmai the implementation level rather than something that can be specified in the message itself?
#
cjslep[m] gwalchmai: Currently, yes. And getting it right is a can of worms (see complex consequences of mastodon's followers-only posts)
#
fr33domlover In email, you don't retrieve it after its creation, you just receive and keep it
#
fr33domlover To protect a post's privacy, either don't let anyone fetch it, or somehow let someone fetch it only if you alreay sent it to them before
#
gwalchmai cjslep: gotcha, thanks
#
cjslep[m] naturzukunft (IRC)so while that section is only about spoofed content, not about RDF structure, note that the ActivityStreams vocabulary is meant to be extensible. So rejecting messages with unrecognized properties or types is asking for interoperability trouble.
#
cjslep[m] ex: go-fed uses the following JSON-LD OWL2 definition of the ActivityStreams Vocabulary in order to generate the code representing the types as native Golang types. But it will still opaquely preserve things unknown to it, since the library is not linked-data aware at runtime.
#
cjslep[m] https://github.com/go-fed/activity/blob/master/astool/activitystreams.jsonld
dmitriz joined the channel