Post ASoeMdpFdmpYgPC9GC by alex@gleasonator.com
(DIR) Post #ASoDRJ3VapwMx2rbii by alex@gleasonator.com
2023-02-18T16:07:39.027282Z
7 likes, 1 repeats
A couple weeks ago someone said “HTTP Signatures are the reason ActivityPub will never succeed” and I was thinking “REALLY? Of all the things, not social issues but a technical detail? I don’t buy that.” Well after a week of trying to implement HTTP Signatures (and copying other people’s code!) it finally works on Mastodon and Misskey, but gets rejected by Pleroma.
(DIR) Post #ASoEPzYmgwGy9SQhlY by alex@gleasonator.com
2023-02-18T16:18:36.598926Z
1 likes, 0 repeats
The problem with ActivityPub and the various documents around it, is that they try to do EVERYTHING. HTTP Signatures is theoretically extensible to every possible signing algorithm on the planet, even though in practice everyone uses “RSASSA-PKCS1-v15” (I hate that I know that). This means you parse and support it 10 different ways just to do one thing. Meanwhile ActivityPub can have any URL making it extremely hard to fetch things because you have to fetch a URL to know which URL to fetch. I suppose the idea is that if we adopt standards that can solve multiple problems, we’ll get overlapping contributions from people who don’t do social media stuff but want HTTP Signatures (etc) for other reasons. But in practice that doesn’t really happen, and we just have overly complex systems for no reason. Also this does matter, because if big important people don’t implement it because it’s too hard, it will hamper adoption.
(DIR) Post #ASoEQcp6iBVDvNMn7g by colinsmatt11@gleasonator.com
2023-02-18T16:17:39.551548Z
1 likes, 0 repeats
@alex I once thought about making an activitypub server for fun, after implementing .well-known I thought about doing http sigs and realised it's better to not continue this.
(DIR) Post #ASoEk7MBPfjU7m8GOG by james@gleasonator.com
2023-02-18T16:16:50.529658Z
0 likes, 0 repeats
@alex I thought Pleroma has HTTP Signatures as it's compatible with Mastodon?
(DIR) Post #ASoEk7vdHs5ZtiiZe4 by alex@gleasonator.com
2023-02-18T16:22:16.097830Z
1 likes, 0 repeats
@james Pleroma supports them. It says “Invalid signature”. Oddly if I corrupt the actor profile it accepts my activities, making me think there’s a security vuln in it. Because of course there is, because it’s so fucking complicated no sane person can perfectly implement it.
(DIR) Post #ASoF35fJvRncNg89UO by flappypaddle@shitpost.racing
2023-02-18T16:24:54.946423Z
1 likes, 0 repeats
Now you just need to return it into an XML RPC request base64 self signed via gpg using a locally cached key which is checked every day..
(DIR) Post #ASoF4bRPGoWTDkLMqu by alex@gleasonator.com
2023-02-18T16:25:56.831785Z
0 likes, 0 repeats
@flappypaddle This ☝️
(DIR) Post #ASoFAzvv7cE8v3fKOO by colinsmatt11@gleasonator.com
2023-02-18T16:25:43.163908Z
1 likes, 0 repeats
@alex One of the most important parts, it's still a composition of different standards from various things. Like OStatus nothing really changed. And there is little to nothing in terms of learning materials other than code of actual implementations.
(DIR) Post #ASoKmP3nA9cXKo0FWa by dave@podcastindex.social
2023-02-18T17:29:58Z
1 likes, 0 repeats
@alex This is true. There is a "strike zone" of specificity in a spec/protocol where you serve the needs of the immediate use case, but leave enough room for flexibility without overwhelming the immediate use case audience with complexity for a benefit that may or may not ever materialize.
(DIR) Post #ASoTfFawr4fBXUAxgu by alex@gleasonator.com
2023-02-18T19:09:27.164327Z
0 likes, 0 repeats
Update: Pleroma can’t handle the (created) pseudo header. So don’t sign with that. 🙃 Now it works fine.
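Added example, not part of the thread and not fedisign's or Pleroma's code: how the draft-cavage signing string changes when `(created)` is in the signed header list, and how a verifier that only knows `(request-target)` cannot rebuild it and so rejects the request. The request, key IDs and signature bytes are constructed, and the "legacy" verifier is a hypothetical one; the RSA step is left out because the mismatch happens before any key is used.

```python
import base64
import hashlib

def digest_header(body: bytes) -> str:
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def parse_signature_header(value: str) -> dict:
    """Split keyId="...",headers="...",signature="..." into a dict."""
    params = {}
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        params[key] = val.strip('"')
    return params

def signing_string(method, path, headers, signed, params, pseudo_ok):
    """Rebuild the exact bytes the signer signed, one line per listed header."""
    lines = []
    for name in signed:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name == "(created)" and name in pseudo_ok:
            lines.append(f"(created): {params['created']}")
        elif name.startswith("("):
            raise ValueError(f"unsupported pseudo-header {name}")
        else:
            lines.append(f"{name}: {headers[name]}")
    return "\n".join(lines)

# Constructed request and Signature headers (signature values are placeholders).
BODY = b'{"type":"Follow"}'
HEADERS = {"host": "remote.example", "date": "Sat, 18 Feb 2023 19:09:27 GMT",
           "digest": digest_header(BODY)}
KEY = 'keyId="https://local.example/users/alice#main-key"'
SIG_WITH_CREATED = (KEY + ',algorithm="hs2019",created=1676747367,'
                    'headers="(request-target) (created) host digest",'
                    'signature="Y29uc3RydWN0ZWQ="')
SIG_LEGACY = (KEY + ',algorithm="rsa-sha256",'
              'headers="(request-target) host date digest",'
              'signature="Y29uc3RydWN0ZWQ="')
LEGACY_ONLY = ("(request-target)",)          # hypothetical older verifier
CURRENT = ("(request-target)", "(created)")  # verifier that knows (created)

def verifier_input(sig_header, pseudo_ok):
    """Return the string a verifier would check, or None if it must reject."""
    p = parse_signature_header(sig_header)
    try:
        return signing_string("POST", "/inbox", HEADERS,
                              p["headers"].split(), p, pseudo_ok)
    except (KeyError, ValueError):
        return None
```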
(DIR) Post #ASoZrTDubsqt0Ubw6i by alex@gleasonator.com
2023-02-18T20:18:52.918266Z
2 likes, 0 repeats
Update: this broke Mastodon.
(DIR) Post #ASoaPTapk3iw01Y0Uy by matty@nicecrew.digital
2023-02-18T20:25:07.057686Z
0 likes, 0 repeats
What is the point of HTTP signatures?
(DIR) Post #ASoag9X1aD3shdiZ7I by alex@gleasonator.com
2023-02-18T20:28:04.432103Z
1 likes, 0 repeats
@matty See: https://gleasonator.com/@alex/posts/ASoYOAdWMBncls165w
(DIR) Post #ASoathy0rflNGanynw by matty@nicecrew.digital
2023-02-18T20:30:35.638680Z
0 likes, 0 repeats
I'm not quite understanding this. Is it a security related thing? Sorry, I am retarded.
(DIR) Post #ASobQZWrG2zAeXm4QK by alex@gleasonator.com
2023-02-18T20:36:26.258788Z
5 likes, 0 repeats
@matty Without this, some tranny would send posts to nicecrew.digital from @alex and it would be me saying “I love trannies” even though I didn’t post that.
(DIR) Post #ASobVCcRrazJ2zb5U0 by matty@nicecrew.digital
2023-02-18T20:37:19.807176Z
0 likes, 0 repeats
That makes things a lot more simple. Thank you for dumbing it down for me :pepe_durr:
(DIR) Post #ASobWxYIqvRCthUoee by PhenomX6@fedi.pawlicker.com
2023-02-18T20:37:41.957557Z
1 likes, 0 repeats
Is this the same as signed fetches?
(DIR) Post #ASodhQ0C8CqzwAenSK by Moon@shitposter.club
2023-02-18T21:01:58.036668Z
0 likes, 0 repeats
@alex > ActivityPub can have any URL making it extremely hard to fetch things because you have to fetch a URL to know which URL to fetch. I am not quite getting this, can you explain this further?
(DIR) Post #ASoeMdpFdmpYgPC9GC by alex@gleasonator.com
2023-02-18T21:09:20.395742Z
2 likes, 0 repeats
@Moon For example if I have the user’s AP ID (like https://shitposter.club/users/Moon) I do NOT know their inbox, follower address, public key ID, etc. I have to fetch you to find that information out. Wouldn’t it be nice if it were guaranteed to be at :id/inbox? Or even that users in general were guaranteed to be under /_ap/:username? Same with Webfinger. Not only that, but /.well-known/host-meta tells you how to fetch WEBFINGER. I have to fetch a thing to fetch a thing to fetch a thing to tell me where I can fetch the thing from. Wouldn’t it be nice if it were all one endpoint… like maybe a single Websocket stream I could subscribe to to get back certain events… like…
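Added example, not part of the thread: the lookup chain described in the post above (host-meta, then WebFinger, then the actor document) walked over constructed responses, so the number of fetches needed before the inbox and key ID are known is visible. The host `social.example`, the documents and the `resolve` helper are assumptions for illustration; the id/owner comparison is a precaution added here because every document in the chain is supplied by the remote server.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote

XRD = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
ACTOR = "https://social.example/users/moon"  # constructed actor ID
# Constructed responses keyed by URL; stands in for HTTP so this runs offline.
WEB = {
    "https://social.example/.well-known/host-meta":
        '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="lrdd" '
        'template="https://social.example/.well-known/webfinger?resource={uri}"/></XRD>',
    "https://social.example/.well-known/webfinger?resource=acct%3Amoon%40social.example":
        json.dumps({"subject": "acct:moon@social.example", "links": [
            {"rel": "self", "type": "application/activity+json", "href": ACTOR}]}),
    ACTOR: json.dumps({
        "id": ACTOR, "type": "Person",
        "inbox": "https://social.example/inbox/7f3a",  # not at :id/inbox
        "followers": ACTOR + "/followers",
        "publicKey": {"id": ACTOR + "#main-key", "owner": ACTOR,
                      "publicKeyPem": "<constructed placeholder>"}}),
}

def resolve(handle: str):
    """Walk host-meta -> WebFinger -> actor; return (endpoints, urls_fetched)."""
    fetched = []

    def fetch(url):
        fetched.append(url)
        return WEB[url]

    user, host = handle.lstrip("@").split("@")
    xrd = ET.fromstring(fetch(f"https://{host}/.well-known/host-meta"))
    template = next(link.get("template") for link in xrd.iter(XRD + "Link")
                    if link.get("rel") == "lrdd")
    resource = quote(f"acct:{user}@{host}", safe="")
    jrd = json.loads(fetch(template.replace("{uri}", resource)))
    actor_url = next(link["href"] for link in jrd["links"]
                     if link.get("rel") == "self"
                     and link.get("type") == "application/activity+json")
    actor = json.loads(fetch(actor_url))
    # Bind the key to the actor that was actually fetched before trusting it.
    if actor["id"] != actor_url or actor["publicKey"]["owner"] != actor["id"]:
        raise ValueError("actor id / key owner mismatch")
    return {"inbox": actor["inbox"], "followers": actor["followers"],
            "key_id": actor["publicKey"]["id"]}, fetched
```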
(DIR) Post #ASoeW3myTm0noScZn6 by Moon@shitposter.club
2023-02-18T21:11:07.770005Z
1 likes, 0 repeats
@alex oh yes, very similar to recent issues i was having with gotosocial and also something i noticed, AP probably should have just had standardized where things are.
(DIR) Post #ASoezp4pk5Z2s8AOHI by alex@gleasonator.com
2023-02-18T21:16:25.522300Z
1 likes, 0 repeats
@PhenomX6 They’re related.
(DIR) Post #ASof7K5yoZmB6LHN7g by alex@gleasonator.com
2023-02-18T21:17:48.218472Z
1 likes, 0 repeats
Okay I finally fixed it. Works with Mastodon, Pleroma, Misskey: https://gitlab.com/soapbox-pub/fedisign/-/commit/fded17e25cea70efc4cd1016fd2eb724aa5e46e7
(DIR) Post #ASofPwhS1VR62jgakC by Moon@shitposter.club
2023-02-18T21:21:13.720685Z
1 likes, 0 repeats
@alex absolutely agree but for the record anything under .well-known is by definition standardized to that location so you shouldn't have to ever look it up
(DIR) Post #ASoj2bJdlJl2sUfkxc by dwaltiz@pleroma.soykaf.com
2023-02-18T22:01:49.247976Z
0 likes, 0 repeats
@alex @Moon IIRC WebFinger was intentionally omitted from the ActivityPub spec, with some exception added with the hope that services that rely on WebFinger would eventually migrate to doing stuff through ActivityPub only. Haha, yeah... About that...
(DIR) Post #ASojWrqSs2hUpYSSZs by Moon@shitposter.club
2023-02-18T22:07:17.948593Z
1 likes, 0 repeats
@dwaltiz @alex webfinger turned out to be a lot less relevant than i expected if you only use it for basically the one single thing that mastodon requires it for which is to turn a handle uri into the AP ID URL, which again would have been unnecessary if a URL format was just specified. I can think of all kinds of objections to having standard urls but in practice it would be better 100% of the time until it had to be tweaked for a more, actually decentralized system (which honestly will probably never happen anyway)
(DIR) Post #ASojienDE1Rjp9YgUq by Moon@shitposter.club
2023-02-18T22:09:25.368355Z
0 likes, 0 repeats
@a @alex > usernames shouldn't be in ids at all, and inboxes shouldn't be guessable I disagree, also i actively dislike having single endpoint
(DIR) Post #ASojwBtxRGMSH2APzc by Moon@shitposter.club
2023-02-18T22:11:52.793860Z
0 likes, 0 repeats
@a @alex i'm not hardcore on standardizing the URLs but it would make a lot of common situations easier to deal with, totally open to arguing about how it's not a good idea.
(DIR) Post #ASojyiUtDgazwke7DU by Moon@shitposter.club
2023-02-18T22:12:19.878248Z
0 likes, 0 repeats
@a @alex 100% okay with that.
(DIR) Post #ASokEmaflj1lH70nVg by Moon@shitposter.club
2023-02-18T22:15:14.118474Z
0 likes, 0 repeats
@a @alex I dealt with this because gnu social let you change them, but was halfassed and broke everything. later servers just didn't let you change them because 100% coverage of this feature is a pain in the ass to do.
(DIR) Post #ASokseJ5zBmpARnfJQ by Moon@shitposter.club
2023-02-18T22:22:25.102371Z
0 likes, 0 repeats
@a @alex don't laugh at me for considering this a problem, but also because you have to rewrite every activity to fix the handles.
(DIR) Post #ASol0L6VGa8fvWZqPQ by Moon@shitposter.club
2023-02-18T22:23:49.619249Z
0 likes, 0 repeats
@a @alex my bias is toward smaller and admittedly less flexible systems
(DIR) Post #ASolaiIsUKv2Iui4Gm by ryan@rebased.io
2023-02-18T22:30:24.675808Z
0 likes, 0 repeats
who needs username changes when migrations are a thing
(DIR) Post #ASoleNk0seVJgo9Ra4 by Moon@shitposter.club
2023-02-18T22:31:03.792623Z
0 likes, 0 repeats
@a @alex you don't have to change the link to the AP ID but the actual string in the content won't change which is confusing. or you can try to change it, which is fraught with problems because the note body can be anything. I don't even know how you could fix this if you could time travel because the network transitioned from ostatus and gnu social so we were stuck with a lot of decisions.
(DIR) Post #ASolle8iJHe0ZjAWYa by ryan@rebased.io
2023-02-18T22:32:23.242268Z
0 likes, 0 repeats
but honestly why would you want to do either except in fringe circumstances
(DIR) Post #ASomk9TIwltT7oeQvA by Moon@shitposter.club
2023-02-18T22:43:18.820959Z
0 likes, 0 repeats
@a @alex > if/when i do my thing, i am not going to have compat with existing fedi as a design goal. only correct answer if you want to do it right and i wish you success.
(DIR) Post #ASomvkwDzJFCViiBJw by Moon@shitposter.club
2023-02-18T22:45:24.889059Z
0 likes, 0 repeats
@a @alex for the record i am not against nick changes philosophically and i think if you plan everything around it from the very beginning you can do it and not have it suck
(DIR) Post #ASonMqHCFSeUsyR8c4 by feld@bikeshed.party
2023-02-18T22:49:55.907108Z
1 likes, 0 repeats
> shouldn't be guessable It's not private information, it just requires you chain multiple requests and parse responses to piece it together
(DIR) Post #ASop2Snw0TrsCn9zW4 by Moon@shitposter.club
2023-02-18T23:09:01.922062Z
0 likes, 0 repeats
@a @amy my whining about standard urls is pointless anyway because the spec is already made and now if you wanted to do it you would have to get buy-in from every single existing AP project and still support old AP servers forever so real benefit.
(DIR) Post #ASopodqiFHugMOQt2u by Moon@shitposter.club
2023-02-18T23:17:43.360472Z
0 likes, 0 repeats
@a @amy do you remember that essay moxie marlinspike wrote about federated protocols and everybody just fucking hates his guts? I think he was mostly right.
(DIR) Post #ASor39jIbymjFBRx7g by Moon@shitposter.club
2023-02-18T23:31:33.822750Z
1 likes, 0 repeats
@a @amy I'm definitely not endorsing centralized services but in a decentralized network you are going to constantly be dealing with server projects that don't update, and individual servers that don't update. that problem will never go away. but if you want to minimize that as much as possible you make a small spec that's not hard to implement and don't change it often.
(DIR) Post #ASor9Xozx2djhXA5z6 by amy@decept.org
2023-02-18T23:31:03.389719Z
1 likes, 0 repeats
@Moon @a Gotta say I agree with him too, SMTP could desperately use E2EE and something better than DMARC but it's basically impossible to update anything. XMPP fares better because cap negotiation is fundamental to the spec but AP has no such thing.
(DIR) Post #ASorMNpuO6KyUri3uq by Herman_Hetherington@chudbuds.lol
2023-02-18T16:15:04.011840Z
1 likes, 0 repeats
Come on Lain!
(DIR) Post #ASorkX1LtJyxvrZq5Y by Moon@shitposter.club
2023-02-18T23:39:22.835626Z
0 likes, 0 repeats
@a @amy minor distinction i could make is you could update the vocabularies commonly used in ap servers all the time as long as servers can gracefully drop objects it doesn't understand and that's not as big of a deal as like how http signatures fucking suck but everybody has to support every version and every bug or literally the servers just reject every message
(DIR) Post #ASos1u8LDCVWXQ880W by alex@gleasonator.com
2023-02-18T23:42:27.975572Z
0 likes, 0 repeats
@Moon @a @amy Not sure if this is the article you’re referring to, but it’s pretty amazing: https://moxie.org/2022/01/07/web3-first-impressions.html Especially the NFT thing.
(DIR) Post #ASos6VgDYbwo91AhsW by Moon@shitposter.club
2023-02-18T23:43:22.381257Z
0 likes, 0 repeats
@alex @amy @a different, he did an article about why they killed federation of the Signal servers and Signal protocol.
(DIR) Post #ASosoRTeXmRxqsF8To by alex@gleasonator.com
2023-02-18T23:51:14.543026Z
1 likes, 1 repeats
@Moon @amy @a Found it: https://signal.org/blog/the-ecosystem-is-moving/ I actually think he’s wrong about it. There’s no reason you can’t move fast and break things in a federated system, as I’ve proved many times, as long as you’re willing to tolerate people being angry.
(DIR) Post #ASot0XfdLLfcXDcIHQ by matty@nicecrew.digital
2023-02-18T23:52:23.573197Z
0 likes, 0 repeats
I'm sorry did you say "break things" yes I'm here do you need a free consultation?
(DIR) Post #ASot9NKf9MVX4s1Hfs by Moon@shitposter.club
2023-02-18T23:55:06.247438Z
1 likes, 0 repeats
@alex @amy @a admittedly microblogging syndication is less critical than email delivery and can tolerate experimentation better
(DIR) Post #ASotgeWiF6wdxeWXNA by snugglefist@freezepeach.online
2023-02-18T23:58:37.045282Z
0 likes, 1 repeats
Isn't it the intent of decentralized network architecture? If it isn't resilient to experimentation, how can it be resilient to catastrophe?
(DIR) Post #ASotgf6W5zaJkhH8BE by Moon@shitposter.club
2023-02-19T00:01:06.188908Z
0 likes, 0 repeats
@snugglefist @amy @alex @a if we listed all the ways you could kill this network, experimentation isn't one of them. experimentation will fragment the network. you may be okay with that but for a lot of people the number one thing they are trying to get out of it is they can talk to everybody on it. honestly though the network is already hopelessly fragmented for other reasons and is never going to get better on that front so it may already be a failed network.
(DIR) Post #ASoto8vDdGFSG1YezQ by Moon@shitposter.club
2023-02-19T00:02:28.545837Z
0 likes, 0 repeats
@snugglefist @a @alex @amy the biggest threat to this network imo is either DNS or CloudFlare
(DIR) Post #ASouCSflqnv0SnvcH2 by Moon@shitposter.club
2023-02-19T00:06:48.894061Z
0 likes, 0 repeats
@a @alex @amy @snugglefist alex can disagree with me on this, he is both smart and has tons of practical experience so whether or not you think he is evil he has an educated opinion.
(DIR) Post #ASq1xQQMvCRnwD1cXY by Moon@shitposter.club
2023-02-19T13:08:26.689414Z
0 likes, 0 repeats
@a able to talk where it technically makes sense. yeah it doesn't matter at all if you can't talk to a bookwyrm actor from a mastodon microblog actor
(DIR) Post #ASq2CotmD0oyBg7ZpI by Moon@shitposter.club
2023-02-19T13:11:16.512129Z
1 likes, 0 repeats
@a @amy smtp was awful a long time before gmail.