Posts by mariusor@metalhead.club
(DIR) Post #Awy6sJyb5qR1Yl0Bl2 by mariusor@metalhead.club
2025-08-08T17:57:44Z
0 likes, 0 repeats
@silverpill and this happens because the purpose of the library and all the reference tooling around it is to deal with ActivityPub and only that. There are no additional APIs (well, except for all the CLI stuff I just mentioned :D) that can make the client/servers have better UX for key rotation. Nothing prevents users from inventing their own mechanism when they use it though. @marius
(DIR) Post #AwyBkdJZoEykzTy68e by mariusor@metalhead.club
2025-08-08T19:07:03Z
0 likes, 0 repeats
@silverpill I can't really understand your example. The client doesn't have access to other actor's private keys, so it shouldn't be able to sign requests. Or you're thinking for the case of a client that is used by multiple users, *and* it stores private keys... My clients generally use only OAuth2 for authorization to the service their users belong to and they don't do "signed requests" to other servers (because they don't really have access to the private key in the first place). @marius
(DIR) Post #AwyOHzIyGniMCMM9Tc by mariusor@metalhead.club
2025-08-08T20:23:51Z
0 likes, 0 repeats
There are some implementation details in my storage layers that would prevent this problem from happening, I think. The main one being that the only way to change the public key of an actor is to update the actor itself, the key does not exist as a standalone object that could be overwritten maliciously. There might be some corner cases, but I'll try to come up with some tests.
(DIR) Post #AxCNhB2UOrBW5cX82i by mariusor@metalhead.club
2025-08-15T12:16:26Z
0 likes, 0 repeats
I just realized that the default specifications for ActivityPub/ActivityStreams do not have a way to perform an update on an object's ID (i.e., moving it from example.com/1 -> example.com/2). An Update activity does not allow ID updates because it would lose the reference to the original one. (It can be massaged by using an Origin property, but I don't like that.) Another option would be to use a Move activity (which is defined as moving objects between collections), where the Origin property is the object itself instead of a collection. (I like this behaviour better, as it requires less divergence from the spec.) #ActivityPub #fedidev #ActivityPubDev
(DIR) Post #AxCNhBohVbkWV95dBo by mariusor@metalhead.club
2025-08-15T12:17:14Z
0 likes, 0 repeats
Is anyone aware of a FEP for that? #ActivityPub #ActivityPubDev #FEP
(DIR) Post #AxXP7Y8vIrj1Y0qArY by mariusor@metalhead.club
2025-08-25T12:17:05Z
0 likes, 1 repeats
For the past couple of days I've been hard at work writing documentation in the attempt to decrease the friction for developers that try #GoActivityPub for their applications. I am of a mind to pay some #Go developers in the near future to do a weekend's worth of programming into trying to use the library in projects, so we can iron out potential issues with the use of the library itself and the documentation. Anyone interested? #go #ActivityPub #ActivityPubDev #fediverse
(DIR) Post #AxXP7gWG9z95WhovLc by mariusor@metalhead.club
2025-08-25T12:35:46Z
0 likes, 0 repeats
If anyone cares for a link: https://man.sr.ht/~mariusor/go-activitypub/index.md
(DIR) Post #AxyMnyzcoPIcOCx32G by mariusor@metalhead.club
2025-09-07T18:45:42Z
0 likes, 0 repeats
@silverpill do you have a citation for that? I always interpreted them that they're parallel, but maybe I missed something. @smallcircles
(DIR) Post #AxyNN5h7t52NJG2Vwe by mariusor@metalhead.club
2025-09-07T19:38:56Z
0 likes, 0 repeats
@silverpill yet it does. The grouping of the activity types by domain is quite useful and gives a good indication about what/how they can/should be used. @smallcircles
(DIR) Post #AyQnpgFzitb2HRNDGK by mariusor@metalhead.club
2025-09-20T20:24:45Z
0 likes, 0 repeats
@silverpill do you mean that the "malicious" attachment is not a facsimile of an actual note produced by that actor, but a forgery? In these cases, I'll agree with @grishka that some validation based on the ID should be necessary. For embedded object attachments on the other hand (like Mastodon produces), probably the validation needs to check that attributedTo corresponds to the one of the parent object or is missing. Interesting corner case. @technical-discussion
(DIR) Post #AyRCfMxD8MpKN5ldnE by mariusor@metalhead.club
2025-09-21T13:02:31Z
0 likes, 0 repeats
> - Recipient: trust embedded object only if the wrapping object has the same owner.
@silverpill no, dereference object and use that instead. The canonical version of an object is the one retrieved from the originating service. Mastodon has popularised this behaviour where embedding collections (like your replies) is done by servers in the name of "optimizing" for request counts. But this introduces issues and personally I think it's a "code smell" for ActivityPub. Embedding should be restricted to anonymous objects. When an ID exists it should be used most of the time. @technical-discussion @julian @grishka
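The recipient-side rule discussed in the two posts above (dereference anything that has an ID and use the origin's copy; accept an anonymous embedded object only if attributedTo is missing or matches the parent), sketched in Go as an added example that is not from the posts or from GoActivityPub. The `Object` type, `Resolve`, and the in-memory `fetchFromOrigin` with its sample data are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Object is a minimal stand-in for an ActivityPub object (hypothetical type).
type Object struct{ ID, AttributedTo, Content string }

var ErrOwnerMismatch = errors.New("embedded object attributed to another actor")

// Resolve returns the version of an embedded object a recipient may trust.
// fetch dereferences an ID at its originating service (hypothetical helper).
func Resolve(parent, embedded Object, fetch func(string) (Object, error)) (Object, error) {
	if embedded.ID != "" {
		// The embedded copy is only a hint: the canonical version is the origin's.
		canonical, err := fetch(embedded.ID)
		if err != nil {
			return Object{}, fmt.Errorf("dereference %s: %w", embedded.ID, err)
		}
		if canonical.ID != embedded.ID {
			return Object{}, fmt.Errorf("origin returned %q for %q", canonical.ID, embedded.ID)
		}
		return canonical, nil
	}
	// Anonymous object: attributedTo must be missing or match the parent's.
	if embedded.AttributedTo != "" && embedded.AttributedTo != parent.AttributedTo {
		return Object{}, ErrOwnerMismatch
	}
	embedded.AttributedTo = parent.AttributedTo
	return embedded, nil
}

// originStore is constructed sample data standing in for the remote server.
var originStore = map[string]Object{
	"https://a.example/notes/1": {ID: "https://a.example/notes/1", AttributedTo: "https://a.example/alice", Content: "original text"},
}

func fetchFromOrigin(id string) (Object, error) {
	if o, ok := originStore[id]; ok {
		return o, nil
	}
	return Object{}, errors.New("not found")
}

func main() {
	parent := Object{ID: "https://b.example/notes/9", AttributedTo: "https://b.example/bob"}
	fmt.Println(Resolve(parent, Object{ID: "https://a.example/notes/1", Content: "forged text"}, fetchFromOrigin))
}
```

In a real server the fetch step would be an HTTP GET of the object ID, so the result depends on the origin being reachable; an unreachable origin is treated here as a rejection rather than a reason to fall back to the embedded copy.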
(DIR) Post #AyvaMIoLLcGh4lUCMy by mariusor@metalhead.club
2025-10-06T08:59:17Z
1 likes, 0 repeats
@mkljczk that's where the ghost of unfinished projects lies. :P [edit] I should clarify. Not Godot itself, but getting distracted with game development in general.
(DIR) Post #B0JjF3JUPtfkjSFuxk by mariusor@metalhead.club
2025-11-16T21:45:54Z
0 likes, 0 repeats
@silverpill there are protocols that people complain about, and protocols that nobody uses. From a couple of months ago: https://metalhead.club/@mariusor/114912833075947072
(DIR) Post #B0Y4KdYGZQkd35yCzw by mariusor@metalhead.club
2025-11-23T18:38:07Z
0 likes, 0 repeats
@silverpill I allow all collections' properties to be modified with Update activities with the exception of the items property itself. For those I allow Add/Remove/Move, etc. I don't see a reason to make a distinction between what you call views and containers. If there would be a distinction to make, I would consider views as random object arrays that are accessible at a certain URL (and I would add them in the Streams property of an Actor). Instead of a generated CollectionPage, you would only get its items. pro@dansup@mastodon.social
(DIR) Post #B0YCi7oB2guNBL7hOC by mariusor@metalhead.club
2025-11-23T20:59:24Z
0 likes, 0 repeats
@silverpill yes to first question, and no to second question because collection pages are indeed dynamic. When a collection gets retrieved from storage, if there are filters on it, they get applied and the resulting object becomes a collection page where first, next, previous are computed dynamically based on the filters. I haven't found a good method to do away with this conceit yet.
(DIR) Post #B0YCi8ovHP6CJwToBs by mariusor@metalhead.club
2025-11-23T21:02:01Z
0 likes, 0 repeats
@silverpill collections for GoActivityPub are not really special. A collection is an object which can be operated on with most of the Activity vocabulary to various degrees of success (based on what's in the spec, or based on what felt sensible at the time). The only way in which they are *special* is that when processing activities the collection ID gets extracted from the actor it belongs to, and gets operated on (for example to add an activity to an outbox or inbox).
(DIR) Post #B0YCi9l3nFbTEFgEoC by mariusor@metalhead.club
2025-11-23T21:05:47Z
0 likes, 0 repeats
@silverpill basically a storage to be able to work with GoActivityPub needs only 4 operations (the docs have 5 including Create, but that will go away soon): Load (IRI, Filters), Save (Object), AddTo (Collection, Object), RemoveFrom (Collection, Object). https://pkg.go.dev/github.com/go-ap/processing#Store
(DIR) Post #B0aJMmM5z9SweUYRLk by mariusor@metalhead.club
2025-11-24T07:15:49Z
0 likes, 0 repeats
@silverpill only an actor that owns the collection can operate on it, and only the server that resides on the same host can operate on collections with that host. I.e., all the logic I'm describing refers to client to server, collections that reside on other servers are not really relevant. And I don't know if I mentioned it before, mostly GoActivityPub focuses on the vanilla specification, the fancy use-cases in FEPs, like nomadic identity, are outside the scope until we can make use of dynamic object types - which is not the case at the moment, we're limited to plain Activity vocabulary.
(DIR) Post #B0bP7EjPVfsMuOOM9w by mariusor@metalhead.club
2025-11-25T07:54:13Z
0 likes, 0 repeats
@silverpill yes, I was thinking of the nomadic identity aspect when I said that. So, for GoAP: a user wants to upload an image, it can specify recipients, the client builds an Image AP object out of that (including a reply collection) and wraps it in a Create collection, sends it to the server (C2S). Server saves Image locally, creates all collections for the Image that are not empty in the Image (like replies, likes, shares, etc), adds it to outbox of user's Actor, adds it to local follower's Inbox or sends it to remote followers Inbox (S2S). If it's in reply to something(s) loads the object(s) and disseminates it to the recipients.
(DIR) Post #B1a1qHp8a4oDk1KUdc by mariusor@metalhead.club
2025-12-24T17:01:13Z
1 likes, 1 repeats
I don't know if people are aware of this Firefox addon that brings discoverability for personal websites that have identity confirmation links to Mastodon profiles: StreetPass for Mastodon. It's pretty good, it allowed me to find quite a number of people based on incidentally reading their blogs. https://addons.mozilla.org/en-US/firefox/addon/streetpass-for-mastodon/