Conversation

Notices

  1. Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:07:44 JST

    A couple weeks ago someone said “HTTP Signatures are the reason ActivityPub will never succeed” and I was thinking “REALLY? Of all the things, not social issues but a technical detail? I don’t buy that.” Well after a week of trying to implement HTTP Signatures (and copying other people’s code!) it finally works on Mastodon and Misskey, but gets rejected by Pleroma.

    • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:18:42 JST
      in reply to

      The problem with ActivityPub and the various documents around it, is that they try to do EVERYTHING. HTTP Signatures is theoretically extensible to every possible signing algorithm on the planet, even though in practice everyone uses “RSASSA-PKCS1-v15” (I hate that I know that). This means you parse and support it 10 different ways just to do one thing. Meanwhile ActivityPub can have _any URL making it extremely hard to fetch things because you have to fetch a URL to know which URL to fetch.

      I suppose the idea is that if we adopt standards that can solve multiple problems, we’ll get overlapping contributions from people who don’t do social media stuff but want HTTP Signatures (etc) for other reasons. But in practice that doesn’t really happen, and we just have overly complex systems for no reason.

      Also this does matter, because if big important people don’t implement it because it’s too hard, it will hamper adoption.

    • MattZ (colinsmatt11@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:18:51 JST
      in reply to
      @alex I once thought about making an activitypub server for fun, after implementing .well-known I thought about doing http sigs and realised it's better to not continue this.
      Alex Gleason likes this.
    • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:22:21 JST
      in reply to
      • James Pearson :soapbox:

      @james Pleroma supports them. It says “Invalid signature”. Oddly if I corrupt the actor profile it accepts my activities, making me think there’s a security vuln in it. Because of course there is, because it’s so fucking complicated no sane person can perfectly implement it.

    • James Pearson :soapbox: (james@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:22:22 JST
      in reply to
      @alex I thought Pleroma has HTTP Signatures as it's compatible with Mastodon?
    • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:26:02 JST
      in reply to
      • flappypaddle

      @flappypaddle This ☝️

    • flappypaddle (flappypaddle@shitpost.racing)'s status on Sunday, 19-Feb-2023 01:26:04 JST
      in reply to
      Now you just need to return it into an XML RPC request base64 self signed via gpg using a locally cached key which is checked every day..
    • MattZ (colinsmatt11@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:27:13 JST
      in reply to
      @alex One of the most important parts, it's still a composition of different standards from various things. Like OStatus nothing really changed.

      And there are little to nothing in terms of learning materials other than code of actual implementations.
      Alex Gleason likes this.
    • Dave (dave@podcastindex.social)'s status on Sunday, 19-Feb-2023 03:55:45 JST
      in reply to

      @alex This is true. There is a "strike zone" of specificity in a spec/protocol where you serve the needs of the immediate use case, but leave enough room for flexibility without overwhelming the immediate use case audience with complexity for a benefit that may or may not ever materialize.

      Alex Gleason likes this.
    • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 04:09:34 JST
      in reply to

      Update: Pleroma can’t handle the (created) pseudo header. So don’t sign with that. Now it works fine.

    • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 05:18:59 JST
      in reply to

      Update: this broke Mastodon.

    • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 05:28:08 JST
      in reply to
      • Matty

      @matty See: https://gleasonator.com/@alex/posts/ASoYOAdWMBncls165w


      Attachments

      1. Alex Gleason (@alex@gleasonator.com)
        @tassoman Anyone can POST /inbox from anywhere. TLS only helps verify servers, not clients. Public activities don’t have to be signed, because if we get an unsigned activity we can just refetch it f...
    • Matty (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 05:28:09 JST
      in reply to
      What is the point of HTTP signatures?
    • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 05:36:32 JST
      in reply to
      • Matty

      @matty Without this, some tranny would send posts to nicecrew.digital from @alex and it would be me saying “I love trannies” even though I didn’t post that.

    • Matty (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 05:36:33 JST
      in reply to
      I'm not quite understanding this. Is it a security related thing? Sorry, I am retarded.
    • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 06:09:26 JST
      in reply to
      • Sexy Moon

      @Moon For example if I have the user’s AP ID (like https://shitposter.club/users/Moon) I do NOT know their inbox, follower address, public key ID, etc.

      I have to fetch you to find that information out.

      Wouldn’t it be nice if it were guaranteed to be at :id/inbox? Or even that users in general were guaranteed to be under /_ap/:username?

      Same with Webfinger.

      Not only that, but /.well-known/host-meta tells you how to fetch WEBFINGER.

      I have to fetch a thing to fetch a thing to fetch a thing to tell me where I can fetch the thing from.

      Wouldn’t it be nice if it were all one endpoint… like maybe a single Websocket stream I could subscribe to to get back certain events… like…


      Attachments

      1. Beyond Your Comprehension (@Moon@shitposter.club)
        I just want to make friends on here. Anybody can interact with me. I am done making joke bios, they caused too much trouble.
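The fetch chain described in the post above (actor id, WebFinger, host-meta telling you where WebFinger is), as an added Go example that is not code from any poster or from any fediverse project. The three documents (host-meta XRD, WebFinger JRD, actor document) and the example.org URLs are constructed stand-ins served from a map by `get` so that it runs offline; the field names follow those three formats.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// documents are constructed stand-ins for what example.org would serve; get replaces HTTP GET.
var documents = map[string]string{
	"https://example.org/.well-known/host-meta": `<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" template="https://example.org/.well-known/webfinger?resource={uri}"/>
</XRD>`,
	"https://example.org/.well-known/webfinger?resource=acct%3Aalice%40example.org": `{
  "subject": "acct:alice@example.org",
  "links": [
    {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html", "href": "https://example.org/@alice"},
    {"rel": "self", "type": "application/activity+json", "href": "https://example.org/users/alice"}
  ]}`,
	"https://example.org/users/alice": `{
  "id": "https://example.org/users/alice",
  "inbox": "https://example.org/users/alice/inbox",
  "publicKey": {"id": "https://example.org/users/alice#main-key", "owner": "https://example.org/users/alice"}
}`,
}

// get fetches u and decodes the body with decode (xml.Unmarshal or json.Unmarshal) into v.
func get(u string, decode func([]byte, interface{}) error, v interface{}) error {
	doc, ok := documents[u]
	if !ok {
		return fmt.Errorf("fetch %s: not found", u)
	}
	return decode([]byte(doc), v)
}

// Actor carries the fields a sender needs and cannot derive from the actor id alone.
type Actor struct {
	ID        string `json:"id"`
	Inbox     string `json:"inbox"`
	PublicKey struct {
		ID    string `json:"id"`
		Owner string `json:"owner"`
	} `json:"publicKey"`
}

// Resolve walks the chain for user@domain: host-meta says where WebFinger lives, WebFinger maps
// the acct: URI to the actor id, and only the actor document reveals the inbox and key id.
func Resolve(acct string) (*Actor, error) {
	_, domain, ok := strings.Cut(acct, "@")
	if !ok {
		return nil, fmt.Errorf("acct %q is not user@domain", acct)
	}
	var xrd struct { // step 1: host-meta XRD, whose lrdd link carries the WebFinger URL template
		Links []struct {
			Rel      string `xml:"rel,attr"`
			Template string `xml:"template,attr"`
		} `xml:"Link"`
	}
	if err := get("https://"+domain+"/.well-known/host-meta", xml.Unmarshal, &xrd); err != nil {
		return nil, err
	}
	template := ""
	for _, l := range xrd.Links {
		if l.Rel == "lrdd" {
			template = l.Template
		}
	}
	if template == "" {
		return nil, fmt.Errorf("host-meta for %s has no lrdd template", domain)
	}
	var jrd struct { // step 2: WebFinger JRD; the actor id is the "self" link of ActivityPub type
		Links []struct{ Rel, Type, Href string } `json:"links"`
	}
	if err := get(strings.Replace(template, "{uri}", url.QueryEscape("acct:"+acct), 1), json.Unmarshal, &jrd); err != nil {
		return nil, err
	}
	actorID := ""
	for _, l := range jrd.Links {
		if l.Rel == "self" && l.Type == "application/activity+json" {
			actorID = l.Href
		}
	}
	if actorID == "" {
		return nil, fmt.Errorf("no ActivityPub self link for %s", acct)
	}
	var actor Actor // step 3: the actor document, the only place inbox and publicKey.id are defined
	if err := get(actorID, json.Unmarshal, &actor); err != nil {
		return nil, err
	}
	return &actor, nil
}
```

Every hop is a fetch of a document the remote side controls, so a real implementation caches the result, restricts the fetches to HTTPS, and treats the `publicKey.id` it ends up with as the only key that may vouch for that actor; that is the keyId an HTTP Signature verifier later resolves.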
    • Sexy Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 06:09:28 JST
      in reply to
      @alex > ActivityPub can have any URL making it extremely hard to fetch things because you have to fetch a URL to know which URL to fetch.

      I am not quite getting this, can you explain this further?
    • Sexy Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 06:11:26 JST
      in reply to
      @alex oh yes, very similar to recent issues I was having with gotosocial and also something I noticed, AP probably should have just had standardized where things are.
      Alex Gleason likes this.
    • Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 06:17:53 JST
      in reply to

      Okay I finally fixed it. Works with Mastodon, Pleroma, Misskey: https://gitlab.com/soapbox-pub/fedisign/-/commit/fded17e25cea70efc4cd1016fd2eb724aa5e46e7


      Attachments

      1. Do sign the Date header, even though it's "forbidden" (this fixes federation with Mastodon, Pleroma, and Misskey) (fded17e2) · Commits · Soapbox / Fedisign · GitLab
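The signing and verification this thread is about, as an added Go example that is neither Fedisign's code nor any poster's: RSASSA-PKCS1-v1_5 with SHA-256 (the "rsa-sha256" label everyone actually uses), the real Date header signed rather than the (created) pseudo-header, and the inbox-side check that answers why an unsigned POST /inbox cannot be trusted. The key id URL, the one-hour skew window and the `resolveKey` callback are assumptions; `resolveKey` stands in for fetching and caching the remote actor's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// signingString builds the draft-cavage signing string: one "name: value" line per listed name,
// in order. "(request-target)" is "<lowercase method> <path?query>"; "host" is req.Host in net/http.
func signingString(req *http.Request, names []string) (string, error) {
	lines := make([]string, 0, len(names))
	for _, n := range names {
		v := req.Header.Get(n)
		switch n {
		case "(request-target)":
			v = strings.ToLower(req.Method) + " " + req.URL.RequestURI()
		case "host":
			v = req.Host
		}
		if v == "" {
			return "", fmt.Errorf("header %q is listed in the signature but absent", n)
		}
		lines = append(lines, strings.ToLower(n)+": "+v)
	}
	return strings.Join(lines, "\n"), nil
}

// bodyDigest returns the Digest header value in the SHA-256=<base64> form.
func bodyDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "SHA-256=" + base64.StdEncoding.EncodeToString(sum[:])
}

// Sign is the sending side: set Date and Digest, then add a Signature header computed with
// RSASSA-PKCS1-v1_5 over SHA-256 ("rsa-sha256"). It signs the real Date header, not "(created)".
func Sign(priv *rsa.PrivateKey, keyID string, req *http.Request, body []byte, now time.Time) error {
	req.Header.Set("Date", now.UTC().Format(http.TimeFormat))
	req.Header.Set("Digest", bodyDigest(body))
	names := []string{"(request-target)", "host", "date", "digest"}
	s, err := signingString(req, names)
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(s))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return err
	}
	req.Header.Set("Signature", fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		keyID, strings.Join(names, " "), base64.StdEncoding.EncodeToString(sig)))
	return nil
}

// Verify is the inbox side. resolveKey maps keyId to the actor's public key (a real server fetches and
// caches the actor document and trusts only that key). It also insists the signature covers target, host,
// date and digest, that Digest matches the received body, and that Date is within maxSkew of now.
func Verify(req *http.Request, body []byte, resolveKey func(string) (*rsa.PublicKey, error), now time.Time, maxSkew time.Duration) error {
	params := map[string]string{} // the Signature header is a comma-separated list of k="v"
	for _, part := range strings.Split(req.Header.Get("Signature"), ",") {
		k, v, _ := strings.Cut(part, "=")
		params[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	if params["algorithm"] != "rsa-sha256" {
		return fmt.Errorf("unsupported algorithm %q", params["algorithm"])
	}
	for _, must := range []string{"(request-target)", "host", "date", "digest"} {
		if !strings.Contains(" "+params["headers"]+" ", " "+must+" ") {
			return fmt.Errorf("signature does not cover %s", must)
		}
	}
	if req.Header.Get("Digest") != bodyDigest(body) {
		return fmt.Errorf("Digest header does not match the received body")
	}
	date, err := http.ParseTime(req.Header.Get("Date"))
	if err != nil || now.Sub(date) > maxSkew || date.Sub(now) > maxSkew {
		return fmt.Errorf("Date header missing, unparsable or outside the acceptance window")
	}
	pub, err := resolveKey(params["keyId"])
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(params["signature"])
	if err != nil {
		return err
	}
	s, err := signingString(req, strings.Fields(params["headers"]))
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(s))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
```

Call `Sign` right before sending; in the inbox handler, read the body with `io.ReadAll` and pass it with the request to `Verify`. Requiring the digest and the date to be covered is what stops a captured signature from being replayed later or reused with a different body. `Verify` only proves the request was made by whoever holds the key at keyId; the handler still has to check that the actor named in the activity is the owner of that key, and that the key came from the actor document fetched from the actor's own origin rather than from anything carried in the request.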
    • Sexy Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 06:35:40 JST
      in reply to
      @alex absolutely agree but for the record anything under .well-known is by definition standardized to that location so you shouldn't have to ever look it up
      Alex Gleason likes this.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.