Conversation

Notices

1. Embed this notice
   Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:07:44 JST Alex Gleason

   A couple weeks ago someone said “HTTP Signatures are the reason ActivityPub will never succeed” and I was thinking “REALLY? Of all the things, not social issues but a technical detail? I don’t buy that.” Well after a week of trying to implement HTTP Signatures (and copying other people’s code!) it finally works on Mastodon and Misskey, but gets rejected by Pleroma.

   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:18:42 JST Alex Gleason

     in reply to

     The problem with ActivityPub and the various documents around it, is that they try to do EVERYTHING. HTTP Signatures is theoretically extensible to every possible signing algorithm on the planet, even though in practice everyone uses “RSASSA-PKCS1-v15” (I hate that I know that). This means you parse and support it 10 different ways just to do one thing. Meanwhile ActivityPub can have _any URL making it extremely hard to fetch things because you have to fetch a URL to know which URL to fetch.

     I suppose the idea is that if we adopt standards that can solve multiple problems, we’ll get overlapping contributions from people who don’t do social media stuff but want HTTP Signatures (etc) for other reasons. But in practice that doesn’t really happen, and we just have overly complex systems for no reason.

     Also this does matter, because if big important people don’t implement it because it’s too hard, it will hamper adoption.

   • Embed this notice
     MattZ (colinsmatt11@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:18:51 JST MattZ

     in reply to
     @alex I once thought about making an activitypub server for fun, after implementing .well-known I thought about doing http sigs and realised it's better to not continue this.
     Alex Gleason likes this.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:22:21 JST Alex Gleason

     in reply to

     • James Pearson :soapbox:

     @james Pleroma supports them. It says “Invalid signature”. Oddly if I corrupt the actor profile it accepts my activities, making me think there’s a security vuln in it. Because of course there is, because it’s so fucking complicated no sane person can perfectly implement it.

   • Embed this notice
     James Pearson :soapbox: (james@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:22:22 JST James Pearson :soapbox:

     in reply to
     @alex I thought Pleroma has HTTP Signatures as it's compatible with Mastodon?
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:26:02 JST Alex Gleason

     in reply to

     • flappypaddle

     @flappypaddle This ☝️

   • Embed this notice
     flappypaddle (flappypaddle@shitpost.racing)'s status on Sunday, 19-Feb-2023 01:26:04 JST flappypaddle

     in reply to
     Now you just need to return it into an XML RPC request base64 self signed via gpg using a locally cached key which is checked every day..
   • Embed this notice
     MattZ (colinsmatt11@gleasonator.com)'s status on Sunday, 19-Feb-2023 01:27:13 JST MattZ

     in reply to
     @alex One of the most important parts, it's still a composition of different standard from various things. Like OStatus nothing really changed.
     
     And there are little to nothing in terms of learning materials other than code of actual implementations.
     Alex Gleason likes this.
   • Embed this notice
     Dave (dave@podcastindex.social)'s status on Sunday, 19-Feb-2023 03:55:45 JST Dave

     in reply to

     @alex This is true. There is a "strike zone" of specificity in a spec/protocol where you serve the needs of the immediate use case, but leave enough room for flexibility without overwhelming the immediate use case audience with complexity for a benefit that may or may not ever materialize.

     Alex Gleason likes this.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 04:09:34 JST Alex Gleason

     in reply to

     Update: Pleroma can’t handle the (created) pseudo header. So don’t sign sign with that. ? Now it works fine.

   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 05:18:59 JST Alex Gleason

     in reply to

     Update: this broke Mastodon.

   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 05:28:08 JST Alex Gleason

     in reply to

     • Matty

     @matty See: https://gleasonator.com/@alex/posts/ASoYOAdWMBncls165w

   • Embed this notice
     Matty (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 05:28:09 JST Matty

     in reply to
     What is the point of HTTP signatures?
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 05:36:32 JST Alex Gleason

     in reply to

     • Matty

     @matty Without this, some tranny would send posts to nicecrew.digital from @alex and it would be me saying “I love trannies” even though I didn’t post that.

   • Embed this notice
     Matty (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 05:36:33 JST Matty

     in reply to
     I'm not quite understanding this. Is it a security related thing? Sorry, I am retarded.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 06:09:26 JST Alex Gleason

     in reply to

     • Sexy Moon

     @Moon For example if I have the user’s AP ID (like https://shitposter.club/users/Moon) I do NOT know their inbox, follower address, public key ID, etc.

     I have to fetch you to find that information out.

     Wouldn’t it be nice if it were guaranteed to be at :id/inbox? Or even that users in general were guaranteed to be under /_ap/:username?

     Same with Webfinger.

     Not only that, but /.well-known/host-meta tells you how to fetch WEBFINGER.

     I have to fetch a thing to fetch a thing to fetch a thing to tell me where I can fetch the thing from.

     Wouldn’t it be nice if it were all one endpoint… like maybe a single Websocket stream I could subscribe to to get back certain events… like…

   • Embed this notice
     Sexy Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 06:09:28 JST Sexy Moon

     in reply to
     @alex > ActivityPub can have any URL making it extremely hard to fetch things because you have to fetch a URL to know which URL to fetch.
     
     I am not quite getting this, can you explain this further?
   • Embed this notice
     Sexy Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 06:11:26 JST Sexy Moon

     in reply to
     @alex oh yes, very similar to recent issues i was having with gotosocial and also something i noticed, AP probably should have just had standardized where things are.
     Alex Gleason likes this.
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Sunday, 19-Feb-2023 06:17:53 JST Alex Gleason

     in reply to

     Okay I finally fixed it. Works with Mastodon, Pleroma, Misskey: https://gitlab.com/soapbox-pub/fedisign/-/commit/fded17e25cea70efc4cd1016fd2eb724aa5e46e7

   • Embed this notice
     Sexy Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 06:35:40 JST Sexy Moon

     in reply to
     @alex absolutely agree but for the record anything under .well-known is by definition standardized to that location so you shouldn't have to ever look it up
     Alex Gleason likes this.