GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Embed this notice
    the fairest eris (kallisti@social.xenofem.me)'s status on Monday, 12-Sep-2022 07:24:42 JST the fairest eris the fairest eris
    i long for some sort of activitypub that can still communicate with main activitypub to some extent because i want one implemented in K

    i mean like implementing a blocklist on a stream of json messages is something like this
    (|/'blocks=/:\:@[;`instance])#`j'
    In conversation Monday, 12-Sep-2022 07:24:42 JST from social.xenofem.me permalink
    • Embed this notice
      Hélène (helene@p.helene.moe)'s status on Monday, 12-Sep-2022 07:24:26 JST Hélène Hélène
      in reply to
      • pistolero :thispersondoesnotexist:
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm

      @p @pwm @kallisti @nyx No one actually implements those properly, there is no good spec and only a mashup of drafts and different implementations, and no one can fix it because otherwise it breaks the network down. Misskey and Peertube tried changing the signing algorithm to some automatic signature type detection system, mastodon couldn’t handle it and decided that it’d continue rolling with RSA-SHA256; it does not support any of the alternatives, not even RSA-SHA512 and the latest drafts of HTTP signatures aren’t any better in that regard, because all of these algorithms are deprecated and the entire HTTP signature thing has been reworked. GoToSocial goes on to do yet another different thing, but dialed it back to be Mastodon-compatible. Everyone’s stuck with this way of doing things for now. That’s what happens when implementing very active IETF drafts, really… I would blame Mastodon for introducing something improperly documented (no info on how to determine actor keys without reading source, and they don’t even do it exactly right either) and incomplete (a mash of different versions for the same IETF draft), but honestly, Pleroma isn’t much better in that regard either; and I find it baffling that no proper discussion was had on this subject. Oh well.

      For now, HTTP signatures are RSA-SHA256, no PSS, no SHA512, nothing; because no one supports it and it’s a disaster. And Pleroma (before one of my recent patches in develop) will fail to validate signatures for requests with a query string if you include it in your signature (/abc?a signed /abc?a would fail, /abc?a signed /abc would not) because of how poorly read the IETF draft was. Well, expect disasters around it.

      In conversation Monday, 12-Sep-2022 07:24:26 JST permalink
    • Embed this notice
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 12-Sep-2022 07:24:27 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm
      @pwm @kallisti @nyx

      > what the hell do you do to get signatures working?

      The answer to that is excessively long. I more or less followed the code in Honk/Pleroma/ActivityRelay/Masto and some random Masto blog post (it's https://blog.joinmastodon.org/2018/06/how-to-implement-a-basic-activitypub-server/ but it is also dated as hell and it doesn't work as-is). Support for ED25519 seems to be aspirational so I just used RSA everywhere, and I sign "(request-target)" (fucking fuck i hate that entire thing), Date, Host, and Digest (extra header for the body; I don't know how it handles GETs because I'm not planning to add signed fetches, SHA-256 works). What is it that you're doing? Might be easier than describing the entire process.

      Pleroma often 500s on messages that it doesn't understand because they rely on pattern-matching pretty heavily and don't tend to handle the case where it doesn't match. Use PKIX for the pubkey you're serving or Masto will just break without explaining anything.

      > Relevant, I am using cavage draft 6 as that seems to be what both use

      iono, man. Specs and documentation seem to have been useless during this entire process.
      In conversation Monday, 12-Sep-2022 07:24:27 JST permalink

      Attachments

      1. How to implement a basic ActivityPub server
        Today we’ll be looking at how to connect the protocols powering Mastodon in the simplest way possible to enter the federated network. We will use static files, standard command-line tools, and some simple Ruby scripting, although the functionality should be easily adaptable to other programming languages. First, what’s the end goal of this exercise? We want to send a Mastodon user a message from our own, non-Mastodon server. So what are the ingredients required?
      Hélène likes this.
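The signing scheme described in the two posts above (RSA-SHA256 over "(request-target)", Host, Date and Digest, with the public key served in PKIX form), as an added Ruby example that is not code from the thread or from any of the projects named. The hosts, path, key id and body are constructed placeholders, and the `strip_query` switch is a hypothetical knob that reproduces the query-string mismatch Hélène describes.

```ruby
require 'openssl'

SIGNED = ['(request-target)', 'host', 'date', 'digest'].freeze

def digest_header(body)
  'SHA-256=' + [OpenSSL::Digest::SHA256.digest(body)].pack('m0')
end

# Signing string: one "name: value" line per covered header, lowercase names,
# joined with "\n". (request-target) is the lowercased method, a space, and
# the path including any query string.
def signing_string(method, target, headers, names = SIGNED)
  names.map do |n|
    n == '(request-target)' ? "#{n}: #{method.downcase} #{target}" : "#{n}: #{headers[n]}"
  end.join("\n")
end

def sign_request(key, key_id, method, target, headers)
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, target, headers))
  %(keyId="#{key_id}",algorithm="rsa-sha256",) +
    %(headers="#{SIGNED.join(' ')}",signature="#{[sig].pack('m0')}")
end

# Receiver side. strip_query: true rebuilds (request-target) without the query
# string, which is the mismatch the thread describes.
def verify_request(pem, sig_header, method, target, headers, body, strip_query: false)
  params = sig_header.scan(/(\w+)="([^"]*)"/).to_h
  return false unless params['algorithm'] == 'rsa-sha256' && params['signature']
  names = params['headers'].to_s.split(' ')
  return false unless (SIGNED - names).empty?                    # required coverage
  return false unless names.all? { |n| n == '(request-target)' || headers.key?(n) }
  return false unless headers['digest'] == digest_header(body)   # body integrity
  target = target.split('?', 2).first if strip_query
  OpenSSL::PKey::RSA.new(pem).verify(OpenSSL::Digest.new('SHA256'),
                                     params['signature'].unpack1('m'),
                                     signing_string(method, target, headers, names))
end

# Constructed sample request: hosts, path, key id and body are placeholders.
KEY = OpenSSL::PKey::RSA.new(2048)
PUBKEY_PEM = KEY.public_key.to_pem   # PKIX form: "-----BEGIN PUBLIC KEY-----"
BODY = '{"type":"Follow"}'
HEADERS = { 'host' => 'remote.example', 'date' => 'Mon, 12 Sep 2022 07:24:26 GMT',
            'digest' => digest_header(BODY) }.freeze
SIG = sign_request(KEY, 'https://local.example/users/alice#main-key',
                   'POST', '/inbox?a', HEADERS)

puts verify_request(PUBKEY_PEM, SIG, 'POST', '/inbox?a', HEADERS, BODY)
puts verify_request(PUBKEY_PEM, SIG, 'POST', '/inbox?a', HEADERS, BODY, strip_query: true)
```

When a peer rejects a signature, printing `signing_string` on both ends and comparing the two byte for byte is usually the fastest way to find which covered line differs.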
    • Embed this notice
      pwm (pwm@poa.st)'s status on Monday, 12-Sep-2022 07:24:31 JST pwm pwm
      in reply to
      • pistolero :thispersondoesnotexist:
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      @p @kallisti @nyx Random, but what the hell do you do to get signatures working? Somehow I managed to get them talking to mastodon but not pleroma. I've looked at the relevant code for both but whatever I do I cannot get pleroma to validate. It even started 500ing on messages mastodon validated.

      Relevant, I am using cavage draft 6 as that seems to be what both use (but maybe pleroma doesn't and I didn't pick up on that from their http signatures library)
      In conversation Monday, 12-Sep-2022 07:24:31 JST permalink
      Hélène likes this.
    • Embed this notice
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 12-Sep-2022 07:24:32 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      @nyx @kallisti It is such a pain to debug and Masto's code is nigh-unreadable. I spent an entire day trying to get signatures correct because the documentation does not match the behavior. I can only imagine what new horrors await me the more I try to add.

      LitePub was essentially Pleroma forking the spec because ActivityPub authors were ignoring everything that wasn't Mastodon. The prospect of forking the network made them reconsider and they started working with Pleroma's dev team, so fleshing out LitePub became a lower priority, but lanodan said if there's interest in it, then it might get picked back up.
      In conversation Monday, 12-Sep-2022 07:24:32 JST permalink
      Hélène likes this.
    • Embed this notice
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 12-Sep-2022 07:24:33 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      @nyx @kallisti Yeah, I'm using LitePub as the rough guideline and then there's "ActivityPub as she is spoke" which is an entirely different deal.
      In conversation Monday, 12-Sep-2022 07:24:33 JST permalink
    • Embed this notice
      ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving: (nyx@social.xenofem.me)'s status on Monday, 12-Sep-2022 07:24:33 JST ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving: ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      in reply to
      • pistolero :thispersondoesnotexist:
      @p @kallisti I see, I was wondering about that because litepub sounded nice in concept since AP in practice is all just implemented as "copy whatever Mastodon does", which makes me extremely not interested in ever developing software that would use it, along with some other issues. but then I saw litepub is also dead =_=
      In conversation Monday, 12-Sep-2022 07:24:33 JST permalink
    • Embed this notice
      ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving: (nyx@social.xenofem.me)'s status on Monday, 12-Sep-2022 07:24:35 JST ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving: ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      in reply to
      • pistolero :thispersondoesnotexist:
      @kallisti I think @p is using it in Revolver but idk if he forked it or something
      In conversation Monday, 12-Sep-2022 07:24:35 JST permalink
    • Embed this notice
      the fairest eris (kallisti@social.xenofem.me)'s status on Monday, 12-Sep-2022 07:24:36 JST the fairest eris the fairest eris
      in reply to
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      @nyx half of the spec links 404
      In conversation Monday, 12-Sep-2022 07:24:36 JST permalink
    • Embed this notice
      the fairest eris (kallisti@social.xenofem.me)'s status on Monday, 12-Sep-2022 07:24:37 JST the fairest eris the fairest eris
      in reply to
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      @nyx yea looks completely out of date sadly
      In conversation Monday, 12-Sep-2022 07:24:37 JST permalink
    • Embed this notice
      the fairest eris (kallisti@social.xenofem.me)'s status on Monday, 12-Sep-2022 07:24:38 JST the fairest eris the fairest eris
      in reply to
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      @nyx ooh yea this is it
      In conversation Monday, 12-Sep-2022 07:24:38 JST permalink
    • Embed this notice
      ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving: (nyx@social.xenofem.me)'s status on Monday, 12-Sep-2022 07:24:38 JST ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving: ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      in reply to
      @kallisti it sounds neat but stopped being developed at some point, also idk how compatible it is with the rest of AP
      In conversation Monday, 12-Sep-2022 07:24:38 JST permalink
    • Embed this notice
      ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving: (nyx@social.xenofem.me)'s status on Monday, 12-Sep-2022 07:24:39 JST ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving: ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      in reply to
      @kallisti litepub?
      In conversation Monday, 12-Sep-2022 07:24:39 JST permalink
    • Embed this notice
      the fairest eris (kallisti@social.xenofem.me)'s status on Monday, 12-Sep-2022 07:24:41 JST the fairest eris the fairest eris
      in reply to
      there was a mini AP protocol published somewhere but i don't remember where now
      In conversation Monday, 12-Sep-2022 07:24:41 JST permalink
    • Embed this notice
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 12-Sep-2022 07:30:03 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Hélène
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm
      @helene @kallisti @nyx @pwm It's disasters all the way down. I don't even know for certain why what I do works, I just kept adding stuff until it did.
      In conversation Monday, 12-Sep-2022 07:30:03 JST permalink
      Hélène likes this.
    • Embed this notice
      rru142 (rru142@blovice.bahnhof.cz)'s status on Monday, 12-Sep-2022 08:07:16 JST rru142 rru142
      in reply to
      • Hélène
      @helene
      (This is just remotely related...)
      > That’s what happens when implementing very active IETF drafts, really.
      Anyone remember draft-ietf-ipsec-isakmp-xauth-06?
      In conversation Monday, 12-Sep-2022 08:07:16 JST permalink
      Hélène likes this.
    • Embed this notice
      pwm (pwm@poa.st)'s status on Monday, 12-Sep-2022 08:10:20 JST pwm pwm
      in reply to
      • pistolero :thispersondoesnotexist:
      • Hélène
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      @helene @p @kallisti @nyx literally the first thing you need to implement a new activitypub server is this signature or you're effectively unable to federate. How there is __no__ real documentation other than a stub wiki page linked from an appendix in the w3 published spec is fucking incredible
      In conversation Monday, 12-Sep-2022 08:10:20 JST permalink
      Hélène likes this.
    • Embed this notice
      pwm (pwm@poa.st)'s status on Monday, 12-Sep-2022 08:10:22 JST pwm pwm
      in reply to
      • pistolero :thispersondoesnotexist:
      • Hélène
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm
      @helene @p @kallisti @nyx a stub wiki page which, by the way says "dunno here's a survey of best practices"

      this is the power of fucking open source software
      In conversation Monday, 12-Sep-2022 08:10:22 JST permalink
      Hélène likes this.
    • Embed this notice
      Hélène (helene@p.helene.moe)'s status on Monday, 12-Sep-2022 08:12:23 JST Hélène Hélène
      in reply to
      • pistolero :thispersondoesnotexist:
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm
      @pwm @p @kallisti @nyx Yeah, been considering writing that kind of stuff for a while already, and not just on HTTP signatures (+ actor key discovery). Just haven't had the time to get around to doing it so far, my hands are quite full already.
      In conversation Monday, 12-Sep-2022 08:12:23 JST permalink
    • Embed this notice
      Hélène (helene@p.helene.moe)'s status on Monday, 12-Sep-2022 08:13:22 JST Hélène Hélène
      in reply to
      • rru142
      @rru142 What happened with that one? :cirno_thinking:
      In conversation Monday, 12-Sep-2022 08:13:22 JST permalink
    • Embed this notice
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 12-Sep-2022 08:16:54 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Hélène
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm
      @helene @pwm @kallisti @nyx

      > (+ actor key discovery)

      OH THAT WAS THE OTHER THING

      You can tell Masto where the key is, but it will ignore that and webfinger you and webfinger has to tell it where the key is.
      In conversation Monday, 12-Sep-2022 08:16:54 JST permalink
      Hélène likes this.
    • Embed this notice
      Hélène (helene@p.helene.moe)'s status on Monday, 12-Sep-2022 08:27:56 JST Hélène Hélène
      in reply to
      • pistolero :thispersondoesnotexist:
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm

      @p @pwm @kallisti @nyx Mastodon has some of the best support for the keyId field in HTTP signatures, with the ability to resolve Key objects into Actors, and figuring that out all by itself; what matters to it is having a URI to the Actor as the keyId or set to the URI of a Key object with the owner field set to the Actor’s URI. This allows for having the Actor’s public key separated from the Actor itself and is very useful for authentication purposes/locking access to some Actors/etc. The issue is that Mastodon seems to be the only software that supports it so far. GoToSocial seems to be mostly okay with it but it’s barely working, it somewhat works by accident. Misskey remembers keyIds and can map them into Actors; but if it can’t find it, it will use the given activity’s Actor to discover its public key.

      Pleroma does the worst thing I’ve seen amongst all fedi software: it assumes the keyId in the signature is an actor URI. It broke down when Misskey decided to have Key objects separated from their Actors and to give them in a subpath (/users/:id/publickey). Instead of actually bothering, someone decided to remove the /publickey from the keyId if it was found at the end of the URI; because that’d give the actor URI with Misskey. That was done around 5 years ago, and I’m still ranting about this. I don’t think I need to explain why that’s terrible…

      In conversation Monday, 12-Sep-2022 08:27:56 JST permalink
    • Embed this notice
      pwm (pwm@poa.st)'s status on Monday, 12-Sep-2022 08:34:35 JST pwm pwm
      in reply to
      • pistolero :thispersondoesnotexist:
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      @p @kallisti @nyx I actually did get signatures working shortly after asking and I cannot quite explain why. I just moved all the signing code into its own file and will never ever touch it again.

      I actually was referencing that blog post too. I still cannot explain the pleroma bad behavior.

      Now time to figure out if you `remove` or `undo` or `unfucking-believably-unclear-semantics` to unfollow someone.
      In conversation Monday, 12-Sep-2022 08:34:35 JST permalink
      Hélène likes this.
    • Embed this notice
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 12-Sep-2022 08:34:36 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm
      @pwm @kallisti @nyx

      > I actually did get signatures working shortly after asking and I cannot quite explain why.

      ActivityPub!
      In conversation Monday, 12-Sep-2022 08:34:36 JST permalink
      Hélène likes this.
    • Embed this notice
      rru142 (rru142@blovice.bahnhof.cz)'s status on Monday, 12-Sep-2022 08:44:58 JST rru142 rru142
      in reply to
      • Hélène
      @helene
      In the end it was never integrated into the IPSec RFCs for good reasons but the whole industry created VPN-Appliances and client software with XAUTH that was completely incompatible between vendors. It was an "industry standard" that never worked and the quality of the (mostly Windows) client software was abysmal.
      (And the software in the appliances was not much better...)
      (Mind you, that was around 2000, but then Windows 2000 and following had (and IMHO still has) quite a clean IPSec implementation... MS abstained from XAUTH for good reasons.)
      In conversation Monday, 12-Sep-2022 08:44:58 JST permalink
      Hélène likes this.
    • Embed this notice
      Hélène (helene@p.helene.moe)'s status on Monday, 12-Sep-2022 08:49:01 JST Hélène Hélène
      in reply to
      • rru142
      @rru142 yeah, that pretty much sounds like what's going on with HTTP signatures :akko_weary:
      In conversation Monday, 12-Sep-2022 08:49:01 JST permalink
    • Embed this notice
      pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 12-Sep-2022 08:49:45 JST pistolero :thispersondoesnotexist: pistolero :thispersondoesnotexist:
      in reply to
      • Hélène
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm
      @helene @kallisti @nyx @pwm

      > it assumes the keyId in the signature is an actor URI.

      Because masto does this terrible "key is actor with an #id but it's JSON and not HTML so what is it even doing here" deal. Not a fan, personally.
      In conversation Monday, 12-Sep-2022 08:49:45 JST permalink
      Hélène likes this.
    • Embed this notice
      Hélène (helene@p.helene.moe)'s status on Monday, 12-Sep-2022 08:55:14 JST Hélène Hélène
      in reply to
      • pistolero :thispersondoesnotexist:
      • ??? 妛彁 :xf_nyxsigil: :xf_nyxdisapproving:
      • pwm

      @p @pwm @kallisti @nyx My guess is that Mastodon expected people to use the given activity’s Actor to discover the associated Actor; which is what Misskey does; but Mastodon doesn’t even do that itself, it removes the fragment from the keyId and uses that as an Actor URI.

      I did bring this up last time I complained about actor discovery and HTTP signatures, and it led to this issue on the Mastodon side of things, which I would think is better behaviour.

      In conversation Monday, 12-Sep-2022 08:55:14 JST permalink
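The keyId handling discussed in Hélène's posts above (string surgery on the keyId versus dereferencing it and following `owner`), as an added Ruby example that is not code from the thread or from any of the projects named. All URIs and documents are constructed, `DOCS` stands in for HTTP fetches, and the step where the owner Actor must list the same key is an assumption of this example, not something the thread specifies.

```ruby
# Constructed documents standing in for fetched JSON (all URIs are placeholders).
def actor_doc(id, key_id, pem)
  { 'id' => id, 'type' => 'Person',
    'publicKey' => { 'id' => key_id, 'owner' => id, 'publicKeyPem' => pem } }
end

def key_doc(id, owner, pem)
  { 'id' => id, 'type' => 'Key', 'owner' => owner, 'publicKeyPem' => pem }
end

DOCS = {
  # Key embedded in the Actor, keyId is the Actor URI plus a fragment.
  'https://a.example/users/alice' =>
    actor_doc('https://a.example/users/alice', 'https://a.example/users/alice#main-key', 'PEM-A'),
  # Key object on a /publickey subpath of the Actor.
  'https://b.example/users/9x/publickey' =>
    key_doc('https://b.example/users/9x/publickey', 'https://b.example/users/9x', 'PEM-B'),
  'https://b.example/users/9x' =>
    actor_doc('https://b.example/users/9x', 'https://b.example/users/9x/publickey', 'PEM-B'),
  # Key object whose URI has no textual relation to its Actor.
  'https://keys.example/k/1' =>
    key_doc('https://keys.example/k/1', 'https://c.example/actor/bob', 'PEM-C'),
  'https://c.example/actor/bob' =>
    actor_doc('https://c.example/actor/bob', 'https://keys.example/k/1', 'PEM-C'),
  # Key object naming an owner that does not list it.
  'https://d.example/k/2' =>
    key_doc('https://d.example/k/2', 'https://a.example/users/alice', 'PEM-X')
}.freeze

def fetch(uri)
  DOCS[uri.sub(/#.*\z/, '')]   # a fragment is never sent to the server
end

# The heuristics from the thread: drop the fragment, drop a trailing
# /publickey, and treat whatever is left as the Actor URI.
def actor_by_string_surgery(key_id)
  key_id.sub(/#.*\z/, '').sub(%r{/publickey\z}, '')
end

# Dereference the keyId. Accept an Actor embedding the key or a stand-alone
# Key object, follow `owner`, then require the owner to list the same key.
def actor_by_dereference(key_id)
  doc = fetch(key_id) or return nil
  key = doc['publicKey'] || doc
  return nil unless key['id'] == key_id && key['owner'] && key['publicKeyPem']
  owner = fetch(key['owner']) or return nil
  listed = owner['publicKey']
  return nil unless owner['id'] == key['owner'] && listed && listed['id'] == key_id
  return nil unless listed['publicKeyPem'] == key['publicKeyPem']
  { actor: owner['id'], pem: key['publicKeyPem'] }
end
```

The two approaches agree on the first two layouts and diverge on the third, where string surgery returns the key URI itself instead of an Actor.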


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.