Conversation

Notices

1. Embed this notice
   Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:31:32 JST Christine Lemmer-Webber 🌀

   If you read the documentation of did:plc, they're actually quite upfront about did:plc's centralization being non-ideal. That's good, I appreciate that. Again, you gotta dig though, and the name misleads (which is, to be fair, the original sin of the DID Working Group)

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:33:01 JST Christine Lemmer-Webber 🌀

     in reply to

     (aside: wow my eyes are getting tired from staring at my monitor while I recap of what was a 24 page blogpost, why do I do this to myself)

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:34:48 JST Christine Lemmer-Webber 🌀

     in reply to

     Aside from being irritated about the name misleading, I don't mind the centralization of did:plc too much (other things, I am more concerned about, we'll get there)

     There's one organization that can be queried via their API that keeps a definitive list of certificate and their updates

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:37:42 JST Christine Lemmer-Webber 🌀

     in reply to

     In theory, once a DID is registered with Bluesky, it cannot be altered by Bluesky, because a cryptographic update from the original key is necessary; it's a certificate chain, a good design

     Bluesky can refuse to share did:plc documents or their updates, but it can't manufacture updates

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:38:49 JST Christine Lemmer-Webber 🌀

     in reply to

     This is pretty good tbh, it lowers the stakes a lot to have certificate chains

     I love certificate chains, certificate chains are great

     Honestly, having a centralized registry for them, it's not the best but it's not the worst (aside from that damn naming thing)

     However...

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:40:11 JST Christine Lemmer-Webber 🌀

     in reply to

     There are some strange, strange things about did:plc that heightens the centralization concerns and, well

     I'm not a cryptographer, but some of my good friends are cryptographers, etc etc. I got some... reactions to what is to follow

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:42:32 JST Christine Lemmer-Webber 🌀

     in reply to

     The first strange thing to me is that did:plc uses sha256 and, AFAICT, not sha256d (which is really just running sha256 again over the hash). Unless I am missing something? Am I wrong?

     Maybe it's not a concern because of doc parsing but it's best practice to protect against length extension attacks

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:44:10 JST Christine Lemmer-Webber 🌀

     in reply to

     The next concerning thing is that did:plc truncates the hash to just *15 bytes* of entropy.

     I'm... again I'm not a cryptographer, but why throw away all that delicious entropy? So the did fits in 32 characters? Weird choice, and it means collisions are cheaper

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:47:01 JST Christine Lemmer-Webber 🌀

     in reply to

     This is public information, I don't need to file a CVE to tell you about the truncation of entropy. I am, again, not a cryptographer. Maybe it's fine?

     I do remember the Debian short IDs fiasco tho https://gwolf.org/2016/06/stop-it-with-those-short-pgp-key-ids.html

     Why not hold onto all the entropy you can get?

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:48:15 JST Christine Lemmer-Webber 🌀

     in reply to

     DIDs weren't meant to be seen by the user; cryptographic identifiers in general *shouldn't be*, they should be encapsulated in the UI.

     We'll get to UI stuff in a bit.

     I just don't understand this decision though, it just seems weird to me but maybe a cryptographer will tell me it's fine, actually

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:50:30 JST Christine Lemmer-Webber 🌀

     in reply to

     At any rate, I continue to not understand it, maybe it's fine, but it did play a part in that "Hijacking Bluesky Identities with a Malleable Deputy" blogpost, which is fascinating and, unlike me, is written by a Real Cryptographer (TM) https://www.da.vidbuchanan.co.uk/blog/hacking-bluesky.html

     Good post btw

   • Embed this notice
     Liliane Fontenot (fontenot@mastodon.social)'s status on Saturday, 23-Nov-2024 05:51:21 JST Liliane Fontenot

     in reply to

     @cwebber

     Shouldn't this be 20 bytes? There are 32 characters, and each character is base32, or 5 bits. So 160 bits?

     I don't *think* there's a huge concern over this, because while maybe you could do a birthday collision attack in 80 bits, this wouldn't really get you much and wouldn't let you take over someone else's account. For that you'd need a pre-image attack on the whole 160 bits.

     *Also not a cryptographer!!*

     Christine Lemmer-Webber 🌀 repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:51:21 JST Christine Lemmer-Webber 🌀

     in reply to

     @fontenot no because the 32 characters includes the "did:plc:"

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:54:55 JST Christine Lemmer-Webber 🌀

     in reply to

     One way in which the truncation shows up in that blogpost which I thought was curious is that the attack involved generating a *longer* truncated hash

     The fix ended up resulting in codifying the hash length: 24 characters, and no longer https://github.com/did-method-plc/did-method-plc/pull/31

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:56:41 JST Christine Lemmer-Webber 🌀

     in reply to

     There's another thing about that blogpost that caught my attention. I will just quote it:

     > However, there's one other factor that raises this from "a curiosity" to "a big problem": bsky.social uses the same rotationKeys for every account.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:57:29 JST Christine Lemmer-Webber 🌀

     in reply to

     > This is an eyebrow-raising decision on its own; apparently the cloud HSM product they use does billing per key, so it would be prohibitively expensive to give each user their own. (I hear they're planning on transitioning from "cloud" to on-premise hosting, so maybe they'll get the chance to give each user their own keypair then?)

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 05:58:46 JST Christine Lemmer-Webber 🌀

     in reply to

     Anyway that's the quote and presumably this must be changed. I haven't looked, but I can't imagine they're still doing this today (are they?) but the fact that only one key was ever used in production for expense purposes is a strange decision

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:01:02 JST Christine Lemmer-Webber 🌀

     in reply to

     At any rate, that decision was used to create a kinda confused deputy-ish attack, which is why it came up in the blogpost, and anyway, hi, I'm not a cryptographer, momentary reminder that I am not a cryptographer, but I have designed cryptographic certificate chains and I was pretty shocked by that

     Raphael Lullis repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:02:24 JST Christine Lemmer-Webber 🌀

     in reply to

     At any rate, one way or another, you can presumably use did:plc to move yourself from one server to another so in the interest of "credible exit" this is a good choice

     Though, one might take a moment to ask: who controls the keys if you *do* want to move?

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:05:11 JST Christine Lemmer-Webber 🌀

     in reply to

     Bluesky has identified, I'd say correctly even, that key management for users is an *incredibly* hard thing to do.

     But the solution, once again, ends up pretty centralized: for all users on Bluesky's main servers at least, Bluesky generates and manages the keys for them.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:07:03 JST Christine Lemmer-Webber 🌀

     in reply to

     I am, once again, kinda sympathetic and kinda unsettled simultaneously.

     - Sympathetic: key management *is* hard and we just don't have the UX answers to solve that, and Bluesky is once again trying to deliver to Twitter refugees
     - Unsettled: it's centralized, but... there's something *more* troubling

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:08:51 JST Christine Lemmer-Webber 🌀

     in reply to

     The big promise here, the "credible exit" side of things is that for most users, the vision they have is that if Bluesky gets bought by a big evil company, no problem, move somewhere else

     But for those same users, Bluesky still *controls their keys* and thus *controls their destiny*

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:11:03 JST Christine Lemmer-Webber 🌀

     in reply to

     Regardless, Bluesky has this "your domain is your id!" thing, and that's pretty cool, the domain maps to your DID and your DID maps to your domain

     Well, I'm not gonna get into this in detail here, I do on the blogpost if you wanna read it but, the cyclic dependency might be an actual cycle

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:12:45 JST Christine Lemmer-Webber 🌀

     in reply to

     tl;dr on that UX part:

     - users only know domains, they don't know the DIDs
     - turns out that's a phishing attack when those can change at any time
     - if bsky.app ever goes down how do you actually know I *really* mapped to that name
     - and a whole lot of "liveness" problems that enter there

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:13:29 JST Christine Lemmer-Webber 🌀

     in reply to

     in addition to this long-ass thread there is a long-ass article and if you care about things like "zooko's triangle" maybe read that version, the rest of y'all can move on we've got other stuff to cover here

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:16:26 JST Christine Lemmer-Webber 🌀

     in reply to

     It is time for TEA BREAK 2: THE REHEATENING

     I will also go to the bathroom

     TMI? If you've read this far into this weird thread I am already giving you too much info

     === TEA BREAK 2 ===

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:25:55 JST Christine Lemmer-Webber 🌀

     in reply to

     I have returned, with tea

     I am still not reading notifications. Well, I have seen a few fly by on the fediverse which is blipping and blooping nonstop in the Mastodon UI so people are clearly reading it there

     Bluesky says "30+". How big is the +?? I will resist temptation to look and assume "31"

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:28:57 JST Christine Lemmer-Webber 🌀

     in reply to

     "Where are we going with this Christine?"

     Well you could have just read the blogpost but 3 more sections remain, we are approximately 2/3 there

     I know, bear with me, what is left is:

     - What should the fediverse do?
     - Preparing for the organization as a future adversary
     - Conclusions

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:30:21 JST Christine Lemmer-Webber 🌀

     in reply to

     Yes, I changed the order of the remaining sections, not from the blogpost but from the last time I said what was left on this thread

     pray I do not reorder them again

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:32:32 JST Christine Lemmer-Webber 🌀

     in reply to

     Before we get into the next section, earlier I left an easter egg, which you could quote post and say "I found the easter egg" or something

     Now you can put 2 eggs

     I 2 was once an egg

     (Look I specifically transitioned so I could never be accused of making dad jokes again so that does not qualify)

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:34:20 JST Christine Lemmer-Webber 🌀

     in reply to

     Alright you've heard enough critiques of Bluesky for a bit and I SAID I was gonna critique the fediverse and I am a WOMAN OF MY WORD

     So let's get into it!

   • Embed this notice
     Hollie (hollie@social.coop)'s status on Saturday, 23-Nov-2024 06:36:22 JST Hollie

     in reply to

     @cwebber <grabs popcorn> :)

     No but seriously this thread is great, thank you so much for writing this! I'm learning a lot

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:36:51 JST Christine Lemmer-Webber 🌀

     in reply to

     I have actually critiqued ActivityPub and the fediverse a lot! I have kind of never stopped critiquing it, ever since the spec was released. There's a lot that can be improved!

     I have even gotten criticism from AT LEAST ONE ActivityPub spec author for critiquing AP-as-deployed but I do anyway

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:38:37 JST Christine Lemmer-Webber 🌀

     in reply to

     Actually something that is funny about ActivityPub is that there's "ActivityPub the spec", which I think is pretty solid for the most part, and "ActivityPub-as-deployed"

     Many of the critiques I'm about to lay out we left holes in the spec for which I hoped would be filled with the right answers

     Life is Tetris repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:40:40 JST Christine Lemmer-Webber 🌀

     in reply to

     One thing we have already discussed so, before I will say anything else, I will repeat: content addressing is really good, and I'd like to see it happen in ActivityPub, and it's *possible to do*, I even wrote a demo of it https://gitlab.com/spritely/golem/blob/master/README.org

     Bluesky does the right thing here, AP should too

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:42:20 JST Christine Lemmer-Webber 🌀

     in reply to

     Content addressing is important. It should not matter where content "lives". It should be able to live anywhere.

     A server should be able to go down, and content should survive.

     Go content addressing!

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:43:37 JST Christine Lemmer-Webber 🌀

     in reply to

     Actually with this and several other things I am going to bring up, I actually made sure there was space to do things right: there was a push to make ActivityPub "https-only"

     I pushed back on that, I didn't want that requirement, and it was exactly for this reason: enabling content addressing

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:45:25 JST Christine Lemmer-Webber 🌀

     in reply to

     This isn't the only time I left a critique of ActivityPub-as-Deployed as opposed to ActivityPub-as-it-could-be: see also OCapPub, which critiques the anti-abuse tools of AP as inadequate and leading to "the nation-state'ification of the fediverse" https://gitlab.com/spritely/ocappub/blob/master/README.org

     Oh, and ocaps!!!

     bhaugen repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:46:54 JST Christine Lemmer-Webber 🌀

     in reply to

     ActivityPub left giant holes in the spec around two things which sound the same but which are not the same: Authentication and Authorization

     Trying to mix these two, you accidentally get ACLs, and then you get confused deputies and ambient authority, plagues of the security world

     bhaugen repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:48:29 JST Christine Lemmer-Webber 🌀

     in reply to

     • The Spritely Institute

     Anyway, if you know *anything* about me, you know I am a big fan of capability security (ocaps) and that's the foundation of our work over at @spritely

     But we will come back to ocaps in a second because it turns out OCapPub is not the only time I proposed AP + ocaps!

     bhaugen repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:53:17 JST Christine Lemmer-Webber 🌀

     in reply to

     The other time I wrote about ActivityPub + ocaps was in a proposal to, yes, Twitter's Bluesky process in 2020 with @jay.bsky.team titled... "ActivityPub + OCaps"! https://gitlab.com/-/snippets/2535398

     I think that document laid out all the right ideas for *the fediverse* (not saying bsky, the fediverse)

     dave repeated this.
   • Embed this notice
     Rocketman (slothrop@chaos.social)'s status on Saturday, 23-Nov-2024 06:55:50 JST Rocketman

     in reply to

     @cwebber Real ActivityPub has never been tried

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:56:18 JST Christine Lemmer-Webber 🌀

     in reply to

     • The Spritely Institute

     Now I want to be clear here that I *don't* think that proposal was necessarily the right one for Bluesky, and I *do* think Jay Graber *was* the right person to lead Bluesky

     What I wanted to do required a lot more research, and we have done that over at @spritely instead

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 06:58:54 JST Christine Lemmer-Webber 🌀

     in reply to

     The reason I bring up the proposal here is that I think it has all the right analysis of *what the fediverse should do*, if it was going to rise to the challenge of fulfilling its true potential

     So let me lay out what the things in that proposal were:

     bhaugen repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:01:43 JST Christine Lemmer-Webber 🌀

     in reply to

     Here is your recipe for making the "Correct Fediverse IMO (TM)":

     - Integrate ocaps, which is possible because actor model + ocaps compose
     - Content addressed storage!
     - Decentralized identity (notice the *y*, I did not say DIDs) on top of ~mutable CAS storage
     - Petname system UX

     (cotd...)

     bhaugen repeated this.
   • Embed this notice
     Rocketman (slothrop@chaos.social)'s status on Saturday, 23-Nov-2024 07:01:54 JST Rocketman

     in reply to

     People complain about threading on Mastodon not working right, and @cwebber is just out there like

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:03:51 JST Christine Lemmer-Webber 🌀

     in reply to

     (cotd ...)

     - Better anti-spam / anti-harassment using OCapPub ideas
     - Improved privacy with E2EE ("encrypted p2p" even a better goal)

     Whew! An improved fediverse?

     "Uh, Christine, this sounds like a lot, do you think the fediverse can take this on?"

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:08:40 JST Christine Lemmer-Webber 🌀

     in reply to

     Spec-wise in ActivityPub, I think it's possible. The ecosystem, as deployed? I think the ecosystem can and will only do part of it, if we really get everyone excited, maybe the content addressed storage and decentralized identity parts, in which case the fediverse will also survive nodes going down

     bhaugen repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:12:53 JST Christine Lemmer-Webber 🌀

     in reply to

     The ocap stuff, I tried getting fediverse implementers excited about this and tbh, it's pretty hard to design into a Ruby on Rails or Django style framework and mindset. Backporting the right designs to existing systems is a real challenge.

     Especially ocaps need to go bottom-up.

     dave repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:14:22 JST Christine Lemmer-Webber 🌀

     in reply to

     • The Spritely Institute

     For this reason, @spritely's tech looks like it's very focused on computer science'y low-level BS, but that's actually because it's *too hard to build the systems I want right now on top of current technology*, we need stronger foundations

     But people have to build for today too

     anban and Raphael Lullis repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:16:08 JST Christine Lemmer-Webber 🌀

     in reply to

     Let's leave the ocap stuff to the side for now, then. Let's focus on what Bluesky and the fediverse have to learn from each other.

     - The fediverse should adopt content-addressed storage and decentralized identity
     - Bluesky should adopt real, actual federation and decentralization

     bhaugen and esmevane, sorry repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:18:41 JST Christine Lemmer-Webber 🌀

     in reply to

     • blaine

     For this reason @blaine says of both ActivityPub done right and Bluesky done right, "they're the same picture" (The Office meme goes here, yes)

     To a large degree, I think @blaine is right

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:21:43 JST Christine Lemmer-Webber 🌀

     in reply to

     Of course, adapting an existing system as deployed isn't easy.

     I will say though that I think if Bluesky were to become *actually decentralized* it would look a lot like ActivityPub in terms of having directed messaging. This will also introduce similar challenges around eg replies, etc.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:23:52 JST Christine Lemmer-Webber 🌀

     in reply to

     To the end of the fediverse, perhaps I sound bitter, "they didn't adopt ActivityPub the way *I* saw it!"

     The truth is that Mastodon didn't, but Mastodon also saved ActivityPub. It then painted a vision of the future that wasn't, at least, what Jessica Tallon and I expected of it. But it saved AP.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:25:37 JST Christine Lemmer-Webber 🌀

     in reply to

     The fediverse and Bluesky, at great effort, could learn a lot from each other in the immediate term.

     In the longer term, neither is implementing the ocap vision I think is critical for the big vision, and in a way, I think maybe neither can be easily rearchitected to achieve it. Well, not yet.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:27:06 JST Christine Lemmer-Webber 🌀

     in reply to

     When I laid out the ideas of OCapPub to various fediverse developers, the response was "this sounds cool but I have *no idea* how to retrofit a Rails/Django app for this kind of actor-oriented design".

     And they were right.

     Remember when I said Conway's Law flows in both directions?

     Rocketman repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:29:17 JST Christine Lemmer-Webber 🌀

     in reply to

     Conway's Law says that a technical architecture reflects the social structure under which it was built. But the reverse is also true. The social structures *we can have* are made possible by the affordances of the tools we have available.

     "Tech problems/social problems": false dichotomy.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:31:14 JST Christine Lemmer-Webber 🌀

     in reply to

     It's for that reason that @spritelyinst.bsky.social, while aiming for a *socially collaborative* revolution, is first focusing on a *technical* revolution.

     It's too hard to build massively, securely collaborative tools right now. With Spritely's tools, p2p ocap secure tech is the *default output*.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:33:00 JST Christine Lemmer-Webber 🌀

     in reply to

     Remember when I said that IMO @jay.bsky.team is the right person to lead Bluesky and that I am sympathetic with many design decisions of Bluesky (even if critical of them for being non-decentralized)?

     Bluesky is building what they can for a scale big objective. The tech flows from goals.

     Rocketman repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:34:27 JST Christine Lemmer-Webber 🌀

     in reply to

     So too does the social structure flow from the tech. It does on Bluesky, and it does on the fediverse.

     I won't elaborate further on this, I actually would like you to pause and think about it. In which ways are tech and social systems bidirectional, here and otherwise? It's important.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:37:04 JST Christine Lemmer-Webber 🌀

     in reply to

     • The Spritely Institute

     The vision laid out for the fediverse, both independently in my writings and even in Jay Graber and I's joint proposal... well, it's a big lift.

     @spritely would like to see if we can retrofit our version onto ActivityPub. Time will tell if that's a separate thing.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:38:49 JST Christine Lemmer-Webber 🌀

     in reply to

     And perhaps this is all my *massive* Cassandra complex speaking. I won't deny that I have one, for better or worse

     Still, despite all I have said about both Bluesky and the fediverse technically, it is because I want a hopeful direction for all of us. Secure collaboration. More important than ever.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:40:39 JST Christine Lemmer-Webber 🌀

     in reply to

     Let's take another tea break. (And another bathroom break. This teacup is massive.) We're getting close to done, I promise. Just two sections left, they're both much shorter.

     Then I can finally brave reading my notifications.

     Maybe.

     == TEA BREAK THE THIRD: BEVERAGE TRIFORCE ==

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:55:57 JST Christine Lemmer-Webber 🌀

     in reply to

     Hello, I am back again. Did you miss me? I still am not reading notifications.

     Help I started writing this summary at 11am and it is now 6pm here I have wasted a whole day of work

     But I have tea, and I also flossed my teeth, and it is time to resume this thread. If you are here, you know why.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 07:58:43 JST Christine Lemmer-Webber 🌀

     in reply to

     • Evan Greer

     Before we go any further, earlier I mentioned the US House of Representatives, and here I am giving a MASSIVE content warning for transphobia

     But @evangreer is the coolest fucking person for standing up to Rep. Mace at the Project Libery summit https://www.fightforthefuture.org/news/2024-11-21-transgender-digital-rights-activist-confronts-hate-monger-rep-nancy-mace-at-internet-summit/

     mark repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:00:38 JST Christine Lemmer-Webber 🌀

     in reply to

     • Evan Greer
     • Fight for the Future

     What I am trying to say is I don't have many heroes but @evangreer is absolutely a heroine of mine

     You should donate to @fight they are some of the only people doing sensible advocacy against terrible internet laws

     Also fuck TERFs

     But anyway

     Rocketman repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:02:10 JST Christine Lemmer-Webber 🌀

     in reply to

     Also you have reached it: the third secret egg

     You have now collected the egg triforce and can defeat Gender Ganon

     If you want to

     The power was in you all along

     But let's continue.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:04:25 JST Christine Lemmer-Webber 🌀

     in reply to

     It's time, we have reached the second to last section: "Preparing for the organization as a future adversary."

     I love this one because I love that phrase, and the best part is that the Bluesky team came up with it, "the organization is a future adversary". It's genuinely good and self reflective

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:07:00 JST Christine Lemmer-Webber 🌀

     in reply to

     Occasionally an org creates a phrase like this, and back in the day Google had "Don't be evil"

     And yeah, people criticize Google for never having been sincere but it gave an opportunity for people inside and outside the organization to critique Google on its own stated values. That was good.

     Rocketman repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:08:53 JST Christine Lemmer-Webber 🌀

     in reply to

     It was *at least* good insofar as the moment Google retired the phrase as never really meaning anything anyway, as evil as Google may have been before, Google got *noticably* worse.

     To Bluesky people internally: keep that phrase going as long as you can, and use it reflectively.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:10:33 JST Christine Lemmer-Webber 🌀

     in reply to

     As opposed to Google's "Don't be evil", a commandment for the everpresent, "the organization is a future adversary" acknowledges the realities of the future, that it is uncertain, and in fact, that power-dynamics-wise, there will be pressure to make things worse.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:12:48 JST Christine Lemmer-Webber 🌀

     in reply to

     Making design decisions in the present which guard against the future is one of the most important things we can do. It is one of the most important reasons to choose FOSS licenses, for instance, which provide an exit plan and also counterbalance against temptation to enshittify a project.

   • Embed this notice
     Rocketman (slothrop@chaos.social)'s status on Saturday, 23-Nov-2024 08:17:28 JST Rocketman

     in reply to

     @cwebber You have given me - and all of us - an excellent exploration of ActivityPub and Bluesky. For me, it’s the best one I’ve read on here, period.

     So no, you haven’t “missed a day of work”. Quite to the content, you’ve done a good day’s work, and then some.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:18:34 JST Christine Lemmer-Webber 🌀

     in reply to

     To this end, Bluesky's goals of "credible exit" are actually very important. It creates a similar pressure for the organization itself to stay true as long as it can, even acknowledging the organization as a future adversary, and actually preparing for it.

     I am pro-Bluesky-credible-exit.

     anban repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:20:31 JST Christine Lemmer-Webber 🌀

     in reply to

     And there *will* be a lot of pressure: Bluesky has taken VC money as investments; the pattern of such is that early on, things are very good and flexible, and after some time, the investors start placing pressure to enshittify.

     I have seen good peoples' orgs clawed from their hands. It happens.

     anban repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:22:23 JST Christine Lemmer-Webber 🌀

     in reply to

     This happens despite the very best people with the very best intentions. Talk to early Twitter co-founders and they will tell you the org that things became was not the org that they envisioned.

     A future adversary indeed. So we should plan for it today.

     Rocketman repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:23:59 JST Christine Lemmer-Webber 🌀

     in reply to

     Before we continue further, I have done about every job imaginable in a FOSS project/organization. Fundraising, by far, is the worst, and the most stressful.

     It's incredibly hard to raise anything to do anything. I think that's worth acknowledging.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:26:50 JST Christine Lemmer-Webber 🌀

     in reply to

     • The Spritely Institute

     The structure of an organization does matter. There's a reason that @spritely is a 501(c)(3) in the US. Any money we take in is a donation: we aren't "delivering on an investment" (though we must deliver on *results*)

     Bluesky is a Public Benefit Corporation, also interesting

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:29:07 JST Christine Lemmer-Webber 🌀

     in reply to

     A Public Benefit Corporation has a mission for the public good, but can take investments in the way a nonprofit cannot. This also means it can move much faster. Given the influx of users to Bluesky, taking investments this way may have been the only load handling route available this fast.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:29:38 JST Christine Lemmer-Webber 🌀

     in reply to

     Again, this is all tuned to "What is Bluesky trying to build?"

     Bluesky might not be a good "decentralized Twitter replacement", but it is a good "Twitter replacement" with the possibility of "credible exit"

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:30:56 JST Christine Lemmer-Webber 🌀

     in reply to

     That Bluesky is providing needs for many users who are looking for refuge from a white supremacist site *today* is something to pause and acknowledge the difficulty and scope of doing so quickly and in the moment. I'm glad Bluesky is here at this stressful geopolitical moment in history.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:32:27 JST Christine Lemmer-Webber 🌀

     in reply to

     There will be a lot of pressure soon from investors: run ads, make premium accounts that do not actually make sense in a decentralized way, so on and so on.

     In this way, "credible exit" is the most important thing for Bluesky the organization and its community to push on *today*

     BeAware repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:34:47 JST Christine Lemmer-Webber 🌀

     in reply to

     What I will *not* accept is the goalposts being moved on decentralization and federation. Bluesky is neither decentralized nor federated.

     If Bluesky wants to become so, it has an enormous amount of work to do, particularly in terms of architectural design.

     Blogs are decentralized, Google is not.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:38:01 JST Christine Lemmer-Webber 🌀

     in reply to

     Bluesky will face every pressure to be enshittified. Bluesky has even, correctly, acknowledged this. It is up to Bluesky and its community to rise to the challenge of "credible exit" knowing that this is a likely, perhaps inevitable, risk.

     The org is indeed a future adversary. So what now?

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:39:13 JST Christine Lemmer-Webber 🌀

     in reply to

     And here it is. We have reached the final part.

     I am not even going to take a tea break. I am not even going to go to the bathroom. I kinda have to, but we are powering through.

     We have reached the conclusion of this megathread, and "summary" of an equally long article.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:41:26 JST Christine Lemmer-Webber 🌀

     in reply to

     I laid out definitions of "decentralization" and "federation", and Bluesky meets neither, without major rearchitecting or moving the goalposts on those terms, which I cannot accept.

     However, "credible exit" is a good goal for Bluesky. Bluesky created that term and it's a good and feasible goal.

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:43:21 JST Christine Lemmer-Webber 🌀

     in reply to

     I laid out a strong critique, but let me end on a call to empathy.

     Bluesky is built by good people, and the fediverse is built by good people. Neither reflect the designs I presently would like to see today, but ultimately these are built by humans trying their absolute hardest.

     Mr. Bill and Janneke repeated this.
   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Saturday, 23-Nov-2024 08:44:46 JST Christine Lemmer-Webber 🌀

     in reply to

     The infrastructure we build reflects our social dynamics, and our social dynamics are made possible by our infrastructure.

     This thread has been long, and I have said everything I have to say. Thanks for listening. I hope we can build a good future for each other. 💜

   • Embed this notice
     𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧) (serapath@mastodon.gamedev.place)'s status on Saturday, 23-Nov-2024 17:04:05 JST 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     in reply to

     • David Bruchmann

     @DavidBruchmann @cwebber

     its just a question.
     i have rarely seen such long statements and i just wonder 🙂

     i am not disagreeing with what she said, but it is long and way too polite imho.

     apart from that, the connection i can see is spritely cofounded by randy farmer, friend of chip morningstar and mark miller and ocap being used in agoric, which is chip morning star and mark miller... built on top of cosmos, which is web3.

     Bluesky is web3 as well as stated by the CEO of bluesky, thus - same

   • Embed this notice
     David Bruchmann (davidbruchmann@mastodon.world)'s status on Saturday, 23-Nov-2024 17:04:06 JST David Bruchmann

     in reply to

     • 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     @serapath

     I think to counter or criticize @cwebber you've to come forward with something technical as long as you can't prove a big money-flow.

     Life is Tetris repeated this.
   • Embed this notice
     𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧) (serapath@mastodon.gamedev.place)'s status on Saturday, 23-Nov-2024 17:04:07 JST 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     in reply to

     @cwebber

     Why give them soooooo much space?
     Why talk soooo much about bluesky?

     Did they pay you for it?
     I havent seen you do this for other platforms, especially when mastodon and even nostr exist that are way more decentralized. It seems kinda weird and unexpected 🤷

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Sunday, 24-Nov-2024 00:38:01 JST Christine Lemmer-Webber 🌀

     in reply to

     • Alessio :linux:

     @dottorblaster yes the agent and the book are both called "my blog"

   • Embed this notice
     Alessio :linux: (dottorblaster@fosstodon.org)'s status on Sunday, 24-Nov-2024 00:38:02 JST Alessio :linux:

     in reply to

     @cwebber did you already get yourself an agent to turn this into a book?

   • Embed this notice
     Christine Lemmer-Webber 🌀 (cwebber@social.coop)'s status on Sunday, 24-Nov-2024 00:40:45 JST Christine Lemmer-Webber 🌀

     in reply to

     • Canageek

     @Canageek yes

   • Embed this notice
     Canageek (canageek@wandering.shop)'s status on Sunday, 24-Nov-2024 00:40:47 JST Canageek

     in reply to

     @cwebber Would I be allowed to call them Mom jokes then?

   • Embed this notice
     lizard appreciator (bonzoesc@m.bonzoesc.net)'s status on Sunday, 24-Nov-2024 00:41:22 JST lizard appreciator

     in reply to

     @cwebber “i still am not reading notifications” 👑👑👑

   • Embed this notice
     mark (atleagle@mastodon.online)'s status on Sunday, 24-Nov-2024 01:10:23 JST mark

     in reply to

     @cwebber i skipped replying to the second egg, because I had no idea how far I was going to continue scrolling. Now I still have to roll back to find some links and then on to the 24 page blog post (I'm not entirely certain if that can be a thing)

     Oh well, egg 3

   • Embed this notice
     praveen (pravee_n@mastodon.social)'s status on Sunday, 24-Nov-2024 02:54:39 JST praveen

     in reply to

     • 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     @serapath @cwebber mastodon.social is the biggest instance out there. What happens if someone like musk bought it? What are my options?

     Hyolobrika repeated this.
   • Embed this notice
     𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧) (serapath@mastodon.gamedev.place)'s status on Sunday, 24-Nov-2024 02:54:39 JST 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     in reply to

     • praveen

     @pravee_n @cwebber

     the option is to kove to nostr.

     move to p2p.
     move beyond the fediverse.

     the flaws of the fediverse are known since email.

   • Embed this notice
     𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧) (serapath@mastodon.gamedev.place)'s status on Sunday, 24-Nov-2024 02:54:40 JST 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     in reply to

     • praveen

     @pravee_n @cwebber

     bluesky can be bought.
     mastodon cant, but federating with the big corporate backed ones and lobbying, maybe buying big instances allows big money to defederate with small instances, cutting off the vast majority of big instance users from the rest.

     it is the same power gmail and other big ones have over small email providers.

     they can filter/block you from talking to the users on big email providers, making is slightly inconvenient for those, but unusable for independents

   • Embed this notice
     praveen (pravee_n@mastodon.social)'s status on Sunday, 24-Nov-2024 02:54:41 JST praveen

     in reply to

     • 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     @serapath @cwebber The sign in experience and finding or following people on mastodon or fediverse is not a good ux. It’s a subject matter for many people. May be not for you. And you really think mastodon can’t be bought? Hypothetically what happens if musk bought mastodon.social?

   • Embed this notice
     praveen (pravee_n@mastodon.social)'s status on Sunday, 24-Nov-2024 02:54:42 JST praveen

     in reply to

     • 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     @serapath @cwebber Why not give them space? Bluesky is the best social networking site currently for most people. Why are you even thinking that she’s got paid for it?! I use bluesky and it’s a very well designed platform. Most people should use it instead of twitter. No platform on the fediverse that i know has a user-friendly design. For a large flux of users bluesky is best suited for them and its ok to talk about them!

   • Embed this notice
     𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧) (serapath@mastodon.gamedev.place)'s status on Sunday, 24-Nov-2024 02:54:42 JST 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     in reply to

     • praveen

     @pravee_n @cwebber

     lol.
     why not go and stay on X or facebook then?

     oh maybe because they are run by musk and zuck? ...twitter wasnt until it got bought and that can happen to bluesky as well. they will also add ads, they already announced. enshittification is guaranteed.

     UI/UX on mastoson is great. tou say the vluesky one is better? thats really subjective. ...so kinda decentralization matters when it comes to FB and X ...but once it comes to nostr/blsky.. then its UX?

     isnt that funny?

   • Embed this notice
     praveen (pravee_n@mastodon.social)'s status on Sunday, 24-Nov-2024 03:15:25 JST praveen

     in reply to

     • 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     @serapath @cwebber So suppose a journalist or an artist who has thousands of followers and years of content here on mastodon just move? What about the content?

   • Embed this notice
     𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧) (serapath@mastodon.gamedev.place)'s status on Sunday, 24-Nov-2024 03:15:25 JST 𝓼𝓮𝓻𝓪𝓹𝓪𝓽𝓱【ツ】☮(📍🇬🇧)

     in reply to

     • praveen

     @pravee_n @cwebber
     mastodon is anyway new.
     i have seen ppl cross post from mastodon to nostr.

     https://mostr.pub/

     swiching always costs, thats why it is so important to switch to where you dont risk of having a future musk rug pull your experience 🙂

     Hyolobrika likes this.
   • Embed this notice
     bread (breadcattt@social.vivaldi.net)'s status on Sunday, 24-Nov-2024 03:59:09 JST bread

     in reply to

     • Rocketman

     @slothrop @cwebber what client is that btw

   • Embed this notice
     bread (breadcattt@social.vivaldi.net)'s status on Sunday, 24-Nov-2024 04:19:52 JST bread

     • Rocketman
     • Phanpy

     @slothrop @cwebber @phanpy neat, I've just been on moshidon (and pwa for cherrypick) since Im mainly on android

   • Embed this notice
     Dmitri | 🇺🇦 (dmitri@social.coop)'s status on Monday, 25-Nov-2024 01:51:32 JST Dmitri | 🇺🇦

     in reply to

     • bengo

     @cwebber Hey, for what it's worth. @bengo and i are working on exactly that for the Fediverse! We've got the FEPs written, a content-addressed zCap powered storage backend MVPd, and are now working on fedi integrations!