Notices by Julian Lam (devnull@crag.social)

@evan @pfefferle I was wondering how Megalodon did it (or maybe it's via Mastodon API)... I always figured that maybe Mastodon saved a list of domains corresponding to known instances, but wasn't 100% sure.

I'm honestly a little glad it's NOT that hacky.

@evan @pfefferle is there a way to do it without having to load the whole page?

I'm thinking through how my app would know to load a resource via AP instead of a browser navigation, but if the step to determine that requires... a browser navigation, then what even is the point?

I have to be missing something, right?

@evan @pfefferle does this mean that if I add this link tag to my pages, then implementors (should they look for it) could elect to load that content internally? (And vice versa?)

Can an instance operator running a derivative of Misskey (Sharkey, firefish, or maybe even Misskey itself) get in touch with me? I can't seem to federate with that entire pie of the fediverse... 401 Unauthorized 😬

Alternateively, if you've run into this type of issue before, any tips? Heh.

#fediadmin #activitypub

You know what @J12t or @Identitywoman need to do? Send out a formatted csv file of everybody who provided a fediverse handle, so you can import it into Mastodon in one fell swoop and follow everybody all at once 😂

#fediforum

@dansup awesome news, fellow Canuck 🇨🇦

Do you mind sharing any pitfalls or stumbling blocks you encountered?

@jerry honestly I think fedi might've dodged a bullet there.

Approaching open federation is a tricky subject, and it seems like Threads isn't rushing in and breaking things like they used to say 😏

Pleasantly surprised.

Spent most of the workday today adding in hostname checks to the NodeBB-ActivityPub integration in order to improve security. There's much to reflect on with the recent vulnerability disclosures, and many lessons to learn.

It absolutely sucks that Mastodon and Pixelfed contained these vulnerabilities, but their public disclosure allows the rest of the fediverse to learn from their mistakes and publish better software.

#nodebbActivityPub

🙄

No matter the reason, and despite how silly the reason, it's these stress tests that expose weak spots and allow us to improve.

I look forward to joining a more spam-resilient fedi soon 😈

https://cyberplace.social/@GossiTheDog/111954920343204483

#fedi #spam

@liaizon as you alluded to in your reply, WP gets around this by assuming type as:Note which I disagree with from a protocol fragmentation standpoint. It implicitly acknowledges Mastodon as the dominant #ActivityPub player with clout to change the behaviour of others, and I stand against it.

#nodebb will send type as:Page (like #lemmy and #kbin), and we will work with @article_interop (and hopefully @pfefferle) to encourage Mastodon to handle it properly by modelling the appropriate behaviour.

@liaizon @article_interop @pfefferle my understanding is that if Mastodon doesn't recognize the type it just falls back to showing title and url, which is a sane default. Not everything is meant to be parsed like a note.

So I get their direction here, but the knock-on effect on other implementors is signalling that some additional thought is required here.

At an in-office session with the #nodebb team, talking #ActivityPub

There are some hard questions to answer, such as:

- how to scalably introduce the concept of ACL at the post/toot level.
- how to educate about the #fediverse in a user-friendly way
- how to solve the "empty home feed" problem
- how do we handle #GDPR compliance when federating in and out?
- how do we improve on "newest to oldest" without introducing a corruptible algorithm?

@nodebb is all in on fedi. Let's make it work.

It seems this happens occasionally on #fedi where malicious users decide to take advantage of instances with poor moderation to spam widely.

There are many solutions, but let me offer a simple change that stops spam dead in its tracks:

#nodebb has a post queue built in. If you have 0 reputation, you need your post to be manually approved. You can adjust this as needed, but even the default (allow regular posting after 1 upvote) is sufficient. Stops 👏spam 👏 cold 👏.

#fediblockmeta #mastoadmin

@steve is email the "right" mental abstraction, or is it just the most convenient?

Even *during* the advent of email, "to", "cc", and "bcc" seemed oddly outdated, but that's because it too, came from something before it.

Nowadays with fine-grained permissions and ACLs baked into a lot of the software we already use, stuffing it into a recipient list seems awkward at best.

My #nodebbActivityPub implementation now handles incoming boosts, but I haven't gotten around to pruning stale content that wasn't interacted with... and I also followed @lisamelton, so I guess it's a race against time to either implement content pruning, or my hard drive fills up with her boosts. 🤷

#activitypub

@evan this open issue raises similar questions and @trwnh advocated for sending a separate activity for the bto/bcc'd user

https://github.com/w3c/activitypub/issues/326

For simplicity's sake, disallowing bto/bcc in S2S seems wise.

If blind recipients are omitted then it presents a real problem in S2S communications, and sending the activity to those users' inboxes directly ASSUMES behaviour on the other server's part, which is unwise.

@phiofx @david_megginson @davew @evan interested in hearing more about this threading problem? I'd love to tackle something like this with #nodebb

@david_megginson @davew @evan I disagree, #ActivityPub is perfect for medium and long-form content. #Mastodon is just crap at displaying it because its UI is optimized for short-form microblogging.

You can watch an on-stage performance through a camera lens but it doesn't mean the performance itself is sub-par because of it.

@evan my understanding is that those properties are stripped if forwarded along in another activity, but not on the original send.

Please please please I mean no offense by quoting the AP spec to you 😅

https://www.w3.org/TR/activitypub/#server-to-server-interactions

It's not explicitly mentioned but that paragraph talks as though bto/bcc are present.