@grishka yeah, ed25519 for some of my actors supported by GoActivityPub. (Well, it could be anything that the Go crypto library supports, but only ed25519 is in some use)
@silverpill in the context of Mastodon's FEP, perhaps cache poisoning could be a problem, but from the context of ActivityPub, there's no "cache poisoning" because the canonical version of an object is the one the server retrieves explicitly based on its ID, anything else is hearsay and should not be trusted by default.
Also I find very hard to reason about what you call "cache poisoning" when the entity that serves the object is the same with the one that sends the activity.
@silverpill hypothetically the last one is the one I find the most consistent with the way I interpreted the Activity vocabulary spec, and the way I implemented the ActivityPub processing state machine.
PS. I'm not defending the Mastodon FEP, but clarifying that the underlying assumption of using existing vocabulary for what is basically the same operation, be it on different object types, makes sense.
@silverpill I think you're wrong. It feels perfectly natural that the same activity can be used with different objects. That's the whole purpose of the Activity vocabulary itself being split between activities and objects, isn't it?
And yes, that sometimes means that different side-effects need to be implemented for processing the same type of activity.
@evan I've noticed that the public ActivityPub objects from tagspub are all behind CORS.
Can this be relaxed/removed? For one of my projects that fetches them directly from the frontend, it forces a second request through the proxyURL mechanism when the first one fails due to CORS.
So on my ONI instance that I've been use as an alternative fediverse profile for myself for about two years, the full storage used is about 3.4G, but out of that there's 2.5G containing mostly the Delete activities of mastodon.social. Crazy.
@silverpill to come back to this, I have added both this example and one of your original requests to the unit-tests, and they both validate correctly.
So I still have no idea why this is failing in production. The only thing I can think of is the http proxy messing with the value of the "target-uri" parameter.
Would it be too much trouble for you to create a minimum example that generates a signature using your libraries so I can adapt it to test on my dev setup?
@silverpill damn, I didn't have debugging enabled after restarting the server. I found the request, but the errors are not very enlightening on signature check failure.
@david_chisnall as far as I remember Firefox also bundles an LLM with the install (useful at least for in browser translations) but it still manages to keep the size reasonable...
@silverpill when you get a chance, please send another request. While waiting for the upstream to solve the issue, I fixed on my end trying to validate missing nonces.
Mostly a programmer.Implementing #ActivityPub in the #Go programming language.Current projects: * #GoActivityPub - a library to use ActivityPub in Go. * #FedBOX - a generic ActivityPub service supporting the client to server API. * #brutalinks - a link aggregator inspired by (old) reddit, hacker news and lobste.rs built on top of FedBOX. * #oni - a single user ActivityPub server with minimal fuss.My posts are mostly related to ActivityPub and web development.