Cool. Hubzilla (and red)'s "profile things" map directly to ActivityPub. So "Bob likes Amy's beard" or "Amy likes Bob's shoes" translates directly into something in that network without requiring any special namespace or hacks. I was worried about that one. Now I'm down to the really unusual ones like the poke variants and mood variations and file activities. But I'll see what I can do..
Klaus
Alex
Beni Grind
Haakon Meland Eriksen (Parlementum)
Alexandre Hannud Abdo
Raymond Monret
Hubzilla @ sasiflo
So there's now the website blockadblock.com - dedicated to busting through adblockers.
[business opportunity]
I notice there is currently no registration for blockblockadblock.com.
[business opportunity]
I notice there is currently no registration for blockblockadblock.com.
from Qvitter
@mike Since they use javascript it's pretty easy to get around their prevention method.
So now I've got HTTP Signatures (draft-cavage-http-signatures-07) working in ActivityPub. The bigger question is how to enforce them. I think the right thing to do is just indicate signing success or failure as we already do in Hubzilla but not actually block an unsigned (or even a failed signature) activity. That might be a config option, but we'll leave it turned off by default since it's anti-federation (and one of my bigger gripes about Diaspora).
We should also probably block or indicate posts that are unsigned after receiving any successfully signed post since we then know they are capable of signing it - so if they suddenly don't it's likely to be a forgery.
Anyway, there are a few posts today that indicate Mastodon is pretty much ready to go with ActivityPub. So are we. I've tried to reply and work out some interop testing but I think I'm blocked pretty widely on that network and the messages have been lost in space.
We should also probably block or indicate posts that are unsigned after receiving any successfully signed post since we then know they are capable of signing it - so if they suddenly don't it's likely to be a forgery.
Anyway, there are a few posts today that indicate Mastodon is pretty much ready to go with ActivityPub. So are we. I've tried to reply and work out some interop testing but I think I'm blocked pretty widely on that network and the messages have been lost in space.
For anybody who wants to mess with this - first make sure you're on current dev and stay current
If you're connecting to a channel that is multi-protocol capable, and you want to connect with that channel using a specific protocol; you can connect using the syntax
[protocol]web.address
Valid protocols are determined by what plugins you have installed, but can be one of 'zot', 'diaspora', 'ostatus', 'activitypub', or 'feed'.
ActivityPub does not use webfinger so you'll usually be connecting with the URL of the person's profile page. For Hubzilla channels it would be https://macgirvin.com/channel/nickname
Basic posts and comments are currently working. Most things that don't work in Diaspora won't work in ActivityPub either. There may be privacy and security issues until the dust settles, so if you're worried about this, please wait for an official release.
If you're connecting to a channel that is multi-protocol capable, and you want to connect with that channel using a specific protocol; you can connect using the syntax
[protocol]web.address
Valid protocols are determined by what plugins you have installed, but can be one of 'zot', 'diaspora', 'ostatus', 'activitypub', or 'feed'.
ActivityPub does not use webfinger so you'll usually be connecting with the URL of the person's profile page. For Hubzilla channels it would be https://macgirvin.com/channel/nickname
Basic posts and comments are currently working. Most things that don't work in Diaspora won't work in ActivityPub either. There may be privacy and security issues until the dust settles, so if you're worried about this, please wait for an official release.
Seeing a teeny bit of blue haze in the Blue Mountains. Spring is definitely on its way, though we're still likely to get a few more frosts and "cold winds from hell".
Maria Karlsen
loadaverage.org is back. It's only been down/migrating for what, a month (?) or thereabouts.
Nomadic identity folks. It's not just a good idea. It's a bloody great idea.
Nomadic identity folks. It's not just a good idea. It's a bloody great idea.
High Range, Australia, last edited: Fri, 11 Aug 2017 13:19:40 +1000
ActivityPub:
[master 8647648] pubcrawl: friending, approvals, posting and comments now working
[edit: also likes]
[master 8647648] pubcrawl: friending, approvals, posting and comments now working
[edit: also likes]
maiyannah
Mario Vavti
A lot of folks have rightly questioned why I'm so hot and cold on ActivityPub. It's horribly flawed. I mean absolutely miserably flawed. BUT - it's also designed as a walled garden, and I'm watching certain players who divided other free communities turn their attention and their divisive ways in that direction with an intent to dominate and divide like they've done elsewhere. I'm drawing a line in the sand. I smashed Diaspora's walls. I fully intend to do the same here. ActivityPub will be free and open to all. It will federate with other technologies. I might lose this battle, but I'm standing up for what's right and refusing to accept a W3C mandated walled garden.
First off, grabbed a #homebrew. Been one of those days. Pulled out the old resonator and changed the strings.
Was in the mood for some South American folk songs. And by "South American" I mean Mississippi and the Bayou country. Not to be confused with Andean folk songs (which require a different guitar). First up "I'll Fly away", a delta prison song. Then a rousing little boogie I wrote called "Stankie Sadie". May the blues be with you all.
Was in the mood for some South American folk songs. And by "South American" I mean Mississippi and the Bayou country. Not to be confused with Andean folk songs (which require a different guitar). First up "I'll Fly away", a delta prison song. Then a rousing little boogie I wrote called "Stankie Sadie". May the blues be with you all.
phellmes
Manuel
Carolus Rex
Sean Tilley
HTTP Signatures are pretty much under control now. Friending works. Outbox collection is fetchable. Posting sort of works.
Moving forward....
Moving forward....
HTTP/1.1 200 OK
Date: Wed, 09 Aug 2017 03:25:58 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Digest: SHA-256=8P+aLfepyDnYe5URaJhw1L4AQG2VyGwuJtmlKa4QVxY=
Signature: keyId="https://macgirvin.com/channel/hubzilla", algorithm="rsa-sha256", headers="content-type digest", signature="PnxYkZvAzj93ptZiS90zVUyBoFIyqwsGpJ6DCUCCLwkXDlmhkeo+YhZxscBvdg3RFYsapCCY8ePc+piOt1B+dzyxU++BqadD0GlmiCixZ7OmTJDktYkxygDJI+DTKZ812PIw4r4W7D1syelCLQJSM9i0knpR1quECYvBsV3OZDxtgEG9xVLhCajRgC1yedSlDO9NxCsVPtp0zuctSpgO8fTC6Tl4AuNPc9j86cc/iErE/mdjbe49Qww6HeCLlzSmJ8D9aLXxtm81UD+8OvdSeCmk1Bcq/mlsM8u08hOvbYI3CFZaw6s9uop1yL4BR9L20s3iSfUubc986nULB6GNykCvg/msUZ8BsODxIfsYarWGABMpNYCea6JhBzE5hp135iGAguqXnVdINozytlXSS4E9taKpIE2K8k/r3S8qGV/nyb+6+/oBvhxh6V9vHBdPBOZ/IHRD1Ep22Ze9OtV9d5JGTnmFalTgUV/yyLLwVRH18I5icWH9L20EAFm5+Ox5+okje72QBX2y9hF/1cDipewhH1mRB4UcMJkdrV1xV8weG+Wu0/0484DnqcbmbqlY5weCwLS7Fs0t8dLb9QkJDCLR3rGSTNuIC5bRmbbkwy8SWTwYop8PMZLDQruefEMvqOaHr52eqKrwMV6iVrcjFHweFMe5shfhPxqNKxYroaE="
Set-Cookie: PHPSESSID=YouWish; path=/; secure; HttpOnly
Transfer-Encoding: chunked
Content-Type: application/ld+json; profile="https://www.w3.org/ns/activitystreams"
Something about Twitter style interactions turns most everybody on those networks into an Aunt Dorothy. You know - the one that can't stop talking for two seconds even though she has absolutely nothing to say. Luckily we've got connection filters and the affinity tool.
King Emir#
I find myself torn between the two formats. On the one hand, microblogging seems to encourage saying whatever is on your mind, and the engagement of it increases the frequency of messages sent back and forth. Mastodon has been super fun to use for exactly that reason. When you say something particularly funny or insightful, the engagement feels like an endorphin rush as people reshare or respond to whatever you said. Unfortunately, this behavior can lead to some really toxic dynamics, and rampant pseudo-intellectual post-ironic hipster spiels.
Contrasting against "the fediverse" (OStatusWeb) the Federation is generally more pleasant. People explain themselves a little more effectively, and the emphasis seems to lean more towards conversation, rather than "spontaneuous feverish communication". Long-form content takes longer to write, there's more to articulate, and different conventions for formatting might be used.
Contrasting against "the fediverse" (OStatusWeb) the Federation is generally more pleasant. People explain themselves a little more effectively, and the emphasis seems to lean more towards conversation, rather than "spontaneuous feverish communication". Long-form content takes longer to write, there's more to articulate, and different conventions for formatting might be used.
Einer von Vielen
We're off to see the blizzard...
At least this time it isn't yet another 'lizard of oz'.
'The Blizzard of Oz': It's a winter wonderland at Aussie snowfields
At least this time it isn't yet another 'lizard of oz'.
'The Blizzard of Oz': It's a winter wonderland at Aussie snowfields
Australia's powder hounds rejoice after a weekend deluge of the white stuff — dubbed the Blizzard of Oz — creates a winter wonderland at Australia's snowfields.
A couple of things became obvious trying to bolt http signatures onto activitypub.
1. The key_id pretty much has to be the actor URL
2. You can't proxy, relay, or forward anything that is signed. The best you can do is forward a pointer and let the destination fetch the original itself.
So it will work but you're going to suffer a performance hit on relayed activities. Magic-envelopes would be a much better way of doing this since you can package a magic-envelope (the signed data and signature) inside something else (like an activity). Linked Data Signatures could also do this, but as of today, cross platform LDS is vapourware; and likely to continue to be so for at least the next 1-3 years.
1. The key_id pretty much has to be the actor URL
2. You can't proxy, relay, or forward anything that is signed. The best you can do is forward a pointer and let the destination fetch the original itself.
So it will work but you're going to suffer a performance hit on relayed activities. Magic-envelopes would be a much better way of doing this since you can package a magic-envelope (the signed data and signature) inside something else (like an activity). Linked Data Signatures could also do this, but as of today, cross platform LDS is vapourware; and likely to continue to be so for at least the next 1-3 years.
More specifically the actor URL of the *sender*, who may be a completely different entity than the actor who created the activity. And that's why #2 .
Anyway my current thinking (which could change tomorrow) is to support HTTPSig because that's likely to have general support - even though it's an inferior technology for this purpose. I'll also support salmon sigs for those who want better performance and have a distribution model based on relaying comments. Then we'll wait and see which way the wind blows but at least have something useful and functional while we sit around and blow soap bubbles and wait for LDS to be a thing.
I should have ActivityPub connecting/following working both directions now; or pretty close to it. Another day or three and we may be ready to start passing some text messages back and forth.
I'm reminded of the film "The Day After" back in the 80s -
I'm reminded of the film "The Day After" back in the 80s -
This is Lawrence... is there anybody out there? Anybody at all ...
Hint: use the smudge tool to avoid embarrassing copy/paste artifacts.
Katy Perry criticised over advert telling her dog to 'chase koalas' in Australia
Katy Perry criticised over advert telling her dog to 'chase koalas' in Australia
Katy Perry has been criticised after telling her dog to "go chase some koalas" in an advert for an Australian department store chain.
I can't find the original post (which may have been deleted). Anyway, a question was recently asked about what tools Hubzilla provides to help administrators enforce legal compliance of content on their sites.
The answer is that it does not. We've generally considered the creation of any tools which enable spying on the private communications of site members as malware; and this is somewhat in conflict with the Hubzilla core missions of privacy and providing code which is both ethical and transparent.
That said, a site administrator has every right to maintain legal compliance on their site with their local laws. Nobody is questioning or disputing this. It just has never been part of our core mission to provide those tools.
I recommend creating a plugin to do this kind of task since producing malware is likely to be rejected as a core feature/enhancement. I also highly recommend notifying site members in your terms of service if such a plugin is installed.
A place to start would be the existing authentication plugins. In order to have unfettered access to any of a channel's content, the simplest mechanism is to be able to 'sudo' or login as that channel with the system admin's credentials. Be warned that this may be detectable - as several content areas automatically mark items "seen" once they have been loaded into the channel's browser. In order to browse undetected one would also need to provide plugin hooks in core code to allow a plugin to disable this automatic flag setting if such a monitoring operation was in progress.
Also w/r/t end-to-end encrypted content: Hubzilla provides no mechanism to access this content through a back door. There are multiple ways that end-to-end encryption could be used and by definition Hubzilla site administrators will not have access to any keys which can be used to render this content in plaintext. If you have a legal requirement to allow law enforcement access to all your site content, you may need to disable the creation of end-to-end encrypted content on your site.
I'm not certain how you would go about doing such a thing since encrypted content could lurk in uploaded files or wiki pages or even embedded in text posts and there is no single distinguishing characteristic one could use to reliably filter or block it. If you are a developer and would like to create such a tool please consult with other community developers before proceeding.
The answer is that it does not. We've generally considered the creation of any tools which enable spying on the private communications of site members as malware; and this is somewhat in conflict with the Hubzilla core missions of privacy and providing code which is both ethical and transparent.
That said, a site administrator has every right to maintain legal compliance on their site with their local laws. Nobody is questioning or disputing this. It just has never been part of our core mission to provide those tools.
I recommend creating a plugin to do this kind of task since producing malware is likely to be rejected as a core feature/enhancement. I also highly recommend notifying site members in your terms of service if such a plugin is installed.
A place to start would be the existing authentication plugins. In order to have unfettered access to any of a channel's content, the simplest mechanism is to be able to 'sudo' or login as that channel with the system admin's credentials. Be warned that this may be detectable - as several content areas automatically mark items "seen" once they have been loaded into the channel's browser. In order to browse undetected one would also need to provide plugin hooks in core code to allow a plugin to disable this automatic flag setting if such a monitoring operation was in progress.
Also w/r/t end-to-end encrypted content: Hubzilla provides no mechanism to access this content through a back door. There are multiple ways that end-to-end encryption could be used and by definition Hubzilla site administrators will not have access to any keys which can be used to render this content in plaintext. If you have a legal requirement to allow law enforcement access to all your site content, you may need to disable the creation of end-to-end encrypted content on your site.
I'm not certain how you would go about doing such a thing since encrypted content could lurk in uploaded files or wiki pages or even embedded in text posts and there is no single distinguishing characteristic one could use to reliably filter or block it. If you are a developer and would like to create such a tool please consult with other community developers before proceeding.
Jake Moomaw
Seth Martin
Monopoly was invented to demonstrate the evils of capitalism
Monopoly's inventor, Elizabeth Magie, would have sent herself straight to jail if she’d lived to see just how influential today’s twisted version of her game turned out to be.
Anybody here with a NextCloud ActivityPub installation? I need to look at some other servers and examine their data structures and it seems that this is the only one out there. I'm not ready to connect yet - just want to poke around and look at the packets.
So who wants to wager how long it'll take Mike to pwn our Nextcloud servers? Oh wait, I'm the only one who gave him a URL 
After all this hoopla, the NextCloud ActivityPub implementation is just barely anything at all, hardly usable, and it certainly doesn't adhere to the specs. I'm looking at the source. It's actually a stripped down ActivityStreams interface and whoever called it an ActivityPub implementation must've been smoking crack. So it seems there are actually zero (zip, zilch, nada) spec-compliant ActivityPub instances on the planet earth; which makes it a bit difficult to test federation code in any kind of real-world scenario. There's nobody to federate with. Nextcloud sends some basic file activities back and forth but there's no channel discovery. I'll have to look closer but I'm guessing the instanceID has some kind of registry using some other protocol. They don't supply the required 'id' attribute you need to connect, not to mention inbox and outbox and follow messages. So you couldn't federate with them if you wanted to.
The same thing happened with Diaspora. People hassled me for over a year with increasing hysteria and "the sky is falling" urgency to implement the 'new protocol' and once I did, found that nobody in the world was actually using it - not even Diaspora.
On the bright side, since I'm unapologetically disregarding the published ActivityPub spec (as it is anti-federation) it's not like you can claim that I'm breaking compatibility with anything.
The same thing happened with Diaspora. People hassled me for over a year with increasing hysteria and "the sky is falling" urgency to implement the 'new protocol' and once I did, found that nobody in the world was actually using it - not even Diaspora.
On the bright side, since I'm unapologetically disregarding the published ActivityPub spec (as it is anti-federation) it's not like you can claim that I'm breaking compatibility with anything.
Operation Pub Crawl
You wouldn't expect to go into a pub and be asked for a membership card - or you can't get in to have a beer and talk to your mates.
Neither would I.
Announcing Operation Pub Crawl. It's kind of like ActivityPub, but you can participate without being an ActivityPub member. Operation Pub Crawl is based on and is compliant with ActivityStreams2 (JSON-LD). It is also somewhat compatible with ActivityPub, but has no membership requirement; so you'll find people in the Pub Crawl that you won't find in ActivityPub. We have to break some rules to do this, but these rules serve no useful purpose except to restrict membership and prevent members from communicating with non-members. Other ActivityPub sites and projects may decide that they want to restrict membership and enforce the rules strictly. This is OK. You can still communicate with them. They'll just miss out on half the party. If you're in the Pub Crawl, you can talk to anybody you wish, on any network you wish. Pub Crawl will be available as a plugin to red/hubzilla in Q3 2017.
Neither would I.
Announcing Operation Pub Crawl. It's kind of like ActivityPub, but you can participate without being an ActivityPub member. Operation Pub Crawl is based on and is compliant with ActivityStreams2 (JSON-LD). It is also somewhat compatible with ActivityPub, but has no membership requirement; so you'll find people in the Pub Crawl that you won't find in ActivityPub. We have to break some rules to do this, but these rules serve no useful purpose except to restrict membership and prevent members from communicating with non-members. Other ActivityPub sites and projects may decide that they want to restrict membership and enforce the rules strictly. This is OK. You can still communicate with them. They'll just miss out on half the party. If you're in the Pub Crawl, you can talk to anybody you wish, on any network you wish. Pub Crawl will be available as a plugin to red/hubzilla in Q3 2017.
