Spent most of the workday today adding in hostname checks to the NodeBB-ActivityPub integration in order to improve security. There's much to reflect on with the recent vulnerability disclosures, and many lessons to learn.
It absolutely sucks that Mastodon and Pixelfed contained these vulnerabilities, but their public disclosure allows the rest of the fediverse to learn from their mistakes and publish better software.
One quick question about instance keys... I have private and public keys generated for individual user actors in my implementation, and that works when attempting to access resources from an instance with AUTHORIZED_FETCH enabled. If I need to retrieve content without a local user context, would I be making the call with an "instance level" public key/signature?
That was my interpretation, but would appreciate confirmation 😃
Last week, I started my initial forays into retrieving and parsing remote content from the #fediverse. As expected, many of the data structures are identical to #ActivityPub but named and organized differently, so there's a lot of bits and pieces that need connecting.
Nevertheless, it's thrilling to see remote content on a local instance!
Today, like most of this week, I worked on follow logic for @nodebb (#nodebbActivityPub) — follow/unfollow is now working, and now I can browse follow lists from remote accounts too!
Have been developing #nodebbActivityPub locally (making calls to itself, which as an aside, is a no-no in production), and all was going well, until I accidentally tried sending a call to a real #Mastodon instance and got instantly shouted down 😂
I keep hearing about how #Mastodon is too complicated for people to grok, and I can't help but think that this is entirely a marketing problem. #Mastodon positions itself as THE #fediverse, each instance being one way to connect to it, but not much more (the lack of local/instance-only toots reinforces this).
It's like the whole idea that each individual instance can have their own subculture, memes, and posts is secondary to this grand idea of the fediverse. No wonder people don't get it!
I'm certain it can be done. We've seen that small, niche sites were absolute powerhouses of information and showcased an uncanny ability to bring disparate people with common interests together. To eschew this is to turn your back on so much potential for community-building!
@nodebb (here comes the plug) started off providing that niche space, and with the development of #nodebbActivityPub, I can finally realize that vision of combining the best of both worlds, small vs big, niche vs fedi.
#FoodForThought — a lot of #Fediverse implementors are Fedi-first, but in @nodebb's case, we're adding #ActivityPub integration to already existing and established forums. It makes me wonder whether I should think about individual users' #consent to have their content federated outside of the local instance.
All along I assumed I'd just build in a global on-off switch for AP integration, but maybe we need more granular user-level opt-in/out here 🤔
The first thing I have to do for #NLNet is to create a project plan. This goes against my default setting as a software dev, which is to just hack on things until they work, and then refactor endlessly because the earlier revisions were garbage.
So. It's a fantastic thing that they're making me think about #nodebbActivityPub from the top-down, because otherwise I'd literally just dive right back into the trenches and miss the forest for the trees 😄
Would I be a bad #ActivityPub implementor if I don't maintain a "feed"?
If a post is created, NodeBB would send the Create activity to all of the author's followers, and that post would be displayed on that app, usually in the form of a feed.
On the other hand, if other apps send Creates to me, I can save them, but there's no place to display them organically within the existing forum structure 🤔 — since they're not part of an existing topic/category/etc...
@shoq when it comes to groups, there are two parallel implementations in @nodebb:
"user groups" which — true to name — is a group of users. They can be mentioned in posts and will be notified thusly.
Group chats, which function almost exactly like "mentioned-only" visibility in #mastodon. Users are added to the group and messages exchanged only show up to the users in said group.
Is there a third use case you'd like to see, or is it covered in the above?
I've been musing passively about how I can develop locally while still making #ActivityPub requests in order to test with real HTTP requests, and was pretty close to just deploying my code on a test subdomain (and then making the call to my #Mastodon server — crag.social), but then realized I could just stand up two #NodeBB instances on my machine and have them gab to each other instead.
Initial federated contact made! My local dev instance has just made its first calls to a remote #Mastodon instance (via #WebFinger discovery) to retrieve a remote user account!
One small step for #NodeBB, ah... also one small step for the #Fediverse I guess.
@trwnh you said earlier today — "having a topic is a useful feature or abstraction, and i'd like to see literally any support or thought given to it"
💯 will do. A post created in @nodebb will have a topic associated with it in its metadata as you've suggested. That just makes complete sense. It would continue to exist in the (sub-)category hierarchy already present in #nodebb.