@blake@infosec.town

blake

A software developer with a passion for the powers, rights, and freedoms of users. Developer of dahliaOS, LucidLog, Bodacious, and more. Sometimes tries to design and write. Cool tech enthusiast.

Likely to post about #FOSS, #FreeSoftware, and #OpenSource (specifically, my various projects), radio stuff, and some other technology-related stuff. For my climate activism and solarpunk adjacent stuff, see my alt account linked below.

  • I hereby opt in my public posts to be searchable on tootfinder
  • My profile picture is not up to date, even though I just took some for this purpose
  • Recovering from being a lot of bad things, still have more to go. Keep me in check please

blake, to random

This is starting to sound familiar

I think if an XMPP server (in the relevant space) had implemented an API inspired by, say, Discord, the whole ecosystem would be seeing a lot more traction right now. The underlying tech is impossibly confusing and incredibly inconsistent, much like the ActivityPub situation (although AP is still way easier to work with than XMPP). Unlike AP, that inconsistency has made using it in most situations difficult enough that Matrix -- Matrix! -- is a better option (you can start by looking at encryption mechanisms! Ad-hoc commands support!). The saving grace for AP was probably Mastodon, which had real traction even before Twitter imploded, because it worked, it worked well, and it was easy to use from every angle. That's why there are so many good Mastodon clients and bots out there and like one "good" XMPP client that's only available on one platform.

RE: https://infosec.town/notes/9kcv8qx2dq34kdo7

blake,

@jabberati Ad-hoc commands seems pretty simple to me. It has spotty implementation. That caused issues when I was connecting to Libera.chat with Biboumi. Encryption I do see is a huge challenge but it's been solved in XMPP multiple times for some time now, and the problem is mostly getting enough (or the right) clients to support and use any one of the standards.

evan, (edited) to random
@evan@cosocial.ca

One of the funny things about ActivityPub is that we originally had a charter to develop a social API, with an option to make a social federation protocol.

The ActivityPub federation protocol has been very successful. The entire API is only implemented in a few projects, which I think is a mistake, but I hope to see improve over time.

Some people think the parts of the API not needed for federation drag down the spec, without realising that the protocol wouldn't exist without the API.

blake,

@evan I think a lot of this is the complexity of it on both sides.
Clients and bots sprung up like crazy on Mastodon primarily because of Mastodon's easy, opinionated API (which is also why it's been added to so many other servers, like Firefish and Pleroma).
The AP C2S API doesn't have any opinions on how you use it, which is both a blessing and a curse: it's super powerful, but a challenge to work with, especially consistently.
Both the client and federation APIs have inconsistent forms and the contexts are weird, i.e. a spec-valid format may fail to parse correctly on any given server or app. JSON-LD tooling isn't used as widely as you'd expect for this, it's usually "just" a super convoluted parsing framework (and JSON-LD support in languages is sparse. This is beginning to sound familiar).

There are also a few critical things missing from the API as specified, namely collections for, say, all public/local posts or conversations that you're in.
FedBOX has custom endpoints to handle this, which just grab everything it knows about.
I'm planning on a different approach for my own server, using AP C2S for sending messages and updating yourself, and a supplementary REST API for getting conversations, determining who you are, and performing proxied lookups (handling the HTTP signatures at the server side, leveraging the database, and allowing for things like xmpp: URIs).

blake,

@evan I've long believed that multiple approaches can, do, and will co-exist. Some software can, does, and will have its own opinionated API and purpose and enforce it. Some software is an open-ended hub that does everything you could ever want it to and then some. Hell, it might be better that way, and enable even more innovation!

blake,

@evan I'd argue that in cases like Mastodon's, letting people create things Mastodon doesn't know how to work with seems like something it wouldn't want to do. I think the approach would be to just apply the artificial limits -- that's what I plan to do (mostly, don't let users create other "users", and don't do public delivery).

blake, to fediverse

It appears the prevailing mechanism for DMs over is just direct Notes. Misskey/Firefish mark it as a DM with a non-standard field. Pixelfed either doesn't have any DM distinguisher, or it uses a different non-standard field. Pleroma uses a non-standard type ChatMessage and appears to apply certain special logistics to it (i.e. only one person, and it must be a single Actor, may be specified, and only in the to field).

Maybe the mechanism for Babilejo will aim for maximum compatibility with "type": ["Note", "ChatMessage", "https://joinbabilejo.org/ns/type#ChatMessage"], the Misskey special field, and treating the Babilejo ChatMessage type (and the Pleroma ChatMessage type) as a descendant of Note. That way, I don't have to have any special compatibility mode (as long as all the popular projects are spec-compliant, accepting multiple types...)

evan, to random
@evan@cosocial.ca

deleted_by_author

    blake,

    @evan Apparently that's a valid Bitcoin address. No data for it though. I kinda hoped it would have Never Gonna Give You Up tied to it somehow.

    ward, (edited) to random
    @ward@easymode.im

    How do you listen to music?

    blake,

    @ward
    All of my music on shuffle.
    @steffo

    rabble, to random
    @rabble@mastodon.social

    In the fediverse, how do i tell which servers federate with / defederate which other servers? I was trying to follow somebody on hachyderm.io via mostr.pub and couldn't find them. But is there an explorer or list?

    blake,

    @rabble Most servers have blocked mostr.pub because it's prone to spam, scams, and other unwanted behavior, and is also super difficult to moderate.

    evan, to webdev
    @evan@cosocial.ca

    What's the best place to host a single page client-side app in 2023 on one's own domain with SSL?

    Is the answer still “GitHub Pages”, or is there something better?

    blake,

    @evan I use Vercel sometimes for it but Render.com is a pretty good option for this too.

    joel, to random
    @joel@fosstodon.org

    Why is our education system so bad?

    I had to teach a sister's friend yesterday how to sum fractions. She's already in high school...

    blake,

    @joel I know I learned this in school. I've since forgot it, of course, but I did learn this.

    Meanwhile, I have little idea what the geography of my own country looks like, and even less for the rest of the world. Or how things are done at all outside of my own country; I have to rely on organic discovery on the Internet and my German friend for that...!

    J12t, to fediverse
    @J12t@social.coop

    About half of the Fediverse addresses typed by FediForum attendees into the session notes are missing the leading "@".

    People typed in their very own Fediverse handles. And because they came to FediForum, it's very likely they are very well acquainted with the right syntax.

    Pretty strong circumstantial evidence that most people won't be able to distinguish Fediverse handles from e-mail addresses.

    I have long believed that they should be the same.

    blake,

    @J12t It's definitely ideal but it's also pretty hard when a given person's email address is going to be @gmail.com 8 times out of 10.
    Fedi servers are more spread out than email servers, and are already run by people thin on resources. Tying email to Fedi would make it even more costly to run and price people out. Tying Fedi to email is impossible because again, Gmail isn't going to do it. Outlook wouldn't either. Most people use one of those two to host their email.

    You have to get people to either switch away from Gmail (god save your soul) or get Gmail to conform to something else. It's simply not possible.

    I think this is another advantage Bluesky has for the use of domain names as a user ID; it continues to serve the identifier's best known, most familiar purpose (pointing to a website).

    blake, to mastodon

    4.2.0 comes out on the 21st night of September.

    I mean he definitely planned it but that's some funny meme number stuff.

    joel, to RocketLeague
    @joel@fosstodon.org

    Anyone here plays ? :blobcatderpy:

    blake,

    @joel
    I do, but I suck. Still find it fun though.

    blake, to Matrix

    I think both and clients should support looking up Fediverse-style Webfinger handles (i.e. @me@blakes.dev) for their corresponding URI schemes, matrix:// and xmpp:. That could make contacting people over bridges much easier and allow for more portability, at least for new conversations. Plus, a server could implement those on its own, if it speaks one of those protocols and/or hosts a gateway, or (for i.e. Mastodon) to allow users to set their XMPP/Matrix IDs to be discovered via their existing Fediverse handle.

    Also, a rel="alternate" type="application/activity+json" pattern on Webfingers could be used to discover multiple accounts with one handle, too...

    evan, to random
    @evan@cosocial.ca

    There is literally one (1) example of any company taking an Embrace, Extend, Extinguish strategy (Microsoft, with the Web, in the late 90s). They went through years of antitrust lawsuits for it.

    There are zero (0) examples of it ever working. No, not RSS; no, not XMPP.

    There are literally millions of examples of companies, individuals, governments and non-profits adopting open standards and making the network, and their services, better.

    More ActivityPub makes a better Internet for everyone.

    blake,

    @evan I think we've started interpreting "embrace, extend, extinguish" to include strategies that only have the "embrace" and "extinguish" components. In a lot of ways that's what happened to XMPP, which is more or less a thing that nowadays only a group of nerds and people they've forced onto it use, and a few backends that are totally irrelevant to XMPP as an open ecosystem (i.e. WhatsApp or Fortnite text chat. They could stop using XMPP on their backend tomorrow and nothing public-facing would change).

    RSS is similar, although really it's just not used for news anymore, just podcasts, which are generally not branded as RSS (and, to a much lesser extent, blogs). Many news sites just pump data directly into Google, Feedly, and Apple News nowadays (i.e. there are sites on those platforms that don't have RSS feeds, at least not public ones. That could just be scraping/web crawling, though). So I'd say it's been diminished, but unlike XMPP, it's still pretty useful, and has at least one mainstream case where people are "directly" using it, even if just not by name. (If a podcast stopped offering an RSS feed, many readers, including corporate ones like Google Podcasts, wouldn't know about any future episodes. In this way, RSS is still relevant as an open standard, unlike XMPP.)

    I think I agree that EEE has never worked. Attempts to diminish or extinguish open standards, however, have. ActivityPub, unlike XMPP but like RSS, has a broad, popular ecosystem that's working just fine without the big name(s) on it. So if a big name decides to break shit, we can just keep trucking along with our open standards and leave them in the dust. That ecosystem is a damn good defense against any attempts by Meta or even Automattic to absorb or extinguish us. So I doubly agree on your statement, "More ActivityPub makes a better Internet for everyone."

    mttaggart, to random

    Hey @PogoWasRight and @douglevin, is it just me, or is 2023 shaping up to be a banner year for school cyberattacks? Or are they just better covered, in large part thanks to your efforts?

    blake,
    JessTheUnstill, to random

    People who need glasses are disabled under any meaningful definition of disabled.

    blake,

    @JessTheUnstill @CatHat Hello, glasses wearer here 👋
    I like to joke that I'm blind (because sometimes, especially without them, I can't read or make out faces anymore!), but I'd personally avoid calling myself disabled for it. My best guess is it's mostly an impostor syndrome kind of thing, at least for me: it feels disrespectful to call myself disabled when it's such a trivial disability.

    Although to be fair I do have at least autism too, which I believe is still classified as a mental disability? (Or is it just disorder/condition now, or?)

    spaceraser, to random
    @spaceraser@fosstodon.org

    Hey @blake, I went and checked out DahliaOS after seeing it in your bio, but I’m having trouble spinning it up in a vm. Is that a known issue or should I keep trying to mess with the configuration on my side? Using the February iso from the site and qemu/kvm through vmm.

    blake,

    @spaceraser I believe qemu works if you use the legacy image. We have a short tutorial up here; maybe that can help?

    Is there any specific error you're having? What exactly is happening when you run it?

    erlend, (edited) to fediverse
    @erlend@writing.exchange

    Several years in the making, GitLab is now very actively implementing ! 🙌

    https://gitlab.com/groups/gitlab-org/-/epics/11247

    The end-goal is to support AP for merge requests (aka pull requests), meaning git.alice.dev can send a merge request to gitlab.com/Bob/project.git

    First bite-sized todo on the implementation path there is ‘subscribe to project releases’.

    Smart move by ; through ActivityPub they’re getting a distributed version of GitHub’s social layer.

    @fediversenews

    blake,

    @evan @danielsiepmann @fediversenews @erlend I think they don't realize ForgeFed is based on ActivityPub (although I think it doesn't use AS/2). So it's most definitely fulfilling that use case.

    blake, to random

    New instance, new (as I'm bombarded with "X followed you!" notifications from migrating)!

    My name is Blake Leonard, I write software for fun and hope I can do the one thing I'm good at for a living. For now I make money to support my hobbies and family's Christmas presents at a grocery store, which isn't bad work but it doesn't pay much (so I haven't moved out yet 😔) and it's not well suited for me.

    Like many others, I migrated away from today. It's not the first migration I've done; last time, I came amicably from indieweb.social to a community (and timeline) that suited me better. Today's migration away from Fosstodon comes in response to a few things, in rough order of weight on my decision:

    • Firefish's feature set is so much richer than Mastodon's. Quoting, longer posts, and markup are among the things I've missed most when on my main account.
    • I found out this morning that some years ago one of the admins said some problematic things -- generally problematic with an ignorant use of the word "snowflake," followed by remarks about how pronouns in profiles are annoying. I'm not going to tolerate that from someone I trust as a custodian of my identity. This would have ranked higher if it weren't years ago and long resolved.
    • I'm sure it wasn't meant to come across this way but I received some condescending responses from one admin to genuine questions about moderation decisions. It wasn't a one time incident. It's happened multiple times. That doesn't exactly make me feel welcome there.
    • The biggest thing causing the rounds of drama right now is the English-only rule, which as a cis white American man who only (in any usable capacity) speaks English, I fully understand the long-established decision to keep the instance English-only for moderation reasons. At that scale though, they probably should have more than two moderators, and at least one of them should probably speak some other language. The policy, when brought to light that they seemed to be more strictly enforcing it (which they denied, of course, but I'm sure there's a reason why people are only now upset about it when it's been around forever), felt like it would further hinder my ability to reply to comments in German than my A1 level knowledge of the language does, despite them denying it.

    Due primarily to the transphobia/right-of-center issue, I did cancel my Patreon membership at Fosstodon, because while I have enough reason to trust that they're not just pocketing the money, I don't trust them to handle it anymore (plus, I'm not on their server now).

    I ended up picking this server at Kainoa's suggestion, which I agreed with because of Infosec Exchange's reputation, which is pretty good as far as Fedi servers go.

    I'll probably spend the next couple hours switching my website to pull posts from a "clip" on this account instead of all public posts from my old account. If you have any questions about me, or my decision to migrate here; ask away!

    renchap, to mastodon
    @renchap@oisaur.com

    Full text search has been merged in main branch, and will be in the next (and final?) 4.2.0 beta 🎉

    It is opt-in, so it will take some time to be filled with people's content as they enable their profile to be indexed, but this was one of the most wanted Mastodon features for some time.

    We plan to deploy it to mastodon.social and mastodon.online in the coming days to have a bit more feedback on it and see how it behaves in the wild.

    blake,

    @renchap So he did actually listen when people loudly complained about merging it into one setting! I'm kinda surprised, but it's a good surprise this time!

    blake,

    @renchap Does the "old" option migrate over? I think there was a search engines related option before.

    Going this route was definitely the right call.

    santiago, to random
    @santiago@masto.lema.org

    So we’re in 2023 . Is there any stable cross platform development system which isn’t an awful large web container ?

    BTW: I recently played with Pixel Studio which is made in Unity and aside from the slow-fade in Unity logo at start it was pleasant on both iOS and MacOS (both are fast devices though, not sure how it runs on cheap devices).

    blake,

    @dzamir @santiago React Native has this same problem the opposite way too (or so I've heard: it works well on iOS but sucks on Android, which is why Discord didn't build the Android app with React Native when they did that for iOS). Building two apps is a lot of duplicated work, and it'll never work the same as a native app because it isn't. It's great when you don't have the time to maintain two apps but you want people to have the same experience across platforms.

    Also, for what it's worth, there are two dominant UI frameworks on Linux and you have the same consistency and integration issues when running Qt apps on GNOME or GTK apps on Plasma, even though it's the same damn platform.
