julian

@julian@fietkau.social

Human-computer interaction #HCI, computer science & programming, home server & self-hosting, games and other fun stuff.

Increasingly into making tools for the fediverse: FediRoster, Pinhole, more to come(?). See https://fietkau.software/tag/fediverse for project info and downloads. If you do HCI-related research, check out https://directory.hci.social.

He/him. Posting mostly in English, but you might see the occasional German boost.


devnull, (edited ) to fediverse
@devnull@crag.social avatar

Can an instance operator running a derivative of Misskey (Sharkey, firefish, or maybe even Misskey itself) get in touch with me? I can't seem to federate with that entire pie of the fediverse... 401 Unauthorized 😬

Alternatively, if you've run into this type of issue before, any tips? Heh.

✅ Resolved! — https://crag.social/@devnull/112135536070616187

julian,
@julian@fietkau.social avatar

@devnull They can be a bit picky. I remember fixing an interop issue by removing the space after the commas in my HTTP signature header. I.e. before:

keyId="...", algorithm="rsa-sha256", headers=...

After:

keyId="...",algorithm="rsa-sha256",headers=...

I don't remember with 100% certainty whether it was Misskey that needed this.

FWIW, the grapevine tells me that the upstream Misskey team can be difficult to reach, but I've experienced the Iceshrimp team to be very friendly and helpful.
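
Added example (not part of the thread and not code from either poster): a receiver that parses the `Signature` header quoted above the same way with or without spaces after the commas, and a sender that always emits the compact form. The function names, key URL and signature value are constructed for illustration.

```python
import re

# One `name="value"` pair, optional whitespace around it, then a comma or the end.
_PARAM = re.compile(r'\s*([A-Za-z]+)="([^"]*)"\s*(,|$)')

def parse_signature_header(value):
    """Parse a Signature header value into a dict of its parameters.

    Tolerant on input: `a="1", b="2"` and `a="1",b="2"` parse identically.
    Raises ValueError on junk, duplicates, or a missing keyId/signature.
    """
    params, pos, sep = {}, 0, ""
    while pos < len(value):
        m = _PARAM.match(value, pos)
        if m is None:
            raise ValueError(f"malformed Signature header at offset {pos}")
        name, val, sep = m.groups()
        if name in params:
            raise ValueError(f"duplicate parameter {name!r}")
        params[name] = val
        pos = m.end()
    if sep == ",":
        raise ValueError("trailing comma")
    missing = {"keyId", "signature"} - params.keys()
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    return params

def format_signature_header(params):
    """Strict on output: no whitespace after the commas."""
    return ",".join(f'{name}="{val}"' for name, val in params.items())

# Constructed sample values; the key URL and signature are placeholders.
SPACED = ('keyId="https://social.example/actor#main-key", algorithm="rsa-sha256", '
          'headers="(request-target) host date digest", signature="Y29uc3RydWN0ZWQ="')
COMPACT = SPACED.replace('", ', '",')

if __name__ == "__main__":
    assert parse_signature_header(SPACED) == parse_signature_header(COMPACT)
    print(format_signature_header(parse_signature_header(SPACED)))
```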

julian,
@julian@fietkau.social avatar

@devnull Nice, Julian fist bump! 👊 Yeah, the algorithm was already in the example I learned from: https://socialhub.activitypub.rocks/t/python-mastodon-server-post-with-http-signature/2757 Glad that did the trick. 🙂 Maybe one day we'll be able to move the ecosystem towards actual RFC 9421 compliance.

dansup, (edited ) to random
@dansup@mastodon.social avatar

Edit: As mentioned below, it appears to be a bug, not intentional!

Threads hiding @pixelfed mentions, not a good look Meta 🙄

julian,
@julian@fietkau.social avatar

@PersistentDreamer Pixelfed is an ActivityPub-powered social platform that @dansup is developing. It's focused on photo and image sharing. It's interoperable with Mastodon, so you can follow Pixelfed users from here if you want to. https://pixelfed.org

The above screenshot documents an incident where a post on Meta's Threads was automatically marked as spam for mentioning Pixelfed. This is likely because Pixelfed is a competitor to Instagram and Meta is petty.

axbom, to random
@axbom@axbom.me avatar

Doing a session tomorrow on Postmortem Design - actually designing to protect the legacy of users after they pass away.

I'm prepping my slides and I'm already crying. So much data getting lost and so hard for families to access it.

I'm using my grandma's attic as a backdrop. I used to love heading up there and discovering old photos, letters, stamps, coins and memorabilia each with its own story.

Now who owns everyone's attic… do our digital legacies matter and if so, who should own it and access it…

julian,
@julian@fietkau.social avatar

@axbom Been there with my dad, I handled the "digital estate" for mom after he died. He had no online presence to speak of, so it was mostly about taking over the email inbox and using that to cancel subscriptions, delete accounts, etc. Not every site was accommodating and it took a year of piece by piece labor.

I'm curious what designers can do better. I know of Facebook's and Google's systems to inherit data, but having to have a pre-existing account on every service is clearly not practical.

sarajw, (edited ) to random
@sarajw@front-end.social avatar

I think I want to recreate the structure of one of my old teenage sites, where almost everything was loaded into an iframe in the middle of the page.

Dunno when I'll ever have time.

Dunno if I'll be able to make it accessible - and it'll need some JS to make sure that the page titles track, and you can link to specific pages. Hm.

An interesting exercise or kind of useless? Who knows!

julian,
@julian@fietkau.social avatar

@sarajw There are security aspects to think of with iframes nowadays, right? Like if you let anyone out there put parts of your site in an iframe, they could do clickjacking attacks using a transparent overlay or something. Might be worth making sure that only your site can contain/frame itself. 🙂 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
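
Added example (not part of the thread): a check that tells whether a response's enforced CSP still lets other origins frame the page, plus a WSGI middleware that adds `frame-ancestors 'self'`. It uses `'self'` rather than `'none'` because a site that loads its own pages into an iframe must still be allowed to frame itself. The class, function and `demo_app` names are constructed for illustration.

```python
CSP = "content-security-policy"
LOCAL_ONLY = {"'self'", "'none'"}

def enforced_frame_ancestors(headers):
    """Yield the frame-ancestors source list of each enforced policy."""
    for name, value in headers:
        if name.lower() != CSP:       # skips Content-Security-Policy-Report-Only
            continue
        for policy in value.split(","):         # one header may carry several policies
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    yield [p.lower() for p in parts[1:]]
                    break                        # later duplicates are ignored

def allows_cross_origin_framing(headers):
    """True unless some enforced policy limits framing to 'self' / 'none'.

    default-src is deliberately not consulted: frame-ancestors has no fallback.
    """
    return not any(set(srcs) <= LOCAL_ONLY
                   for srcs in enforced_frame_ancestors(headers))

class SelfFramingOnly:
    """WSGI middleware adding a policy that lets only the site frame itself."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            # Policies combine restrictively, so an extra header cannot loosen anything.
            extra = ("Content-Security-Policy", "frame-ancestors 'self'")
            return start_response(status, list(headers) + [extra], exc_info)
        return self.app(environ, patched)

def demo_app(environ, start_response):
    """Constructed stand-in for the site; its CSP has no frame-ancestors."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'self'")])
    return [b"<iframe src='/page.html'></iframe>"]
```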

julian,
@julian@fietkau.social avatar

@sarajw It is definitely retro though! 😄

julian,
@julian@fietkau.social avatar

@sarajw My first website was a Pokémon fan site from the year 2000. The Wayback Machine already existed then, but seems to have never found it. 😢

Edent, to fediverse
@Edent@mastodon.social avatar

🆕 blog! “I made a mistake in verifying HTTP Message Signatures”

It's never great to find out you're wrong, but that's how learning and personal growth happens. HTTP Message Signatures are hard. There are lots of complex parts and getting any aspect wrong means certain death. In a previous post, I wrote A simple(ish) guide to verifying …

👀 Read more: https://shkspr.mobi/blog/2024/03/i-made-a-mistake-in-verifying-http-message-signatures/
⸻

julian,
@julian@fietkau.social avatar

@Edent Wait, you're comparing the Date header to the activity's "published" property? Is that recommended? I don't think there are restrictions on that duration, I've received hours old messages from congested servers.

What I compare (and what I believe Mastodon compares) is the difference between the signed message's Date header and my own server's time. The goal is to ensure the signature itself is current. There's less room for valid time differences there.

julian,
@julian@fietkau.social avatar

@Edent Okay, but Mastodon's signatures don't have a "created" signature parameter, right? I don't remember ever seeing one. Is this one of those things where Mastodon's signatures differ from the RFC?

Looking at your code now, I see you're checking both differences: between signature date and current local time, as well as between signature date and "published" property. I think the latter will keep causing problems. Multi-hour differences are not especially rare in my experience.
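
Added example (not part of the thread and not code from either poster): the freshness check described in these two replies, comparing the signed `Date` header with the receiver's own clock and never consulting the activity's `published` property. The one-hour tolerance, the function name and the sample request are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(hours=1)  # assumed tolerance, not a value from the thread

def check_signature_freshness(signed_headers, request_headers, now=None,
                              max_skew=MAX_SKEW):
    """Return (ok, reason) for the freshness of a signed request.

    signed_headers: the `headers` parameter of the Signature header.
    request_headers: dict of received headers with lower-case names.
    """
    now = now or datetime.now(timezone.utc)
    # A Date that is not covered by the signature says nothing about its age.
    if "date" not in signed_headers.lower().split():
        return False, "Date is not covered by the signature"
    try:
        signed_at = parsedate_to_datetime(request_headers["date"])
    except (KeyError, TypeError, ValueError):
        return False, "Date header missing or unparseable"
    if signed_at.tzinfo is None:          # "-0000" parses as naive; treat as UTC
        signed_at = signed_at.replace(tzinfo=timezone.utc)
    skew = abs(now - signed_at)
    if skew > max_skew:
        return False, f"signature is {skew} away from local time"
    return True, "fresh"

# Constructed sample: signed just now, but the activity was published 3.5 hours
# earlier (for example because the sending server's queue was congested).
SAMPLE_HEADERS = {"host": "inbox.example", "date": "Thu, 21 Mar 2024 12:00:00 GMT"}
SAMPLE_ACTIVITY = {"type": "Create", "published": "2024-03-21T08:30:00Z"}
SAMPLE_SIGNED = "(request-target) host date digest"
```

With the sample above, the request is accepted twenty seconds after signing even though `published` is hours old, and rejected once the receiver's clock is two hours past the signed `Date`.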

hello, to fediverse
@hello@social.wedistribute.org avatar

The situation is a dumpster fire for the . What would you do if you were building something, people misunderstood what it was, and things escalated to a point that someone loaded CSAM onto your server for the sake of reporting it?

https://wedistribute.org/2024/03/contentnation-mastodons-toxicity/

julian,
@julian@fietkau.social avatar

@hello One of my dream projects (not as in "pipe dream" but actually in realistic reach) is an ActivityPub interface for ORCID records: https://fietkau.social/@julian/112004249891946278

Being able to follow scientists' new publications even if they aren't personally on here would be useful. But the Bridgy Fed harassment has given me some pause. Academics are incentivized to be as public as possible about their articles, so I'm having trouble imagining backlash. Then again I didn't imagine the Bluesky bridge backlash...

sarajw, to random
@sarajw@front-end.social avatar

Does anyone working in Germany as a normal employee take a little cash on the side (legally) for stuff like giving talks, reviewing books, writing articles or other comparable stuff?

I'm happy in my job and want to keep it, but some little opportunities may come up where I could earn something, currently I'm opting out or doing it for free because of the whole tax thing.

I'm trying to figure out whether I can do a Nebenjob freiberuflich, or something. The whole system terrifies me, haha! Help?

julian,
@julian@fietkau.social avatar

@sarajw Just starting out with that myself. 🙂 Haven't heard back from the tax people yet about my application/notification of a new "freiberufliche Tätigkeit".

jwildeboer, (edited ) to random
@jwildeboer@social.wildeboer.net avatar

What I dream of: "Here's my stuff. My thoughts, my pictures, my videos. Here's who should be able to see it. And who's able to share it. Have fun! Is all". So what I really want is a storage layer and an ActivityPub layer on top of that that distributes my "stuff". I don't want to think about that being Mastodon, PeerTube, PixelFed, Lemmy etc. It's ActivityPub and my content. Nothing more. Who builds that? ;)

julian,
@julian@fietkau.social avatar

@jwildeboer Sounds a lot like @activitypods.

eniko, to random
@eniko@peoplemaking.games avatar

i really wish i could use formatting for my mastodon posts. last i checked formatting is converted to html tags and then your post is stored that way, which means the fallback for formatting being not supported is to strip the html tags

which means if i wanna add emphasis like this, which would be formatted as italics, the result of an instance without formatting showing the post is to strip the asterisks which means way more of the original intent of my post is gone than if i do it in plain text without formatting

julian,
@julian@fietkau.social avatar

@eniko What kind of fedi instances strip out simple formatting on incoming remote posts? Is that a thing that happens?

Mastodon instances (like mine) that don't offer formatting to their own users should still show formatting in incoming posts, at least since some time early in the 4.x versions.

julian,
@julian@fietkau.social avatar

@eniko Valid, but I wouldn't treat losing italics as a concern in practice. Mastodon has supported formatting on incoming posts for a year now (https://github.com/mastodon/mastodon/pull/23913) and I think pretty much all other server software does too. I might have missed things, but I've never heard of anywhere where that went wrong.

jwildeboer, to random
@jwildeboer@social.wildeboer.net avatar

New blog post (unfinished) on spam and Mastodon, Activitypub at https://jan.wildeboer.net/2024/02/ActivityPubSpam/ - replies to this toot will show up as comment on the blog post. It's magic! This blog post resulted from this thread: https://social.wildeboer.net/@jwildeboer/111970226411427292

julian,
@julian@fietkau.social avatar

@jwildeboer Confirmed measures that Mastodon is taking to mitigate the issues with abandoned servers:

"Change registrations to be disabled by default for new servers"
https://github.com/mastodon/mastodon/pull/29280
(Meaning that admins must opt into the type of user registration they want, open is no longer the default.)

"Automatically switch from open to approved registrations in absence of moderators"
https://github.com/mastodon/mastodon/pull/29318
(When no admin/mod has logged in for 7 days, open registration closes automatically.)

DavidDarnes, to mastodon
@DavidDarnes@mastodon.design avatar

New addition to my collection: <mastodon-post>!

Embed mastodon posts on your web pages by progressively enhancing a regular link and without the need for an <iframe>. Use the built in semantic template or apply your own! Read more about it here:
https://darn.es/mastodon-post-web-component/

Thanks to @robb and @mariohamann for the inspiration ✨

julian,
@julian@fietkau.social avatar

@DavidDarnes Nice work, I'm into it. 👍

As embeddable solutions go, this one beats iframes IMO, but I'm still kinda on the lookout for one that contains a plain-text copy of the post it can fall back on for displaying if the Mastodon server is down. You think that'd be potentially in scope for yours?

julian,
@julian@fietkau.social avatar

@DavidDarnes Yeah, pretty much. Mastodon servers vanish often enough that I think the fallback text is critical. I'd likely add the posting date/time too, but the principle's the same.

I haven't tried out your script myself yet, but for me it'd be ready to replace the default iframe embeds if the per-post code snippet can easily be copypasted in without futzing with style sheets or one-off scripts, doesn't choke if multiple posts are embedded within the same page, etc.

Again, very cool to see.

leigh, (edited ) to random
@leigh@ottawa.place avatar

Currently sleeping the sleep of the righteous, @andrew was up way too late building tools to fend off the current wave of fedi spam, playing whack-a-mole with bad accounts, and getting fedi friends up and running with their own blocklists.

I’d like to convene a discussion this week or next to do a mini retro on this attack and some work around fedi spam fighting tools. If you’re interested in the discussion, @ me your email or send one to spamretro at hypatia dot ca and I’ll loop you in on it 🙏

Would love to have a proper UR/UX person on the call, I’m a mere amateur at that part 😅

Edit to add for reach 🚀

julian,
@julian@fietkau.social avatar

@leigh My impression is it might be worthwhile to check in with @thisismissem if you don't want to reinvent existing work (see https://hachyderm.io/@thisismissem/111949447074925218), unless of course you're deliberately taking a blank slate approach. 🙂

For UX, the first person to come to my mind who might be interested in providing support is @scottjenson. I'd offer my own help, but all of my experience is academic and none of it has to do with spam or trust & safety...

julian,
@julian@fietkau.social avatar

@leigh Ah, sorry if that came across as a challenge to your expertise – I meant it more as a question of, do you want to join up with other people who are in the process of building these tools or do you want to get something completely fresh started. I could see either path leading to worthwhile results. 👍 @thisismissem @scottjenson

julian,
@julian@fietkau.social avatar

@leigh I see! Alright yeah, that sounds like a solid plan. 🙂 I think I did misinterpret your original post a bit, maybe because I've seen a number of posts along the lines of "why is no one else tackling this problem, it can't be that hard can it" on my feed these past 48h. Best wishes for sure!

Edent, to fediverse
@Edent@mastodon.social avatar

🆕 blog! “ActivityPub Server in a Single PHP File”

Any computer program can be designed to run from a single file if you architect it wrong enough! I wanted to create the simplest possible Fediverse server which can be used as an educational tool to show how ActivityPub / Mastodon works. The design goals were: Upload a single PHP file to the server. No […]

👀 Read more: https://shkspr.mobi/blog/2024/02/activitypub-server-in-a-single-file/
⸻

julian,
@julian@fietkau.social avatar

@Edent Nice work! It looks similar to my own self-study one-file ActivityPub server in Python. I think the structure of the protocols lends itself to implementing single-actor servers as a learning experience.

I know you're saying it's quick & dirty in some ways, but if it's intended as a learning tool for others, do you want feedback on it? There's one bad assumption in there that I think would be better if it was cleaned up.

julian,
@julian@fietkau.social avatar

@Edent Then I'll make it short: The assumption that a server has a shared inbox at /inbox does not generalize, as even the existence of a shared inbox is not mandated by anything.

What you'd need to do is when someone follows, you fetch their actor data and store at minimum their inbox and/or shared inbox.

For sending, I build a set of all shared inboxes that occur more than once, and use the individual inboxes for the rest.
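
Added example (not part of the thread and not code from either poster): the delivery logic described in this reply, storing each follower's `inbox` and `endpoints.sharedInbox` from their actor document, then posting once to every shared inbox used by more than one follower and to personal inboxes otherwise. The stored field names and the sample actors are constructed for illustration.

```python
from collections import Counter

def inboxes_from_actor(actor):
    """Extract what must be stored when an actor follows us."""
    inbox = actor.get("inbox")
    if not isinstance(inbox, str):
        raise ValueError(f"actor {actor.get('id')!r} has no usable inbox")
    # A shared inbox is optional; never derive one from the host name.
    shared = (actor.get("endpoints") or {}).get("sharedInbox")
    return {"id": actor["id"], "inbox": inbox,
            "shared_inbox": shared if isinstance(shared, str) else None}

def delivery_targets(followers):
    """One URL per POST: shared inboxes used by 2+ followers, else personal inboxes."""
    counts = Counter(f["shared_inbox"] for f in followers if f["shared_inbox"])
    targets = set()
    for f in followers:
        shared = f["shared_inbox"]
        targets.add(shared if shared and counts[shared] > 1 else f["inbox"])
    return sorted(targets)

# Constructed actor documents, trimmed to the relevant properties.
SAMPLE_ACTORS = [
    {"id": "https://big.example/users/alice",
     "inbox": "https://big.example/users/alice/inbox",
     "endpoints": {"sharedInbox": "https://big.example/inbox"}},
    {"id": "https://big.example/users/bob",
     "inbox": "https://big.example/users/bob/inbox",
     "endpoints": {"sharedInbox": "https://big.example/inbox"}},
    {"id": "https://solo.example/users/carol",
     "inbox": "https://solo.example/users/carol/inbox",
     "endpoints": {"sharedInbox": "https://solo.example/shared"}},
    {"id": "https://tiny.example/actor",          # no shared inbox at all
     "inbox": "https://tiny.example/actor/inbox"},
]
FOLLOWERS = [inboxes_from_actor(a) for a in SAMPLE_ACTORS]
```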

eniko, to random
@eniko@peoplemaking.games avatar

hello i need people to link me to videos from video essayists talking at length about very old games. the more obscure the channel the better, since i watch a lot of these. it's for my mental health. thank you

julian,
@julian@fietkau.social avatar

@eniko This one's pretty well-known and you may have already watched it, but for that prompt I can't not link it:

Ahoy – The First Video Game

https://www.youtube.com/watch?v=uHQ4WCU1WQc

jwildeboer, (edited ) to random
@jwildeboer@social.wildeboer.net avatar

PSA: Dear @snarfed.org@snarfed.org @snarfed - I hereby request that you remove my account @jwildeboer and any other account at social.wildeboer.net from your bridge. Please confirm. Thx. (not sent as DM, as I wish to make it public that I do not agree to your opt-out approach but have to do it this way.)

EDIT: context at https://mastodon.online/@mastodonmigration/111921365604965429 and https://snarfed.org/2024-02-12_52106 also: I have now fediblocked everything brid.gy

julian,
@julian@fietkau.social avatar

@jwildeboer Update on this: the bridge is now planned to be opt-in.

https://github.com/snarfed/bridgy-fed/issues/835#issuecomment-1942046208

CerstinMahlow, to iOS
@CerstinMahlow@mastodon.acm.org avatar

Is it possible to text with other people using different messengers? You can use iOS iMessage with SMS and iMessage. But here I’m looking for communicating with a friend like this: he would use Signal and I stick with iMessage?

Reason: I don’t own a smartphone, my iPad has no SIM card, so Signal isn’t possible on my side. We already agreed on not using WhatsApp. Any other suggestions for iOS?

julian,
@julian@fietkau.social avatar

@wuethrich I'm guessing you were typing this before you got my first reply. Again, I'm not going to be using bridges and I'm not going to have a Signal or WhatsApp account. I'm going to be using the native messenger interoperability mandated by the DMA, and Signal/WhatsApp are going to send their messages to my Matrix server knowing that it is a Matrix server. How they explain that to their users is up to them, maybe there'll be a popup warning.
