#indiewebcamp 2013-08-01

2013-08-01 UTC
melvster, josephboyle, bnvk and shaners joined the channel
#
shaners
aaronpk: i've got question about / maybe a feature request for indieauth.com.
#
shaners
if i ran my own oauth2 provider at iamshane.com, could indieauth.com somehow detect that and delegate back to me for signing into indiewebcamp.com, instead of requiring a silo?
#
aaronpk
shaners: sorta maybe
#
shaners
lay it on me
#
aaronpk
we'd need dynamic client registration so I can get a client_id + secret from you
#
aaronpk
that's one of those things that got bumped from the spec because nobody could agree
#
shaners
for the sake of proofing-of-concept, we could manually add iamshane.com to your list of strategies
#
shaners
manually register indieauth with my (purely hypothetical) iamshane.com provider
#
aaronpk
so if we leave off the "automatic" bit, here's what would need to happen
#
aaronpk
you'd need to write an omniauth strategy for talking to your iamshane.com provider https://github.com/intridea/omniauth/wiki/List-of-Strategies
#
aaronpk
then I'd need to "register" an app (you could just send me a client_id and secret)
#
aaronpk
and I'd add it to the indieauth DB and it should "just work"
#
shaners
Should Just Work as a Service™
#
aaronpk
exactly
#
aaronpk
how fast can you set up an oauth server?
#
shaners
dunno. lemme get back to you on that part.
#
aaronpk
cool. making the omniauth gem would let me pretty much just drop it in.
#
shaners
i was curious if there was any reason to even try before diving in.
#
aaronpk
at first glance I don't see any trouble
#
aaronpk
I'll noodle on it for a while though, because I'm curious about the implications of this
#
aaronpk
like chances are, not everyone would set up a provider on their domain, more likely a group of people would end up using a shared provider, like a tribe
#
shaners
and you could only show iamshane.com as auth provider to me, or people who try to login as iamshane.com, right?
#
aaronpk
well it would only show up if they have a profile link at iamshane.com
#
aaronpk
but for the small group use case you'd end up with a profile like groupx.com/veganstraightedge and could choose to auth with that one
#
shaners
ok. thx. i'll look into it on my end.
#
aaronpk
in my case my family would be using parecki.com/aaron etc
#
aaronpk
the main question is how do I know I can trust the OAuth provider?
#
aaronpk
I can trust twitter, github, google, etc because there are only a few of them and they're big enough that security problems are pointed out and corrected quickly
#
aaronpk
but how do I trust that your oauth provider isn't compromised, letting someone else log in as you?
#
aaronpk
I should probably read up more on openid connect since I think they've done a lot of this already http://openid.net/wg/connect/
#
Loqi
fo sho
#
shaners
that's a fair point wrt compromised security
#
shaners
i don't have a good answer about that, aaronpk
#
aaronpk
I think it's the same question for openid as well
pfenwick joined the channel
#
aaronpk
openid connect seems to have done the work of defining the discovery protocol
f-a joined the channel
#
shaners
aaronpk: have you met @jlsuttles?
#
aaronpk
I think we met briefly at osbridge
#
shaners
she's at my house/office today for work. she's gonna be helping on some HS things.
#
shaners
we just chatted about this. and she said she'll take a look at it this weekend.
#
shaners
i'll do an email intro to remind you two of each other
#
aaronpk
awesome
#
aaronpk
yea have her look at the openid connect stuff, it may be what we need. not sure if it's overly complicated but iirc they've trimmed it down from the original openid
#
shaners
that feels like what i remember about it too
#
shaners
security: if iamshane.com gets pwned, does that affect me or all of indiewebcamp.com?
#
aaronpk
I think just you. because someone would have to put a link to iamshane.com on their site in order to let it be a provider in the first place
#
shaners
so. Jane puts a link to iamshane.com on her site. she tries to log in as "iamshane.com" on indiewebcamp. indiewebcamp => indieauth => iamshane.com
#
shaners
she'd still need to be able to log in to iamshane.com, right?
#
shaners
she'd have to also make a user/pw at iamshane for that to work
#
shaners
or get ahold of my u/pw
#
aaronpk
yea, indieauth would redirect to iamshane.com asking her to log in. the response from that would have to indicate that she is "jane" in order for indieauth to confirm the login
#
aaronpk
so if an attacker can log in as you (either by knowing your password or by hacking the system) then they can log in as iamshane.com to anything that uses indieauth
#
aaronpk
s/the system/iamshane.com
#
Loqi
aaronpk meant to say: so if an attacker can log in as you (either by knowing your password or by hacking iamshane.com) then they can log in as iamshane.com to anything that uses indieauth
#
shaners
thx for the clarification, Loqi!
#
shaners
whois Loqi
#
Loqi
who, me?
#
shaners
yes, you
#
shaners
aaronpk: how does indieauth.com know that Jane is trying to login as iamshane.com and not me as iamshane.com?
#
aaronpk
well in the case of github for example, it found https://github.com/veganstraightedge on iamshane.com so it expects the result of the oauth flow to come back with a username of veganstraightedge
#
aaronpk
in the case of a root domain like that, there would only ever be one account at iamshane.com, and the "username" returned by the "who am i" query would have to be "iamshane.com"
#
shaners
aaronpk: (when you get back) i'm gonna have jls build this as a little stand alone rails app + oauth2 provider on its own domain (for initial testing).
#
shaners
so we don't have to deal with trying to integrate with my monkey mess of a codebase :D
scor joined the channel
#
shaners
aaronpk: does this look like a sane overview of the work to get a test case working? https://github.com/homesteading/homesteading-oauth/issues
earplugs and shaners joined the channel
#
shaners
i just switched IRC clients. will someone mention my name, so I can see what the notification looks like? Please.
#
f-a
shaners, hello
#
shaners
f-a: thanks!
#
f-a
which client are you using
#
shaners
i just switched from LimeChat to Textual
#
f-a
I don't know them, will search
#
shaners
f-a are you on a mac?
#
f-a
no, on a linux laptop
#
shaners
ah. these are both mac apps.
#
f-a
I see!
#
shaners
f-a : have we met? are you one of the european folks in the channel?
#
f-a
I am european but I never participated in one of the camps!
#
f-a
So we haven't met *yet*!
#
shaners
what are you working on / interested in working on?
#
f-a
well, I get to know indiewebcamp from gnu consensus
#
shaners
f-a: do you have your own domain/website?
#
f-a
being a non technical guy, I was planning to write a few articles on how to regain your data and live a social life without silos, in a frugal way
#
f-a
yes, ariis.it
#
shaners
are you technical enough to write html on your site?
#
f-a
I came here and found some very interesting ideas, starting with mfs, so I am staying here
#
f-a
yes shaners , the whole site is written via a quasi markdown language I wrote in haskell
#
shaners
would you like a few suggestions of easy things to get started with #indiewebbing your site?
#
f-a
let me see: adding rel="me" on my contact link?
#
f-a
(yes, please do tell!)
#
shaners
:D yep!
#
shaners
rel-me links to your external accounts: twitter, github, facebook
#
shaners
.h-card with contact info on your homepage
#
shaners
.h-entry microformats on your stream posts
#
f-a
problem with rel="me" stuff is: I don't have an account on any of those sites yet. I will soon contribute (or plan to contribute) to pump.io, so github seems the way to go.
#
f-a
.h-entry?
#
f-a
takes note
#
f-a
I will check on the wiki the format!
#
f-a
what is your website?
#
shaners
start with github.com. it's a great site / community.
#
shaners
.h-entry is the mf for blog posts
#
f-a
well Shane, I am currently vegetarian, pondering about going vegan
xtof joined the channel
#
bret
shaners, have you tried colloquy?
#
shaners
bret: i have. it's been a while though.
#
shaners
i remember not being a fan of it
#
bret
there are a few wacky default settings, but I like better than any other IRC client I have tried
#
bret
Textual looks nice, but I have been burned by other comercial IRC clients in the past, so, Im reluctant
#
bret
commercial*
#
shaners
i don't keep logs or anything
#
bret
the znc stuff looks kinda interesting in textual
#
bret
linkunus was the regretful purchase. I never understood how an IRC client could drain a laptop battery so fast
#
shaners
so if textual dies, at least i got my $5 worth in the meantime
#
bret
what is this ZNC stuff they talk about? how does it tie in more than any other client?
#
shaners
and textual is open source, bret
#
bret
did not know that!
#
bret
in that case....
#
aaronpk
my favorite osx client is Limechat
#
shaners
bret no idea what the znc stuff they're talking about is
#
shaners
aaronpk that's what i was using until a few minutes ago. trying textual.
#
aaronpk
bret: you can run a znc on a server somewhere and then you'll always be signed in to IRC and when you re-connect to the ZNC thing it'll do things like show you who's mentioned you while you were offline
#
shaners
does that look sane to you?
#
aaronpk
shaners: ah yes, reading now
#
shaners
well done
#
aaronpk
i'm going to make a new one for the authorization screen
#
shaners
ah. good catch.
josephboyle joined the channel
#
aaronpk
so hey..this is actually a great excuse for me to do some real-world testing on my book
#
shaners
which book is that?
#
aaronpk
OAuth 2
#
aaronpk
for o'reilly
#
aaronpk
I like this checklist approach, I should put that into a sort of "cheat sheet" for the book
#
shaners
it's all yours
#
f-a
night gents
#
shaners
f-a later f-a
#
aaronpk
sent you the book, plz share with jlsuttles!
#
aaronpk
also feel free to file issues against the oauth.net site :) https://github.com/aaronpk/oauth.net/issues
#
bret
aaronpk, what book?
#
aaronpk
i'm writing a book on OAuth 2
#
bret
oh right on!
#
shaners
aaronpk: what's your email that you use on heroku?
#
aaronpk
the usual
#
shaners
figured
#
shaners
added you to the thing
gjones and xtof joined the channel
#
neuro`
Good morning
cweiske joined the channel
#
shaners
later, friends
xtof, benwerd, andreypopp, smcgregor and Jihaisse joined the channel
andreypopp joined the channel
#
@vivi_tatyana
RT @t: No @instagram clients that upload photos … except a worm.
earplugs, seyz, eschnou, bnvk, adactio, andreypopp, friedcell, fmarier, melvster, xtof, josephboyle, scor, f-a and hober joined the channel
#
@edsu
@rdhyee fwiw, the demise of google reader, snowden &
#
Loqi
the #indieweb movement seem to be giving blogging technologies a reboot
#
@rdhyee
RT @edsu: @rdhyee fwiw, the demise of google reader, snowden &
#
Loqi
the #indieweb movement seem to be giving blogging technologies a reboot
tantek, barnabywalters, andreypopp, f-a, melvster, tilgovi, ozten, josephboyle, spinnerin, eschnou, jihaisse_, benwerd, pfenwick, scor and shaners joined the channel
#
shaners
Good morning, campers!
#
@veganstraightedge
RT @edsu: @rdhyee fwiw, the demise of google reader, snowden &
#
Loqi
the #indieweb movement seem to be giving blogging technologies a reboot
josephboyle joined the channel
tantek and benwerd joined the channel
#
shaners
Instagram is apparently deleting photos uploaded by means other than their official app
#
neuro`
shaners: that was predictable. They could not let photos uploaded by the famous unofficial API
#
f-a
*unofficial* meaning that worm?
#
neuro`
f-a: I'd rather say that the worm was using the unofficial API
#
shaners
sure. but they're also deleting photos uploaded by unofficial apps by windows phone users
#
neuro`
I understand their reaction. If I had millions users I'd probably frak out that thing would go out of control
#
neuro`
That doesn't change the main issue: IG being a walled garden owned by another walled garden
#
shaners
if i had millions of users, i'd make a more open documented public api and let it grow and be wild and free
#
neuro`
shaners: agree, please read my last statement :)
#
shaners
exactly
#
neuro`
shaners: what's your twitter id btw?
#
neuro`
f-a: same question
#
shaners
Roll call:
#
shaners
Twitter handle
#
shaners
Personal domain
#
shaners
#indieweb project/s
#
f-a
I don't got twitter/facebook/whatever. But I have a minibloguesque thing here http://ariis.it/items/rss/stream.html neuro`
#
shaners
@veganstraightedge
#
shaners
Homesteading. NewBase60 (ruby gem). Microformats 2 (ruby gem).
#
neuro`
Oh cool
#
neuro`
I needed both of them and was about to reinvent the wheel
#
iamshane.com
edited /Instagram (+275) "added verge story about instagram unofficial apps and api change"
#
shaners
neuro`: if you find any bugs or want to fix outstanding issues, feel free to send pull requests ;)
tantek joined the channel
#
neuro`
shaners: will do.
#
shaners
tantek: did aaronpk talk to you about the rel-canonical problem we ran into at our mini-meetup in pdx?
gjones joined the channel
#
shaners
hey gjones! long time, glenn.
#
tantek
shaners - did you or aaronpk document the rel-canonical problem you ran into on the wiki?
#
shaners
it was right at the end of our hangout. i don't think either of us did.
#
shaners
can i give you the short version to see if it's been considered already?
#
shaners
rel-canonical should only be used once on a page, right?
#
shaners
so, on a blog post permalink, not on a feed, for example.
#
tantek
rel values are page scoped
#
tantek
so all you can do is link from a page to the canonical URL for that page
#
shaners
when linking from a post syndicated to wp.com back to my site's original post, I'd use a[rel=canonical][href=sbb.me/bXYZ1]
#
tantek
that's the definition
#
tantek
sure you can use it for that
#
shaners
but i can't NOT show a rel-canonical on the wp.com feed view. it's the same unchangeable markup for permalink and feed.
#
shaners
so, aaronpk and i think we need a .u-canonical in places where you can't control the markup
#
shaners
i mean, where you can't conditionally control the markup
#
shaners
make sense?
#
tantek
"same unchangeable markup" - sounds like a platform limitations
#
tantek
limitation
#
tantek
that has nothing to do with rel-canonical
#
aaronpk
it means he can't use rel-canonical on wordpress.com
#
tantek
sounds worth documenting as a limitation of wordpress.com on : http://indiewebcamp.com/WordPress#WordPress_hosting_service
#
tantek
we already have the equivalent to rel-canonical but for pretty much any microformat with u-uid
#
tantek
so you could use that if you like
#
tantek
but there's no need for a u-canonical because that would be redundant (a second name for the same thing)
#
tantek
("uid" comes from vCard/iCalendar and predates rel-canonical by many many years)
#
aaronpk
question: on my tag page I have other peoples' posts, the permalinks to their domains are marked up as u-url, is that correct?
#
tantek
ironic that @schofeld is linking to winer, then mentioning #indieweb - whereas winer seems to be stuck on RSS, while the #indieweb has leapfrogged far past RSS (which is just legacy XML at this point)
#
tantek
aaronpk - yes that's fine
#
aaronpk
also http://news.indiewebcamp.com/ apparently uses rel-canonical on the list view, which is now wrong
#
tantek
aaronpk - it's always been wrong ;) rel-canonical has always been page-level
#
aaronpk
so I should switch indienews to u-url or u-uid?
#
aaronpk
but not u-canonical?
#
tantek
aaronpk - see above about u-canonical being redundant
#
aaronpk
so, u-url or u-uid?
#
tantek
using u-uid is optional and if you're already using u-url and only linking to the original via that - then that's fine
#
shaners
tantek: it's absolutely a limitation of wordpress.com. but nonetheless it's a context that users (including me) will have to deal with.
#
tantek
u-uid (and rel-canonical) are only really useful / interesting if you're actually disambiguating
#
shaners
thanks for reminding me of u-uid
#
aaronpk
so in shaners case, is u-url enough then?
#
tantek
if you're only linking to one URL via u-url, then you don't really need to specify u-uid as well
#
tantek
shaners - ironic about the winer post you reference, he says "choose to invest in user freedom" - but he isn't really. he's explicitly investing (or asking others to invest) in "RSS" and making RSS competitive - but RSS is already so much legacy XML that it has nothing to do with "user freedom" any more.
#
shaners
tantek: i agree. the intent is in the right place. even if he's totally lost/invested in RSS land.
#
tantek
if all you're looking for is wistful posts about user freedom (without any actual action to back it up), the W3C Federated Social Web mailing list is good for that too.
#
tantek
anyway, I guess I just got tired of such noise without action about 2+ years ago
#
tantek
regardless of the source
#
tantek
just checking with you to make sure I wasn't missing something
#
shaners
so, wrt to u-uid, here's my example:
#
shaners
at the bottom: "Originally published at: http://sbb.me/b48f1"
#
shaners
i should use?
#
shaners
a[href=sbb/b48f1].u-url.u-uid
#
Loqi
I agree
#
tantek
makes sense
#
shaners
i'll write it up on the wiki
#
aaronpk
so the real answer is to not use rel-canonical on wordpress
#
shaners
i'm not. because i don't have any control over the markup in a feed vs permalink page.
barnabywalters joined the channel
#
tantek
yes, sounds like a good limitation to document about POSSEing to wordpress.com
hober and andreypopp joined the channel
#
iamshane.com
edited /WordPress (+918) "use .u-url.u-uid on WordPress.com in attribution links to original post"
#
tantek.com
edited /WordPress (+8) "/* Themes */ class="
josephboyle and scor joined the channel
#
tantek
aaronpk - when do you get into town next week?
#
aaronpk
flight lands at SFO at 12pm
#
aaronpk
in my head I said Aug 6th
andreypopp, benwerd and fmarier joined the channel