#indiewebcamp 2014-04-09

2014-04-09 UTC
#
aaronpk
now I have to go redeploy everything in AWS
#
aaronpk
of course 5pm is the best time to do that
#
snarfed
aaronpk: mostly for the client side fixes, right?
#
snarfed
or do you terminate ssl yourself for your aws stuff?
#
aaronpk
no, ELBs do that for us
#
snarfed
exactly
#
aaronpk
but this whole system is built around callback URLs, so...
#
snarfed
yeah, client side, whee
#
barnabywalters
sanity has been restored
#
Loqi
does a happy dance!
#
barnabywalters
turns out it was iptables playing up for some reason
#
barnabywalters
hot chocolate time!
#
barnabywalters
goodnight all
#
Loqi
goodnight!
#
@stefek99
@indiewebcamp Hello :) I wonder if you endorse / support this one: https://www.resetthenet.org/ #ResetTheNet ?
(twitter.com/_/status/453687329052708864)
#
@kyle_wm
@courtarro thanks for the heads up, tis intentional http://indiewebcamp.com/permashortcitation ... thinking about alternatives that'll still support backfeed
(twitter.com/_/status/453694694858317824)
#
kylewm.com
edited /permashortcitation (+106) "/* Criticism */ example of PSC confusion"
#
@kevinmarks
@edbott @alex clearly we need to teach @pmarca and the a16z crew to POSSE #indieweb http://indiewebcamp.com/POSSE
(twitter.com/_/status/453695016964091904)
scottros, caseorganic, scor, gRegor`, fmarier and snarfed joined the channel
#
gRegor`
!tell snarfed I think your timezone settings might be off. I'm finally going through and parsing webmentions I received and this one lists the UTF offset as -07:00 but it should have been -08:00 at that time (before DST) https://snarfed.org/2014-02-11_re-gregorlove-com-little-g-big-r-powered-by-indieweb
#
Loqi
Ok, I'll tell them that when I see them next
scor and tantek joined the channel
KevinMarks joined the channel
#
tantek.com
edited /Sponsors (-2) "TOC at bottom just for easy click/referencing frags"
#
tantek.com
edited /Sponsors (+0) "fix heading levels"
#
tantek.com
edited /Trsst (+133) "note sponsorship, see also their Twitter"
eternicode joined the channel
#
tantek
oh dear - this is a scary phrase: "…since the openssl libraries are statically compiled"
#
tantek
ergo, if you have ANY software on your server (not just the OS, or the webserver, etc.) that MIGHT have OpenSSL compiled/linked into it, you need to upgrade them.
#
tantek
it's not just updating the server
#
tantek
rather, it's not just updating the OS
#
GWG
Good evening
#
GWG
Link sharing isn't working
#
tantek
GWG - what do you mean by "Link sharing" ?
#
GWG
tantek: I've divided my site into several types of content
#
GWG
Links, Status Updates, Videos, Images, and Articles.
#
tantek
what's an example of a "Links" post on your site?
#
tantek
and do you have any "Status Updates" that include hyperlinks themselves?
#
gRegor`
tantek: yeah, very scary. it's a mess.
#
GWG
No. The status update posts, when syndicated, would have a link back.
JonathanNeal joined the channel
#
GWG
A link is a link to an external site, with a short comment.
#
GWG
So, it is similar to a status update.
#
GWG
I tried to separate them.
#
GWG
It is Twitter that is the problem
#
GWG
I can't get the formatting right when anything sends to Twitter
#
GWG
Unless I craft the Tweet myself, it comes out wrong
#
tantek
that is indeed a bit of an art
KevinMarks joined the channel
#
kylewm
anyone have experience with Dokku (or the like -- self-hosted mini-herokus)? ran into a little snag playing with it, trying to decide if i should keep going or give up :)
#
kylewm
GWG, it seems your tweets with links are being overzealously shortened
#
kylewm
perhaps the wordpress plugin does not take into account that links will be shortened to 22/23 characters
#
GWG
Well, the SNAP people aren't responding.
#
GWG
But, it supports shortening and it is turned on, oddly enough
#
GWG
The problem is that it doesn't recognize the different formats.
#
GWG
I have some ideas though.
KartikPrabhu joined the channel
#
Loqi
KartikPrabhu: gRegor` left you a message 6 hours, 17 minutes ago: Still on for tomorrow night?
#
KartikPrabhu
gRegor`: yeah sure
#
GWG
kylewm: To answer your question, no, I don't.
#
KartikPrabhu
gRegor`: that was in reference to Chicago HWC
#
gRegor`
Cool
#
GWG
Hmm...this might work as a variable. "Inserts the text till the <!--more--> tag or first N words of the post"
#
GWG
This is what I'm looking at.
#
kylewm
oh, nice, so could you include the full URL of your post at the end instead of the goo.gl shortened link?
#
kylewm
imho, that would look better
#
GWG
The post, yes. But I'm afraid that would truncate the title.
netweb joined the channel
#
GWG
But, these are where I am linking/commenting on another site.
#
GWG
I may have to find a format for the link posts.
#
kylewm
so that's what I was getting at before -- twitter automatically shortens links on their end, so each one only counts 22 (or 23 for https) characters
#
kylewm
no need to shorten them beforehand
#
GWG
Yes, but the plugin has an issue with that.
#
GWG
Trying a test.
#
kylewm
Looks like it
#
kylewm
is it open source?
#
GWG
It is.
#
GWG
Trying some tests.
#
GWG
But, on the link posts, it should share the original link, not my URL.
#
GWG
Unlike the other posts.
#
kylewm
i'm genuinely curious why someone would write code like this
#
GWG
Because they sell a pro product?
#
GWG
I may have to add a custom-field in order to put in the link.
netweb and snarfed joined the channel
#
Loqi
snarfed: gRegor` left you a message 2 hours, 9 minutes ago: I think your timezone settings might be off. I'm finally going through and parsing webmentions I received and this one lists the UTF offset as -07:00 but it should have been -08:00 at that time (before DST) https://snarfed.org/2014-02-11_re-gregorlove-com-little-g-big-r-powered-by-indieweb
#
snarfed
kylewm: saw the unhashable dict error, i'll investigate
#
KartikPrabhu
howdy! everyone
#
kylewm
snarfed, I am running bridgy locally explicitly so it doesn't email you every time i get an error ;)
#
snarfed
KartikPrabhu: howdy!
#
snarfed
kylewm: funny, wonder why it emailed then
#
kylewm
no I mean, I just started after I got that error
#
kylewm
it's the only way I can outgun you on tracking things down
#
kylewm
good evening, KartikPrabhu how's it going?
#
KartikPrabhu
aah just flew back from Savannah so quite exhousated
#
snarfed
sounded like the talk went well, congrats
#
kylewm
oh lovely, GA's my home state
#
KartikPrabhu
is so exhausted that he can't spell exhausted
#
kylewm
I've never been to Savannah though
#
KartikPrabhu
snarfed: yeah it did...
#
KartikPrabhu
kylewm: Savannah is pretty cool! You can drink beer on the street! ;)
#
kylewm
haha, that's a big plus
#
kylewm
snarfed, it looks like it expects in-reply-to to be a url, but mine is an "p-in-reply-to h-cite" object
#
kylewm
which could be a goof on my part
#
snarfed
kylewm: ah, yes, no such thing as p-in-reply-to
#
snarfed
should be u-in-reply-to
#
kylewm
my inclination would be to add a new function that takes a url-like thing and returns url if it's a url or object["properties"]["url"][0]
#
snarfed
regardless, i should handle it better
#
kylewm
i got p-in-reply-to from here https://indiewebcamp.com/in-reply-to
#
snarfed
oh i see. nm. looking
#
snarfed
you're right. i should know better than to say anything at all about mf2 :P
#
kylewm
seriously right?
#
kylewm
(i mean not you, in general)
#
snarfed
heh, understood
#
snarfed
kylewm: agreed, that utility fn makes sense. it would probably go in source.py or somewhere similar
#
kylewm
would you like me to take a stab at a fix, or is it not worth you havin to review it?
#
snarfed
always worth fixing bugs!
#
snarfed
if you're interested, definitely take a stab, i'm happy to review
#
snarfed
the consistent facebook 500 is also probably my/our fault. they should report the error better, but still, i bet we can fix it.
#
kylewm
dang, I just tried to post a regular post locally, and it went through without a 500
#
kylewm
heisenbug
#
snarfed
!tell gRegor` thanks!
#
Loqi
Ok, I'll tell them that when I see them next
#
kylewm
oh, that's embarrassing...already a function to extract urls from h-cite, on the very next line
#
snarfed
even so, we still need to use it!
#
GWG
Okay....custom fields...so far so good.
#
GWG
Oh...things changed.
#
GWG
Did I miss anything?
paulcp and eschnou joined the channel
tantek, scottros, eschnou, basal, LauraJ and jsilvestre joined the channel
pfefferle, LauraJ, pasevin, pasevin_, pfenwick, voxpelli, krendil, Sebastien-L and glennjones joined the channel
#
acegiak
pfefferle: does the webmention plugin re-send webmentions when posts are updated or trashed?
#
pfefferle
when they are updated
#
pfefferle
not when they are trashed
#
acegiak
I'm trying to make it so that when I delete a comment post I notify the post I'm commenting on
#
voxpelli
do any webmention endpoints support deletion of mentions?
#
voxpelli
I know I haven’t added it to https://webmention.herokuapp.com/ yet, but can’t really remember how that would be done? what does it send?
#
acegiak
http://indiewebcamp.com/comment#Delete_a_comment < this is what I'm trying to implement
#
voxpelli
acegiak: ok, that makes sense
#
voxpelli
but I don’t like the reliance on 410 there
#
voxpelli
makes it impossible for sites on something like Github Pages to signal that one of their posts has been deleted :/
#
acegiak
I kinda think if you send a webmention that points to something that comes back as 4** then it should be counted as a deletion?
#
voxpelli
acegiak: seems like not everyone agrees with that: http://indiewebcamp.com/deleted#404_Not_Found
#
voxpelli
but I agree, if one wants to rely on HTTP codes, then a 404 needs to be treated as a 410 for pragmatic reasons as it's not always possible or feasible to return a 410 instead
friedcell, eschnou, pfenwick, tobiastom, pfefferle, voxpelli, melvster, adactio, barnabywalters, bnvk, LauraJ, scor, scottros and glennjones joined the channel
#
ben_thatmustbeme
good morning
bnvk, LauraJ, glennjones_, hober2 and chloeweil joined the channel
#
pdurbin
ben_thatmustbeme: good morning
LauraJ and gRegor` joined the channel
#
Loqi
gRegor`: snarfed left you a message 9 hours, 50 minutes ago: thanks!
JasonO, pfefferle, snarfed, LauraJ, iangreenleaf, KevinMarks, paulcp, ttepasse, npdoty, tantek and eschnou joined the channel
#
kylewm.com
edited /User:Kylewm.com (+399) "/* other ideas/goals */"
#
kylewm.com
edited /User:Kylewm.com (-12) "/* other ideas/goals */ I keep forgetting that activitystreams-unofficial isn't called "activitystreams" :)"
benprew, barnabywalters, tantek-ipod, jsilvestre, snarfed, _6a68, pasevin, eschnou, tantek and KartikPrabhu joined the channel
#
ben_thatmustbeme
quiet in here
#
ben_thatmustbeme
it's like everyone is saving their thoughts for tonight
paulcp joined the channel
#
tantek
ben_thatmustbeme: I think Pacific Time folks are still waking up
#
tantek
yesterday was quite busy with Heartbleed
#
aaronpk
still busy with heartbleed
#
tantek
!tell voxpelli using 404 for "delete" is actually *less* pragmatic in that it is more *fragile*, since systems are ephemerally down or unavailable or broken all the time - and thus return 404 because they don't know any better.
#
Loqi
Ok, I'll tell them that when I see them next
#
ben_thatmustbeme
tantek, I can understand the issue though, There are some places that don't let you set a custom response header
#
ben_thatmustbeme
the counter argument being that you should be running your own site
#
tantek
!tell voxpelli more on that here under "Server error." (and other reasons) http://indiewebcamp.com/deleted#404_Discussion
#
Loqi
Ok, I'll tell them that when I see them next
#
ben_thatmustbeme
and yeah, heartbleed was impressive
#
tantek
if you can't set a custom response, then the fallback is to simply provide some default text like "This comment has been deleted by the author."
#
tantek
and if you contrast the needs, the need to preserve user data (avoid accidental deletes due to server errors) outweighs the need to support places that don't let you set a custom response header
#
tantek
is having a hard/slow time loading/editing the wiki pages and will add those notes accordingly
#
ben_thatmustbeme
Working with the webmention status polling, I felt like it should be some markup format on the html again, otherwise it's a repeat of the headers again
#
ben_thatmustbeme
I feel like things like "post deleted" could be marked up in some standard way as well. I don't believe there is anything in mf to say "this post is deleted" is there?
#
ben_thatmustbeme
s/post/h-entry/
#
Loqi
ben_thatmustbeme meant to say: I feel like things like "h-entry deleted" could be marked up in some standard way as well. I don't believe there is anything in mf to say "this h-entry is deleted" is there?
#
tantek
no there is no way to indicate in h-entry that it's a tombstone
#
tantek
though that's an interesting suggestion
#
ben_thatmustbeme
I'm thinking if we start to get rid of status update from http headers, we are probably better off, seems more indie-web style anyway
#
tantek
well it helps to provide both options, as it does parallel what we've done with webmention itself, allowing both HTTP LINK header for discovery, and HTML link rel
#
tantek
some prefer (and find it easier) to do one vs. the other
#
tantek
from a publisher perspective
#
aaronpk
ben_thatmustbeme: I just realized that I didn't actually implement sending back status headers in my webmention status page :)
#
ben_thatmustbeme
hmm, I'm not sure I put the link header in mine..
#
ben_thatmustbeme
checks his site
#
tantek
ben_thatmustbeme: we don't want to get rid of status update from HTTP headers because it's always good to re-use existing standards/protocols when they precisely reflect your semantic needs
#
aaronpk
tantek: i think he's talking about the "Webmention-Status: xxx" header
#
aaronpk
that's what i'm talking about anyway
#
ben_thatmustbeme
aaronpk, that too
#
ben_thatmustbeme
that's what got me on the idea of it, it seemed like that should be marked up to be easily parsed from the page returned, thus one result, human and machine can read
#
tantek
did I miss the spec/brainstorm for the "Webmention-Status: xxx" header ?
#
aaronpk
i thought you were part of that?
#
aaronpk
it's in ben's implementation note here http://indiewebcamp.com/webmention
#
ben_thatmustbeme
I think it was put in to the brainstorming on webmention
KartikPrabhu joined the channel
#
aaronpk
seems to have disappeared
#
ben_thatmustbeme
maybe we never did
#
ben_thatmustbeme
I'm just updating the webmention spec to whatever I use, that way I have a github I can point people to if they want to see what I'm doing
#
ben_thatmustbeme
well, the actual code is there too
#
tantek
hah! I claim it was a figment of imagination. or perhaps *IRC* brainstorming that never made it into the wiki :P
#
tantek
ben_thatmustbeme: better to edit the /webmention wiki page so that your notes are more discoverable
#
ben_thatmustbeme
I just keep seeing people going back and forth on what HTML codes to return, and I just was thinking it seemed somewhat silly since it's all machine readable only specs we are debating, better to have it in the page returned so that the user can actually see what is happening too
#
aaronpk
I think the reason for using HTTP status and headers was so that the webmention spec doesn't actually dictate what is returned in the body
#
tantek
it's also more efficient for consumers
#
ben_thatmustbeme
actually it looks to be similar to the Variable Response Body Problem section
#
KartikPrabhu
it should be OK to use both the codes and return a helpful response body like the case of a 404 page... though 404s are not usually well designed
#
tantek
KartikPrabhu: good point
#
aaronpk
you all saw my implementation right?
#
KartikPrabhu
aaronpk: I might have missed it... wasn't around here for the last few days
#
aaronpk
a URL like this is returned in a Link header when you send me a webmention now https://aaronparecki.com/webmention/rf2_14yA
#
ben_thatmustbeme
aaronpk, I think I found a good reason to have my webmention queue items persist indefinitely.
#
KartikPrabhu
aaronpk: nice! do you also include some useful error message in case the mention fails?
#
aaronpk
KartikPrabhu: yes! shows details about what went wrong
#
aaronpk
I should probably generate some sample URLs for those too
#
ben_thatmustbeme
I keep them linked to the actual item they create (so I could give the status page the link)
#
KartikPrabhu
aaronpk++ very nice...
#
Loqi
aaronpk has 419 karma
#
Loqi
fo sho
#
aaronpk
ben_thatmustbeme: I may be able to be convinced to keep the status page around for successful mentions, but not for error ones
#
ben_thatmustbeme
but it would make update and delete easier for me. I just check the input fields to see if they are in my mentions queue
#
ben_thatmustbeme
thus, just from the input I have all the info from last time they submitted.
#
aaronpk
you will too once you see how much pingback spam there is
#
aaronpk
maybe I can log the spam I get for a day and post it somewhere
#
ben_thatmustbeme
yeah, I could certainly be convinced to trash any error ones
#
ben_thatmustbeme
uh oh, trying to log in to the wiki and getting ... No rel="me" links were found on your site!
pasevin_ joined the channel
#
aaronpk
huh that's odd
#
aaronpk
it says it's getting a 404 error ... http://ben.thatmustbe.me/
#
aaronpk
lol your home page is returning 404
#
aaronpk
good thing 404 doesn't mean deleted
#
ben_thatmustbeme
ahh, that may be my end
#
ben_thatmustbeme
yeah, damn routing table isn't working correctly for me
#
aaronpk
HTTP/1.1 404 Ben Not Found
#
ben_thatmustbeme
it's loading the error/not_found controller, which looks exactly the same as the main page.
bret joined the channel
#
aaronpk
well I *think* treating a 404 response as empty is the correct thing for indieauth.com to do
#
ben_thatmustbeme
yeah, that's my fault
#
ben_thatmustbeme
was trying to fix it as /asdf1234 would return a 200 and the home page
#
ben_thatmustbeme
apparently I went a little too far and it was returning 404 for / as well
#
tantek
ben_thatmustbeme: thanks for proving my point about server errors unintentionally returning 404s
#
tantek
and THAT is why 404 MUST NOT be interpreted as "delete" - a destructive action.
#
tantek
presumably your permalinks were also returning 404
#
tantek
so anyone could have (re)webmentioned any of your comments to their originals
#
tantek
and if 404=delete, your comments would have been deleted.
#
tantek
without *any* notification to you.
#
tantek
kind of a bad vulnerability
#
tantek
voxpelli ^^^
#
GWG
Good afternoon
#
tantek
hello GWG
#
ben_thatmustbeme
tantek, You're welcome. That's why I did it... yeah, I go with that
#
kylewm
oh lightbulb moment, h-as-note means "activitystreams note"?
#
kylewm
i always thought it was "interpret this h-entry *as* a note"
#
tantek
kylewm yes and yes ;)
#
KartikPrabhu
it is both
#
tantek
(it was a deliberate choice of "vendor" specific h-*- prefix on my part
#
tantek
pretty sure I was the first to start that practice in the wild
pasevin joined the channel
#
tantek
also sort of reads as "has note"
#
kylewm
i like it! who is the intended consumer for those types?
#
KartikPrabhu
I can see readers, maybe bridgy can use diff. UIs according to -as-note or -as-article
#
KartikPrabhu
for instance, for -as-article you could "tweet" the p-summary and for -as-note a truncated version of the content
#
KartikPrabhu
snarfed: does bridgy do this ^^
snarfed joined the channel
#
kylewm
ask and he appears
#
gRegor`
beetlejuice beetlejuice beetlejuice
#
KartikPrabhu
true! snarfed: does bridgy/publish treat -as-note and -as-article differently?
#
tantek
I sure hope not!
#
tantek
h-as-* class names I intended purely as an experiment on my site, not as any kind of serious proposal :)
voxpelli joined the channel
#
Loqi
voxpelli: tantek left you a message 58 minutes ago: using 404 for "delete" is actually *less* pragmatic in that it is more *fragile*, since systems are ephemerally down or unavailable or broken all the time - and thus return 404 because they don't know any better.
#
Loqi
voxpelli: tantek left you a message 56 minutes ago: more on that here under "Server error." (and other reasons) http://indiewebcamp.com/deleted#404_Discussion
#
KartikPrabhu
tantek: so you think diff. behaviour would be bad?
#
voxpelli
tantek: I agree, but 410 can't be the only solution, needs alternatives for restrictive environments
#
voxpelli
tantek: A solution that doesn't work on a GitHub Pages like environment needs alternatives or replacement
kbs and squeakytoy joined the channel
#
bret
voxpelli there was talk of using http equiv headers
#
voxpelli
bret: Any solution depending on any kind of specific HTTP-responses from the blog itself rules out file-based systems like GitHub Pages
#
aaronpk
voxpelli: <meta http-equiv="Status" content="410 GONE"/>
#
aaronpk
that's not http headers, that's in the html
#
bret
that's what the equiv headers address
#
bret
we just have to make sure that we hound implementors to support it ;)
#
voxpelli
ah, I thought you were referring to using http headers rather than a http code
#
bret
i had no idea about these until i had the same question
#
aaronpk
http-equiv seems to be the right solution, since it's already a thing
#
bret
github pages redirects is pissing me off
#
kbs
heh
#
bret
chrome says that it gets in a redirect loop now sometimes
#
kbs
ha!
#
kbs
I knew it
#
aaronpk
bret: ha that's awesome
#
aaronpk
now you can file a bug report with github
#
kbs
has a deliberate check to handle that situation
#
bret
like wtf are they thinking?
#
aaronpk
it's probably some optimization on their end
#
voxpelli
yeah, http-equiv meta tags sounds like the most obvious alternative
#
aaronpk
it would be great if the http-equiv was included in the result of microformats parsers, like how "rels" is
#
voxpelli
the other alternative would be to have a property of a h-entry that tells that it's gone, can't remember what the activitystreams group decided there
#
voxpelli
aaronpk: indeed, and also if meta http-equiv refreshes was parsed as redirects by them ;)
#
bret
aaronpk++
#
Loqi
aaronpk has 420 karma
#
bret
420 karma
#
kbs
!tell snarfed fyi on your public key, the image doesn't appear to be signed by your key [let me know if this sort of thing is not that useful :) mostly a side-effect of my tests with key management.]
#
Loqi
Ok, I'll tell them that when I see them next
#
tantek
aaronpk - I think that means you get to take a break. #420
#
ben.thatmustbe.me
edited /webmention (+586) "/* Asynchronous status polling */"
paulcp joined the channel
#
ben_thatmustbeme
there. my site is fixed and the status polling header added to the wiki
#
tantek
aaronpk - just saw this from you "it would be great if the http-equiv was included in the result of microformats parsers, like how "rels" is" - that's a fascinating suggestion
#
tantek
what uses would it have beyond HTTP status equiv?
#
bret
tantek aaronpk, could the parser pull in actual http codes as well?
#
tantek
I can also see this slippery sloping into including all meta name constructs into the parsing
#
tantek
bret - the parser typically doesn't do the http retrieval
#
aaronpk
that is the only one I was thinking of right now, but the reason being if people are going to be putting http-equiv 410s in there, I want to be able to consume that as easily as possible
#
tantek
it's handed a chunk of HTML and the asserted URL that it was retrieved from (for relative URL resolution)
#
aaronpk
tantek: that's why I called the key "http" instead of "meta"
#
tantek
aaronpk, I think that would be a good place to draw the line
#
tantek
since we *do* advocate use of http status etc., and do advocate AGAINST using generic meta name for things
#
tantek
hidden metadata etc.
#
aaronpk
I'm just thinking about ease of parsing for consumers, it'll be easiest if it's included in the result of the mf2 parsing and not another step people have to do
#
tantek
that's actually a really interesting way to properly scope use of meta
#
aaronpk
otherwise nobody will parse it, and it'll end up being mostly unsupported
#
tantek
that the only valid use of meta is for information that SHOULD be provided OUTSIDE the document (e.g. in the HTTP headers)
#
aaronpk
that's a great distinction
#
tantek
rather than all the metacrap like OGP and Twitter Cards
#
tantek
ok let me see if I can draft up some brainstorming
#
bret
the issue with http equiv is that it will likely contradict the real http code
#
tantek
for barnabywalters tommorris and other parser developers to consider
#
tantek
bret - not an issue, you must just specify which has priority
#
kbs
Just out of curiosity - is the guiding principle here to avoid repeating info in the html? (DRY etc?)
#
tantek
kbs, actually it's avoiding invisible metadata
#
tantek
which tends to rot
#
tantek
invisible metadata is often duplicated, but not always
#
bret
tantek you mean prefer the http equiv over the actual http code?
#
tantek
however invisible metadata always rots
#
kbs
ah, I see - okay.
#
aaronpk
I think http equiv should take priority, and should only be used if the author is unable to set the actual http header
#
tantek
bret - see for example meta charset
#
tantek
charset can be specified in <meta charset="utf-8"/>
#
snarfed
KartikPrabhu: re as-note vs as-article, not that i know of
#
tantek
or in HTTP headers: Content-Type: text/html; charset=utf-8
#
snarfed
if so, it's unintentional, feel free to file a bug
#
Loqi
snarfed: kbs left you a message 12 minutes ago: fyi on your public key, the image doesn't appear to be signed by your key [let me know if this sort of thing is not that useful :) mostly a side-effect of my tests with key management.]
#
bret
maybe the validator would warn against consistent http codes and http-equiv codes
#
bret
only do this if you have to!
#
snarfed
kbs: thanks for the heads up re the key image
#
aaronpk
bret: but if you're specifying http-equiv 410 on github pages then you can't make it send an http header 410 so it'll always be different and that's ok
#
tantek
btw <meta charset="utf-8"> is basically just short for <meta http-equiv="content-type" content="text/html; charset=UTF-8">
#
kbs
snarfed: sure - it's a good test case for my code as well - thanks go both ways :)
#
tantek
so what does it always return then? 200?
#
tantek
no matter what?
#
aaronpk
if there's a page there, yes
#
aaronpk
if no page, 404
#
bret
that's my experience
#
bret
sometimes it just returns a /
#
aaronpk
(of course it sometimes returns a 301 redirect to itself, but that's a different issue)
#
bret
fucking gh pages
#
tantek
uh it has to return a status code per HTTP
#
aaronpk
(ignore bret that's not what he meant)
#
tantek
aaronpk, bret - could you write that down precisely in a brief paragraph at http://indiewebcamp.com/GitHub#No_HTTP_Status_Code_Control ?
#
tantek
I think it's important that those details be captured.
#
bret
wonders if gh-pages is going to pull a massive geocities one day
#
bret
at least the sites and content are safe
#
tantek
bret, you can add that wondering to a new "Risks" section on the /github page too
#
bret
yeah i'll at least stub out that info
#
aaronparecki.com
edited /GitHub (+335) "/* No HTTP Status Code Control */"
#
aaronpk
feel free to elaborate
#
voxpelli
bret: well, anyone using GitHub Pages should be using their own domain so that they then can easily move
#
bret
i would hope so!
#
bret.io
edited /GitHub (+125) "/* No HTTP Status Code Control */ Linked to http-equiv info"
jsilvestre joined the channel
#
aaronpk
question about http-equiv, does the value really end up being "410 GONE" or would it just be "410"?
#
bret.io
edited /deleted (+342) "/* Brainstorming */"
#
tantek
so I'm thinking: if HTTP status 200, then check http-equivs for a more specific status
#
tantek
aaronpk - both should work
#
tantek
and the parser will simply return the number, special casing for "status" that is
#
aaronpk
ok, so the parser can handle all the variations?
#
aaronpk
"410 Gone" "410" "410 GONE" etc
#
aaronpk
I like the idea of only reading http-equiv if the http status was 200, that seems reasonable
#
voxpelli
aaronpk: "410 Gone" could just as well be "410 Deleted by evil overlord" – the reason phrase can be completely custom
#
aaronpk
oh right
#
bret
"410 Moving on to a hobby with less angle brackets"
#
voxpelli
Couldn't a 410 http equiv on a 404-page be useful as well?
#
aaronpk
voxpelli: example?
#
bret
voxpelli not because what if it really is a 404?
#
tantek
"410 Pilgrim"
#
voxpelli
aaronpk: as a workaround for CMS:es not supporting 410
#
bret
deleting jekyll posts is hard because you have to clear out all your hold git history of the file
#
bret
harder*
#
tantek
voxpelli - which CMSes?
#
aaronpk
but you wouldn't want *all* your 404 pages to return 410, that defeats the purpose
#
tantek
if your CMS doesn't support 410, then use 200 with http-equiv
#
tantek
no need to provide yet another way
#
tantek
don't mix 404 with this
#
tantek
you're gonna have a bad time
#
bret
does http actually have any real use as of right now?
#
bret
httpequv*
#
voxpelli
aaronpk: it doesn't completely defeat the purpose as it only returns that when the CMS is actually up and running, not when your server is broken
#
bret
gah equiv*
#
tantek
bret - biggest http-equiv use in practice has been for charset
#
tantek
as documented above
#
aaronpk
voxpelli: but what about /sldkfjslkjsef?
#
aaronpk
you wouldn't want your cms to say 410 deleted on that, it's just 404
#
aaronpk
so you shouldn't put the http-equiv 410 into your 404 template
#
bret
oh right
#
voxpelli
aaronpk: I don't see a reason to rule it out
#
bret
i didn't see the cross over
#
tantek
voxpelli - wrong methodology - if you don't need it, leave it out. that's what's best for design of standards, UI, etc.
#
tantek
everything that goes into a design, spec, UI MUST be justified with necessary use-cases. otherwise, leaving it out is the right answer to keep the design simpler, the spec shorter, the UI easier to understand.
#
tantek
this is like design 101
#
voxpelli
I think a http-equiv status should always be checked and override the default status if it is there, why ignore it?
#
voxpelli
why say that it should only be taken into consideration for some requests and not others?
#
tantek
because it's better to start conservative (only check http-equiv status on a 200) with a new feature like that
#
tantek
can always expand it later if anyone actually has a real world use case
#
tantek
conservative = less risk of breaking things with a new faeture
#
tantek
s/faeture/feature
#
Loqi
tantek meant to say: conservative = less risk of breaking things with a new feature
#
voxpelli
tantek: you mean to suggest that people should check it for 200 codes but not saying that they shouldn't for other codes? if so then we're on the same page
#
tantek
I'm saying they MUST ONLY check it for 200 codes
#
tantek
and that any kind of validator should return a warning to anyone doing anything else
#
tantek
the more narrowly you define a new feature to fit use-cases, the better
#
voxpelli
I would interpret that as someone having found a specific reason not to use it for other status codes, which isn't the case here
#
@mrmzholland
practising javascript whilst making a bootable linux pendrive, POSSEing about it on my #indieweb… http://bupk.es/t/G5
(twitter.com/_/status/453965750928044032)
#
tantek
voxpelli - nope, no specific reason needed to leave things out. see above notes on design methodology.
#
tantek
btw, narrow definitions are also better for security, reducing attack surface etc.
#
tantek
if you ever find yourself sayin "I don't see a reason to rule it out" - you're making a mistake.
snarfed, yaf, Kopfstein, chloeweil and tilgovi joined the channel
#
ben_thatmustbeme
i need to find a cheap machine to set up as a plex server in my basement
#
aaronpk
define cheap
eschnou joined the channel
#
aaronpk
why is there a monthly fee for plex.tv?
#
tantek
what's a plex server?
#
aaronpk
i assume you mean plex.tv?
chloeweil joined the channel
#
GWG
aaronpk: Plex Premium services have a fee
#
GWG
The server is free
#
ben_thatmustbeme
I have like over 1000 DVDs. To be able to rip them all and just stream from a giant hard drive in my basement would be amazing
#
ben_thatmustbeme
the hard drive would be the only thing. and cheap being the minimum required to run plex. I'm thinking one of those small form factor windows boxes
#
ben_thatmustbeme
just find an old one and be done with it
#
aaronpk
hard drives are super cheap now. I'm gonna get some 2tb usb drives and plug them into this http://www.amazon.com/dp/B00F3F381A running ubuntu
#
aaronpk
interesting article about replacing x509 with pgp http://lorddoig.svbtle.com/heartbleed-should-bleed-x509-to-death
chloeweil_ and eternicode joined the channel
#
GWG
ben_thatmustbeme: I've been ripping
#
GWG
Same idea
#
GWG
Fewer DVDs
caseorganic and friedcell joined the channel
#
tantek
aaronpk, odd, http://indiewebcamp.com/irc redirects to http://indiewebcamp.com/irc/ which is not the wiki page /IRC
#
aaronpk
that was my attempt at getting push stuff working
#
tantek
interesting - are there any PuSH enabled readers that support this?
#
aaronpk
I was trying to get it to work with google reader a long time ago
#
tantek.com
edited /https (+367) "add Criticism section with Heartbleed should bleed X.509 to death post"
(view diff)
#
aaronpk
oh and I think the real reason I wanted to get it set up was so that the google search crawler would index the logs faster
#
aaronpk
but that seems to not be a thing anymore
#
tantek
maybe it depended on using the Google test hub?
#
aaronpk
that's what I thought yeah, didn't you say you noticed your posts aren't being indexed in realtime anymore tho?
#
tantek
I forget when that seemed to stop working
#
aaronpk
it was a while ago...
#
aaronpk
anyway that's what that page is from
#
tantek
ah - you *are* using the Google test hub
#
tantek
no problem, perhaps add a big link at the bottom to go to the IRC archives?
#
aaronpk
ah yeah
#
tantek
someone typing in /irc vs. /IRC shouldn't get them lost
benprew joined the channel
#
tantek
I have a feeling we're going to be talking a lot about Heartbleed and its implications for the indieweb tonight
#
tantek
let me see if I understand the full extent of the problem
#
GWG
None for me
#
tantek
assume: anything on your server could and should be assumed to be compromised, including passwords stored in cleartext or hashed and any private keys (SSL certificates, SSH keys)
#
GWG
I don't have SSL
#
GWG
Thought about it
#
ben_thatmustbeme
GWG, what are you ripping with?
#
ben_thatmustbeme
yeah, I don't have SSL either. Someone said client side existence would affect you though too
#
tantek
GWG doesn't matter if you have SSL or not. The attack works even if you don't have SSL.
#
aaronpk
assuming your server listens on port 443 like someone else's site on a shared host
#
aaronpk
also if you have SSH listening publicly
#
tantek
right
#
tantek
this needs a "what to do if you're a user or a server admin" flow chart
#
tantek
e.g. changing your password on services is not enough
#
tantek
nor is patching the software
#
aaronpk
* patch openssl
#
aaronpk
* re-generate your ssl certs with a new private key
#
GWG
ben_thatmustbeme: MakeMKV on Linux, then reencoding to H264 using Handbrake
#
tantek
* get new certificates
#
aaronpk
* expire all current user sessions
#
tantek
* force users to change their passwords
#
aaronpk
* require your users change their passwor
#
aaronpk
we're on the same page :)
#
tantek
aaronpk - has someone already documented this?
#
aaronpk
probably
#
tantek
so that's just the checklist for server admins
#
tantek
for *users* the problem is harder :(
#
aaronpk
oh! OpenSSL isn't actually vulnerable
#
aaronpk
so if you *only* have ssh public, and no other ssl services, you do not need to assume you've been compromised
#
tantek
aaronpk every web server is an ssl service
#
aaronpk
not if it isn't listening on port 443
#
aaronpk
which a lot of mine aren't
#
tantek
huh - that stackexchange URL is not loading for me :/
#
tantek
so you're *hoping* they didn't do a portscan
#
aaronpk
no i mean if your server doesn't listen on 443, then there's no way in
#
tantek
why does the port number matter?
#
aaronpk
ok port number is not significant, i was using that as a shorthand
#
tantek
couldn't they just scan for all ports that your server may be listening on, and try them all brute force?
#
aaronpk
so what I meant to say is, if your server does not have an https listener then there is no way to attack it
#
tantek
stackexchange: HTTP ERROR: 504 / Gateway Timeout
#
tantek
oh boy
#
ben_thatmustbeme
aaronpk, openssl is used in far more than https though
#
bret
i can't make it to HWC tonight. got sick yesterday :(
#
aaronpk
ughhh stop taking what i say so literally :P
#
tantek
aaronpk - the way to attack non-https-listening servers is to trick them into opening an https connection to an unfriendly server
#
tantek
sorry, security stuff makes me think more literally
#
@dietrich
@HackOregon i'm hosting #indieweb meetup at Mozilla PDX tonight! someday i'll meet up with y'all :)
(twitter.com/_/status/453996319292395520)
gRegor` and krendil joined the channel
#
caseorganic.com
edited /2014/Cambridge (-253) "/* Participating */"
(view diff)
#
aaronpk
yeah if you're making outbound calls to HTTPS servers there's a potential attack vector there too
ttepasse and benprew joined the channel
#
aaronpk
so basically everything is screwed
KevinMarks joined the channel
#
dietrich
yes. i'm now only using the internet while offline. you're currently interacting with my markov chain generated self. expect delayed responses to specific questions.
#
ben_thatmustbeme
okay, so at least SSH was not vulnerable, unless you also had a service that does use the heartbeat extension
#
ben_thatmustbeme
and the key leaked. in which case, I give up
#
aaronpk
note that it would take a very targeted attack to actually reveal the private key of an SSL cert
#
aaronpk
the attack dumps 64k of memory at a time, so given enough attacks you could eventually put together a larger contiguous memory block
#
gRegor`
I like that PGP article, aaronpk. Good thoughts, though switching to that model would definitely take time.
#
aaronpk
it is much more likely that any passwords you've entered into your server are compromised
#
ben_thatmustbeme
this is why i try not to reuse passwords all over the place unless it's something i don't care about
#
kylewm
tantek: not a big deal, but on http://microformats.org/wiki/rel-in-reply-to#u-in-reply-to the sentence below "Advantages" is cut off.
kbs joined the channel
#
gRegor`
Yeah, I saw screenshots of dumps from mail.yahoo.com with passwords in plaintext
#
gRegor`
Crazy
caseorganic joined the channel
#
tantek
thanks kylewm, fixed. BTW edits to the microformats wiki can be seen realtime in #microformats the same way Loqi reports indiewebcamp wiki edits here.
#
Loqi
you're welcome
#
aaronpk
here's a great explanation of heartbeat and why your private key is not likely to be compromised http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html
KevinMarks and caseorga_ joined the channel
#
tantek
aaronpk - tl;dr - HTTPS sites don't need to get new SSL certs?
#
aaronpk
more or less
#
aaronpk
but definitely assume anything sent recently via https was leaked (like session cookies and passwords)
warden_ joined the channel
#
kylewm
thanks for the edits tantek :) i was pretty sure that was the intention but not enough to edit it myself
#
gRegor`
"in most software, this cannot happen" . . .
#
gRegor`
Unless you're absolutely sure, have tested and can confirm that your software meets that criteria... you should get new certs.
#
gRegor`
Call me paranoid, but I'll stick with Schneier "And you have to assume that it is all compromised. All of it." https://www.schneier.com/blog/archives/2014/04/heartbleed.html
#
kbs
hm - I'm not so sure I'd implicitly go with that blog post
#
kbs
at least for high value sites. [eg: "Thus, the server may leak the private key right after a reboot, but not later."] . I also think the openssl code is funky enough that I'd probably also wait for someone else to see whether the claims here are true
#
aaronpk
high-value sites I would be more paranoid about
#
kbs
yea
scor joined the channel
#
aaronpk
i'm going to assume most of the sites I run are not high value enough for someone to go to the trouble of trying to extract the private key
tilgovi_ joined the channel
#
kbs
*nod* yep, makes sense. I think [eg: indiewebcamp.com] perhaps at worst auth-tokens get taken
#
kbs
but not sure it really matters much in the grand scheme of things
#
aaronpk
funny thing about indieauth is everything is ephemeral anyway, since it delegates to the oauth providers
#
kbs
for how long is the auth token you get back valid?
#
aaronpk
30 seconds or something
#
kbs
oh, you don't exchange it for an access token I guess... nice
#
aaronpk
oh hm i guess indieauth does get an access token from the oauth provider, but then it discards it
#
kbs
meant to say access token, sorry for the confusion
#
kbs
I personally at least don't think it really matters - the permissions aren't much more than what's public anyway
#
aaronpk
but no, consumers of indieauth.com do not get an access token, they just get back the user's domain name
fmarier joined the channel
#
kbs
*nod* - it's indieauth.com that would potentially have the issue, right
#
kbs
well - actually I only use github and g+, dunno how powerful the access tokens requested from twitter are...
trodrigues joined the channel
#
tantek
aaronpk I'm assuming that certain organizations with resources have been using this vulnerability to scrape keys and passwords from every server. You know, perhaps by renting botnets?
#
aaronpk
that is a paranoid but safe assumption
#
tantek
e.g. "SSL removed and added here"
#
tantek
having everyone's private keys would be a great easy way to do that
#
kbs
initially misread that as 'everyone having a private key would be an easy way to fix that' :-)
#
kbs
(something about twisting facts to fit one's world-view ;)
scor joined the channel
#
trodrigues
hi all. if I was interested in putting together an indiewebcamp what would be the best way to go about this? I was looking around the wiki but couldn't seem to find much information in this direction
#
kbs
aaronpk: ah, are the twitter tokens a non-issue you think? [dunno what token-type it's getting
#
kbs
lazy to look it up :)]
#
aaronpk
kbs: it's only getting read access anyway
#
kbs
aaronpk: ah, cool.
#
aaronpk
kbs: and I believe it can't even read DMs
#
tantek
trodrigues: you're here so that's the right first step :)
#
aaronpk
trodrigues: welcome!
#
tantek
next - add yourself to indiewebcamp.com/irc-people :)
#
Loqi
woot
#
kbs
aaronpk++ [nice, careful coding :)]
#
Loqi
aaronpk has 421 karma
basal and fmarier joined the channel
#
trodrigues
so long story short, we're trying to put together a few more events happening around jsconf.eu in September or so, and I thought it'd be really cool to have an indiewebcamp around it
#
trodrigues
(have to admit I shamelessly stole the idea from jsfest in SF)
KevinMarks joined the channel
#
tantek
trodrigues - great! there's an IndieWebCampUK scheduled for September
#
trodrigues
oh, the one before/after dconstruct?
#
trodrigues
wanted to attend that last year but it was full when I noticed :(
#
tantek
right - right after
#
tantek
trodrigues - yes it was overflowing!
#
tantek
where's jsconf.eu?
#
trodrigues
still not sure of the exact dates this year but it's usually around the end of september
#
tantek
cool!
#
aaronpk
I'd love to go to berlin again!
glennjones and tantek-ipod_ joined the channel
#
tantek
there's likely to be enough interest to do one then, as http://indiewebcamp.com/2014/UK is scheduled for near the beginning of September
tantek-ipod joined the channel
#
trodrigues
yep. also, with all the people coming for the events of the wekk, and the local community I'm pretty sure there would be more than enough people
pauloppenheim joined the channel
#
trodrigues
s/wekk/week/
#
Loqi
trodrigues meant to say: yep. also, with all the people coming for the events of the week, and the local community I'm pretty sure there would be more than enough people
#
trodrigues
(oh that's nice)
#
trodrigues
what I'd like to understand right now is what would be necessary to put one event together. we're doing a meeting in a few days with the jsconf organizers and other people involved in the surrounding events so we can try and start putting together a picture of what we'll try to do
#
tantek
trodrigues perhaps most importantly: you need multiple people to be dedicated co-organizers committed to putting in the time and effort to do the event.
#
trodrigues
I might even try and attend the UK one this year. been to the last couple of dconstructs and it's always great to go back to Brighton :)
#
tantek
and preferably all of them on IRC (coordinating here in this channel)
#
tantek
our experience has been that with only one person organizing an indiewebcamp, lots of things fall apart
#
tantek
3 seems like the minimum so far for a small to medium indiewebcamp of 20-30 people
#
trodrigues
yeah I can imagine. I guess that's one of the things we're going to try and figure out on this meeting. what we really want to commit to doing and who's doing what and helping who
#
tantek
you should!
#
tantek
that will also help with running one
#
tantek
that is, having attended one and seen how they're run
#
tantek
makes a big difference, answers lots of details / defaults questions
#
Loqi
fo sho
#
tantek
have you ever run a BarCamp?
#
tantek
a lot of running and IndieWebCamp is basic BarCamp stuff with a bit more
#
tantek
s/and/an
#
Loqi
tantek meant to say: a lot of running an IndieWebCamp is basic BarCamp stuff with a bit more
#
trodrigues
nope. I have a general idea but haven't been involved in one
#
trodrigues
I was involved in LXJS (a JS conf in Lisbon) over the last couple of years, but that's kinda different I guess :)
#
tantek
any chance of getting someone on your team who has helped run a BarCamp before? that will help a lot.
#
trodrigues
mmm...I can ask around. I'm pretty sure I can find someone in Berlin who has done so
#
trodrigues
I'm having a look through some of the past event pages to have a better idea of what's involved
#
trodrigues
oh there's some irc logs too
#
trodrigues
ok, I'll read through some more of this stuff, and also have a better look at the concepts of a barcamp and try to find someone who's been involved in one. also, I'll hopefully be able to get some more people involved by the end of the week
caseorganic joined the channel
#
tantek
I think there are a bunch of "how to do a barcamp" posts?
#
tantek
like a good one from cleverclevergirl
#
trodrigues
oh. also hadn't noticed this http://decentralizecamp.com/
#
trodrigues
damn. I think I'm in the UK on this date. would love to attend this
#
tantek
trodrigues - if you have a proposed date(s) for IndieWebCampBerlin, please feel free to add it as a tentative to indiewebcamp.com/events
#
tantek
good to start capturing possibilities, sometimes that brings out people who want to help!
glennjones joined the channel
#
trodrigues
will do. I should now the exact dates when we do the meeting. jsconf probably falls on a weekend as well, and there's other events happening so I want to figure out what the best dates would be
#
trodrigues
ugh. *know. I need to go get some sleep
#
trodrigues
ok, well thanks a lot for the info. I already have something to move forward on, and I'll stick around here and try and figure out this stuff. I'm off to sleep now
#
pauloppenheim
kbs: PGP getting some positive press today after heartbleed
pfenwick joined the channel
#
kbs
pauloppenheim: ha, interesting - thanks for that link. (BTW, some of the old farts have been toiling away at their cut for a replacement for PKI-based authentication (using pgp) over at http://web.monkeysphere.info/)
#
kbs
monkeysphere is mostly about authentication I suppose (rather than adding PGP encryption so there's another backstop.)
#
kbs
also thinks that the openpgp format is itself pretty old and hairy
#
kbs
probably a different set of issues lurk in any codebase that tries to work with it too...
#
kbs
something about people who started coding in the 70s *cough zimmermann* makes them want to create bit-field data formats rather than even byte-aligned things. sigh.
tantek joined the channel
#
GWG
What would you say are the most important things about an indieweb site?
snarfed and gRegor` joined the channel
#
gRegor`
Chicago HWC about to start! Once KartikPrabhu arrives.
#
GWG
Did I miss anything?
#
pauloppenheim
kbs: is this related to monkey.org?
#
tantek
GWG awesome!
#
tantek
I'm en route to SF to get setup for ours
#
tantek
sorry, meant, gRegor` awesome!
snarfed1 joined the channel
#
GWG
Awesome what?
#
GWG
I've been having network hiccups all night
KartikPrabhu joined the channel
#
kylewm
you didn't miss anything GWG, and you can always check the log https://indiewebcamp.com/irc/today ... it's updated more or less in real time
#
bret
crap HWC never made it to calegator
kbs joined the channel
#
kbs
pauloppenheim: not related to monkey.org - monkeysphere.info is mostly a bunch of pgp fanatics who are trying to replace the PKI bits of ssl with the WoT pgp model
#
kbs
and have gotten some of them pieces talking together
#
Loqi
Homebrew Website Club PDX on Wednesday, Apr 9, 6:30pm at Mozilla
#
KartikPrabhu
what should be done at HWC Chicago :P we don't have an agenda!
#
snarfed1
KartikPrabhu: anything you want! this is a good template: http://tantek.com/2013/332/b1/homebrew-website-club-newsletter
#
snarfed1
tl;dr: first half, everyone briefly mentions their interests. second half, people split up into small groups on common interests
#
kbs
pauloppenheim: yep - moxie is doing lots of awesome things [particularly like textsecure among all the things he's done]
#
KartikPrabhu
snarfed1: we are only 2 people :)
#
gRegor`
Check and check :)
#
snarfed1
KartikPrabhu: lol good point
#
snarfed1
then skip the talking and jump straight to hacking :P
#
GWG
kylewm: How are you doing?
#
snarfed1
KartikPrabhu: if you're looking for conversation topics, more thinking about this would be great! https://github.com/snarfed/bridgy/issues/125
#
gRegor`
hacks into snarfed.org
#
gRegor`
Oh, is that not what you meant? :)
#
snarfed1
is confused
#
snarfed1
oh. heh
#
GWG
I'm always confused
#
snarfed1
please do try. i'll happily offer a bounty for any exploits you find :P
#
tantek
GWG re: the most important things about an indieweb site - follow the IndieMark levels: http://indiewebcamp.com/indiemark
snarfed joined the channel