@trwnh @silverpill @technical-discussion I'd claim that *outboxes* don't publish or deliver anything. Servers do. In all but one place, the spec wording is consistent with this claim. But... there is one place (out of many mentioning the outbox) that is phrased "the receiving outbox can then perform delivery". Although I believe this is just poor writing (very common in the spec), I suppose one could use this exception to claim outboxes deliver activities instead of servers.

@eyeinthesky @silverpill @technical-discussion outboxes are HTTP resources (commonly), and we use that HTTP resource's internal semantics (via HTTP POST, which is specified to mean exactly this) to publish and deliver.

the idea of a "server" is actually a lot less real than most would think. you have an application listening on TCP port 443 that you can talk to with TLS and HTTP, but after you send it the HTTP POST, everything else is completely opaque internally.

@eyeinthesky @silverpill @technical-discussion i would say the most consistent answer is that deliveries are done by an HTTP agent which delivers a constrained LDN (AS2 document with exactly 1 activity). this role *might* be played by the same software handling the outbox, but it doesn't have to be.

sending http agent -> POST -> ap outbox -> [internal interfaces] -> delivering http agent -> POST -> inbox

the [internal interfaces] can be anything, including HTTP POST

@eyeinthesky @silverpill @technical-discussion in most cases right now the [internal interfaces] are probably hardcoded function calls in the codebase between e.g. outbox controller and delivery workers. the outbox controller could do synchronous delivery inline if it wanted to, but async is more advantageous usually

@trwnh @silverpill @technical-discussion "Servers" are the term in the spec for what implements the AP side-effects. If Alice's *server* has access to Bob's follower collection, then it can be resolved and processed for delivery. This doesn't mean that Alice's "outbox" (if that even exists internally beyond the HTTP endpoint) has access to Bob's followers collections. The spec actually doesn't say anything about that AFAICT.

@eyeinthesky @silverpill @technical-discussion sure, but the "server" can have any internal architecture it wants -- monolith, microservice, etc -- and at the level of HTTP (the most common instantiation of AP, because AP uses HTTP semantics), you are talking to outboxes. you could deliver to inboxes yourself (and there might be good reasons to do this instead of expecting outboxes to deliver for you!) but you don't get to talk to a "server" directly, just an HTTP Host/Resource

@julian so, let's start from the beginning: this is already in ActivityPub, always has been, and removing it from ActivityPub would be a grossly backwards-incompatible change. So, I would fight very hard against even considering removing this valuable feature.

Second, a already covered some of the main use cases, and I won't reiterate them. One they didn't mention was making followers-only conversations actually useful. If I create a Note like this:

{
   "@context": "https://www.w3.org/ns/activitystreams",
   "type": "Note",
   "id": "https://social.example/note/1",
   "attributedTo": "https://social.example/user/100",
   "to": { 
       "id": "https://social.example/user/100/followers",
       "type": "Collection",
       "name": "Evan's followers"
   },
   "content": "Hello, followers!",
   "context": "https://social.example/note/1/thread"
}

A reply by one of my followers should address everyone who the original post was visible to:

{
   "@context": "https://www.w3.org/ns/activitystreams",
   "type": "Note",
   "id": "https://other.example/note/2",
   "attributedTo": "https://other.example/user/200",
   "inReplyTo": "https://social.example/note/1",
   "to": "https://social.example/user/100",
   "cc": "https://social.example/user/100/followers",
   "content": "Hello, back!",
   "context": "https://social.example/note/1/thread"
}

Another application is private groups. If the members of a group are represented as a Collection, then sending an activity to that collection is a private, members-only message. There's some discussion of this in in the Groups TF explainer:

Groups

Repository for the Groups Task Force of the SocialCG

groups (swicg.github.io)

Features in the ActivityPub spec were designed to be really flexible and useful beyond narrow applications, allowing interesting extensions and new kinds of interactions. "Mastodon doesn't do that" is a bad reason to not support a feature.

@evan The groups (private groups, specifically) aspect is the reason why I brought up this topic at all — it was mostly for my understanding of the spec because to my knowledge, there weren't many collections being passed around in recipient fields; the only one being /follower, which isn't always resolvable.

The same issues would occur around private groups... a public group publishing something a /members collection would be addressable, but not a private group or one whose membership list is hidden.

All threadiverse softwares work around this by having the group itself be the distributor, and so you needn't address a members collection, you just need to ensure the group itself is addressed. The rest is implied (which HA! I bet @trwnh@mastodon.social has much to say about implied behaviour)

@julian

> group itself be the distributor

well, naturally, i would suggest addressing both the group and its members. just like you would address both a person and their followers. or a moderated conversation and its audience. the way inbox forwarding works is that someone has to do the forwarding from their inbox.

> list is hidden

you don't need to know the items. that's private info, and you just need the id to be understood by the forwarder (who will themselves know the secret items)

@trwnh@mastodon.social I thought inbox forwarding between instances was a non-starter per the AP spec because you cannot guarantee that the activity hasn't been tampered with.

I thought it must be paired with a signature of some sort.