Sorry, but requiring requests to public activitypub objects to be signed is completely whack, merveilles.town

profpatsch@mastodon.xyz

julian@activitypub.space

@profpatsch@mastodon.xyz isn't this "authorized fetch", a Mastodon safety feature?

(The efficacy of the safety feature is debated, but it's a safety feature nonetheless.)

phnt@fluffytail.org

@julian @general @Profpatsch Yes, it's a safety feature whose purpose can be easily worked around. It's utterly pointless and only serves as annoyance for ActivityPub developers that need to get the Activities and Objects in a raw unmodified form with something simple like curl.

https://evilmaid.net/blog/trusting-trust-fediverse/index.html#fetching

dps910@social.freedombits.org

@julian @general @Profpatsch its used when a instance doesnt want a blocked instance to see their posts. I dont get the point of it tbh

evan@cosocial.ca

@Profpatsch interesting command line! What is that?

profpatsch@mastodon.xyz

@evan xh, a rust rewrite of httpie, both are a nicer UX alternative to curl for http-only use-case

evan@cosocial.ca

@Profpatsch ohhhh. I thought it was AP-specific, probably because of the `--follow` flag. Thank you!

profpatsch@mastodon.xyz

@evan haha, no, but AP is such a plain protocol that you “usually” can use plain tools … unless people require weird signatures on GET requests. Then you need a full-on domain and an AP server just to fetch a json file …

profpatsch@mastodon.xyz

@evan The “funny” thing here is that avoiding the restriction is absolutely trivial, e.g. I can spin up a new (sub)domain or just `tailscale funnel` myself around the blocklists.

julian@activitypub.space

@profpatsch@mastodon.xyz right. Yeah it is definitely annoying from an AP dev perspective, I've tried debugging requests tons of times only to find out... oops, my requests are coming from localhost, so the signature can't be verified <img class="not-responsive emoji" src="https://activitypub.space/assets/plugins/nodebb-plugin-emoji/emoji/android/274c.png?v=0c477ea069b" title="" />

There is a minor legitimate use case for requiring signatures on GET though, and that's for retrieving user specific objects (like non-public notes and such)

@evan@cosocial.ca

evan@cosocial.ca

@julian @Profpatsch oh, yeah, definitely. It's really our only way to authenticate requests right now.

profpatsch@mastodon.xyz

@evan @julian yeah, not saying anything against authentication via signatures, that’s a valid use-case if done correctly.

Citiverse

Navigazione

Account

Navigazione

Account

Sorry, but requiring requests to public activitypub objects to be signed is completely whack, merveilles.town

I Social sono una parte fondamentale della nostra vita?

Am I overreacting?

So I am using Scheme's Medea library to parse ActivityPub posts.

FWIW, I have been storing Linked Data (including ActivityPub) in an INI like format — because I find INI-like formats more human-friendly (to both read and write) than JSON.

ActivityPub user and category outboxes coming soon

are people on here that have opinions about #Solid (the pod technology not the javascript framework / library)

I've started my exploration of using @timbray's Quamina project for saving some compute time in the filters module of #GoActivityPub

On stage now, @django — arguing for widespread adoption of ActivityPub client-server (C2S) protocol.