@[email protected] @[email protected] we've seen this a million times before and we'll see it again, i don't believe we need to worry too much
this place is not dying, it's already dead. the meager caves we carve out of our little corner of the Fediverse might as well be an independent social media network, given how the rest of "open social" looks like
Posts
-
@[email protected] existed in a capitalist hellscape
-
@[email protected] existed in a capitalist hellscape
@[email protected] @[email protected] this just looks like yet another stupid, wasteful, useless corporate promise to "expand the social web" as they've been doing for the last few years
We've got:
- Generic promises about "improving the social web"
- Project ideas with zero results being shown as if they had any actual work behind them whatsoever
- Minimalist, professional site with sans-serif font
- lots of companies with wildly different industries and motives marked as "sponsors" without any explanation
- headed by some famous people
- "[ActivityPub] has attracted over 100 software implementations" (are these 100 software implementations in the room with us right now?)
- the inevitable quotes section
-
@[email protected] @[email protected] @[email protected] What does Mastodon do with follows??
@[email protected] @[email protected] @[email protected] WHO DECIDED IT HAD TO BE THIS WAY
-
@[email protected] @[email protected] @[email protected] What does Mastodon do with follows??
@[email protected] @[email protected] @[email protected] WHAT THE FUCK
-
@[email protected] @[email protected] @[email protected] What does Mastodon do with follows??
@[email protected] @[email protected] @[email protected] well that's... not great
-
@[email protected] @[email protected] @[email protected] What does Mastodon do with follows??
@[email protected] @[email protected] @[email protected] What does Mastodon do with follows??
-
Your irregular reminder that domain blocking is not a feature of #ActivityPub
-
Your irregular reminder that domain blocking is not a feature of #ActivityPub
@[email protected] Do you mean that it breaks federation if you try to do it naively, or it's just not in the spec and “left up to implementations”
-
Hi @hrefna I just a FYI on https://versia.pub a federation protocol "heavily inspired by ActivityPub" which I just bumped into via @erlend .. didn't have a deep look yet, but thought it might be interesting given your own musings re:FeatherPub.
@[email protected] @[email protected] @[email protected] @[email protected] @[email protected] Interesting point, then if I've understood correctly I would consider this as intended behavior: the point of the signature is to prove the authenticity of a message, not to provide confidentiality (adding things like end-to-end encryption would probably be out of scope for us for reasons explained at https://mk.cpluspatch.com/notes/9xynutbevkyr01mf).
If the message is replayed verbatim to a third party, then it should probably validate (this would also allow for easier “relay servers” such as what ActivityPub has).
I will also specify the purpose of the signature in the docs right now
-
Hi @hrefna I just a FYI on https://versia.pub a federation protocol "heavily inspired by ActivityPub" which I just bumped into via @erlend .. didn't have a deep look yet, but thought it might be interesting given your own musings re:FeatherPub.
@[email protected] @[email protected] @[email protected] @[email protected] @[email protected] @[email protected] one thing that was very important to me and the team while designing Versia was prioritizing simplicity and correctness over complex sets of features (such as end-to-end encryption or large cryptographic schemes with revocable keys, certificates, devices and such)
We've settled on a threat model where you trust your instance administrator to not tamper with your keys, because otherwise it could overcomplicate the protocol and make it harder for small developers to create independent implementations
The thing that we try to remember during spec design and integrating feedback is “how complicated would this entire thing be to implement from scratch for anyone that doesn't have a whole team of professional engineers?”. If you or anyone else can figure out a way to restrict the threat model in a simple way, that would be awesome, because we haven't been able to for now.
this is also why pure nomadic identity isn't really a thing here btw, and instead the “delegation” system exists, because it's really simple to implement in code
-
Hi @hrefna I just a FYI on https://versia.pub a federation protocol "heavily inspired by ActivityPub" which I just bumped into via @erlend .. didn't have a deep look yet, but thought it might be interesting given your own musings re:FeatherPub.
@[email protected] @[email protected] @[email protected] @[email protected] @[email protected] Hi, thanks for the compliments!
Couple points raised here that I'm going to try to answer
1. the signature based authentication algorithm is susceptible to being replayed.
I care very much about security, would you mind sharing some details so that we could work on fixing any issues?
2. there's no real way to negotiate protocols.
There is the Nodeinfo for discovering which protocols an instance supports (such as https://mastodon.social/nodeinfo/2.0) but you're right that it's not actually mandated inside the protocol, mainly because we've been looking for any better ways to do protocol negotiation. If you're interested, the reference implementation tries to search for /.well-known/versia in order to find out if Versia is supported (otherwise it falls back to ActivityPub), but this is not ideal.
3. websockets as a lower overhead transport ???? What
According to our testing, this actually makes a lot of sense for very high-volume traffic, as keeping a WebSockets connection alive takes basically zero resources.
The goal with that particular idea is to allow for a kind of "request batching", so instead of sending each entity in its own individual HTTP request, with the associated overhead, hundreds of entities could be sent at once rather easily, significantly reducing the load on instances (it's pretty crazy how efficient WS is)
If y'all have more questions or suggestions, I'd be happy to listen (even if it'd introduce breaking changes)
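
The replay point discussed in the Versia posts above, as an added example that is not from the posts or from the Versia project: an authenticity-only check accepts a verbatim copy at any host, while a receiver that also checks signed recipient, timestamp and nonce fields can reject copies. The field names, the `Receiver` class and the key are hypothetical, and HMAC-SHA256 stands in for the instance's asymmetric signature so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; stand-in for the sender's signing key


def sign(fields: dict) -> str:
    """HMAC-SHA256 over canonical JSON (stand-in for a real signature)."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, canon, hashlib.sha256).hexdigest()


def make_message(body: str, recipient: str, nonce: str, ts: int) -> dict:
    # Hypothetical layout: every field a receiver relies on is signed.
    signed = {"body": body, "recipient": recipient, "nonce": nonce, "ts": ts}
    return {"signed": signed, "sig": sign(signed)}


class Receiver:
    def __init__(self, host: str, max_skew: int = 300):
        self.host = host
        self.max_skew = max_skew  # seconds a message stays acceptable
        self.seen = set()         # nonces already accepted by this host

    def authentic(self, msg: dict) -> bool:
        """Authenticity only: true for a verbatim copy at any host."""
        return hmac.compare_digest(sign(msg["signed"]), msg["sig"])

    def accept(self, msg: dict, now: int) -> str:
        """Authenticity plus replay checks on the signed fields."""
        s = msg["signed"]
        if not self.authentic(msg):
            return "bad-signature"
        if s["recipient"] != self.host:
            return "wrong-recipient"  # copy forwarded to another host
        if abs(now - s["ts"]) > self.max_skew:
            return "stale"            # old capture sent again later
        if s["nonce"] in self.seen:
            return "replayed"         # same message delivered twice
        self.seen.add(s["nonce"])
        return "ok"
```

The recipient check is the one that conflicts with relay-style forwarding, which the post wants to keep working; the timestamp and nonce checks alone still stop duplicate delivery to the same host.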