# I am the Watcher. I am your guide through this vast new twtiverse.
# 
# Usage:
#     https://watcher.sour.is/api/plain/users              View list of users and latest twt date.
#     https://watcher.sour.is/api/plain/twt                View all twts.
#     https://watcher.sour.is/api/plain/mentions?uri=:uri  View all mentions for uri.
#     https://watcher.sour.is/api/plain/conv/:hash         View all twts for a conversation subject.
# 
# Options:
#     uri     Filter to show a specific user's twts.
#     offset  Start index for query.
#     limit   Count of items to return (going back in time).
# 
# twt range = 1 217
# self = https://watcher.sour.is?uri=https://twtxt.net/user/ocdtrekkie/twtxt.txt&offset=217
# prev = https://watcher.sour.is?uri=https://twtxt.net/user/ocdtrekkie/twtxt.txt&offset=117
@abucci I think you are talking about the user side while @prologic is talking about the protocol side, and that means you're talking about wildly different things.
@prologic Interesting. I think I interacted with that user today?
@lyse I have no problem with opt-in telemetry at all. If you choose to share info with the developer, why not provide good tools to do it?
We won. https://research.swtch.com/telemetry-opt-in
@prologic Awesome. We need to catch up. Hoping to make it tomorrow maybe.
@prologic What's your current plan/concept on this?
Haha, this is getting funny at this point... I'm here for this later call now. Just. Keep. Missing. It.
@prologic We were on the road until right now and I am barely awake and am going to sleep.
@prologic I mean, from a historical standpoint, probably no, but the fact that there are actually two and now a proposed third variable you have to set to keep Google out of your dev tools is a continuing problem, especially since the second one doesn't seem to be well-known.
@prologic I mean my point is that people thought they were excluding Google from that info by turning the proxy off, so Google went and implemented another less known switch to get the same data.
@prologic What info do they get via GOPROXY but not get through GOSUMDB? They'd obviously get your IP/connection plus all of the packages you are using, no?
@prologic It basically gives them all the same data that using GOPROXY does though, does it not?
@prologic From Russ Cox: "note that if you set GOPROXY=direct, the go command still uses the checksum database to protect against supply chain attacks. If you really want the go command not to use servers, you also need to set GOSUMDB=off."

lol it has no end
Whelp, @prologic, Google can't help but be Google, and I shouldn't have believed you... Russ Cox wants to build telemetry directly into the core Go tools: https://github.com/golang/go/discussions/58409

You can't remove the Google stench from anything Google is involved in.
@prologic Russian sites generally don't care about US law, so you can feel free to say things on a relay there you could get in trouble for here. Of course, I'm confident Russia allows so much criminal Internet activity in their borders because it's annoying to the West.
@prologic I mean, I wouldn't want a Russian server to ensure my free speech, but some of the free speech absolutists will take it anywhere they can get it.
@prologic This is the downside of lacking notifications. Just saw this. I can't get Firefox to prompt for audio access on this site.
@prologic It literally calls itself dumb here: https://github.com/nostr-protocol/nostr (It's a very readable readme)
Oh, shoot, it's 13 UTC now? I just... got on the call... whoops. I knew the second call was 7 hours after the first one, and I didn't actually look at the time of the first one in my calendar, and made a daylight savings-inspired screw-up.

Can we please get rid of daylight savings time as a thing?
Messages are signed with a keypair to verify who they came from. But there's no blockchain strategy in use for them.
@prologic It's decentralized: You submit a copy of your messages to as many relays as you would like, and people can follow them from as many relays as they like. The relays act as the "server", but your profile isn't tied to any specific one.
@prologic Haha, well I'm up so that's reasonable.
@prologic Yeah the protocol for it is pretty straightforward. It suggests relays should charge money for their services though, which is likely why Bitcoin payment integration may be common.
@prologic I mean I ended up outright asleep.
@prologic Nostr doesn't have any blockchain features, it just has a community with a lot of crypto bros in it.
@prologic I should try to come to the first one today, I have been a lapsed attendee for a bit here.
@prologic We do, though technically what I'm blocked on is just re-organizing yarnd auth design.

Tonight I killed an eight year old issue report in Sandstorm's WordPress package, so I am on a roll right now.
@prologic I have not had a ton of desktop-based social media time lately, so every time I tried to check in here I slammed into the expired app and went back to Mastodon. :P Missing the calls has just been me failing, a lot of cool stuff has happened.
@prologic Staring at the app no longer available screen. 🫠
Wooo! I'm back! And the app has a new name!
@abucci A decade and a half of unchecked marketing that it's the next thing.
@justamoment @prologic Written entirely in Go, of course.
@justamoment @prologic Heh, just had to go trace back and find out what issue was being discussed. Heh, interesting thread indeed. I swear James, though, you lean hard into "do everything everyone else is doing but NOT THAT WAY", lol 😂🤣😂
@prologic Working on fixing that! Some prototyping of doing Cap'n Proto capabilities instead!
@bender @prologic One of the big things Forgejo is working on is federation support, so you can contribute to projects on various code forge servers from your own. Forgejo is led by a bunch of Gitea contributors who were blindsided by the corporate push.

But right now it is a soft fork, so it is yet to be seen how much they will diverge in the near future.
Hey @prologic, are you planning on switching git.mills.io over to Forgejo when it launches?
As per usual, I show up when you aren't here. Ah well. Hope you recover quickly.
@abucci There are tens of thousands of Mastodon servers. I believe the hit is caused by the servers all checking the link at once, not the clients.
On the call we were talking about how Mastodon servers DDoS websites when they generate link previews: https://www.jwz.org/blog/2022/11/mastodon-stampede/ There's some interesting questions about how to do this more efficiently without a bad user experience.
@prologic I'm sorry, I fell asleep.
@mckinley I grab pretty much all unmaintained Sandstorm app repos, in case they disappear, and then anything interesting related to copyrighted games. Like if you saw the Portal64 thing recently... really interesting but begs for a DMCA, so I took a copy.
@mckinley What all makes the list? I have been archiving repos that matter to me too of late, though it's a smaller list.
Switched my Sandstorm dev box from an Ubuntu machine to a Debian one this week. Night and day difference in performance, once you get past the part where Debian fresh installs are broken in various subtle ways.
@mckinley The fact that nothing on their website even mentions a business model and that their company's values page is entirely about vision and not at all about privacy or user rights should drive everyone far, far, far away from this thing.
A point of pride to me is that in a single file of less than 50 lines of code: Dark mode is supported without a whole stylesheet and input is validated without JavaScript.
Wrote a new Sandstorm.io app tonight in *less than an hour* called Sum: https://apps.sandstorm.io/app/uw6vkwgwkeqv9fdkh94hqwt6nh4jfm02hzf3mkth1qfntkfx8cjh?experimental=true

It's extremely simple (basically an old tape adding machine plus a memo field), but it'll save me some time and make a process I do mobile friendly.
Doja cat owns Elon Musk
We don't deserve DojaCat
@prologic Not quite that bad, but imagine a system that let you keep all your Word docs. But could remove your Microsoft Office install at any time. You might be able to recover your data and use them with another app, but it won't really be the same. And also Microsoft Office was a cloud service?
@prologic So the problem with Solid is that the concept is to control your data, and merely allow apps to access that data. Aka, a significant downgrade from any selfhosting, because your apps can still disappear at any time.

The only reason this would make sense is if you really really were focused on enabling proprietary services while still giving lip service to owning your data.
@prologic Kinda. As per usual, Tim Berners-Lee is in the media here to promote Solid, a bad self-hosting idea that only gets coverage because Tim's famous.
@abucci Whether warning before or after the date is somewhat immaterial, except it slides the sysadmin window even narrower, for no good reason. Google's already aggressively forced everyone to a 12 month deadline. Not everything supports Let's Encrypt. And so every year we have a window where I have to rush around and update all the certs before the expiration date, but if I start the process too soon, then I am doing it every eleven months, because of that absolute 12 month cap.

And again, there's nothing inherently less secure about a 13 month old cert than a 12 month old cert. About 99% of certificate behavior is security theater and Google flexing its ability to force everyone to do what it says.
@lyse We tricked rocks into thinking, and this is how they get back at us for it, because thinking is a horrible curse.
@abucci I think TLS is fine. I think PKI is a crock of garbage, because most participants in PKI are garbage, and Google has complete capture of it and makes decisions that work best for it, and not the real world.

Ultimately what I think should happen for certificate expiration is browsers should soft-warn for like a week or two after expiry, with like a yellow address bar, as opposed to trying to block navigation. The risk of an expired cert just doesn't justify browser behavior.
@prologic I have to be reachable during my personal time for work stuff. So I feel no guilt or shame in being reachable during my work time for personal stuff. It's a balance still.
@abucci I literally had to fix an outage this weekend caused by a weird certificate. Not external facing, but the security risk caused by it was nonexistent, and yet, it was implemented as a requirement and caused random unexpected breakage when it expired itself.
Unfortunately, I feel that right now the people who decide on how to run PKI are so far removed from the real world and practical concerns, it's straight up comical. 81% of organizations have had outages caused by expired certificates, something that has almost no real world security benefit. https://betanews.com/2022/03/22/81-percent-of-organizations-have-outages-caused-by-expired-certificates/
@abucci Bypassing a warning about an expired certificate is basically never actually dangerous. I have yet to see a maliciously used expired certificate in the wild.
This is an excellent post. https://theintercept.com/2022/10/28/elon-musk-twitter/
@abucci Yep. Eugen said image uploads for posts took like 12 minutes after uploading to process earlier today.
@abucci As long as open source orgs reject the concept of sustainable development, any reasonably sized project will eventually go corporate.
@prologic Yep, it's the land of Musk. The Fediverse is seeing its standard huge population uptick on the news, that will disappear again in a month or two as usual.
@prologic What is the ttps:// protocol, prologic?
@abucci I won't delete mine, but I'll probably transition from being a user to a lurker.
@mckinley maya wouldn't see my response anyways, right?
@mckinley I've just done a manual git pull and push for those, they're rarely things I'm too worried about keeping "up to date".
@abucci Well in this case the problem is that corporations tend to make and control all the web browsers.
@prologic It does, but EV was already just prohibitively expensive. It's very hard for corporations to distinguish between malware authors and hobbyist developers, unfortunately.
@prologic @abucci The entire public key infrastructure is kinda a joke, tbh. Let's Encrypt made HTTPS free, but in practice that mostly just means malware can be delivered securely to your PC. EV certs made a lot more sense, but Google had to deprecate those. VMC appears to be a potentially worthy replacement though.
@prologic @abucci I'd also definitely second the recommendation of HedgeDoc. It's very clean and very capable.
@prologic The official lingo is ocap for object capabilities. And FWIW that is still IMHO just a need for better implementation by Sandstorm: Capabilities done right actually cause a lot less friction than ACLs!
@prologic Absolutely a jab at Golang. Though I still want to try building a web app with it.
@prologic True, though it becomes less of a problem once people realize writing apps with traditional security models is bad and everyone does it our way. ;)

The challenge with changing the world is overcoming momentum.
@prologic I mean I wrote https://github.com/sandstorm-io/sandstorm-error-collector in an evening, but I'm pretty well-versed in working within vagrant-spk at this point, and I knew where to pull most examples of what I was building quickly. (Also with PHP I don't have to write my own web server...)
@abucci What I've learned in production is the apps need to be built or heavily modified to truly support object capabilities. We've packaged numerous apps for Sandstorm, but the best experience is still apps written to work in that environment, even if they aren't as feature-heavy.
@eaplmx Both the OS and browser have heavy restrictions, and I want to enable WebAuthn, but *only* WebAuthn, and I'm not sure what's breaking it when I test it.
@eaplmx Just got a couple of these to play with. At the least it's a convenient option to always using the TOTP app, but I'm having issues getting them working on one of my networks still.
@prologic I really like Active Directory still. Mostly for Group Policy though, which only works on Windows.
@abucci As a fun fact, Sandstorm is neither RBAC nor ACL, it uses object capabilities, which is a superior but niche model also seen in Google's Fuchsia and a very limited number of random things since the 1980s.
@prologic To be fair, that both predates Sandstorm (circa 2014), and considering you've tried it recently and still spun up your own corporate infrastructure, demonstrates it's not ready to meet your needs even today.

I would probably love your top bullet points on what Sandstorm would've needed to have or do to meet your business infra needs.
@abucci - Sandstorm.io hopefully someday ;) Though I admit we are probably not quite at the polish today for someone to replace their existing self-hosting stack (yet)
@prologic Few spelling errors in there. msision, hotable, pacakages
@mckinley If you have any sort of CI, it is relatively trivial in theory to have it git push to another repo. It's how I back up all my GitHub repos.
@prologic No problem. I just got here, and it's twenty minutes past anyways.
@mckinley I'll be late probably.
@prologic I think the OSI positions are paid positions via memberships/donations. Which is to say, the status quo is perfectly sustainable... for the OSI.

I had recent conversations with both the OSI's Executive Director and Standards Director, and both conversations convinced me the OSI does not remotely care about sustainable open source.
@prologic I mean he is very sour on Mastodon/ActivityPub, so it's not outside the realm of possibility...
@kt84 More than likely if a class action settlement happens, anyone who can allege they had their code on GitHub during the span of time Microsoft was training Copilot will be eligible, which would include anyone who deleted their repos when Microsoft first showed it off.
@prologic The problem is that if I fork your code (which I can do), and then post it on GitHub (which I can do), then Copilot still trains on it, whether you like it or not.

The answer here, is what's happening: Litigation.
The problem is the OSI considers this working-as-intended.
@mckinley Yarn call was actually about Yarn stuff mostly this week? What on earth?
@prologic NICE! Looks classy.
I was just trying to see if my account got suddenly deleted.
@prologic NFT!
Hey all, it's weekly call time! https://meet.jit.si/Yarn.social Join us!
Why is everyone's profile picture gone/default on Goryon?
@prologic I find the top purpose for corporate VPN providers is low-impact legal offenses involving torrenting: It's not necessarily about the VPN provider not ratting you out, but about being enough of a hassle to uncloak you that by the time the legal process to do so has ramped up, the VPN provider has dumped their logs anyways. For serious crimes, governments are going to act a lot faster, and get the response they need quickly, but for the low level stuff it's more civil law nonsense, and a VPN company in the middle will befuddle the process.
@abucci I feel this about Signal giving everyone real phone numbers. I worry a little less about IP addresses because I'm generally pretty public about my rough geographic area anyways...
@abucci Interestingly enough, Signal has announced plans to deprecate SMS/MMS support entirely. So even if I had a phone which could tamper with my text messages, Signal soon won't anyways.

Since I've solely installed Signal to talk to the Yarn social Signal group, and that's not a sensitive communication, it doesn't bother me if it's compromised very much.