102 Matching Annotations
  1. Jan 2023
    1. The code above is somewhat simplified and missing some checks that I would advise implementing in a serious production application. For example: The request contains a Date header. Compare it with current date and time within a reasonable time window to prevent replay attacks. It is advisable that requests with payloads in the body also send a Digest header, and that header be signed along in the signature. If it’s present, it should be checked as another special case within the comparison string: Instead of taking the digest value from the received header, recompute it from the received body. While this proves the request comes from an actor, what if the payload contains an attribution to someone else? In reality you’d want to check that both are the same, otherwise one actor could forge messages from other people.
    2. We need to read the Signature header, split it into its parts (keyId, headers and signature), fetch the public key linked from keyId, create a comparison string from the plaintext headers we got in the same order as was given in the signature header, and then verify that string using the public key and the original signature.

      ```ruby
      require 'base64'
      require 'json'
      require 'http'
      require 'openssl'

      post '/inbox' do
        # Parse keyId="...",headers="...",signature="..." into a hash.
        # Split on the first '=' only: the base64 signature can end in '=' padding.
        signature_header = request.headers['Signature'].split(',').map do |pair|
          pair.split('=', 2).map do |value|
            value.gsub(/\A"/, '').gsub(/"\z/, '') # "foo" -> foo
          end
        end.to_h

        key_id    = signature_header['keyId']
        headers   = signature_header['headers']
        signature = Base64.decode64(signature_header['signature'])

        # Fetch the actor document linked from keyId and load its public key.
        actor = JSON.parse(HTTP.get(key_id).to_s)
        key   = OpenSSL::PKey::RSA.new(actor['publicKey']['publicKeyPem'])

        # Rebuild the signed string: one "name: value" line per signed header,
        # in the order given in the Signature header, joined with newlines.
        comparison_string = headers.split(' ').map do |signed_header_name|
          if signed_header_name == '(request-target)'
            '(request-target): post /inbox'
          else
            "#{signed_header_name}: #{request.headers[signed_header_name.capitalize]}"
          end
        end.join("\n")

        if key.verify(OpenSSL::Digest::SHA256.new, signature, comparison_string)
          request.body.rewind
          INBOX << request.body.read
          [200, 'OK']
        else
          [401, 'Request signature could not be verified']
        end
      end
      ```
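The three extra checks advised in the first annotation (Date window, recomputed Digest, actor attribution), sketched in Ruby as an added example that is not code from the quoted post. The names `MAX_SKEW`, `precheck` and the other helpers, the 300-second window, the lowercase-keyed `headers` hash and the requirement that `date` be among the signed headers are assumptions made here; `signer` stands for the actor document fetched via `keyId`.

```ruby
require 'base64'
require 'json'
require 'openssl'
require 'time'
MAX_SKEW = 300 # seconds; assumed value, the post only asks for a "reasonable" window

# Replay protection: Date must parse as an HTTP date and be close to now.
def fresh_date?(date_header, now: Time.now)
  (now - Time.httpdate(date_header.to_s)).abs <= MAX_SKEW
rescue ArgumentError
  false
end

# Digest recomputed from the bytes received, never copied from the header.
def body_digest(body)
  "SHA-256=#{Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(body))}"
end

# headers is assumed to be a hash keyed by lowercase name; digest is the special case.
def comparison_string(signed_headers, headers, body, target)
  signed_headers.split(' ').map do |name|
    value = case name
            when '(request-target)' then target
            when 'digest' then body_digest(body)
            else headers[name]
            end
    "#{name}: #{value}"
  end.join("\n")
end

# The actor document fetched via keyId (signer) must be the activity's actor.
def attributed_to_signer?(body, signer)
  activity = JSON.parse(body)
  actor = activity.is_a?(Hash) ? activity['actor'] : nil
  actor = actor['id'] if actor.is_a?(Hash)
  actor.is_a?(String) && actor == signer['id']
rescue JSON::ParserError
  false
end

# Failed checks; empty means go on to verify the signature over comparison_string.
def precheck(signed_headers, headers, body, signer, now: Time.now)
  names = signed_headers.split(' ')
  failures = []
  failures << :stale_date unless names.include?('date') && fresh_date?(headers['date'], now: now)
  failures << :unsigned_digest unless body.empty? || names.include?('digest')
  failures << :actor_mismatch unless attributed_to_signer?(body, signer)
  failures
end
```

Because `comparison_string` substitutes the recomputed digest, a body altered after signing makes the RSA verification fail even when the attacker also rewrites the `Digest` header.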

    1. Sure, this means that the conversations take place on those platforms, but the source of my content – my words – are still on my site, which I control.

      Kev is equating integration with any service to attempts to increase conversation around a post. That is often true but not always. E.g. I'm looking at AP to increase what own words I am sharing. E.g. AP for limited audience postings, and e.g. RSS for a subset of postings that are unlisted for the general public on my site.

    2. While that discourse is very important, the complexity it would add to the site to manage it, just isn’t worth it in my eyes.

      Valid point Kev makes here. A site should do only what its author needs it to do. I want interaction visible on my site, though I probably will cut down on the facepiles.

  2. Dec 2022
    1. Tom MacWright, a software developer in Brooklyn, has firsthand experience with the pitfalls of ActivityPub. As an experiment, he tried to turn his photo blog into an actor that could be followed by users via their Mastodon accounts. It worked in the end—and you can search for @photos@macwright.com from your Mastodon instance to follow his photography—but it wasn't easy.

      Example of how ActivityPub standards don't work in practice, in part because Mastodon is an 800 pound gorilla which actively flouts or adds their own "standards".

    2. "Queer people built the Fediverse," she said, adding that four of the five authors of the ActivityPub standard identify as queer. As a result, protections against undesired interaction are built into ActivityPub and the various front ends. Systems for blocking entire instances with a culture of trolling can save users the exhausting process of blocking one troll at a time. If a post includes a “summary” field, Mastodon uses that summary as a content warning.
  3. Nov 2022
    1. First, to experiment personally with AP itself, and if possible with the less known Activities that AP could support, e.g. travel and check-ins. This as an extension of my personal site in areas that WordPress, OPML and RSS currently can’t provide to me. This increases my own agency, by adding affordances to my site. This in time may mean I won’t be hosting or self-hosting my personal Mastodon instance. (See my current fediverse activities)

      Interesting for me to explore and understand too. How does AP compare to micropub which can be used for similar purposes? As far as I can tell it is much more heavyweight

  4. whyineedtofillusername.github.io
    1. Inbox is an application built for a diploma thesis to showcase work with Linked Data Notifications, Activity Streams and ActivityPub, using Solid pod as data provider.
    1. To understand what Activity Streams is, think of it as an abstract syntax to represent basically anything that can be an action on social media. The Activity Streams Vocabulary specification defines, amongst other things, three types of objects: Actors: Application, Group, Organization, Person, Service. Activity types: Accept, Add, Announce, Arrive, Block, Create, Delete, Dislike, Flag, Follow, Ignore, Invite, Join, Leave, Like, Listen, Move, Offer, Question, Read, Reject, Remove, TentativeAccept, TentativeReject, Travel, Undo, Update, View. Objects: Article, Audio, Document, Event, Image, Note, Page, Place, Profile, Relationship, Tombstone, Video. To build a valid Activity Streams activity, you pick one of each category and add some metadata to it. You describe that something did something to or with something, and you explain those things in more detail.

      A valid activity in Activity Streams is using one of each Actors, Types and Objects. Me Arrives at Place, Me Travels to Place, Me Announce Event etc. It's all JSON

    1. Towards a federated metaverse

      Immers Space is an immersive web / metaverse initiative. It is federated, using ActivityPub. The AP implementation uses the Arrive/Leave/Travel and Places Object Types for virtual destinations. Cf. [[ActivityPub voor Check-ins 20221109095516]]

  5. Aug 2022
  6. Jul 2022
    1. Your Hub’s CMS: a Thinking Management System for writers. Each Hub’s content management system (CMS) is actually a “Thinking Management System”: a thinking tool based on a Personal Knowledge Graph (PKG) which is custom-designed to support thinking and writing.

  7. Jun 2022
    1. SkoHub supports a novel approach for finding content on the web. The general idea is to extend the scope of Knowledge Organization Systems (KOS) to also act as communication hubs for publishers and information seekers. In effect, SkoHub allows to follow specific subjects in order to be notified when new content about that subject is published.
  8. May 2022
  9. Apr 2022
  10. Mar 2022
  11. Nov 2021
  12. Aug 2021
  13. Jun 2021
  14. Jan 2021
    1. Lemmy is a great open source federated and privacy respecting alternative to Reddit. Nodes can be self-hosted and posts will sync between them.

  15. Oct 2020
    1. Graber helped us understand the broad categories of what’s out there: federated protocols such as ActivityPub and Matrix; peer-to-peer protocols such as Scuttlebutt, and social media apps that utilize blockchain in some way for monetization, provenance or storage.

      Missing from this list is a lot of interop work done by the IndieWeb over the past decade.

    1. Any pointers or experiences to share?

      There are a couple of WordPress plugins for Mastodon that allow you to syndicate your content from your own website into your instance. You might find that somewhat useful.

      The IndieWeb wiki has some generally useful information as well as some criticisms and related articles which might be helpful: https://indieweb.org/Mastodon

      Mastodon runs on the Activity Pub specification for sending messages back and forth. As a result some people are looking into having their personal websites support these protocols so that people on Mastodon (or other parts of the Fediverse) can subscribe to one's primary website. If you can do this then you don't necessarily need "yet another social platform" for interacting with those online. The two biggest of these efforts within the WordPress community are Fed Bridgy and the Activity Pub plugin

  16. Sep 2018
    1. All of these platforms are different and they focus on different needs. And yet, the foundation is all the same: people subscribing to receive posts from other people. And so, they are all compatible. From within Mastodon, Pleroma, Misskey, PixelFed and PeerTube users can be followed and interacted with all the same.
    1. ActivityPub is a decentralized social networking protocol based on the ActivityStreams 2.0 data format. ActivityPub is an official W3C recommended standard published by the W3C Social Web Working Group. It provides a client to server API for creating, updating and deleting content, as well as a federated server to server API for delivering notifications and subscribing to content.