Now Twitter is an option for logging in to this site. See the Authl release announcement for more information on that.

## You can now use IndieAuth to login to this site

I’ve released a new version of Authl that has direct login support for IndieAuth. Also as of v0.1.6 it supports discovery via WebFinger, which should at least have Ryan a lot happier.

If you don’t know what any of the above means, this update probably doesn’t matter to you. 🙃

Just some miscellaneous things that I don’t feel are worth getting their own entries.

• For the last few weeks I’ve been trying only using shampoo on occasion when I feel that my hair is truly dirty, on the theory that hair does a good job of self-regulating its moisture when it’s not being disrupted constantly. I’m finding that my hair is, as such, much more lustrous and also doesn’t tangle as easily. But it still feels greasy all the time.
• Today (Saturday) I finally had the courage to go into Patchwerks and I managed to not completely destroy my wallet or make any regrettable space-chewing purchases. It’s a fun shop, and I played with a bunch of neat things including some modular and semi-modular gear, and I got to nerd out about my SIDstation with the folks who were working there (and one of the other customers talked about his MonoMachine as well). I ended up buying a couple of Pocket Operators, specifically the PO-20 Arcade and the PO-35 Speak. They’re both fun to play with.
• The new Rocko’s Modern Life special (Netflix) was just as frenetic and dissociative as the original show was, but it also had a really good message. Also, yay, positive non-metaphorical trans representation in cartoons!
• She-Ra season 3 (Netflix) was amazing and intense and I watched it all in one sitting. Hopefully Netflix lets this show keep going.
• So is Infinity Train (Cartoon Network), which I watched the first half of. The Cartoon Network app for Apple TV is complete garbage though, especially for serialized content. It’s as if they never even test the thing at all.
• I wonder if HBO Max will be worth it just to get a better CN viewing experience.
• I keep forgetting how badly bulleted lists work for blog posts.
• Huh, HBO Max is going to have a Dune prequel series called “Dune: The Sisterhood,” about the Bene Gesserit presumably in the years leading up to Paul’s birth. Interesting.
• I should have been in bed two hours ago. I wonder if this is why I’m always having fibro flareups these days.
• Oh and I’m back to using my CPAP again. It seems to be helping for now.

## Comments more or less restored

As far as I know, all of the comments have been restored and mechanically updated to work correctly. It’s pretty neat that I actually have comments dating back to 2003, that have survived four separate comment systems! (Movable Type, phpBB, Disqus, and now Isso.) And some of the oldest ones hadn’t been visible for years, since I never got around to migrating them over to my comics section before.

I also now have a script to automatically rehash the thread IDs in case the HMAC key leaks, as it did yesterday when I accidentally forgot to redact it from the sample templates repository, oops. I doubt anyone saw that but now it doesn’t matter if they did.

I do want to make a final migration script to try adding thread nesting to comments which quote other comments. I have a good idea of how to do it but it’s gonna be tricky and since Isso apparently uses oldest-to-newest sort on comments I don’t know how useful it’ll be, anyway. But I like doing that sort of thing.

I also have automated backups of my comment database, as well as having it checked into a git repository so I can do simple checkpointing whenever I do something funky with a migration (and it means I can also run the migration on my local machine instead of having to worry about hecking something up in production). And of course since Isso runs as its own systemd unit I can easily take it down while I’m doing a thing. (If you ever notice my comments completely vanishing for a while, that’s probably what happened. Unfortunately there isn’t any easy way to show a reasonable message when that’s what’s going on.)

So, now I feel a lot more confident in the privacy and longevity of my comments. Which is good because I have a lot more private stuff to talk about. 😛

## More comment migration stuff

Because my original import from phpBB to Disqus got botched, and the Disqus to Isso import lost a bunch of useful information, I ended up just going back to my old phpBB database and reimporting it directly into Isso. It mostly went well but there’s a few things that I need to go back and fix. This is my TODO list:

• Unescape <a href> stuff that got converted to &lt;a href&gt; (example) DONE
• Defunge the weirder bits of BBCode where e.g. [quote] turned into [quote:abcde] so it didn’t get converted to HTML (example) DONE
• Clean up some older comments where I was a lot more accepting of Problematic Things (not gonna link to any but yeah they’re there) done, I think
• If possible, reparent comments based on [quote]s (way easier said than done, I’ll probably have to do that manually)
• Update: generate a new comment secret key and fix the thread IDs, because I made an oops DONE
• Looks like when I did the reimport of phpBB stuff I accidentally removed some of the earliest Disqus-based comments (example, also) so I’ll have to do a bunch of reconciliation for that, fun fun… DONE

Also some of my earliest journal comics had comments posted via Movable Type’s comment system rather than phpBB, so I’ll want to also migrate those over (which I never got around to doing back when I was still using Movable Type to run my website); back then I just had “native” MT comments rendered in the MT template, which was Good Enough and I figured I’d get around to fixing it later. Well, it’s later. And that’s done. Even though I’m up way later than I meant to be. Oops.

Oh, and since I set up monsterid for the default avatars I feel like I should try to track down the email addresses of the folks who were posting to Disqus and fill that stuff in wherever possible.

I promise at some point I’ll get back to blogging about stuff other than the website itself.

## Proper comment privacy! Yay!

Okay, instead of trying to modify Isso to support thread IDs that are separate from page URIs, I ended up leveraging the way that Publ request routing works and just made all thread IDs consist of a /<signature>/<entry_id> path, where <signature> is computed from an HMAC signature on the entry ID and a secret key. So, now the thread ID is only visible to people who have access to the entry in the first place (as long as my signing key never leaks), and the fact that Isso only uses the thread ID when generating a reply email link isn’t a problem.

So, for example, this entry has an entry ID of 4678, and the generated thread ID is (for example) /890824f4d450d4ac/4678, so when someone gets a reply notification the email will say something like:

such-and-such <foo@bar.baz> wrote:

Good point!

which will then redirect back here.

It’s not ideal, of course, but it works well enough.

Of course, to do this I had to migrate all of my thread IDs again, but hopefully this is the last time I’ll have to do that, and it also takes care of all my legacy Movable Type-era thread IDs. It does set a bad precedent that I’ll have to migrate thread IDs more in the future if I ever change my publishing system but the fact I was able to get away with not doing that for so long is a pretty good testament to my laziness, which I ended up having to pay interest on in the future anyway. So, lesson learned.

Also, this approach is even better privacy than what I was hoping to get out of the Disqus method; as it stood before, someone on my friends list (or who saw an Auth: * entry) could have theoretically figured out the way I was determining private thread IDs and used that to explore comments on entries they don’t have access to, and also there was an issue that if I ever took a public entry private, its thread ID would remain the same as when it was public. But this way, it’s unguessable as long as my HMAC key never leaks, and if my HMAC key does leak I can just reset it and regenerate the thread IDs. (Edit from the future: Ha. Haha. Ha hahaha ha haha. Ha.)

This approach is also useful for things other than Publ; my advice to anyone who’s using Isso for comments is that instead of using the actual entry URI as the thread ID, they should have some sort of stable mechanism for forwarding an opaque thread ID to the actual entry, and use that. This just happened to be really easy to implement for Publ since Publ already supports opaque ID chasing.

## Comment integration blues

So, there’s an issue with Isso which will require a bit of refactoring/feature work on Isso, which I’d might as well try to do since I can’t be the only one who needs to decouple their thread IDs from their URLs.

Anyway, this’ll probably mean that I’ll have to redo the comment import at some point, so don’t get too attached to anything you’ve posted so far.

Update: Rather than doing the right thing for now I’ve opted to just use the shortlink as the identifier. This means that future site migrations will be more painful, and also I need to do some more work to migrate in the old comments from older entries, but I guess the idea of a single universal migration path is a bit silly anyway.

## Moving away from Disqus

So, Disqus has served me pretty well for quickly embedding comments into my website, but there are a few pretty big downsides to it:

• No support for private/hidden threads
• No way to disable random discovery of hidden threads, by design
• They’re trying to make the whole Internet into their own forum rather than providing “just” a comment system (not that anyone even uses it the way they intend)
• Their UX keeps getting more and more cumbersome and annoying

I’m going to look into alternative comment systems, ideally ones I can self-host. Isso looks promising, if a bit sparse. So does Schnack. (I’m going to try Isso first because its setup/requirements are far less onerous.)

Anyway, thanks Passerine for bringing the privacy leak issue to my attention. I figured there was probably something like that lurking in the shadows, but I didn’t think it was quite so close to the surface…

## Long transitions

Tonight, my set at Song Fight! Live went really well. There were some rough patches due to the usual nature of the beast but we managed to hold it together and afterwards everyone told me how great it sounded. I’m overall happy with that.

An “interesting” thing has been happening regarding how people deal with my gender stuff lately though.

## Song Fight! Live 2019

I forgot to mention it here, but I’m going to be in Madison, WI for Song Fight! Live this weekend! I’ll be performing my set sometime Friday night, and will also (probably) be playing drums for one or two other acts throughout the weekend, and (hopefully) debuting a new song (yet to be written, as I do not yet know the title) on Saturday!

Anyway if you’re in or near Madison and can make it to The Rigby and want to watch me flail in front of a crowd, now’s your chance.

(We’ll also try to have a live stream although right now there’s some logistics to work out on that front, so no guarantees.)

Anyway I’ll also be in Madison until Tuesday and don’t currently have plans for Sunday or Monday, so if I know anyone in the area it’d be fun to meet up and do something I guess? I mean, assuming I don’t get murdered for my anti-Trump song.

## Birdsite

So, my Mastodon instance of choice is having notification/sending/receiving issues again, and rather than doing what I usually do in this circumstance (temporarily switch back to mastodon.social or see what other instances I’ve been on are still around – spoiler: very few of them) I decided to just go without instant-update social networking for most of the day.

But then I still needed that little dopamine rush, and so I decided to try Twitter again (at least, more than my usual “post some stuff and maybe check my notifications” tendencies), and friends, let me tell you… Twitter is awful.

I’d forgotten just how much of a hellhole of advertising, “engagement”-optimizing, outrage-inducing chatter it is.

On the plus side, a lot of people seem to really enjoy the anti-ads I’ve been running for a few weeks (for \$1 a day). I think I’ll expand that out into other subject areas.

But what’s even better is just getting unaddicted to commercial social media. Yikes.

## Thoughts on quality engineering

Throughout my career, I’ve noticed that quality/test engineering is usually seen as a bottom-of-the-barrel discipline, something that someone should want to be promoted out of rather than someplace to end up. I find that really strange.

It takes a lot of skill to look at other peoples' code and write tests to exercise it and determine correctness, and to do it well. And to have exacting standards about code quality and testability of the code in the first place.

Nearly everywhere I’ve worked, though, test engineers have been incredibly junior and not particularly skilled. Which made it part of a self-fulfilling vicious cycle; test engineers do poor-quality work (and don’t seem to bring much value to the actual product development), so low-calibre programmers end up being put in those roles, and so then they continue to do poor-quality work. Test engineering seems to be treated as glorified QA in most places.

## Emojitalics

Today I discovered, quite by accident, that Safari will happily 😀 italicize emoji. 😆 😆 😆

I wonder if it’ll also boldface 😙 it…

Although strikeout 💔 wouldn’t surprise me at all.

Edit: It doesn’t seem to happen on every browser. Here’s a screenshot of what it looks like on Safari on macOS 10.13:

## Slowcial networking

Over on IndieWeb Chat, Kevin Marks linked to this wonderful essay about social media that is absolutely worth reading, and examines a part of the “personal social networking” thing I’ve been on a kick about lately but didn’t quite have the words for.

For me, a big part of the problem with social media as it stands today is that everything’s about fast, immediate, in-the-moment dissemination of Hot Takes and viral propagation and so on, and that’s a design that so many of the other indie-focused social networks are trying to replicate. I’m not much a fan of microblogging or protocols which exist to make it the norm (which is why I’m still not particularly interested in supporting ActivityPub natively in Publ!) and I like being able to take some time to expand on my thoughts and not have to chunk things up into 280-to-500-character chunks and worry about fixing my spelling and grammar and phrasing right then and there.

I like being able to sit on things for a few days, and add addendums without it being a whole new post, and I like having feedback come slowly and measured. Yes, I get quick replies and a variety of favorites-like reactions via Webmention and other things, and I do appreciate that in this little nichey corner of the web this is a way that people can interact with me, but I’m not really writing for an audience so much as writing for me and my friends, and hoping that the things I write also maybe resonate with folks who happen to read it.

I still use Twitter and Tumblr and Mastodon quite a lot (much more than I’d like, really) but that’s not how I prefer to interact with folks. I don’t even try to read everything that people post there, and I have no idea how anyone can think of timeline-oriented streams-of-updates services as a place where you’re going to be able to. I just occasionally glance at them to see what’s going on and maybe interact with others in the moment, and spend much more time wondering why the hell I even bother trying to communicate in that way beyond “it’s how everyone else communicates today.”

My big concern about my blogging habits here is that I’m mostly talking about the platform itself. Blogging about blogging is so dreary. Hopefully soon the new-toy shininess will wear off and I’ll get back to using this as a means of talking to my friends about other stuff. I certainly have a lot of other stuff coming down the pike, at least. Hopefully some of it turns out well.

I guess it’s mostly just that what I have to write about is what I’m working on, and this is (mostly) what I’m working on. If I were working on other things they’d be getting posted to other parts of my site.

Not-unrelatedly, I really want to get back into making comics.

## Post privacy

I finally have private posts working in Publ. This is just a test; in particular this post should only appear to people who are not logged in, and should disappear as soon as they do.

Think of it as the sound of one hand yapping.

## My webmention endpoint wish list

While it has some rough edges, the Webmention protocol has a lot going for it. One of the nice things about it is that it’s easy to add support via a third-party endpoint, such as webmention.io, which is what I (and many others) use.

There’s a few things I wish were better, though, and I think these can all be addressed by the endpoint itself, while remaining within the specification as it’s written today. I would be tempted to write an endpoint that works this way, if I weren’t already overwhelmed with other projects.

1. Definitely support the webmention.io API. There’s a lot of folks already using that to retrieve mentions to display them on their site, and I see no reason for that to change.

2. Having some form of moderation would be nice. Mentions at their core should be kept perpetually but with a disposition of accept/reject/pending, and domains should also have a default disposition (which defaults to pending). When a new webmention comes in, it should get the domain’s default disposition (along with an unmoderated flag), and then when moderating them, the user should be able to change the default disposition for the domain.

3. Mentions should be periodically refreshed to see if they’re still valid. The refresh interval can be some form of slow exponential growth, like the Fibonacci sequence or something. Whenever the status of the mention changes, that should reset the refresh interval. Mentions which have disappeared should not be rendered while they’re invalid, and the moderation queue should also show a section for “approved but disappeared” mentions.

4. When a mention is sent or refreshed, it should also get a source and destination pointer; track the mention in terms of the original URLs provided, but they should be displayed and fetched based on what their current URL is, after chasing redirections or the like.

5. Relatedly, multiple incoming mentions should be consolidated based on what their source and destination URLs resolve to. For example, if Alice pings Bob from http://alice.example.com/1/first-entryhttps://bob.example.org/blog/hello.html, and then Alice’s URL updates to https://alice.example.com/blog/1/First-Entry, if Alice’s site re-sends backfill pings, the endpoint should only report a single ping that comes from https://alice.example.com/blog/1/First-Entry. Likewise, if Bob’s URL changes to https://bob.example.org/weblog/hello, when Bob’s site retrieves mentions for the new URL it should also include mentions that went to the old URL.

Obviously for this case there will be a period of time between a site’s URLs changing and the original pings being refreshed, but maybe a new mention to an older target can also trigger a refresh of existing mentions to see if they’re subject to consolidation.

Also the consolidation should only happen at the retrieval level; the original source/destination URLs should always be preserved, since it’s always possible for an old URL to become unique again.

6. There should also be some automatic consolidation of pings that have the same URL aside from the scheme; webmention.js handles this on the rendering end but it’d be nice if the endpoint could do this automatically. For example, if a ping comes in from both http://example.com/12345 and https://example.com/12345, they should be consolidated to both have come from the https: version, probably. It would also probably make sense to do some sort of intelligent auto-consolidation based on domain aliases, like www.example.com vs. example.com. (8/28/2019 update: Or use <link rel="canonical">.)

7. Support for private webmention.

8. Support for Vouch, both from a validation perspective and providing UX to make it easier for folks to present their whitelist (like maybe when a domain is whitelisted it can also be added to a vouch list).

9. Also maybe some form of conversation threading would be nice? I’m not sure how that could be reasonably implemented (aside from supporting Salmention and hoping others come along with that) but it’d do a lot to address the UX problems with Webmention as a conversational platform.

## Bleah

So, the first two dosage tapers on my nortriptyline (40→30 and 30→20) went off without any trouble, but going down from 20→10 was really hard, to the extent that I decided to go back to 20 and keep using it for now. Basically, I had massive SNRI withdrawal symptoms, and also ended up being in severe pain all over. After two days of that I decided that maybe the nortriptyline is doing something for me after all, just not as much as I need it to, and went back to 20mg/day. I’m still feeling pretty hecked up from that so it’ll probably be a couple more days until I’m back up to where I was before.

Supposedly it’s okay to take both nortriptyline and gabapentin, so maybe I’ll try combination therapy once I’m back to my previous homeostasis (which was livable but not great).

Meanwhile, I really hope I’m able to do a song this weekend… it’s a gift for someone and I need it to be done by Monday, and I just plain haven’t had time to work on it.

Wow, I’ve been traveling for most of the past week and a half. Aside from a brief stop back in Seattle between IndieWeb Summit and visiting San Francisco for family gatherings, I’ve mostly been away from home since June 28. Yikes.

I didn’t really get to see a lot of friends on the San Francisco side of things (although I had some good times with my brother and my friend Mark) but that’s okay, since I got a lot of stuff done on Publ. Or, specifically, on Authl, the authentication layer, and the Publ integration with it. I have sign-in by email, IndieLogin, and Mastodon working! I will also probably add direct auth for IndieAuth at some point, now that I know how easy it is to implement an OAuth basic authentication flow. Hopefully soon I’ll have friends-only entries going up on this site!

Pain-wise I’ve been doing a lot better. I’ve been tapering off the nortriptyline, but I’ve been taking magnesium supplements. I still hit a crash point in the evening pretty easily, so it’s not like this has, like, solved everything, but it’s at least doing more for me than the nortriptyline alone was. I’m currently at 20mg and taper down to 10mg tonight, so this is where I’ll probably start to see if it really was a placebo early on.

Gender-wise, something rather interesting has been happening this trip: I’ve been going into the men’s room as usual (because when I travel and am in “boy mode” clothing I don’t want to cause a panic), and pretty much every time, someone’s taken it upon themselves to point out that I was in the men’s room and redirected me to the women’s room. At the same time, I still keep getting “sir"ed a lot, although I don’t know how much of that is people changing their mental alignment for me after they hear my voice. (Probably a lot.) I don’t feel like my appearance has changed at all over the past year, so I dunno what’s going on there.

Also gender-wise, a lot of people have been respecting the use of she/her pronouns for me, and that just feels… off. Still. I think I’m back to thinking of they/them as my primary pronoun. Honestly, the main reason I switched to she/her was because if I was requesting they/them, people would just treat it as unspecified and still default to he/him. I think my way of specifying pronouns is going to switch to "they/them, but she/her is fine.” Because if someone’s going to misgender me I’d rather it go to the femme side of things.

And a really cute thing happened at my nephew’s 1st birthday party: Camille, one of my nieces (who just turned 6 yesterday), wanted to get to know me better, and the first question she asked me was, “Are you a he, a she, or a they?” And I sort of fumbled over things and I eventually said “it depends but ‘they’ and she are ‘fine.’” Anyway, I wonder where she picked that up from. Wherever it was, it fills me with hope for the future. It’s also what got my mind grinding away about, like, which situations call for which pronouns. I think generally it’s they/them for folks my age or younger, and she/her for folks who are stuck in their ways regarding “proper” English.

Anyway, I guess that’s all for now. Unless something else occurs to me in the next hour fifteen minutes, apparently before my flight boards.

Edit: oh yeah, I think I need to switch to a backpack as my only conveyance. They’re kind of cumbersome for keys and wallet and stuff but purses are heavy and lopsided, and having both a backpack and a small purse is really awkward. My current backpack is great for just carrying my laptop to work but it’s garbo for actually organizing all my needs. My larger purse carries my iPad and all my other regular needs but it hurts my back after a whole day of using it. Any recommendations for better backpacks (ideally ones which are femmy and have room for an iPad, a laptop, some sketchbooks, and makeup et al) would be appreciated.

Edit 2: oh and another thing: fuck all the plastic straw bans, seriously. I’m gonna start just carrying my own plastic straws with me everywhere. I swear, people see one injured sea turtle and suddenly all people with disabilities and sensory issues just get completely thrown under the bus…

Edit 3: oh god only 4 weeks until my next big trip why is everything happening all at once

## Lending Club update

Remember how a few months ago I had a positive interaction with Lending Club regarding deadnames on 2FA emails? Well, the other day when I logged in it required a 2FA email and, amazingly enough, they actually fixed the problem! I hope more companies actually start to take these complaints seriously and fix issues with how they handle trans peoples' names.

Kevin and Ryan raise some very good points about where OStatus went wrong. I absolutely agree that Webfinger is a terrible approach to identity brokering (and I have a lot of problems with the /.well-known thing in general), and while I haven’t looked seriously into Salmon because it seemed unnecessary, it also sounds like it was a major pain in the butt to deal with on top of that.