Shiny new authentication stuff
There’s new versions of Publ and Authl in town, and they support some fun stuff with user profiles. Go and check it out!
Rambles that are fluffy, by fluffy
There’s new versions of Publ and Authl in town, and they support some fun stuff with user profiles. Go and check it out!
I’m personally physically all right, at least for now. The house guest also made it here safely, right before things got really weird.
I gotta say, getting an urgent group text informing my building of an incoming teargas cloud and “Close your windows” is not a thing I thought I’d ever experience first-hand.
So, some updates of the things that have been going on in my life since the last update, because I’m waiting for my car to get some overdue scheduled maintenance and I forgot to bring my Switch, so why not.
I finally got around to making a better store page. It’s still not great but it’s better than just linking to either my Threadless or Storenvy or whatever, and I’ll be able to backfill a bunch more of my items into it eventually.
There’s a lot of stuff I’d like to change of course, but this at least gives me a hook to setting up my own PayPal/Stripe/etc. cart as well.
Anyway I’m glad that Publ is in a state where it’s gotten easier and easier for me to make new sites from scratch with it. And I also released a new version of Publ with some shiny new features.
I have accepted a job at maven.io as a full-stack engineer. I’ll be working on web publishing stuff as an actual source of income now!
I am very optimistic about this. Everyone at the interview was super-awesome and friendly, and their ethics seem pretty much aligned with mine. I hope to be part of making curated published content on the web better for everyone! (Readers and publishers alike.)
While Publ is still going to be an IndieWeb-first platform (simply because it’s so much easier to integrate – having modular Lego bricks and a pick-and-choose functionality set that is as simple as adding it to one’s HTML templates is a very compelling approach), I’ve had some good discussions regarding ActivityPub lately and it’s starting to seem a bit more possible to add that as an add-on for Publ.
In response to a Publ blog post, Kicks Condor writes:
One question, though—could the Atom feed list
rel alternateversions of the feed? (That would have type
application/atom+xml?) It also seems like
rel selfcould have the non-authenticated version of the feed. It doesn’t make sense for credentials to be in that URL. These are possibly naive suggestions—apologies, if so. Again, fantastic write-up!
The problem is that it’s up to the sharing news reader to know which URL to use for the sharing, and there’s no way to control what URL the reader happens to use. I know that Feed On Feeds will use the URL for the actual subscription (since that’s the only source URL it tracks in the first place), and who knows what other readers with sharing features will do!
And changing the
rel="self" URL has a different problem – some readers (again, such as Feed On Feeds) treat that as the canonical URL and will update their subscriptions to point to that URL instead, so setting
rel="self" to the unauthenticated feed means most users will be unable to remain logged in.
Basically, it’s a tricky issue that has no right answer with the Atom spec as it currently exists. So if some other mechanism has to be designed, it might as well be done in a safe, unambiguous way from the beginning. If some other use case for magic auth links comes up I’ll reconsider implementing them, but at least for friends-only subscription access, the privacy risks are simply not worth it.
Okay, instead of trying to modify Isso to support thread IDs that are separate from page URIs, I ended up leveraging the way that Publ request routing works and just made all thread IDs consist of a
/<signature>/<entry_id> path, where
<signature> is computed from an HMAC signature on the entry ID and a secret key. So, now the thread ID is only visible to people who have access to the entry in the first place (as long as my signing key never leaks), and the fact that Isso only uses the thread ID when generating a reply email link isn’t a problem.
So, for example, this entry has an entry ID of 4678, and the generated thread ID is (for example)
/890824f4d450d4ac/4678, so when someone gets a reply notification the email will say something like:
such-and-such <email@example.com> wrote:
Link to comment: http://beesbuzz.biz/890824f4d450d4ac/4678
which will then redirect back here.
It’s not ideal, of course, but it works well enough.
Of course, to do this I had to migrate all of my thread IDs again, but hopefully this is the last time I’ll have to do that, and it also takes care of all my legacy Movable Type-era thread IDs. It does set a bad precedent that I’ll have to migrate thread IDs more in the future if I ever change my publishing system but the fact I was able to get away with not doing that for so long is a pretty good testament to my laziness, which I ended up having to pay interest on in the future anyway. So, lesson learned.
Also, this approach is even better privacy than what I was hoping to get out of the Disqus method; as it stood before, someone on my friends list (or who saw an
Auth: * entry) could have theoretically figured out the way I was determining private thread IDs and used that to explore comments on entries they don’t have access to, and also there was an issue that if I ever took a public entry private, its thread ID would remain the same as when it was public. But this way, it’s unguessable as long as my HMAC key never leaks, and if my HMAC key does leak I can just reset it and regenerate the thread IDs. (Edit from the future: Ha. Haha. Ha hahaha ha haha. Ha.)
This approach is also useful for things other than Publ; my advice to anyone who’s using Isso for comments is that instead of using the actual entry URI as the thread ID, they should have some sort of stable mechanism for forwarding an opaque thread ID to the actual entry, and use that. This just happened to be really easy to implement for Publ since Publ already supports opaque ID chasing.
I finally have private posts working in Publ. This is just a test; in particular this post should only appear to people who are not logged in, and should disappear as soon as they do.
Think of it as the sound of one hand yapping.
Wow, I’ve been traveling for most of the past week and a half. Aside from a brief stop back in Seattle between IndieWeb Summit and visiting San Francisco for family gatherings, I’ve mostly been away from home since June 28. Yikes.
I didn’t really get to see a lot of friends on the San Francisco side of things (although I had some good times with my brother and my friend Mark) but that’s okay, since I got a lot of stuff done on Publ. Or, specifically, on Authl, the authentication layer, and the Publ integration with it. I have sign-in by email, IndieLogin, and Mastodon working! I will also probably add direct auth for IndieAuth at some point, now that I know how easy it is to implement an OAuth basic authentication flow. Hopefully soon I’ll have friends-only entries going up on this site!
Pain-wise I’ve been doing a lot better. I’ve been tapering off the nortriptyline, but I’ve been taking magnesium supplements. I still hit a crash point in the evening pretty easily, so it’s not like this has, like, solved everything, but it’s at least doing more for me than the nortriptyline alone was. I’m currently at 20mg and taper down to 10mg tonight, so this is where I’ll probably start to see if it really was a placebo early on.
Gender-wise, something rather interesting has been happening this trip: I’ve been going into the men’s room as usual (because when I travel and am in “boy mode” clothing I don’t want to cause a panic), and pretty much every time, someone’s taken it upon themselves to point out that I was in the men’s room and redirected me to the women’s room. At the same time, I still keep getting “sir"ed a lot, although I don’t know how much of that is people changing their mental alignment for me after they hear my voice. (Probably a lot.) I don’t feel like my appearance has changed at all over the past year, so I dunno what’s going on there.
Also gender-wise, a lot of people have been respecting the use of she/her pronouns for me, and that just feels… off. Still. I think I’m back to thinking of they/them as my primary pronoun. Honestly, the main reason I switched to she/her was because if I was requesting they/them, people would just treat it as unspecified and still default to he/him. I think my way of specifying pronouns is going to switch to "they/them, but she/her is fine.” Because if someone’s going to misgender me I’d rather it go to the femme side of things.
And a really cute thing happened at my nephew’s 1st birthday party: Camille, one of my nieces (who just turned 6 yesterday), wanted to get to know me better, and the first question she asked me was, “Are you a he, a she, or a they?” And I sort of fumbled over things and I eventually said “it depends but ‘they’ and she are ‘fine.’” Anyway, I wonder where she picked that up from. Wherever it was, it fills me with hope for the future. It’s also what got my mind grinding away about, like, which situations call for which pronouns. I think generally it’s they/them for folks my age or younger, and she/her for folks who are stuck in their ways regarding “proper” English.
Anyway, I guess that’s all for now. Unless something else occurs to me in the next
hour fifteen minutes, apparently before my flight boards.
Edit: oh yeah, I think I need to switch to a backpack as my only conveyance. They’re kind of cumbersome for keys and wallet and stuff but purses are heavy and lopsided, and having both a backpack and a small purse is really awkward. My current backpack is great for just carrying my laptop to work but it’s garbo for actually organizing all my needs. My larger purse carries my iPad and all my other regular needs but it hurts my back after a whole day of using it. Any recommendations for better backpacks (ideally ones which are femmy and have room for an iPad, a laptop, some sketchbooks, and makeup et al) would be appreciated. (The preceding Amazon links are affiliate links.)
Edit 2: oh and another thing: fuck all the plastic straw bans, seriously. I’m gonna start just carrying my own plastic straws with me everywhere. I swear, people see one injured sea turtle and suddenly all people with disabilities and sensory issues just get completely thrown under the bus…
Edit 3: oh god only 4 weeks until my next big trip why is everything happening all at once
One of the biggest bits of functionality I want to get in the next milestone for Publ is private posts. Doing private posts requires some way of determining the identity of the person who is reading the site. There are a lot of mechanisms to choose from. Most of them are largely incompatible with one another, and there isn’t any single mechanism that checks all my boxes. And of course the standards keep on shifting, and keep on getting a new unifying standard that will fix everything.
So, IndieLogin is a really great way to get started with IndieWeb authentication for people who are in the IndieWeb ecosystem. If you have your own website on your own domain name and an account on one of its connected RelMeAuth providers, it covers everything. But not everyone who I want to grant stuff to has their own website, or the ability to set one up. Siloed OAuth is still useful. And being able to log in via email address is also beneficial.
I just read this great essay by Matthias Ott. It does a great job of summarizing the state of affairs of blogging and social media, and how we can try to escape the current orbit to get back to where the web was meant to be.
I especially like the bit about “Don’t do it like me. Do it like you.” Because that is exactly why I’ve been building Publ the way I have; I have specific goals in mind for how I manage, maintain, and organize my site, and these goals are very different than what other existing blogging and site-management software has in mind. The fact that I post so many different kinds of content and that they need different organizational structures to make sense makes this a somewhat unique problem. I’d like to think that Publ is a very general piece of web-publishing software, but it’s probably so general because I have such specific needs. Which makes for an interesting paradox, I suppose.
I guess what I’m saying is that I want to see more types of web-based publishing where the schema and layout fit the content, not the other way around. But it also needs to be able to interoperate with other stuff, while still making sense from a producer-consumer UX perspective.
I believe that I will go to the 2019 IndieWeb summit. It’s in nearby Portland in about a month. It’d be nice to talk to folks in person about IndieWeb stuff and maybe get more eyes on Publ, in particular.
v0.4.0 released! Let’s talk future!:
Oh wow, I finally closed out the Publ 0.4.0 milestone. So, wow, this is a pretty big deal for me.
I feel like this is a pretty big deal :)
It’s been a while since I’ve worked on IndieWeb stuff, but I finally got around to releasing an extremely preliminary version of reblob, a little commandline thingus to make this stuff easier. Eventually I’ll also have a server-based version here, at least as an example.
Of course this is the first entry I’ve written actually using it. Lots of rough edges but whatever!
In response to my tagging announcement, Marty McGuire writes:
This could be a use case for tag-reply posts!
Brid.gy supports this for tagging people in Flickr posts, as well as adding labels to GitHub issues.
(wow I really have got to write some sort of reply-to post importer… hand-converting that to Markdown was way more work than it should have been!)
I’m not quite sure I understand the use case that’s being called for, here. Publ tags are “tags” in the Tumblr sense, where they’re used to filter and organize posts, like being able to limit things to rants or whatever; I get the feeling that this is confusion over multiple uses of the word “tag,” like how on Twitter/Facebook/Flickr/etc. “tagging” means signaling to someone that they should read a post (akin to “Tag! You’re it!”). Think Technorati tags from way back when, or Atom categories, which are most akin to hashtags on Twitter and Facebook.
I think a tag-as-in-notification thing would be implemented in Publ the same way I implement
in-reply-to and so on – I have a corresponding header in the entry file and my template generates an invisible
<a class="u-in-reply-to" href="..."> in the post body. The relevant bit in my entry template is:
So in that sense Publ already supports that at the template level; I can simply add
tag-of to the list of microformat types. Or am I completely misunderstanding what is being suggested?
So hey, Publ now has a tagging system, so I’ve updated my site to show tags in a lot of places. I’m not sure if I should make some sort of tag explorer view or if it’s okay to just pivot between tags within a category listing. Insight or ideas would be most welcome.
What I want to do at some point is tag all of my comics with subject matter and characters, but that seems like a lot of work. I wonder if there’s a way to outsource that to other folks which doesn’t involve opening up my git repo to the world. Maybe I’ll build a simple tool which lets people suggest tags for entries which don’t have tags. Iunno.
Right now I’m sitting bored in a waiting room, so I decided to give CodeAnywhere a shot as a means of editing entries directly on my site, since that’s a use case I’ve mentioned as a possibility for the future.
Here are some of my observations as I run across them while writing this entry.
So, I’ve started yet another web programming project, a generic authentication wrapper library for Python. Because I need something like this for Publ and just want to do it once.
So I’ve been talking about distributed social stuff a lot lately, especially Publ (my publishing engine, which runs this site, in case you are new here), and also ecosystem stuff for things like private entries and other things that have been pinging around in my head for a while.
A thing I keep on mentioning is Subl, but generally only talking about it tangentially without actually going into detail with what it even is. So, I guess I should talk about that at some point.