💬💬 re: Private posts on the open web Notes

In reply to: re: Private posts on the open web

In reply to: re: Private posts on the open web

I have had private posts on the open web for quite some time, and this has been one of my personal bugbears in IndieWeb for as long as I’ve been participating.

My site uses an authentication layer, Authl, which allows people to sign in with a bunch of different identity providers, including IndieAuth, Fediverse (specifically tested with Mastodon and Pleroma but it should work with anything that supports the Mastodon client protocol), and emailed links. (It also used to support Twitter, but, y'know. And I’ve wanted to add support for bsky but its third-party client UX isn’t amenable to using it as basic SSO, but hopefully that changes when they refine their scopes better.) If someone signs in, or provides a bearer token to their feed reader, then they will be able to see private posts.

The other thing is I’ve been pushing for TicketAuth as well, although I haven’t kept up with the latest protocol changes and I’m kind of lost when it comes to playing catch-up. The use case for this is to better support feed readers; the basic idea is that there’s an unattended mechanism for a bearer token to be provided to someone’s feed reader, which can then use that bearer token in order to subscribe to posts and then those show up in full to the reader.

But since nobody actually supports it so far as I can tell (and if they were to start supporting it, it’d be based on the latest spec which I am definitely not complying with), I also have my feed set to show an anonymous stub entry for people who aren’t logged in. It provides minimal information beyond a shortlink that will redirect to the entry itself, and a sanitized title that’s just the first letter of each word in the title so that people have some clue as to whether they’ve seen it already. For example, the privacy title of this post would be “rPpotow.”

Also, for people who aren’t signed in, if there is a private entry which might become visible to them if they are authorized, a small notice appears on the top of the page to that effect. For example, if you aren’t signed in to my site, this page should show such a notice.

This gives me a pretty good balance of privacy and security. Content is only ever visible to people who are actually signed in, and people are notified about the potential for additional content if they sign in, without leaking information about the nature of that content.

Incidentally, this is stuff I had designed Publ for from the beginning, specifically from my experiences with hacking private posts into my old MovableType blog and needing to vent in private in a centralized way. I also make use of the login system for other stuff, like the anti-AI-scraping measures and the Novembeat submissions page, and I plan to eventually add things like a comment system and a few other things.
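The anonymous stub entries and sign-in notice described in this post, sketched as an added example (not Publ's or Authl's code). The `Entry` type, the `allowed` set, the shortlink form and the rule that a signed-in but unlisted viewer sees nothing are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    entry_id: int
    title: str
    body: str
    allowed: frozenset = frozenset()  # empty set means the entry is public


def privacy_title(title: str) -> str:
    """Sanitized title: the first character of each word in the title."""
    return "".join(word[0] for word in title.split())


def can_view(entry: Entry, user) -> bool:
    """Public entries are visible to all; private ones only to listed identities."""
    return not entry.allowed or user in entry.allowed


def render_feed(entries, user=None, base="https://example.com"):
    """Return (items, show_notice) for one viewer; user=None means not signed in."""
    items, show_notice = [], False
    for e in entries:
        link = f"{base}/{e.entry_id}"  # hypothetical shortlink form
        if can_view(e, user):
            items.append({"title": e.title, "link": link, "content": e.body})
        elif user is None:
            # Anonymous stub: shortlink and sanitized title only, never the body.
            items.append({"title": privacy_title(e.title), "link": link, "content": ""})
            show_notice = True  # drives the "sign in to see more" notice
        # Assumption: a signed-in viewer who is not on the list sees nothing.
    return items, show_notice


# Constructed sample data, not real entries or identities.
FEED = [
    Entry(1, "This site now Cloudflare-free", "Public body text."),
    Entry(2, "re: Private posts on the open web", "Secret venting.",
          frozenset({"https://friend.example/"})),
]
```
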

💬 Re: Still I Persist Notes

In reply to: Re: Still I Persist

This carries a tonne of complexity into the most trivial things. Not only that, people have stopped developing things entirely, and now just rely on cobbling together commercial “solutions”. Rube Goldberg machines at their finest.

Yes, this exactly. I even used the term “Rube Goldberg machine” when ranting about this to my therapist earlier today.

Early in my career it was seen as a luxury to have 4MB of RAM on a consumer device, and now it’s a given that 4GB isn’t even remotely enough for even the most basic things. A factor of 1000, all for devices that just do largely the same thing, only worse, and slower, and requiring even more bandwidth and power to do even the most basic shit.

It’s maddening but it’s also good to know that I’m not the only one who feels this way.

I build things to be tools that can be used generally, and what we have is an ecosystem where every device has its own set of screwdrivers that work differently and each need a complete infrastructure to even function, and they’re made of lead and fall apart the moment you exert any pressure on them.

It’s enough to make me want to become a hermit but I suspect that even the hermit life requires an active cellphone connection these days.

This site now Cloudflare-free

About a year ago I set up Cloudflare as a fronting CDN for this site and my music site because it was the most expedient way of dealing with an AI bot onslaught. It helped a bit but the bots very quickly figured out how to get around all that and while Cloudflare gave me some slightly-better management tools for some stuff, I figured out better approaches to the bot mitigation.

Cloudflare was also super aggressive about caching some stuff that I didn’t want to be cached, and of course, there are many, many political and ideological reasons to not want to use Cloudflare. So my plan was always to switch back to not being under Cloudflare, but the longer I waited the harder it seemed like it would be, due to how SSL certificates work. In particular, I use wildcard Let’s Encrypt certificates, which require DNS to be current, and a big thing that Cloudflare does is… take over your DNS.

But tonight I got a hair up my butt and switched back to my own termination, and it wasn’t too hard to do, with just a little bit of DNS and TLS juggling, and I wanted to minimize my website downtime.


Still, I persist

Ughhhh, this has been a heck of a week.

As usual I’ve been full of pain. And my brief surge of enthusiasm for working on music got cut kind of short because of it. But I’m hoping that tomorrow feels better and I can go back to the studio.

I’m also not sure where I stand with my fatigue. The last few days I’ve had to run quick errands by car and those felt fine. But I’m not feeling courageous enough to drive further just yet, especially with how any escape from White Center means following curvy roads which are especially triggering to me.
