Post privacy fluffy rambles


I finally have private posts working in Publ. This is just a test; in particular this post should only appear to people who are not logged in, and should disappear as soon as they do.

Think of it as the sound of one hand yapping.

My webmention endpoint wish list fluffy rambles


While it has some rough edges, the Webmention protocol has a lot going for it. One of the nice things about it is that it’s easy to add support via a third-party endpoint, such as, which is what I (and many others) use.

There’s a few things I wish were better, though, and I think these can all be addressed by the endpoint itself, while remaining within the specification as it’s written today. I would be tempted to write an endpoint that works this way, if I weren’t already overwhelmed with other projects.

  1. Definitely support the API. There’s a lot of folks already using that to retrieve mentions to display them on their site, and I see no reason for that to change.

  2. Having some form of moderation would be nice. Mentions at their core should be kept perpetually but with a disposition of accept/reject/pending, and domains should also have a default disposition (which defaults to pending). When a new webmention comes in, it should get the domain’s default disposition (along with an unmoderated flag), and then when moderating them, the user should be able to change the default disposition for the domain.

  3. Mentions should be periodically refreshed to see if they’re still valid. The refresh interval can be some form of slow exponential growth, like the Fibonacci sequence or something. Whenever the status of the mention changes, that should reset the refresh interval. Mentions which have disappeared should not be rendered while they’re invalid, and the moderation queue should also show a section for “approved but disappeared” mentions.

  4. When a mention is sent or refreshed, it should also get a source and destination pointer; track the mention in terms of the original URLs provided, but they should be displayed and fetched based on what their current URL is, after chasing redirections or the like.

  5. Relatedly, multiple incoming mentions should be consolidated based on what their source and destination URLs resolve to. For example, if Alice pings Bob from, and then Alice’s URL updates to, if Alice’s site re-sends backfill pings, the endpoint should only report a single ping that comes from Likewise, if Bob’s URL changes to, when Bob’s site retrieves mentions for the new URL it should also include mentions that went to the old URL.

    Obviously for this case there will be a period of time between a site’s URLs changing and the original pings being refreshed, but maybe a new mention to an older target can also trigger a refresh of existing mentions to see if they’re subject to consolidation.

    Also the consolidation should only happen at the retrieval level; the original source/destination URLs should always be preserved, since it’s always possible for an old URL to become unique again.

  6. There should also be some automatic consolidation of pings that have the same URL aside from the scheme; webmention.js handles this on the rendering end but it’d be nice if the endpoint could do this automatically. For example, if a ping comes in from both and, they should be consolidated to both have come from the https: version, probably. It would also probably make sense to do some sort of intelligent auto-consolidation based on domain aliases, like vs. (8/28/2019 update: Or use <link rel="canonical">.)

  7. Support for private webmention.

  8. Support for Vouch, both from a validation perspective and providing UX to make it easier for folks to present their whitelist (like maybe when a domain is whitelisted it can also be added to a vouch list).

  9. Also maybe some form of conversation threading would be nice? I’m not sure how that could be reasonably implemented (aside from supporting Salmention and hoping others come along with that) but it’d do a lot to address the UX problems with Webmention as a conversational platform.
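A minimal in-memory model of items 2 through 6 above, as an added example rather than code from this post or from any existing endpoint. The names `Endpoint`, `Mention`, and `canonical`, the refresh interval measured in days, and the `alice.example` / `bob.example` URLs used to exercise it are all assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

def canonical(url):
    """Consolidation key: ignores scheme (item 6), host case and trailing slash."""
    p = urlsplit(url)
    return p.netloc.lower() + (p.path.rstrip("/") or "/") + ("?" + p.query if p.query else "")

@dataclass
class Mention:
    source: str                    # original URLs as sent; never rewritten
    target: str
    resolved_source: str           # current URLs after chasing redirects (item 4)
    resolved_target: str
    disposition: str = "pending"   # accept / reject / pending (item 2)
    moderated: bool = False        # False is the "unmoderated" flag
    valid: bool = True
    fib: tuple = (1, 1)            # Fibonacci state for the refresh interval, in days

    def refreshed(self, still_valid):
        """Record a refresh result; return days until the next refresh (item 3)."""
        if still_valid != self.valid:
            self.valid, self.fib = still_valid, (1, 1)   # a status change resets the interval
        else:
            self.fib = (self.fib[1], self.fib[0] + self.fib[1])
        return self.fib[0]

class Endpoint:
    def __init__(self):
        self.domain_default, self.mentions = {}, []   # domain -> default disposition

    def receive(self, source, target, resolved_source=None, resolved_target=None):
        default = self.domain_default.get(urlsplit(source).netloc.lower(), "pending")
        m = Mention(source, target, resolved_source or source, resolved_target or target, default)
        self.mentions.append(m)
        return m

    def moderate(self, mention, disposition, set_domain_default=False):
        mention.disposition, mention.moderated = disposition, True
        if set_domain_default:
            self.domain_default[urlsplit(mention.source).netloc.lower()] = disposition

    def retrieve(self, target):
        """Accepted, currently valid mentions for target, consolidated (items 5, 6)."""
        want, seen = canonical(target), {}
        for m in self.mentions:
            if m.disposition == "accept" and m.valid and canonical(m.resolved_target) == want:
                seen.setdefault(canonical(m.resolved_source), m)   # one per resolved source
        return list(seen.values())
```

Consolidation happens only in `retrieve`; the stored `source` and `target` stay as originally sent, so an old URL that becomes unique again simply stops matching.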

Bleah fluffy rambles


So, the first two dosage tapers on my nortriptyline (40→30 and 30→20) went off without any trouble, but going down from 20→10 was really hard, to the extent that I decided to go back to 20 and keep using it for now. Basically, I had massive SNRI withdrawal symptoms, and also ended up being in severe pain all over. After two days of that I decided that maybe the nortriptyline is doing something for me after all, just not as much as I need it to, and went back to 20mg/day. I’m still feeling pretty hecked up from that so it’ll probably be a couple more days until I’m back up to where I was before.

Supposedly it’s okay to take both nortriptyline and gabapentin, so maybe I’ll try combination therapy once I’m back to my previous homeostasis (which was livable but not great).

Meanwhile, I really hope I’m able to do a song this weekend… it’s a gift for someone and I need it to be done by Monday, and I just plain haven’t had time to work on it.

Finally heading home fluffy rambles


Wow, I’ve been traveling for most of the past week and a half. Aside from a brief stop back in Seattle between IndieWeb Summit and visiting San Francisco for family gatherings, I’ve mostly been away from home since June 28. Yikes.

I didn’t really get to see a lot of friends on the San Francisco side of things (although I had some good times with my brother and my friend Mark) but that’s okay, since I got a lot of stuff done on Publ. Or, specifically, on Authl, the authentication layer, and the Publ integration with it. I have sign-in by email, IndieLogin, and Mastodon working! I will also probably add direct auth for IndieAuth at some point, now that I know how easy it is to implement an OAuth basic authentication flow. Hopefully soon I’ll have friends-only entries going up on this site!

Pain-wise I’ve been doing a lot better. I’ve been tapering off the nortriptyline, but I’ve been taking magnesium supplements. I still hit a crash point in the evening pretty easily, so it’s not like this has, like, solved everything, but it’s at least doing more for me than the nortriptyline alone was. I’m currently at 20mg and taper down to 10mg tonight, so this is where I’ll probably start to see if it really was a placebo early on.

Gender-wise, something rather interesting has been happening this trip: I’ve been going into the men’s room as usual (because when I travel and am in “boy mode” clothing I don’t want to cause a panic), and pretty much every time, someone’s taken it upon themselves to point out that I was in the men’s room and redirected me to the women’s room. At the same time, I still keep getting “sir”ed a lot, although I don’t know how much of that is people changing their mental alignment for me after they hear my voice. (Probably a lot.) I don’t feel like my appearance has changed at all over the past year, so I dunno what’s going on there.

Also gender-wise, a lot of people have been respecting the use of she/her pronouns for me, and that just feels… off. Still. I think I’m back to thinking of they/them as my primary pronoun. Honestly, the main reason I switched to she/her was because if I was requesting they/them, people would just treat it as unspecified and still default to he/him. I think my way of specifying pronouns is going to switch to “they/them, but she/her is fine.” Because if someone’s going to misgender me I’d rather it go to the femme side of things.

And a really cute thing happened at my nephew’s 1st birthday party: Camille, one of my nieces (who just turned 6 yesterday), wanted to get to know me better, and the first question she asked me was, “Are you a he, a she, or a they?” And I sort of fumbled over things and I eventually said “it depends but ‘they’ and she are ‘fine.’” Anyway, I wonder where she picked that up from. Wherever it was, it fills me with hope for the future. It’s also what got my mind grinding away about, like, which situations call for which pronouns. I think generally it’s they/them for folks my age or younger, and she/her for folks who are stuck in their ways regarding “proper” English.

Anyway, I guess that’s all for now. Unless something else occurs to me in the next hour fifteen minutes, apparently before my flight boards.

Edit: oh yeah, I think I need to switch to a backpack as my only conveyance. They’re kind of cumbersome for keys and wallet and stuff but purses are heavy and lopsided, and having both a backpack and a small purse is really awkward. My current backpack is great for just carrying my laptop to work but it’s garbo for actually organizing all my needs. My larger purse carries my iPad and all my other regular needs but it hurts my back after a whole day of using it. Any recommendations for better backpacks (ideally ones which are femmy and have room for an iPad, a laptop, some sketchbooks, and makeup et al) would be appreciated. (The preceding Amazon links are affiliate links.)

Edit 2: oh and another thing: fuck all the plastic straw bans, seriously. I’m gonna start just carrying my own plastic straws with me everywhere. I swear, people see one injured sea turtle and suddenly all people with disabilities and sensory issues just get completely thrown under the bus…

Edit 3: oh god only 4 weeks until my next big trip why is everything happening all at once

Lending Club update fluffy rambles


Remember how a few months ago I had a positive interaction with Lending Club regarding deadnames on 2FA emails? Well, the other day when I logged in it required a 2FA email and, amazingly enough, they actually fixed the problem! I hope more companies actually start to take these complaints seriously and fix issues with how they handle trans people’s names.

Addendum to the previous fluffy rambles


Kevin and Ryan raise some very good points about where OStatus went wrong. I absolutely agree that Webfinger is a terrible approach to identity brokering (and I have a lot of problems with the /.well-known thing in general), and while I haven’t looked seriously into Salmon because it seemed unnecessary, it also sounds like it was a major pain in the butt to deal with on top of that.

What’s frustrating to me is that Mastodon (and possibly ActivityPub itself?) makes Webfinger absolutely necessary to support (and provides worse feed discovery/modeling as a result!), and I believe it does something Salmon-esque for conversational threading as well (although I’m sure someone will correct me on this point).

Meanwhile, another reason to avoid ActivityPub is that things like this are necessary.

A long-winded IndieWeb ramble I wrote on the train back from Portland fluffy rambles


(This is a somewhat-edited version of a disconnected ramble I posted on Twitter/Mastodon while on the train home today. I feel like putting this somewhere that I own it, but am not in a good enough mental state to actually write it properly.)

Yesterday at IndieWeb Summit, someone – Aaron, I believe – mentioned that one of the big differences between IndieWeb initiatives and ActivityPub is that IndieWeb is made up of simple building blocks you can pick and choose while ActivityPub frontloads a lot of complex work. This is a sentiment I very much agree with and it’s unfortunate that the main reason Mastodon switched from OStatus (which is very IndieWeb-esque) is because it made it slightly less inconvenient to pretend to have private posts. Which aren’t even implemented that well.

Mastodon’s “private” posts really suck from a bunch of standpoints. There’s no ability to backfill or even view on web without being on the same instance, and Mastodon’s actual privacy controls go in the wrong direction, so it’s still necessary for a separate vent account. As usual I don’t know if this is a problem with ActivityPub itself, or an artifact of how Mastodon shoehorned its functionality into ActivityPub, but either way, the end result is that Mastodon’s post privacy isn’t really all that useful, nor is it really all that private.

So, right now ActivityPub is the darling of the fediverse, but I’m hoping that the current push toward AutoAuth and trying to use it as a basis for private webmentions and the obvious next steps of private feeds and private WebSub will change that. I do worry that IndieAuth/AutoAuth are kind of hard to do in piecemeal ways though (well, okay, IndieAuth becomes really easy using IndieLogin but I don’t want to see a single endpoint become what everyone on the Internet relies on). And of course once you get into an integration between auth stuff and content stuff you also need to worry a lot more about content management and how it integrates, as well as this seeming fundamentally incompatible with static site generation.

At the Summit there was definitely a lot of compromise that people were doing, such as using Javascript libraries to introduce externally-hosted dynamic IndieWeb stuff onto statically generated pages. I think in this world where SSGs can be supplemented with third-party endpoints that use client-side JavaScript there could be a world where some level of privacy can happen via clever use of client-side includes of data at non-public unguessable URLs. (Although the ideal solution for that is to use the third-party APIs to generate webhooks that then trigger a file change → git commit → commit hook → build/redeploy.)

Non-public unguessable URLs aren’t great for privacy in general (and I mean, Publ has had “privacy through obscurity” since day one and there’s several reasons why I rarely use it anyway) but it’s at least better than nothing.

IndieWeb Summit day 2: Authl finally gets some love fluffy rambles


One of the biggest bits of functionality I want to get in the next milestone for Publ is private posts. Doing private posts requires some way of determining the identity of the person who is reading the site. There are a lot of mechanisms to choose from. Most of them are largely incompatible with one another, and there isn’t any single mechanism that checks all my boxes. And of course the standards keep on shifting, and keep on getting a new unifying standard that will fix everything.

So, IndieLogin is a really great way to get started with IndieWeb authentication for people who are in the IndieWeb ecosystem. If you have your own website on your own domain name and an account on one of its connected RelMeAuth providers, it covers everything. But not everyone who I want to grant stuff to has their own website, or the ability to set one up. Siloed OAuth is still useful. And being able to log in via email address is also beneficial.

Feelings fluffy rambles


So, the last few days have been feeling a lot better overall. I’m not sure how much of that is reducing my nortriptyline dose or how much is because I’ve been taking magnesium regularly. But either way, I’m just like… in less agony. My wrists still hurt most of the time, especially after I’ve been working for a few hours, and I’m still driving to work more often than I’d like, but all in all I’m feeling, I dunno, better?

I was in a pretty dark place about a week ago and now things are just feeling like how they are on average for me in general, so to me that’s a pretty big improvement.

This weekend I’m going down to Portland for IndieWeb Summit and I’m looking forward to it. Hopefully I can improve my understanding of the current ecosystem, and maybe make some contributions to it which are important to me. In particular it’ll be nice to chat with Aaron and Jamey about our respective areas of overlapping interest, and talk everyone’s ear off about Publ and what I’m trying to do with it. Maybe I can even get others to want to contribute to it! Also definitely looking forward to meeting Jacky, Darius, and everyone else I’ve interacted with in IndieWeb stuff!

