From W3C Wiki


Social Web Incubator Community Group

19 May 2017

See also: IRC log


tantek, sandro, geppy, DenSchub, evan, albino, cwebber2, Rushyo, MMN-work, knutsoned, aaronpk, astronouth7303, ben_thatmustbeme
sandro, cwebber2


<astronouth7303> Sorry, first time on Mumble

<DenSchub> i am /that guy/

<Loqi> tantek: strugee left you a message 6 hours, 29 minutes ago: I seem to recall you mentioning a while back that Google still parses mf2 even though they've replaced their proprietary markup like 3 times. do you remember where that was from? not sure if it was on a web page or in this IRC channel. context:

<Loqi> tantek: strugee left you a message 6 hours, 23 minutes ago: ignore ^^^ that; I was thinking of something aaronpk wrote :)


<tantek> !tell strugee looks like you found your answer re: Google and microformats? They definitely still do parse microformats, question is where they are with parsing mf2, since they have unofficially made positive remarks about it for a few years, and may just be waiting for some measure of critical mass (which has accelerated in the past 2 years)

<Loqi> Ok, I'll tell them that when I see them next

<tantek> DenSchub++

<Loqi> denschub has 1 karma

<albino> sandro: voice overs? what do you mean?

<sandro> the app is always saying people are joining/leaving server and channel. on desktop you can turn it off, but not android, it seems.

<sandro> scribenick: sandro

<MMN-work> OSM:ing in parallel


<tantek> This config screen reminds me of PPP

<tantek> hey what's the Username

<aaronpk> aaronpk: Aaron Parecki

cwebber2: Please join IRC

<tantek> "Unable to validate server certificate".

aaronpk: co-chair of group, editor of some W3C specs in this space, MicroPub, Webmention, and co-editor of WebSub (aka PuSH)

<tantek> whoa voice!

<albino> Hi, I'm albino and my mic isn't working :(


<Loqi> Aaron Parecki h

<albino> I'll talk in ~15 minutes if we're lucky

<astronouth7303> (no quiet spot) Jamie, independent, interested person.

<astronouth7303> Good enough

Ben Roberts (Ben that must be me)

<ben_thatmustbeme> ben_thatmustbeme: Ben Roberts,

cwebber2: swwg, working on ActivityPub, a client-to-server and server-to-server, using AS2 as vocab

<DenSchub> DenSchub: Dennis Schubert, working on diaspora*

<tantek> yay another Mozilla person! (nice not to be the only one :) )

denschub: at mozilla, but here in private role

evan: At InternetArchive, but here in private capacity as well

<geppy> geppy (legal name Brian Geppert)

<knutsoned> Ed Knutson

MMN-work: AS1.0 and GnuSocial

Rushyo: end-to-end encryption

<cwebber2> scribenick: cwebber2

<DenSchub> sandro hawk, works at the w3c, one of the group contacts

<DenSchub> (scribing for him so he can talk ;))

sandro: hi i'm Sandro Hawke, I work at the w3c, and am one of the two staff contacts for the socialwg, and am excited about this work

<scribe> scribenick: sandro

tantek: first time using mumble :-) also works at mozilla, co-chair of SWWG, and on W3C AB and CSS WG, cofounder of indieweb
... own personal CMS
... editor of some microformat specs




Social Web WG Updates

aaronpk: websub test suite finished! you can go test your implementations. it'll act as fake server, subscriber, hub, so you can see how your implementation is doing
... W3C lifecycle: Working Draft, Candidate Recommendation, Proposed Recommendation, Recommendation
... We need to show people are implementing and interoperating, to move past CR
... one of the goals was to make very few functional changes to PubSubHubbub
... so if you've implemented that, we'd GREATLY APPRECIATE you trying your impl against the test suite
... and submitting implementation report

<tantek> Note to self, submit a WebSub (publisher) implementation report for @Falcon!

aaronpk: USEFUL even if you only pass half the tests

<MMN-work> aaronpk: I should submit reports for GNU social (nightly branch has recently renamed PuSH to WebSub in most documentation). .)

<aaronpk> please do!

<cwebber2> scribenick: cwebber2

sandro: is it reasonable to run the test suite on pubsubhubbub implementations we use and know of and submit them as third party specs?
... and I say absolutely yes as long as you identify that in your implementation report

<scribe> scribenick: sandro

<tantek> when do we need these impl reports by?

<astronouth7303> cwebber2: ^^



<tantek> \o/ new AP CR

cwebber2: Includes nice tutorial, and changes you can see in change log
... still working on test suite, sorry it's not done yet

<aaronpk> haha

cwebber2: When do we need impl reports by

<ben_thatmustbeme> hah

<Loqi> nice

<cwebber2> scribenick: cwebber2

sandro: two to 3 weeks is the estimation

<sandro> aaronpk: Very helpful if you're building it, too

aaronpk: I'll also point out if you're implementing, your test suite is a great way to debug

<scribe> scribenick: sandro

tantek: So do it sooner, in case it exposes bugs in your code

aaronpk: Or bugs in spec!

Social Web Charter Extension

cwebber2: We're asking for an extension
... strong indicator at last meeting here that people want to explore it
... so if we don't get extension, maybe we'll keep working on it any way

<Zakim> ben_thatmustbeme, you wanted to mention other test suites for WG specs

ben_thatmustbeme: Most SWWG have .rocks for test suite, webmention, activitystreams, etc

tantek: What are editor's preferences for AP on whether ...

cwebber2: My feelings have shifted since last meeting. I previously imagined I'd feel like I failed if we didn't get AP to Rec before the group ended
... but since there are a bunch of people saying they want to implement, and 2-3 weeks are not a lot of time
... (and there's a lot of value to having implementations)
... what about y'all?

<astronouth7303> I probably won't be done in 3 weeks

cwebber2: how do you feel about getting Gold Foil Stamp of W3C, if we have to cut off iterations to get it

geppy: I'll need more than three weeks

evan: Me, too

<cwebber2> scribenick: cwebber2

sandro: w3c has maturity process of proposed recommendation and recommendation, some people take that very seriously and won't build things without a w3c spec. we can't make changes beyond the group charter, and that means freezing the spec, which has risks if there are problems. In that case, should we just not freeze it in stone, and keep it in a living document in the community group? we don't have to decide that immediately

<sandro> (For W3C Advisory Committee Representative Only) Vote on whether to extend group

sandro: what I was going to say, if you happen to be involved with a w3c member org, then by all means point them at the link I just pasted. that link is access controlled and won't work for anyone who isn't an advisory member, but part of the problem is getting people's attention so I am urging people there

<sandro> scribenick: sandro

<astronouth7303> Does the living document route work for other specs?

<astronouth7303> Can we move back to cr?

cwebber2: There are some proponents of living documents

<tantek> aaronpk go ahead

aaronpk: Living specs have worked well for other things.

sandro: They wouldn't be at W3C

cwebber2: Community groups don't have authority to publish Candidate Recommendations, etc.
... only Community Group documents
... Maybe not a lot of interest from W3C paying members.

<Zakim> tantek, you wanted to answer as requested

tantek: good summary, living specs can work well, eg WHAT-WG,
... and then submitted to W3C

<evan> I actually do have thoughts on this current topic now

tantek: Challenge if it's already at w3c, like AP, but it doesn't mean there's no option
... we can have the last CR say where you go instead, eg pointing to github for spec. Implementors have learned to look for stuff like that. So it's not the gold seal of approval, but there is a path forward.
... in spirit that's what a standard is about. So I tend to be for that sort of thing.
... personal opinion

<DenSchub> evan++

<Loqi> evan has 2 karma

evan: I feel like Mastodon, recent popularity, seems to indicate this space is going to be much more driven by what's out there. Which leads me to living document. People will use what's in use.

<tantek> I also agree, W3C works best when it documents emerging interoperability

<tantek> rather than legislating

Rushyo: In terms of deadline, that was created before Mastodon movement,

<cwebber2> sandro: that's exactly the argument I made, a few years ago there was business intro in open social and that died down, but I'm trying to make the argument that there's reason to see excitement and the Mastodon stuff shows interest / value

<astronouth7303> sandro: +1 business discussion


cwebber2: I'm part of Verifiable Claims work, representing spec-ops, but I'm acting independently here

<ben_thatmustbeme> random aside, i released a new version of the microformats-ruby gem, includes a console based fetch and parse to json of any mf2 page, which includes most of the social sites here



cwebber2: Please fill this out! For weekly meeting times!


<Loqi> [sandhawke] #2 Meetings (perma-issue)

<tantek> githubissue++

<Loqi> githubissue has 1 karma

<ben_thatmustbeme> githubissue++

<Loqi> githubissue has 2 karma

<geppy> (nota bene, that issue is how I remembered today's call)

<albino> can we not just announce these things in irc topic?

<aaronpk> all of the above!

<MMN-work> I thought it worked well with cwebber2 reminding via XMPP :]

aaronpk: issue/2 is where the discussion happens, NOT an issue of where the discussion should happen

<wilkie> I definitely need these reminders heh

Discussion of ActivityPub

evan: Nice new stuff in draft
... as an implementor what's giving me a headache is authn/authz
... is there something we can do to make sure folks are doing the same thing, and it's secure?

cwebber2: Spec goes in two directions at once for auth
... there was a discussion a few weeks ago. I'm still a bit lost about OAuth2 mechanisms
... minimal is bearer tokens, ....
... we have stuff in spec, but what are implementors comfortable with?
... some people are allergic to signatures, and some people want to see signatures

evan: I've been playing around with HTTP signatures and Linked-Data Signatures. This is not my area of expertise. But once I figured it out, it was fairly straightforward. Unlike OAuth which has a lot of question marks.
... few areas to diverge.
... which is good

cwebber2: I agree, but I know there are disagreements
... maybe we can try interop
... I don't think we'll be able to make this as 'authy' as we'd like in the timeframe we have

+1 getting interop working

aaronpk: Not to derail, but there is an alternative to auth, which is how WebMention solves it, with just using dialback
... Avoids need for authentication
... is there a way to do that with AP?

evan: I was already doing those round trips in my impl

cwebber2: Unless you don't have permission

aaronpk: Private WebMention solves this!
... Does not solve all auth, just makes private dialback work


cwebber2: Is this similar to EvanP's two-legged dialback?

aaronpk: Very specific way to get token

evan: Is this useful for the other places we need auth?
... Like when a server needs ...

aaronpk: This is server-to-server only

<Zakim> cwebber, you wanted to mention

cwebber2: Link to evanp's dialback stuff that uses currently. Maybe aaronpk you can talk to evanp ?

<aaronpk> ( here's the actual spec link:


Controlling Availability To Search

<Loqi> [sandhawke] #221 Controlling availability to search

<cwebber2> sandro: I want to go meta for a second, is this 5 more minutes or do people want to go longer?

<DenSchub> (somewhat off-the-record, but i'd like to join any discussions, aaronpk and evan. the missing/undefined/imprecise definition of signing is one of the main issues we have right now)

<cwebber2> sandro: do we want to extend for 35 minutes from now or wrap up in next 5 minutes?

+1 extend 30 mins

<cwebber2> +1 on extend to 15-30 mins

<knutsoned> +1 extend

<evan> +1 extend

<DenSchub> +1

<MMN-work> 0

<ben_thatmustbeme> 0

<tantek> +1 extend

<Rushyo> 0

<astronouth7303> +1, but I'll only have 15 or so

<ben_thatmustbeme> i won't be able to talk though

<aaronpk> DenSchub, i'd be happy to!

thanks aaronpk

<cwebber2> scribenick: sandro

<cwebber2> scribenick: cwebber2

sandro: I made this because there was a big mastodon thread on mastodon a while ago... someone made a search engine that gathered stuff from public timelines and allowed search, which many of us found useful, but some people were extremely upset about. The person who brought it up took it down again because they didn't want to upset people. In the github thread you see me going back and forth with one of these people to deal with it.

as a programmer I like to say "if I have access to this why can't I index it etc". But there are users who want this functionality, but is there something we can do to balance what different parties want here?

<Zakim> DenSchub, you wanted to add some user-perspective context

<sandro> DenSchub: we had the same discussion over and over again, on diaspora, public and private stuff

<scribe> scribenick: sandro

UNKNOWN_SPEAKER: we worked around it by adding robots.txt
... that seemed to make most users happy

<tantek> DenSchub++

sandro: that wouldn't make me, as a user who wants to search, very happy

<tantek> I appreciate the user-privacy by default design

DenSchub: We were marked as private social network, so this (non-google) approach seemed to make our users happy

<tantek> opt-in would be nice if people really want their posts indexed

sandro: that makes sense

<Zakim> MMN-work, you wanted to describe GNU social stance on public posts

MMN-work: gnusocial idea about this is we never say anything is private
... you can never guarantee the remote side in a federation will honor anything
... as long as the admin can read it, the remote side can publish
... we even license the content as CC-attr so there is explicit permission to replicate posts
... it's important to be clear about this
... of course Diaspora* is marketed as private, but I don't see how you can do that without explicit e2e crypto
... we're very open about this
... so transparency

<tantek> interesting, in contrast email "seems" to work for private by default (as long you don't get phished by Russians :P )

MMN-work: with Mastodon introducing scoping, ... it doesn't work in Federated environment

Rushyo: The Mastodon ecosystem has a very wide variety of different privacy expectations. Some enforced by tech, some social

<DenSchub> tantek: you still have to somewhat trust the mail server

Rushyo: an instance might have a whitelist, with other instances that will use data responsibly
... lots of instances have users with privacy requests

<tantek> DenSchub: yes, that's my point. somehow mail servers have evolved to trust each other

Rushyo: with Mastodon it's all kinds of gray (colors!)

<tantek> though I agree end to end encryption is preferable :)

Rushyo: posts sent to an instance, but ... only some interface ... some instance rules, ... unless enforced by some kind of 'treaty', it works or doesn't if someone tries to abuse it
... it gets really complicated and messy

<DenSchub> i always argue with "it's clear what server you're sending to, so if you don't trust the server, do not send your messages there" in such discussions about diaspora

Rushyo: the implementation is relatively naive, but social seems to work

<MMN-work> +1 rushyo

<DenSchub> but that's just the user's feelings, not actual technical facts

Rushyo: search engine tramples on this, race to bottom, we'll get technical blocks

<MMN-work> (how did you do the karma thing?)

Rushyo: one of the reasons behind 2crypt is to create minimum baseline

<cwebber2> MMN-work, foo++

Rushyo: person to person solution

<MMN-work> rushyo++

<Loqi> rushyo has 1 karma

Rushyo: for groups across federation you'd need something else
... anything more than 2crypt is going to need some kind of agreement
... maybe just don't subscribe to people who want high privacy?

evan: Mostly agree with MMN-work that nothing is private unless end-to-end encrypted
... nothing is really private on FB and Twitter, right? But you can indicate that things are generally going to be private?
... I'm really sympathetic to desire to avoid harassment
... but systems need to acknowledge that there will be bad actors
... so unless there's access control, it is searchable.
... robots.txt is helpful as a hint, but the problem is
... people want a guarantee of privacy. Without e2e, private posts are the only answer

<DenSchub> evan++

<ben_thatmustbeme> evan:++

<MMN-work> evan++

<Loqi> evan has 3 karma

<ben_thatmustbeme> evan++

<Loqi> evan has 4 karma

cwebber2: a few things going on here

<tantek> FWIW FB has "public" posts that are only "public" to logged in users. Not available to search engines or non-logged in users.

cwebber2: at one end gnusocial, everything is public
... some ability to do private, but not much
... Mastodon is in between
... at the other end is end2end encryption
... but people can still break that trust

<Rushyo> cwebber++

<Loqi> cwebber has 20 karma

<ben_thatmustbeme> indieweb tends to do that same of 'everything is public' by default and a few have experimented with access controlled posts

cwebber2: in the middle we have email, esp unencrypted email
... if I send to a public mailing list
... if I send to just Tantek, I don't expect it to end up in Aaron's inbox
... maybe gmail or NSA can screw with that, but there's still an expectation of privacy
... maybe a DRM solution would help, but we don't really want that either
... on this AP issue, can/should we add anything?
... right now, it's a lot like email, with also a Public destination
... some risks
... if you say 'do not index' that's kind of a flag that'll get you attention
... my feeling is we should say it's email like
... we can add other flags, but let's be careful

+1 modeling it like email

<astronouth7303> (sorry, phone) I have two thoughts on this topic:

<astronouth7303> 1. I think that there should be room for different providers to compete while maintaining interop

<astronouth7303> 2. S2s auth has a role in this

<cwebber2> astronouth7303: ACK when done :)

<astronouth7303> Verifying the provider making the request means you can enforce some level of acl

<wilkie> it just needs to be clear that any extension that adds a form of e2e crypto or privacy creates messages that are ignored by implementations that do not understand them, which can be done by an extension that creates a new inbox for encrypted private messages

<wilkie> I look forward to seeing such extensions

<Rushyo> (which is how TootCrypt works, extensions be damned ;])

cwebber2: EvanP suggested a public-no-indexing inbox maybe

evan: astronouth7303 made a good point. We could consider, maybe in an extension, rather than auth'ing as user, when fetching an outbox, a search engine could have to provide some proof that it's the user it says it is. So a bad actor
... a harassment-centric search engine, you could black-list it.

<scribe> scribenick: sandro

cwebber2: diaspora, because of "own your data", and Mastodon fear of harassment

<Zakim> tantek, you wanted to give a personal user anecdote example using robots.txt to block bots from my blog for its first two years felt "good enough" and then afterwards I changed

tantek: I'm personally really interested in seeing this solved
... use cases like privacy and avoiding abuse

<Rushyo> tantek++

<Loqi> tantek has 55 karma in this channel (342 overall)

tantek: are pretty important to making a difference with federation
... very happy to see this much work
... has "safe-replies"

<MMN-work> +q to discuss technical and social problems

tantek: when I started my blog, I used robots.txt, because I didn't want results from search engine folks
... I wanted to blog freely, and mostly be seen only by people who knew me
... but then I wanted my CSS stuff to be found
... maybe I want per-post robots.txt
... I worked for technorati, blog search engine, before twitter had search
... and we had this challenge as well
... google sucked for indexing blogs, but we were really good at it, they pinged us
... we ignored robots.txt because we were being requested to crawl
... sometimes people complained, and when someone complained, we took them out of the index
... and generally people found that acceptable.

<geppy> Does anyone respect <meta name="robots"...> or whatever it is?

tantek: so I think there is a social evolution aspect here
... good social engine actors, respecting people's requests, that will be self-reinforcing I think
... but then there are bad actors I have to block from my site

cwebber2: I think part of this is an expression of intent.
... important but tricky

<scribe> ... ongoing

UNKNOWN_SPEAKER: from Mastodon side, seems to be about abuse-mitigation, which is in-scope for this group
... we don't have tooling as good as we'd like
... anti-abuse stuff has come up a few times

<ben_thatmustbeme> anti-spam interesting bit for webmention

UNKNOWN_SPEAKER: blocking search engines might be enough, might not

<Zakim> cwebber, you wanted to discuss abuse briefly

UNKNOWN_SPEAKER: sandro mentioned possibility that someone could still implement a search used by abusers, might be most desired by them, could be flag in opposite direction. I think we have to do a lot of work on anti-abuse tooling.

evan: In terms of how there wasn't a race to the bottom in Diaspora, the problem isn't just technical. I think Mastodon is probably more lgbt / social justice aligned, which indicates to me it would be much more likely for a group of tech-savvy harassers to WANT to break in,
... because of the dynamics of that sort of culture war
... "nobody has built a harassers search engine yet" might attract bad actors

DenSchub: The problems we had weren't really technical, because we always claimed public posts are public and visible to anyone, but there were
... still a lot of misconceptions about what Public means.
... not a technical problem, psychological problem. Not a lot one can do in spec.
... clear from technical side, but user's feelings are sometimes a little bit tricky to understand.

<Zakim> MMN-work, you wanted to discuss technical and social problems

MMN-work: most has been said, but re race-to-bottom
... I don't know if I've given up on technical
... but the idea behind
... if there's some way to encourage people to create nodes that are not huge mega-nodes
... it's much better. Small, community/friend instances, that kind of size is much better, because then admin/community solves moderation issues

<Rushyo> MMN-work++

<Loqi> mmn-work has 1 karma

MMN-work: if the network is properly federated it won't be possible to keep white/black list without very good community moderation
... probably not in scope for AP
... Community for moderately sized instance, vs mega-nodes

cwebber2: People would probably agree smaller instances makes moderation easier

<tantek> sandro++ for minuting

<Loqi> sandro has 37 karma in this channel (44 overall)

cwebber2: Let's wrap up, postpone anything else to next week

<tantek> cwebber++ for chairing!

<Loqi> cwebber has 21 karma

<cwebber2> and thanks sandro for scribing :)

<cwebber2> sandro++

<Loqi> sandro has 38 karma in this channel (45 overall)

<astronouth7303> Yay! My plane has not taken off yet!

cwebber2, I don't actually know what we do with minutes for the CG

<Loqi> 😃

<cwebber2> astronouth7303: :)

<tantek> also

<tantek> Mumble++

<Loqi> slow down!

<tantek> lol

<DenSchub> karma overflow

<cwebber2> sandro, last week we posted to

<DenSchub> oh, hold on. next week will be on the same time, right?

<astronouth7303> I have Opinions and would like to be part of several future discussions

<cwebber2> trackbot, end meeting

Summary of Action Items

Summary of Resolutions

[End of minutes]