Bluesky Dev
Community discussion of the AT Protocol and Bluesky. (This room is not officially affiliated with the Bluesky team.)
Mon, Apr 24, 2023
- rawkode
- damon/
- George Antoniadis
In reply to this message
Not sure how that could be done without these services to support atproto's plc did.
Maybe through a series of "verification" providers/services? Similar to how they plan on dealing with moderation and content discovery.(edited) - @planetoryd:matrix.org
- @planetoryd:matrix.org
- rawkode
In reply to this message
This seems like a challenge the protocol may need to solve for wider adoption. The narrative of people owning their data is great, but if it cant be expanded it may miss the mark - @planetoryd:matrix.org
- George Antoniadis
In reply to this message
The lexicon is really open, anyone can create their own schemas.
Yes, it's currently narrow, but that doesn't stop anyone from introducing new schemas to it. - snarfed
In reply to this message
right, and they've actually thought a fair amount about this, eg hoping to see a de facto standard clearinghouse/repo emerge for community schemas. thought I might have captured that in https://github.com/bluesky-social/atproto/discussions/855 , guess not, may be in this channel's history - @planetoryd:matrix.orgjust wrote a short criticism on activitypub https://reddit.com/r/Rad_Decentralization/comments/12v4v98/can_activitypub_save_the_internet/jhgjntr?context=3
- rawkode
In reply to this message
Yes, but if bsky doesnt merge them and they cant be supported dynamically, then people need a PDS and identity for each type of content? - snarfed
- George Antoniadis
In reply to this message
Right now the only PDS is the bsky one which most likely doesn't support random schemas as it's designed as a micro blogging service.
That doesn't mean people won't be spinning up PDSes that are general purpose in the future. Think of it like dropbox.
You register, pay for storage, and you can hold any schemas you want.The main issue right now with this ^ is that right now from what I understand the server implementation is both a PDS as-well-as a bsky-server that is needed for the client to work. I think that these will eventually need to be decoupled to two distinct servers/services for what we're discussing to work nicely.
- @planetoryd:matrix.org
- rawkode
- snarfed
In reply to this message
PDSes and app servers are decoupled logically and semantically, but I think you're right that right now it's implicitly expected that they're generally colocated in the same service. I don't think that's a strict req't though - George Antoniadis
In reply to this message
The main issue right now that I see is that you can't use bksy as a client with another PDS.
You will soon be able to federate with another PDS, but you won't be able to provide your credentials to another PDS and use it from the bsky client. -- This is specifically a restriction of the current bsky implementation though and nothing stopping other clients from not behaving this way, or bsky to allow you to connect to third party PDSes. - snarfed
In reply to this message
hmm, that doesn't sound right? I think at least the current mobile apps explicitly include a "choose your server" step in onboarding - George Antoniadis
- snarfedno, true, you're right. the line btw app server and PDS is currently fuzzy at best, and I don't think they currently allow explicit decoupling. maybe eventually! as with most of the current design, it's not "this is a permanent, deliberate decision" as much as it's "one of many good ideas that we'll get to eventually"
- George Antoniadis
In reply to this message
Yeah 100% agree, what they are doing is the best thing they could have done as it allows them to move fast. - George Antoniadis
- ilcergioNeed Bluesky invite code maildiscapacidad5@gmail.com
- retr0id
- retr0id
RE: placeholder did https://github.com/bluesky-social/did-method-plc
The DID itself is derived from the sha256 hash of the first operation in the log. It is then base32 encoded and truncated to 24 chars.
According to my calculations, it is computationally feasible (on the order of "a few thousand dollars") to generate a hash collision of this truncated length. i.e. to generate a pair of new identities with the same ID string - but not to match with a chosen existing ID (aka a preimage attack). I don't yet have a very solid understanding of the rest of the protocol, so I'm asking here, would there be any security implications of generating such a collision?
(edited) - George Antoniadis
In reply to this message
Well at least you can ban people out for just having agreed to the rules :P - George Antoniadis
In reply to this message
Main challenge in terms of compute would be that in order to do anything meaningful with this attack you'd still need to have generated a valid create operation for that did. - George Antoniadis
In reply to this message
yeah, it's something like
12345678910
{ type: 'create', signingKey: 'did:key:zDnaejYFhgFiVF89LhJ4UipACLKuqo6PteZf8eKDVKeExXUPk', recoveryKey: 'did:key:zDnaeSezF2TgCD71b5DiiFyhHQwKAfsBVqTTHRMvP597Z5Ztn', username: 'alice.example.com', service: 'https://example.com', prev: null, sig: 'vi6JAl5W4FfyViD5_BKL9p0rbI3MxTWuh0g_egTFAjtf7gwoSfSe1O3qMOEUPX6QH3H0Q9M4y7gOLGblWkEwfQ' } ``` (from the docs) In reply to this message
what is the signature algorithm btw? I can't see it mentioned anywhere obvious- George Antoniadis
In reply to this message
correct, but I just assume it will be much more expensive if you're limited to the ut8 space for usernames, given length, and then you need to also calculate a signature here's a collision with 24 matching hex digits (not base32!) that I generated in ~hours of GPU time the other day
1234
$ echo -n retr0id_662d970782071aa7a038dce6 | sha256sum 307e0e71a409d2bf67e76c676d81bd0ff87ee228cd8f991714589d0564e6ea9a - $ echo -n retr0id_430d19a6c51814d895666635 | sha256sum 307e0e71a4098e7fb7d72c86cd041a006181c6d8e29882b581d69d0564e6ea9a -- retr0id
- jamanfredi
- Kjartan
- @dream:envs.net
- panji.bsky.social
In reply to this message
<
@alrozzi:matrix.org> Anyone got an invite for me?This is a developer room, please don't ask for invite codes here
- snarfed
- Kjartan
- snarfed
In reply to this message
https://github.com/bluesky/atproto/blob/main/packages/lexicon/ has the team's code for doing it in typescript, or you can just decode the JSON directly(edited) In reply to this message
the response gives you the PDS's DID. right now the server will pretty much always bebsky.social. you can check that for a given did:plc with https://plc.directory/did:plc:...- George Antoniadis
In reply to this message
There is a notion of a plc directory (https://plc.directory), not sure if there is documentation around it though yet. - Indigo for example gets a PLC registry as an argument, so I can only assume there will be a bunch of available registries with the first/main one beingplc.directory. https://github.com/bluesky-social/indigo/blob/f1f2480888ab5d0ac1e03bd9b7de090a3d26cd13/cmd/gosky/admin.go#L37
- rawkode
- George Antoniadis
- George Antoniadis
In reply to this message
Sorry by "currently" I meant that I'm not sure what the future holds.
As far as we know there isn't a plan to use ipfs for atproto.
It is using XRPC over HTTP. Federation is currently being worked on, but will also be over XRPC, -- again, AFAIK.(edited) - @tayyabrazin:matrix.orgRequest for Invited Code for Bluesky I am writing to express my interest in joining Bluesky, the new social media platform that is creating a decentralized protocol. I believe that Bluesky has the potential to transform the way that we interact with each other online and I am excited to be a part of this initiative. I have heard that Bluesky is currently invite-only, and I would be grateful if you would be able to provide me with an invite code to join the platform. I am confident that I would be able to contribute to the community on Bluesky and provide valuable insights and perspectives.
- rawkode
In reply to this message
OK. I’ll try and find some issues on GitHub for federation. Ive made too many assumptions. - snarfed
In reply to this message
it's definitely early! they haven't fully published the technical details of their federation plans yet. sounds like they're imminent though. George Antoniadis is right, we have an educated guess at the relatively complete picture, it's probably based on thecom.atproto.sync.*methods for data transfer and the commit hash chain and MST for data model synchronization and merging. no IPFS involved - achuvyas
- rawkode
- achuvyas
- whyrusleeping
- George Antoniadis
In reply to this message
whyrusleeping since you're around, ^ this one is an interesting one that we really don't seem to know much, do you know if there are any docs or notes on how plc directories/registries are going to work? - snarfedhttps://atproto.com/specs/did-plc is decently descriptive, even if it doesn't enumerate API endpoints. my guess is, they don't want did:plc to get so entrenched or formalized that it syncs across registries or otherwise provides long-lived guarantees, Certificate Transparency style, but I don't know for sure
- George Antoniadis
In reply to this message
considering that the plc did seems to be chain of operations that an arbitrary/malicious did registry could fake or stop accepting updates, I'm kind of expecting pdses to be asking more than one plc registry. -- KERI does something similar and it basically considers each registry a "witness" so they keep each other honest. - retr0id
- @tayyabrazin:matrix.orgOne invited Code please please please please please please
To this email addresstayyabhussin988@gmail.com - George Antoniadis
- George Antoniadis
- @tayyabrazin:matrix.org
- @00c:matrix.org
In reply to this message
I don't have an invite code and I want it. But this room was not created for that purpose, so please don't ask invite code in this room. - douganderson444
- @planetoryd:matrix.org
- George Antoniadis
- @planetoryd:matrix.org
- wdprobably a repeat question -- if I'm interested in self-hosting an instance, is that something I could do today while interacting w/ the rest of the ecosystem? or is it still a bit experimental? for context I have azure credits to light on fire as well as capability of home-hosting and a plethora of experience running daemons (I did a bit of searching of the chat and was hoping for a pinned 'RTFM' for this but failed to find anything obvious so now I'm being lazy :) sorry!)
- snarfed
- wd
- snarfed
- thebennyboy
- nipperinshorts
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
In reply to this message
rn the frontend isnt public code but the protocol code, typescript PDS + API is all on github - nipperinshorts
In reply to this message
Thanks! I wasn't sure if it was the case of it wasn't there yet, we're taking help to get there, or if it would ever be public. - lamrongolIn this time, about 3000 posts per hour and 50% is English, 20% is Portuguese and 10% is Japanese according to https://github.com/pemistahl/lingua .
Tue, Apr 25, 2023
- Chris Lace
- snarfedsaw enough questions and assumptions about Jack and Bluesky's ownership and structure here that I ended up collecting everything I'd heard so far: https://snarfed.org/bluesky-corporate-ownership-and-structure
- lamrongol
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
- lamrongolSorry, I mean "accounts that don't have DID" is default domain("bsky.social").
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
- lamrongol
In reply to this message
Yes, I think it is desirable to display some kinds of mark for accounts that have custom domain. In reply to this message
In addition, I think it is also needed a reminder message of a domain itself is real.- moved to @shreyan:beeper.com@shreyanjain:matrix.org
In reply to this message
I dont know if this would actually be helpful because as Paul said on BlueSky earlier, custom domain doesnt necessarily mean authentic. e.g. anyone can just buypfrazee.xyzand then verify that and pretend to be him if we assume some sort of "verification" from that - wdI would assume that when I can host my domain etc that the simple indicator of a domain-specific account is enough -- it removes any concern about, e.g., "verified" users fromwashingtonpost.comor whatever -- if you're posting from the domain you clearly are authorized.
- lamrongolWe are developers and have some knowledge, however, common people may not check an account has custom domain. and if an evil person have "washingtnpost.info"('o' is removed and "com" is replaced "info") domain, people may think the account is real because it have "custom domain".
- wd
- pizzaknight
In reply to this message
These offer a solid solution path around the issue wd has brought yp. Ultimately clients will also have to play their part by signaling/highlighting accounts based on their own registry of identifiers and verifiable credential checks. The onus will be on casual end-users to use the most appropriate/recommended clients(edited) - wd
- pizzaknight
In reply to this message
exactly. this will require the creation of client-level standards and conventions. - snarfed
- lamrongolI may not be able to understand conversations because my English or skill level is low, only thing I want to say is a way to prevent identity theft is needed. Bluesky team also prevent impersonation https://staging.bsky.app/profile/bnewbold.bsky.team/post/3ju3rgczmfl2h https://staging.bsky.app/profile/bnewbold.bsky.team/post/3ju3rhsie7322(edited)
- pizzaknightAbout Verifiable Credentials, recommend checking out: https://atalaprism.io
- KjartanA probably very stupid question, but without asking, I might never know: Why isn't there just another TXT record pointing to the used PLC directory (assuming there will be more than just https://plc.directory in the future)? Or the already existing record could just have the plc directory added (like
did:blablabla;pd:plc.directory). I'm sure the idea isn't new and that it was simply decided against it - I'm just curious for the reasons - Aakash Bhadu
- @planetoryd:matrix.org
- Aakash Bhadu
- @planetoryd:matrix.org
- Xe Iaso
- Aakash Bhadu
- George Antoniadis
In reply to this message
You can run a pds, but the uses on that pds will one see each other and their posts.
Your users can use the official bsky app to connect to your pds.
Once federation is done and deployed your pds should also be able to communicate with the bsky and other ones as well.
The pds server is available on the gothub repo.
- Agusti
- pablo_clueless
In reply to this message
I beg to differ on the matter of authenticity. If left to clients to verify and manage, then there's still room for fakers to gain ground. The onus is on bsky, or other PDS, to issue this icon/mark of authenticity. - robertvh
- SoliHi everyone, I have been trying to get an invite for a while and thought I might get lucky on here. This is my personal website: https://soliman.life/#/. I have been an early adopter and most social media apps and would love to see what bluesky has to offer. I will probably host on my domain too undersoli.blueonce I get access (If I understand this correctly). Would really appreciate an invite.
- Aakash Bhadu
- RojHey there, this PR is ready for review now. Sorry about the the title edit spams. https://github.com/bluesky-social/atproto/pull/894
- pizzaknight
In reply to this message
then what you're asking is for providers to become the root of trust/source of truth, at that point you don't need bluesky or anything else, facebook and twitter do this just fine. it's essentially antithetical to everything being built here
clients utilising a registry or parsing verified credentials from the protocol for the purpose of indicating authenticity is merely an abstraction to streamline general UX.
users won't and don't have to depend on their providers as they can self-certify and verify these same facts at the protocol level independently.
(edited) - snarfed
- the canonical example is, say I want to follow Taylor Swift. there are multiple accounts that seem like her, and multiple have self certified (say) their DNS domains, but I don't know which is her real web site. Is ittaylorswift.com?tayswift.com? something else?
- organizations that verify identities manually can help solve this. bluesky's approach of https://blueskyweb.xyz/blog/4-13-2023-moderation is nice in that there can be multiple to choose from, with different processes etc, ie no single forced authority like facebook or twitter
- snarfedhas anyone figured out how to sign repo commits yet? specifically, the
sigfield here: https://atproto.com/specs/atp#repo-data-layout - Then the actual signing is done here: https://github.com/whyrusleeping/go-did/blob/master/key.go#L67-L91
- snarfedwhyrusleeping: ah thanks! I found https://github.com/bluesky-social/atproto/blob/main/packages/repo/src/util.ts#L238-L248 and the crypto package too, but wasn't sure if the current sigs are secp256k1 or P-256
- @10allday:matrix.org
- @tayyabrazin:matrix.org
- snarfedwhyrusleeping: have you all settled on the supported ciphers? eg Ed25519 seems to be in Go but not TS. should I stick with, say, P-256 for safety?
- @tayyabrazin:matrix.org
- nipperinshorts
In reply to this message
Not gonna happen in here. This is for engineering discussions.
Also, try not to spam repeatedly. - @tayyabrazin:matrix.org
- naim
- pfrazee
- stienmanhttps://atproto.com/guides/overview#speech-reach-and-moderation - seems to imply that indexing services (reach) are probably closed endeavors and there's very little information on what a "good" (in all senses of that word) indexing service should implement, nor any examples, discussion, or code towards that end. Is discussing and defining this relatively important part of the puzzle being left for later, or happening now but not openly, or happening somewhere I just haven't found yet?
- Aaron Goldman
In reply to this message
This may end up split. With a server push informing your client that a repo they follow has a new head. Then the client can fetch at it's convenience. - snarfed
In reply to this message
apart from moderation tools, https://blueskyweb.xyz/blog/4-13-2023-moderation , other work around global indexing services seems left for later so far - moved to @shreyan:beeper.com@shreyanjain:matrix.org
In reply to this message
LinkedIn recently added this, using Verifiable Credentials, surprisingly enough. - snarfed
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
- snarfed
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
- Aaron Goldman
- mikuhlReady to start implementing zaps when you guys allow creating records in unknown collections. https://cdn.discordapp.com/attachments/1100630242852352031/1100630411870216274/image.png
Wed, Apr 26, 2023
- George Antoniadis
In reply to this message
Would they be a different collection/repo/whatever or just additional attributes on posts? - ifeeltiredboss
- jesopo
- jesopothis room isnt "on"matrix.org; the room's alias is
- ifeeltiredbosslulz.matrix.orggoes down and the room is gone as well
- @neilalexander:matrix.org
In reply to this message
No, the alias to the room might be onmatrix.orgbut the room will continue to exist on all other participating servers - ifeeltiredboss
- jesopo
- naz
- panji.bsky.social
In reply to this message
This is a developer room, please don't ask for invite codes here. You can personally DM @whyrusleeping on twitter. - nazno worries. not asking for anything :) I'm an OSS contributor myself - https://github.com/naz
- George Antoniadis
- @planetoryd:matrix.org
- mikuhl
In reply to this message
They said that adding fields to schemas that aren't yours is frowned upon, so I would use new schemas / collections - Aaron Goldman
In reply to this message
Some times I want to point people back to old-school SQL many-to-many relationships. You can link to tables you don't have permission to add collums to by making a table that foreign keys off to both of them. If you want to add a field to a lexicon you don't own Make one you do own and reference the other record - @10allday:matrix.org
- @10allday:matrix.org
In reply to this message
This would ensure that everything is truly decentralized and cannot be taken away without approval from IETF. In reply to this message
Because you only need one unrevokeable ip address to then send incoming traffic to another ip address run by other users. (The IPs used by users would be the only revokeable ones used.)In reply to@10allday:matrix.org
This would ensure that everything is truly decentralized and cannot be taken away without approval from IETF.(edited)- @10allday:matrix.org
In reply to this message
Who is the CEO of Bluesky, PBLLC. Are they able to respond to these messages as they are in charge of the organization? - @10allday:matrix.orgLet's say ipv4 33.87.150.174 is permanently unrevokeablly mandated by IETF to be used to let people connect and receive a list of all servers running atproto, these servers would be connected to the root zone of atproto. (If it were to exist) This is what would further decentralization as the ip address would always be used to let clients search for servers.
- @neilalexander:matrix.org
In reply to this message
And absolutely nothing would stop any network or ISP from directing traffic to that IP to something they control instead, so it is still a very bad discovery mechanism - @10allday:matrix.org
- @planetoryd:matrix.org
- @10allday:matrix.org
In reply to this message
This is the only option that can be put in a configuration file and still have it work forever as long as ICANN and IETF honner standards. - @neilalexander:matrix.org
- @planetoryd:matrix.org
- @10allday:matrix.org
In reply to this message
The only option in that case would be using radio communication for peer discovery. - @planetoryd:matrix.org
- KjartanI'm not sure about this: Are the records ofplc.directoryto be trusted? Or would a client, pds server, etc, still have to verify the information of the directory?
- Because: if the information is supposed to be reliable, it seems to me, that it is not (yet); and if it's not supposed to be reliable and needs verification, then I'm not sure if I understand the point of the plc directory, as the information could be probably gathered at the same spot where it would get verified - or am I missing something?
- Aaron Goldmanplc.directoryis being trusted to provide ordering. Imagine you have a did:plc and have added the two keys. One is in your laptop's TPM the other is in your phone's TPM. They each attempt to revoke the others key. Who's update is successful in revoking the other and who's is rejected. One of the updates needs to be first and one second. This ordering is the value ofplc.directoryas an append only log.
In reply to this message
The server is not trusted with updates to DID Documents just with ordering the updates.- @10allday:matrix.org
- @10allday:matrix.org
- snarfednothing's written in stone. auto renewing DNS domains depends on registrars, IP addresses depend on IANA and BGP from tier 1 carriers, private keys depend on memorizing passwords or otherwise keeping them safe, without any recourse if you forget them. protocols depend on standards bodies, implementors, organizations that all have governance in some form.(edited)
- the best and maybe most famous description of this is Loop Etiquette: I thought using loops was cheating, so I programmed my own using samples. I then thought using samples was cheating, so I recorded real drums. I then thought that programming it was cheating, so I learned to play drums for real. I then thought using bought drums was cheating, so I learned to make my own. I then thought using premade skins was cheating, so I killed a goat and skinned it. I then thought that that was cheating too, so I grew my own goat from a baby goat. I also think that is cheating, but I'm not sure where to go from here. I haven't made any music lately, what with the goat farming and all. https://www.mnml.nl/phpBB3/viewtopic.php?f=17&t=62658&hilit=goat&start=16(edited)
- @10allday:matrix.org
In reply to this message
The internet engineering task force sets things into stone, can't the v1 standards of atproto be submitted as international standards? - snarfed
- @10allday:matrix.org
- Aaron Goldman
In reply to this message
I would hope the immutable legger moves to something more decentralized before 100 years.
Yeah now the legger is
plc.directorybut in the long run it is whatever the PDSs decide to trust. - elmustachioI'm seeing a lot of questions here I answered in this feature about Bluesky: https://www.forbes.com/sites/digital-assets/2023/04/25/twitter-hatchling-bluesky-emerges-from-its-shell/?sh=ffbece5c21a7 Hopefully it's helpful!
- snarfedembrace evolution, flow like water, that's more likely to keep things alive than trying to harden them into bunkers. ASCII text and HTML documents will survive for a long time, but only because we keep copying onto new hard drives, LOCKSS style, not because we back them up on tape and put that in a vault underground(edited)
- @10allday:matrix.org
- Kjartan
- snarfed
- elmustachio++ awesome thanks! also https://snarfed.org/bluesky-corporate-ownership-and-structure
- Kjartan
- snarfed
- Aaron Goldman
- Kjartan
- Kjartan
- bangerrang
- Kjartan
- Kjartan
- snarfedyou'd use the recovery key to change your DID doc: https://atproto.com/guides/overview#account-portability
- Likegates.microsoft.com🤭
- snarfed
- Aaron Goldman
In reply to this message
Think of it as mutual auth.
If I have the DID in the DNS text record I have half a binding.
If I have the domain name in the DID Document I have half a binding.
If I have both then I have bound a DID to a DNS name. - KjartanI have registeredgates.microsoft.comwith theplc.directory. I have neither control over the dns, nor the pds it was officially registered with.
- Aaron Goldman
- snarfed
- Kjartan
In reply to this message
But if that means that Mr Gates cant getgates.microsoft.comthis would be bad.
But yeah, another case, even if everything gets checked properly, is that I can get a domain which was already used on a plc. The handle shouldn't stay any longer in the control of the old did holder - snarfed^ you registeringgates.microsoft.comdoesn't necessarily prevent him from using it. its DNS TXT record doesn't point to your DID, so no complete binding has happened
- anyway, they're actively working through all this, eg the issue above, https://github.com/bluesky-social/atproto/issues/837 , etc
- Kjartan
In reply to this message
But as far as I see it, this prevents now any other did from changing to this handle on the plc - Aaron Goldman
- Kjartan
- Kjartan
In reply to this message
I would say accept it. But release it when someone else tries to "claim" it legitimately - Aaron Goldman
- Kjartan
- snarfedthere can be two TXT records 😀 https://github.com/bluesky-social/atproto/issues/837
- Kjartan
- Kjartan
- Aaron Goldman
- mikuhl
- mikuhl
- its embedding a post fromillumi.bsky.social
Thu, Apr 27, 2023
- Peter Fritz
In reply to this message
Hi, you probably don't need an invite nor access to Bluesky right now. Soon everyone will be able to join without an invite.
Furthermore, this channel is intended for developers interested in the AT Protocol and Bluesky, so it's not the best place to ask for invites. - @r_ob:matrix.org
- atomdmac
- Kjartan
- snarfed
- @r_ob:matrix.orgIt's gonna turn in another https://damus.io/ I guess.
- damon/
- atomdmac
In reply to this message
Based on this, it sounds like they received initial funding from Twitter but it's not clear to me how they currently keep the lights on. - snarfed
- snarfed
atomdmac: "
jack doesn’t have unilateral power. he has 1/3 influence on the board. i’m the CEO...i have the most control over this endeavor, and i’m grateful for everyone who’s trusted me with it." https://blue.amazingca.dev/?username=jay.bsky.team&postid=3ju6gsfeyda2j
- re how ATP differs from AP, a couple notable ones: 1) true account portability, even if your server goes offline or malicious. 2) support for centralized indexing, moderation, and feed algorithms by third parties. more: https://atproto.com/guides/overview
- atomdmac
In reply to this message
To be clear, I'm not blaming Jack for anything here :) I'm just saying that the centralized nature of the hosting makes me wonder if a "take-over" could happen again. - snarfed
- Brad Brownatomdmac: i think you want to distinguish between the current state of the service (one central server) from the planned state (unlimited federated servers) that is in-development now
- snarfed
In reply to this message
https://blue.amazingca.dev/?username=snarfed.org&postid=3ju7hcjsana2o (click on "More replies") - atomdmac
In reply to this message
Ah OK - so right now Bluesky is the only "instance" (to borrow a federation term) but others will be able to spin up instances later? - snarfedright. more on https://atproto.com/guides/overview
- Brad Brown
- @r_ob:matrix.org
In reply to this message
Thanks but you're just making me even more bullish to try this out. I'm coming from AP where I have an instance where I heard about AT. - snarfed
In reply to this message
I felt the same! I've implemented AP too, https://fed.brid.gy/ , I like both. fediverse can be big tent - anil dash has advocated for "big tent" (ie multi protocol) fediverse for a long time, eg https://blue.amazingca.dev/?username=anildash.com&postid=3juea365ir72c
- atomdmac
- damon/
- damon/re how ATP differs from AP, a couple notable ones: 1) true account portability, even if your server goes offline or malicious. 2) support for centralized indexing, moderation, and feed algorithms by third parties. more: https://atproto.com/guides/overview
- Brad Brown
- snarfed
- Kjartan
In reply to this message
In my case: I absolutely hate a few design decisions of mastodon (one example: the finger'ing instead of using dns records, like other protocols do). So I'm happy if there will be an alternative which fits more to my liking - atomdmac
- snarfed
- atomdmac
- snarfed
- Kjartan
- Aaron Goldman
In reply to this message
Nostr has individual notes as it's core objects where atproto has repositories. The relays are not tied to any particular publisher in the way that the PDS is expected to have all the content a DID published.
I generally think about the difference as a best effort distribution vs a completeness distribution.
- atomdmac
- snarfedAaron Goldman someday I need to talk you into this as a side project 😀 https://github.com/snarfed/bridgy-fed/issues/446
- Aaron Goldman
In reply to this message
Should this page include?
"
Company Name: BLUESKY, PBLLC,
File Number: 6282898,
Filing State: Delaware (DE),
Filing Date: October 4, 2021
" - Aaron Goldman
- KjartanIf one created an account via one of the official clients (staging.bsky.appor the apps for iOS or Android) - is there a chance to still get the recoveryKey or is this opportunity just lost forever?
- snarfed
In reply to this message
hah, maybe? I'm not really trying to reproduce DE Secretary of State or D&B records, but you're welcome to add it in a comment! - snarfed
In reply to this message
probably in the future. https://github.com/bluesky-social/atproto/issues/884 - snarfed
- @r_ob:matrix.org
- @r_ob:matrix.org
from
selenium.webdriver.common.byimport By
fromselenium.webdriver.support.ui import WebDriverWait
fromselenium.webdriver.supportimport expected_conditions as EC
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.common.action_chains import ActionChains
import time
import random
import stringdef generate_code():
return ''.join(random.choices(string.ascii_lowercase + string.digits, k=7))driver =
webdriver.Chrome()driver.get("https://staging.bsky.app")
time.sleep(3)wait = WebDriverWait(driver, 10)
wait.until(EC.presence_of_element_located((By.XPATH, "//div[@data-testid='createAccountButton']")))create_account_button = driver.find_element(By.XPATH, "//div[@data-testid='createAccountButton']")
create_account_button.click()
time.sleep(3)bluesky = driver.find_element(By.XPATH, "//div[contains(text(),'Bluesky')]")
bluesky.click()
time.sleep(3)next_button = driver.find_element(By.XPATH, '//div[@data-testid="nextBtn"]')
next_button.click()
time.sleep(3)invite_code_input = wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, "input[data-testid='inviteCodeInput']")))
email_input = driver.find_element(By.CSS_SELECTOR, "[data-testid='emailInput']")
password_input = driver.find_element(By.CSS_SELECTOR, "[data-testid='passwordInput']")
legal_check = driver.find_element(By.CSS_SELECTOR, ".css-175oi2r")
next_button = driver.find_element(By.XPATH, "//div[contains(text(),'Next') and contains(@class, 'css-1rynq56')]")next_
button.click()
time.sleep(3)wait.until(EC.presence_of_element_located((By.XPATH, "//input[@data-testid='phoneNumberInput']")))
while True:
invite_code = "bsky-social-" + generate_code()
ActionChains(driver).move_to_element(invite_code_input).click().perform()1234567891011121314151617181920212223242526272829303132
invite_code_input.send_keys(invite_code) email_input = wait.until(EC.element_to_be_clickable((By.CSS_SELECTOR, "[data-testid='emailInput']"))) email_input.send_keys("exemple@domain.com") password_input = driver.find_element(By.CSS_SELECTOR, "[data-testid='passwordInput']") password_input.send_keys("password") legal_check.click() time.sleep(3) next_button.click() time.sleep(3) try: wait.until(EC.presence_of_element_located((By.XPATH, "//div[@data-testid='someElementOnNextPage']"))) next_button = driver.find_element(By.XPATH, "//div[contains(text(),'Next') and contains(@class, 'css-1rynq56')]") next_button.click() time.sleep(1) except: pass error_messages = driver.find_elements(By.XPATH, "//div[contains(text(),'Invite code not accepted.')]") if not error_messages: print("Invite code accepted:", invite_code) break invite_code_input.clear() email_input.clear() password_input.clear() legal_check.click() time.sleep(1) - Bastianhttps://atproto.com/lexicons/com-atproto-session is a 404, can I read the docs somewhere else?
- @r_ob:matrix.org
- snarfed
- @10allday:matrix.org
- @10allday:matrix.org
In reply to this message
If it's possible it should be part of version two of atprotocol, along with virtual items as those are the future. - @10allday:matrix.org
- @10allday:matrix.org
- nocha1ni feel like this is verging on being off-topic, but the point as i see it is to have a great underlying social protocol and then let people build whatever apps and experiences they want on top of it. an "everything app" sounds extremely vague and... pointless? though i suppose atp's lexicons and such will enable better data interoperability and maybe embedding more things into social feeds?
- ok there is https://staging.bsky.app/ this and this https://callmearta.github.io/kite/#/login
- @r_ob:matrix.org
- @10allday:matrix.org
In reply to this message
There needs to be a commonly understood programming language known to every client.In reply tonocha1n
i feel like this is verging on being off-topic, but the point as i see it is to have a great underlying social protocol and then let people build whatever apps and experiences they want on top of it. an "everything app" sounds extremely vague and... pointless? though i suppose atp's lexicons and such will enable better data interoperability and maybe embedding more things into social feeds?(edited) - nocha1n
In reply to this message
it seems undesirable that every client for every application should be able to parse a custom scripting language or whatever you're trying to propose... considering both bloat, complexity, and security. if you want to make an app that, say, runs WASM published by people then i suppose you could create one like that. - @r_ob:matrix.orgAaron Goldman: what kind of mushroom is this on your head dude?
- @10allday:matrix.org
In reply to this message
Lexicons provided by ATP won't do every use case wanted by a developer, that every client can be sent and seemlessly have it just work, without having a custom client made just to read whatever a developer sent.In reply tonocha1n
it seems undesirable that every client for every application should be able to parse a custom scripting language or whatever you're trying to propose... considering both bloat, complexity, and security. if you want to make an app that, say, runs WASM published by people then i suppose you could create one like that.(edited) - @10allday:matrix.org
In reply to this message
It just needs a JavaScript interpreter, so it can function like a web browser.In reply to@r_ob:matrix.org
Anyway, good luck guys with your Activity Pub fork.(edited) - @dead10ck:dead10ck.com
In reply to this message
Wow. I'm just learning about Bluesky and don't really know enough about it yet to have a solid opinion, but I've seen so much panic over it in the Fediverse it's kind of ridiculous. Do these drive by trolls happen often too? - @dead10ck:dead10ck.com
In reply to this message
The centralized indexing is I think going to be the big divider. Every time anyone tries to make a Fediverse indexer, people come out of the woodwork in droves to harass them into stopping. Centralized indexing seems to be anathema to many people invested in the Fediverse / AP.
But the thing is, having every node do everything by itself is why AP is not scalable. You need a ridiculous amount of resources to even run a single user node, because it's basically useless without using a relay, and relays are just insanely inefficient, copying all data to every single node that subscribes. Relays go offline all the time simply because someone defederated.
I get the concerns of consent absolutely, and it's really honestly unsurprising that people get upset by randos building an indexer without talking to anyone in the very privacy centric community about it, but at the same time, it's simply not scalable without centralizing and distributing some responsibilities.
I suspect in the end, AP will still thrive, but will, by choice and architectural necessity, stay more focused on smaller and more insular communities
- @10allday:matrix.org
In reply to this message
Bluesky shouldn't cater to privacy activists conserns about indexing or other things. There won't be any useful features.In reply to@dead10ck:dead10ck.comThe centralized indexing is I think going to be the big divider. Every time anyone tries to make a Fediverse indexer, people come out of the woodwork in droves to harass them into stopping. Centralized indexing seems to be anathema to many people invested in the Fediverse / AP.
But the thing is, having every node do everything by itself is why AP is not scalable. You need a ridiculous amount of resources to even run a single user node, because it's basically useless without using a relay, and relays are just insanely inefficient, copying all data to every single node that subscribes. Relays go offline all the time simply because someone defederated.
I get the concerns of consent absolutely, and it's really honestly unsurprising that people get upset by randos building an indexer without talking to anyone in the very privacy centric community about it, but at the same time, it's simply not scalable without centralizing and distributing some responsibilities.
I suspect in the end, AP will still thrive, but will, by choice and architectural necessity, stay more focused on smaller and more insular communities
(edited) - damon/
In reply to this message
This is a flaw within the culture. I primarily see this amongst Mastodon users. So I can’t label it a fediverse problem. The gatekeeping is counterintuitive. It’s disappointing as it has a negative impact on those that want most of the benefits with Mastodon but would prefer efficiency and a slightly more tailored and informative experience. At some point it will have to adjust or just be home to purists - @10allday:matrix.org
In reply to this message
Bluesky should have the algorithm of Twitter, people who do not like usefulness can stay in the fediverse.In reply to@damon
This is a flaw within the culture. I primarily see this amongst Mastodon users. So I can’t label it a fediverse problem. The gatekeeping is counterintuitive. It’s disappointing as it has a negative impact on those that want most of the benefits with Mastodon but would prefer efficiency and a slightly more tailored and informative experience. At some point it will have to adjust or just be home to purists(edited) - damon/
In reply to this message
No it should not. Anyone that wants Twitter’s algorithm can simply use Twitter- @10allday:matrix.org
- @dead10ck:dead10ck.comWell I actually like what little I've read so far about BSky's attitude on this: there's clearly a dissatisfaction around the opaque algorithms chosen by a central authority solely meant to optimize more and more user interaction, outrage, and addiction. Giving users more transparency and choice seems like a good goal to have. I'll be very interested to see how it turns out
- damon/
- @dead10ck:dead10ck.comI'm also very intrigued by the decision to piggyback on DNS for authenticated user name ownership. As someone who has worked with a lot of DNS data in my career, this strikes me as a really smart way to delegate this function to existing internet infrastructure, and enable ownership transfer, without building a whole system for this from scratch(edited)
- @10allday:matrix.org
In reply to this message
This and advertisements need to be the default/baked hard into the protocol. - T5
- @10allday:matrix.org
- @10allday:matrix.org
In reply to this message
Also, there's huge marketing potential behind this. Every billboard, bus, train, website, should promote this with the funds to pay for these promotions from advertisers paying for advertising on the protocol, and having their post promoted.In reply to@10allday:matrix.org
So, users get normalcy instead of it felling like a decentralized product, but with the same features as Twitter and the like.(edited) - damon/
In reply to this message
Correct. I believe this is the better way to go. But another method has actually been brought to my attention. https://www.kevinmarks.com/distributed-verify.html - @dead10ck:dead10ck.com
In reply to this message
Hmm, yeah, this is more like "I'm proving this is me by virtue of confirming access to some other number of big popular sites", whereas DNS's authentication is more centralized, placing all trust in the registrar and that it's very difficult to poison them. There is also dnssec now though. I wonder if they make use of that - snarfed^ rel-me can integrate with big popular sites, but it definitely doesn't depend on them. it's how Mastodon's green checks verifying your profile links work. it's also a core part of https://indieauth.net/
- Aaron Goldman
In reply to this message
Each community has its own context. There are discords I am in that I would be offended if one community member decided to publish all the history. My conference talks I am happy for anyone to share. There is nothing wrong with some places being indexed and others not as long as the norms are agreed upon. - @dead10ck:dead10ck.com
In reply to this message
Well it also generally has less teeth and substance. It still places the onus of verification on the user to visit each verified site and try on their own to research within each site whether this particular one is in fact the same person. Anyone can make a Github account to put a green checkmark on their profile - snarfedyup. same with DNS domains. if I want to follow Taylor Swift, but I don't know her web site, do I follow the Bluesky accounttaylorswift.com? ortayswift.com? or something else entirely?
- @10allday:matrix.org
In reply to this message
There cannot be any choice in disabling the indexer, otherwise the atprotocol won't function at all? - @dead10ck:dead10ck.com
In reply to this message
Yeah this is why I'm not firmly placing those that are upset by AP indexers popping up without any consent or involvement in the wrong. Within the context of the existing communities, this was majorly frowned upon, and it's usually done by someone that never considered the wishes of the community they decided to mine - snarfed
In reply to this message
there won't be a single indexer, and federation and app functionality won't have to depend on any of them, or can degrade gracefully. https://atproto.com/guides/overview#achieving-scale(edited) - nzheretic
- Aaron GoldmanIt is about what is the meaningful handle. If I want Taylor Swift's view on Web Application Security I go to https://twitter.com/SwiftOnSecurity the twitter handle is the name I recognize. For xkcd https://xkcd.com/ is far more meaningful to me then https://twitter.com/xkcd bind to the identifiers that make sence for your audeance.
- @dead10ck:dead10ck.comWith that said, I can't firmly side with them either. It is, after all, an open protocol. It was already built from the ground up in such a way that any public posts can end up on any server anywhere. If anything, the way AP is designed to federate, it has even less control over your data than a centralized service like Twitter. It goes to any server that asks for it
- snarfedAaron Goldman: true! two related but different questions. 1) which of all these accounts is the real Taylor Swift? 2) where is it best to follow Taylor Swift? (depending on what I want to see)
- Aaron Goldman
In reply to this message
oh, you want access control in your distributed content addressed system. Can I recommend a paper?
https://github.com/Peergos/Peergos/blob/master/papers/wuala-cryptree.pdf - I misswua.lais was cool
- @10allday:matrix.org
In reply to this message
Who do the indexers index? Will all indexers pay each other for the privilege of staying updated, like how internet service providers pay to route traffic across two networks? This could potentially be a very good business model for Bluesky as the users are just what get people to use the service, so indexers can get paid for providing updates, while keeping everything free for end-users.In reply tosnarfed
there won't be a single indexer, and federation and app functionality won't have to depend on any of them, or can degrade gracefully. https://atproto.com/guides/overview#achieving-scale(edited) - snarfed
In reply to this message
it's decentralized, so the default answer to questions like these is, "whatever they want," at least if it's not specified by the protocol. and yes, the team has implied that they'd look into running some of these services and generating their own revenue in the future - @10allday:matrix.org
In reply to this message
Hopefully the protocol can include a built-in tracker for the indexers to keep track of who's paying for who. - Aaron Goldman
- @10allday:matrix.org
- snarfed
In reply to this message
that's...not clear. the fediverse effectively doesn't have any, and it still works, even if it's not perfect - @10allday:matrix.org
- @10allday:matrix.org
- nzheretic
- @10allday:matrix.org
- Aaron GoldmanMy understanding of mastodon is that it is like the first drawing. My instance talks to your instance directly. So if there are a lot of instances that want your content it gets expensive for your instances. Authenticated Data is different. Since it is signed a PDS can get your repo from literally anyone that has it. As long as the signature is valid that is the repo. So PDSs can pull your data from indexers. Indexers can pull from each other. You only need to bother the authoritative PDS if nobody else has it.
- nzheretic
In reply to this message
If the act of indexing produces value for the indexer, why couldn't the indexing bot "pay" the account it follows, which goes towards any subscription the account pays. - @10allday:matrix.org
- @dead10ck:dead10ck.comSo if I'm understanding this architecture correctly, if you are a very privacy centric person that wants to self host a bsky instance, and you want to control the whole stack and how data gets handled and who gets access to it, you would run a PDS and an indexer, right? Is it easy to control who is allowed to federate, and thus get another copy of your data? And if another indexer federates with yours, do they store it indefinitely so they can serve search queries on their own, or do they each delegate searches to each other?
- @10allday:matrix.org
- nzheretic
In reply to this message
Will later. Normal user accounts have a nominal virtual subscription charge, various bots doing the indexing or data suck for AI training data operating as user accounts. Indexing bots offer users a nominal amount to follow their accounts . Bluesky/Server Operators take a cut. - Aaron GoldmanSo a PDS operator could want to minimize it's cloud bill. Say it charged 1 USD/month or 10 USD/year for accounts. Then for the sync API it charged indexers 10x the cloud provider's egress bandwidth costs. Other PDSs would not want to pay the egress costs so they would pull all the repos on that PDS from the indexers. Many of the indexers would try each other to pull the repos before pulling from the charging PDS. One of the indexers would be first and pay the PDS the rest of the world would pull from the indexers. The PDS would in this way disincentivize the world from bothering it.
- Aaron Goldman
- snarfedit's worth reminding ourselves that the answer to loooots of these questions and ideas is "we don't know yet." there are a number of hints on https://atproto.com/ , but often they're very high level. the team has said a number of times that big parts of this are either incomplete and TBD (some parts of federation, big world indexing, successor to did:plc) or just not specified at all (eg access control)
- @dead10ck:dead10ck.com
- nzheretic
In reply to this message
Indexers compete in an open market. Bad behaviour will lead to users denying indexers the right to follow. - snarfed
- @10allday:matrix.org
- Aaron Goldman
- nzheretic
- @dead10ck:dead10ck.com
- snarfed(fwiw this the gossip-like idea is also kinda speculation. the code and docs so far imply a more standard direct conection approach, not sig-checked gossip. Aaron Goldman is right that it's possible though!)
In reply to this message
right. the team has been talking about E2E encryption ideas, but not for anytime soon)- Aaron Goldman
In reply to this message
Datacenter to Datacenter, I don't know what they will charge each other but I bet it will be way less then they charge the PDSs. - @10allday:matrix.org
In reply to this message
What cryptocurrencies would be used, as these have to be instant payments.In reply toAaron Goldman
Datacenter to Datacenter, I don't know what they will charge each other but I bet it will be way less then they charge the PDSs.(edited) - snarfed
- @dead10ck:dead10ck.com
- Aaron Goldman
- @dead10ck:dead10ck.comIs it currently possible to run a PDS and/or indexer to use bsky today without an invite tobsky.social?
- @10allday:matrix.org
- snarfed
In reply to this message
yes, but you'd be an island, federation isn't turned on on the main instance yet - @dead10ck:dead10ck.com
In reply to this message
Ah ok, that makes sense. I'll probably stand one up when federation is enabled - Aaron Goldman
In reply to this message
Just an example of someone that counts bandwidth in real time but pays later.
Two indexers may want to only pay each other if there was a massive in balence that month - @10allday:matrix.org
In reply to this message
Indexers would beIn reply toAaron Goldman
Just an example of someone that counts bandwidth in real time but pays later.
Two indexers may want to only pay each other if there was a massive in balence that monthindexer1.com,indexer2.com, etc?(edited) - moved to @shreyan:beeper.com@shreyanjain:matrix.org
- @10allday:matrix.org
In reply to this message
When they have something requested, would the payment happen first, or would it happen later, what happens if an indexer defaults?In reply to@10allday:matrix.org
Indexers would beindexer1.com,indexer2.com, etc?(edited) - @10allday:matrix.org
In reply to this message
Would the indexer that never received their money, put that cost onto the servers hosting users? - nzheretic
