Thu, May 4, 2023
- mikuhl13:06twitters home page when not logged in still shows tweets
- code.13:13people have already made projects to allow embedding messages on other sites, so it wouldn't surprise me if we get a 3rd party logged out client
- snarfed13:23they definitely exist already, https://blue.amazingca.dev/ launched months ago
- 13:23among others
- 13:29HeckinDang joined the room
- HeckinDang13:43While I'm waiting on an invite, I thought I's ask the dev community: Would the best course of action for the AT protocol in setting up a handle be to self-host (owned domain name), or jump in headfirst and rely on default?
- snarfed13:54your DNS domain handle is separate from the Bluesky server you use, you don't need to serve anything on your handle domain
- 13:55also they haven't turned on federation yet, so self-hosting won't let you interact with the main service yet
- Kjartan14:18Message deleted
- Kjartan14:20Half offtopic but related: what client for matrix do you use on your phone?
- 14:21
In reply to this message
If its just in order to play with the protocol - I have started a playground (and left a few codes for it somewhere in the threads) - HeckinDang14:26Aye, looking forward to just playing with the protocol in general... while I wait I will lurk in the dev channel here and read up on things
- @neeg:nitro.chat
- Kjartan
- 14:49Actually I'm not convinced by the protocol anymore at all (but I think it solves what was to solve, so that's no complain). What I meant with the playground: If you want to play around with the protocol but just haven't got a way to try your code on some server - you can on my instance (it's just for dev purposes so, nothing exciting is happening there - but you can try your code there)
- lamrongol16:33
In reply to this message
I am not familiar with web technology, but do you mean that we can distinguish whether it is fake or not if we look into it properly? However, if we can't distinguish just by looking at it on Bluesky, then I think a way to prevent is needed. - snarfed17:24
In reply to this message
on the Bluesky PDS itself, a user only gets a domain handle if it's bidirectionally verified, ie not fake - 17:25we don't yet know exactly how that will work once federation is on
- 17:30caleb joined the room
- caleb
- 17:48mesajatmakicin joined the room
- mesajatmakicin17:52Hello. Is the waiting list too crowded? I've been waiting for confirmation for a long time.
- Dominick Rangel18:42read the rules please
- 20:07nakasyou (Shotaro Nakamura) joined the room
- nakasyou (Shotaro Nakamura)20:07Hello!
- @dead10ck:dead10ck.com20:14
In reply to this message
You can set up DNSSEC to have authentication transparently, and for even further protection against specifically targeted attacks on your PDS infrastructure, you can set it up to use DNS over TLS/HTTPS. But this would be a separate protocol layer from the PDS software itselfIn reply ton@neeg:nitro.chat
Is there any protection from DNS hijacking in bsky/atproto?(edited) - 20:15
In reply to this message
I would not recommend encouraging anyone to attempt DNS spoofing, since it's probably a crime 😛 - 20:15
In reply to this message
If DNS were the only source of truth, this could be completely preventable 🙂 - moved to @shreyan:beeper.com@shreyanjain:matrix.org20:18
In reply to this message
Unfortunately DNS is somewhat inconvenient to implement on a massive scale - mark20:19If I wanted a stream of all posts containing some text, is my only option to get all the subscribe repo data, and filter for posts matching the text on the client side? Or is there some way to either filter subscribe repos on the server side (I'm just a cheapskate trying to limit my network usage if possible), or maybe poll an endpoint similar to /search/posts?
- moved to @shreyan:beeper.com@shreyanjain:matrix.org20:19rn there's no search endpoint yeah
- 20:20Dominick Rangel set a profile picture
- @dead10ck:dead10ck.com20:20Yeah I think what bsky is doing right now with arbitrary implementation and DNS as a fallback makes sense at the MVP stage. But DNS only would be a good long term goal to prevent identity theft
- mark20:21And subscribe repos is just one big firehose, you can't tune it?
- Dominick Rangel20:21
In reply to this message
if you really wanted to test this you can set up a spoof towards a "trusted site" and sort of make it a challenge for the other person throughout the week in a somewhat blue and red team testing situation - 20:22I don't know exactly how all of that works since I am still learning but I imagine that is how it would be set up to test those sorts of things 😵💫😵💫
- moved to @shreyan:beeper.com@shreyanjain:matrix.org20:22
In reply to this message
yep. for now i wouldn't mess with the firehose unless you're willing to get your hands a little dirty - 20:22it's all in cbor, and is a websocket
- 20:23it's really different from every other endpoint so
- @dead10ck:dead10ck.com20:23
In reply to this message
Yeah if you're going to do this sort of test, make sure it's on domains you own so you're not committing fraud - Dominick Rangel
- @dead10ck:dead10ck.com20:24Even then if you don't own the nameservers too, I'd be a little nervous, since it still involves tricking infrastructure you don't own, but ianal(edited)
- mikuhl21:05I am using a javascript framework that is saying for some reason BlobRef isn't serializable, I am guessing that somewhere it uses a weird type?
- Yiko Song21:25Can anyone tell me how to authenticate between xrpc services? A complete documentation would be great.
- 22:12@kookoy:matrix.org joined the room
- 23:459rw7stf869 joined the room
Fri, May 5, 2023
- Yiko Song00:02can anyone tell me how to get an invite code?(edited)
- Dominick Rangel
- 00:13lx-is joined the room
- Kjartan
- 02:27mileszim joined the room
- mileszim02:29Are the DB migrations for bsky and pds meant to be shared on a single schema/overlap? They're frustratingly close but the code does not seem to suggest they share any tables
- 02:30Also the use case for bsky is unclear atm--pds works with the apps, but the xrpc in the bsky service does not seem compatible. What is that meant for?
- 02:31finally just want to say this software is hella cool already and you all have done a wonderful job bringing it to life
- Kjartan02:44I have no answers, but asked myself exact the same things already. I eventually just ignored bsky (and everything seems to work) 🤷♂️
- 03:02pheebs joined the room
- Kjartan03:03
In reply to this message
Is it really though? Or is it maybe a chicken-egg kind of thing, and it's just inconvenient, because of poor tooling, which itself is just a result of it getting avoided all too often? Not trying to be snarky, but I have fully automated most of my dns needs (and convenience scripts for a few others). I also recognised a loot of tools have popped up since "let's encrypt"'s dns challenges exist (not a proof, but it kinda supports my claim) - Kjartan03:09Btw: you can simply use the client on https://schnitzel-mit-pommes.de directly (no need to change the server etc, it's preconfigured). Also all hard coded links to for example "what's hot" should be fixed and work (unlike the client on staging.bsky). But so far there isn't anything hot
- xnf0k03:13I may be biased here as a Handshake fan, but DNS is perfect for domain ownership verification. It's possible to write dynamic DNS servers that create record on the fly do its not like you need to have a duplicate table of records with all users.
- Kjartan03:15
In reply to this message
Additionally: let's not forget that the imo best federated service - email - uses dns as well (and I'm not aware of anyone having tried to challenge that for convenience). - Kjartan03:26In general I wished atproto would have copied more of email. Have a dns record which points all users of a domain to a pds, this would also remove the need for anyplc.directory. And I actually don't see the point in having a did I can move to another pds (what I really care about is being able to move a handle from server to server, as I personally identify with the handle and not with the did).(edited)
- kcchu03:36
In reply to this message
I think it is to allow changing the user handle (i.e. domain) without affecting the actual user identity (e.g. contents, follow graph) - Kjartan03:39
In reply to this message
Absolutely. That's the intention. What I question is how useful that is. Without a doubt: there are some who will use it (especially as it exists). But is that something people really missed so far? I only missed it in cases where I haven't been able to have my own handle in the first place (so I was forced to change my handle) - 03:40But once you can have your own handle, I don't think there is a real demand/ need for changing your handle
- xnf0k03:41Many don't own domains. Even if you seebsky.social, most use the default subdomain. And when a PDS service goes down, there's really no way to migrate without changing the handle
- kcchu03:45I think one of the elegance in the current design is that every handle is a domain name, regardless whether it is a domain you own yourself or subdomain given by the PDS you first sign up. If the system will need to allow changing the handle (even if only once from subdomain to your own domain), it still need a separated user identifier so that other server in the network know that they are the same user.
- Kjartan03:46
In reply to this message
I agree. But don't see it as such a big issue. More like a nice to have. But maybe that's just because I'm used to it from email (again). It's just not something which happens every week, if even at all (it never happened to me, that an email server disappeared suddenly, but I at least know cases, yeah) - 03:49
In reply to this message
Yes and no. It has been working fine for email. And if the server still exists, you could simply also add some kind of redirect/forwarding - kcchu03:50I think it doesn't work fine for email. User changes email addresses from time to time (e.g. changing ISP, changing job). It is really a hassle to change email address and setup redirection, or lost some of your old contacts(edited)
- Kjartan03:51It's not like I don't see some nice advantages. It's just that it probably solves an issue, which noone was concerned about so far with email (so maybe a solution to something no one cared much/enough about)
- 03:52
In reply to this message
Even before I had my own domains, it wasn't an issue for me. Just an email to everyone with the new address. Then some forwarding for a few months, to catch whoever you might have missed to inform. But it's probably personal experience which might not have been for everyone like this - kcchu03:53I think the question isn't no one care about the problem, but that you think the solution is too complex to justify the benefits?
- Kjartan03:55I mean so far atproto hasn't solved the decentralisation (which the email approach would have solved already). Not speaking of missing implementation, but of a general idea how to solve it without the need of plc registries
- 03:56(there I'm unaware of them not bothering about having registries or them being unable to solve it without (but I wouldn't see a way how they could be avoided))
- kcchu03:57could you elaborate which part of atproto isn't decentralized (i understand that plc did is just their server)
- Kjartan04:00Let's imagine federation arrived. Your pds want's to interact with a did from a different pds. Your pds needs to figure out which pds acts for the target did - and has to look it up somewhere. This doesn't have to be plc.registry specifically, also doesn't have to be limited to just one. But still, it would be more than just a "nice to have" to be able to skip this
- 04:01If it was all focused on a handle (which like I said, will be imo anyway more important to most users) the already existing dns network would serve the function of the plc registries
- kcchu04:02as I understand, the plc (which stands for Placeholder) DID is a stopgap solution before a real DID is available. So, even with federation, there should be only one PLC server that everyone use
- 04:02until they could replace PLC with a real decentralized DID
- Kjartan04:02
In reply to this message
And the one server that everyone uses is exactly how it's central and not decentralised - 04:03
In reply to this message
So it's something which still needs solving in a did-focused setting, but would be unnecessary if it was handle-focssed - kcchu04:04if the concern about centralization is the DID only, then yes, it is currently (very) centralized. I think their assumption is that there will be DID solution available soon (perhaps by other team), so they can free-ride on the effort of others
- Kjartan04:06One could be snarky and say, it's currently the same as twitter - jsut with the data being stored by pds'. with theplc.directorybeing like what's today twitter. They could still "kill your identity" by simply deleting you on bsky and removing you fromplc.directory. Then no other pds would be able to take you in either, because all other pds' wouldn't be able to find you either(edited)
- kcchu04:09yes, you are right about the current situation. that's why they call it Placeholder DID with the intention that it will be replaced soon
- Kjartan04:12
In reply to this message
Yeah. I know. And I might get all excited myself one day. But the status quo is not so different from what already exists (I don't like Mastodon, but right now Mastodon is actually ahead regarding a decentralised network - even though I really don't like to see it this way, as I'm not happy about Mastodon at all) - 04:13And to somewhat close the circle to my statement in the beginning - this would be already and right now different if the focus was on the handle instead a did
- kcchu04:14I personally take that AT Protocol is under development and incomplete, so I accept that there things that need time to sort out. But if you ask me whether it is getting too much publicity before it is ready, i think it is.(edited)
- Kjartan04:15Absolutely. Fully agree. We are talking about a beta. Many of my concerns might be just temporary, and next time I might have a compeltely different view on it.
- Kjartan04:22I think it was unwise to get the "common people" into it so early. This way they have to deal already with moderation or clients and such stuff, instead of focusing fully on the protocol itself. Would have been better imo to work just on the server - and have independent devs trying it out on their own instances. They could still collect what's missing (like blocking was) or what's buggy, while the Bsky team would be able to work on the protocol itself without any interruption or urgencies to act on specific bugs(edited)
- kcchu04:24Absolutely agree on this
- Kjartan04:27But now with WashingtonPost or politicians etc onbsky.social- they have no choice but to act on some bugs immediately, maybe spend hours even for just temporary workarounds, to prevent any damage or liability. But it's their decision to make, not mine :)
- @neilalexander:matrix.org04:35
In reply to this message
IMO it's useful to have some "common people" because a) they will definitely discover things that power users will ignore, b) the usage patterns are very different and c) it prevents you from designing for a single class of users - Kjartan04:36Yes. But those things would be discovered likely on private instances - with the instance admins would have to deal with moderation etc
- @neilalexander:matrix.org04:37
In reply to this message
Instance admins would find their hands are tied if the tooling doesn't exist, which is why the feedback loop is essential - 04:38It is important for the devs to understand what it feels like to admin a server
- Kjartan04:40
In reply to this message
Then just make "test weekends" (not encessarily weekends) and switch it off in between (like a lot of other services do as well in their early stages) - @neilalexander:matrix.org04:40But that doesn't really capture the usage patterns
- kcchu04:40I think Kjartan's point wasn't that "common people" should not be invited to Bluesky, I do think that a variety of people should try the platform and their feedbacks are important. But it is a matter of scale. If there were too much attention from the public too early, Bluesky team will be overwhelmed by the issues and skew their priorities as we have seen.(edited)
- xnf0k04:41
In reply to this message
The moderation app (redsky?) Is not open source yet afaik. There's not much "admin experience" right now. Which is fine, they're dealing with a lot of stuff and rapid dev, etc. - @neilalexander:matrix.org04:41
In reply to this message
The thing is, Bluesky is and always was destined to get outside attention because of the nature of how the project was founded in the first place. I agree that not onboarding too many users is absolutely the right thing to do, but I don't really agree that shifting the problem off onto other server admins to figure out how to moderate is right yet - Kjartan04:42
In reply to this message
Oh the commons absolutely should try it. Their feedback is somewhat even the most important (as they are targeted as users later). It's also about who has to care for/ is responsible for them. This shouldn't be Bsky imo. At least not 24/7. - 04:44
In reply to this message
It's probably also a thing about what to expect as a user. I think no one would expect a perfect service of some small individual service. And even though it's officially only a beta, there are huge expectations inbsky.social(like I said, with newspapers and politicians etc on board) - 04:46Hyolobrika (carrier pigeon bridge (sorry about the delay)) joined the room
- Kjartan04:46If things go out of hand, the individual server can be just shut down until a solution is found (if the problem can't be solved otherwise). I think A LOT would have to happen in order to bsky considering to flip the switch forbsky.social
- 04:47Before this would happen, the whole team would focus on an issue even if it's of a nature which might be known to be of no importance in the future (for example an issue which might be obsolete within days or weeks anyway because soemthing gets replaced or whatever)
- 04:49It kinda removed the freedom of saying "we're aware, but we don't want to deal with it right now"
- 04:51If 50 private instances decide to go temporary offline, it wouldn't matter. If the instance which has been mentioned in media goes offline, it's a different thing
- kcchu04:53I get the points. I just hope that the people and mainstream media could calm down a bit and give bsky team more time and freedom to prioritize things. I think they have been doing very good so far. But I can only hope and as a reminder, maybe we are getting slightly off topic 😀(edited)
- Dominick Rangel04:55I would move this chat to a different room
- Kjartan04:56You're both right
- @neilalexander:matrix.org04:58(on the plus side, at least it's not invite spam for once)
- Kjartan05:05Is there any other value needed? I have a value set, but don't see any codes created
- xnf0k05:14
In reply to this message
no just that. What value is it set to and how old is that user account? - Kjartan05:36I have tried values from 60 to what would be one day in milliseconds. It's maybe about a week old.
- xnf0k
- 05:50Maybe `createAvailable` is not sent?
- xnf0k05:55Maybe the client you're using isn't sending true for that
- Kjartan05:55I was just wondering the same
- 05:55Default is false?
- 05:55The staging.bsky… doesn't seem to send it
- 05:58nope, it doesn't. then that's it, probably
- 05:58Thanks!
- xnf0k
- Kjartan06:17
In reply to this message
Hm… Maybe on a different client. Like maybe it's just on the phone apps. Or it's by default true and not necessary… I'll do some debugging later :) - 07:19ryota joined the room
- Kjartan07:49Haven't checked it yet (as in: tried things again) but the default is actually true. So while the client doesn't send it, it shouldn't be the reason why no codes were created (but yeah, I'll try again)
- 09:44valka joined the room
- LG11:06Hello! I am developing a small bot for fun on bluesky. It primarily uses
@atproto/api
I am wondering if there is a way to filter the author feed by datetime, similar to the twitteruntil
andsince
search parameters? - joshlacal11:27I would also like to know ^
- 13:36morgenruff joined the room
- Mark Foster SSI: @mfoster.io13:59
In reply to this message
Have you looked into some of the new Vercel edge file storage features and https://uploadthing.com/ yet? If I remember correctly some similar topics around this issue came up there… might find some solutions there. - mikuhl14:03
In reply to this message
I'm not uploading anything, just trying to display the timeline. The framework serializes objects but for some reason specifically BlobRef fails. - 14:05possibly due to it being a class not an interface?
- wolix14:05Hey guys iam have question for bluesky be available on Android
- mikuhl
- wolix
- 14:07Iam see very much late to see app
- 14:10Iam not invited on bluesky sadly
- 14:11TwT
- Mark Foster SSI: @mfoster.io14:13
In reply to this message
Are you working in the browser? You can utilize the service worker and WASM as well to compute with blobs in the client so maybe dig in some of those topics. WorkerBox is a package that focuses on Workers and https://github.com/GoogleChromeLabs/squoosh might have some good packages to look at. - 14:17Mark Foster changed their display name to Mark Foster SSI: @mfoster.io
- wolix14:17Actually iam don't get invite code for bluesky
- 14:17Be able to use app probably
- @neilalexander:matrix.org14:18Well it finally happened, I finally managed to get my Swift library to log in and post successfully to Bluesky
- Kjartan
- Mark Foster SSI: @mfoster.io
- wolix
- Kjartan14:20I know how it feels - I was today finally able to read skeets on Safari 14🥳(edited)
- wolix14:21Iam on fluffychat app element have problems to crash me any time open room or space
- @planetoryd:matrix.org
- Kjartan15:00
In reply to this message
Don't know. Is it really the protocols fault (not asking rhetoric, I wouldn't know). But in many (other) cases it's often just the clients' fault - foxlet15:44Yeah, that just sounds like an Element problem (they're rewriting the mobile apps).
- 15:47raymondz (@raymondz:matrix.org) joined the room
- @dead10ck:dead10ck.com
- 16:41
In reply to this message
They have their problems, but I'm optimistic about the new client code they've been working on.
You should also try to keep in mind that people that actually work on Matrix frequent this room, so it would be more polite to keep criticisms productive
- 16:45jroberts joined the room
- 17:06edwardcallow joined the room
- Kandy (They/She, DMs Open)18:00hi, can't wait to see folks use the sandbox stuff
- 18:00seeing how others use federation is gonna be really interesting!
- Compy@compy:hazenet.org18:05
In reply to this message
For sure! I'm ready and waiting. I know when I started running my federated matrix server, the bandwidth rush was insane. - caleb
- caleb18:56lol cinny as an iphone pwa kinda works now that iOS has web push
- 19:06@meowmeowmilktea:matrix.org left the room
- Mark Foster SSI: @mfoster.io19:21Message deleted
- 19:22Message deleted
- Mark Foster SSI: @mfoster.io19:25
In reply to this message
What ATProto package are you using from here to read the CAR?
https://github.com/bluesky-social/atproto/tree/main/packages
Here is an IPLD version of it: https://github.com/ipld/js-car - 20:23engineersam ⚡️ joined the room
- 21:05michaelcw joined the room
- Ed Goode21:56Does anyone have a bluesky invite? 😄 I am not so deep in the social graph that I've been able to get one, but I have been following and working in the DID world for a while. Would love to try out one of the first viral apps
- Anonymous21:57We've been trying to get an invite for days, no luck. They're hard to come by.
- engineersam ⚡️21:57I do wish the sign up page sent an acknowledgement email after submission.
- 22:03@darkflame72:matrix.darkflame.dev joined the room
- foxlet
- caleb22:25tyty
- 22:27hmm...
- 23:11Typo Kign joined the room
- 23:52@ytoooo:matrix.org joined the room
Sat, May 6, 2023
- caleb00:10made a new account onmatrix.org
- 00:11element x ios is snappy if incomplete :p
- 00:13zooooooo joined the room
- syui00:11hi
- engineersam ⚡️00:35Out of curiosity, has anyone done a comparison between the AT Protocol and the Inrupt Solid work?
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
- zooooooo
- moved to @shreyan:beeper.com@shreyanjain:matrix.org00:36even the terminology is similar, Personal Data Store and Personal Online Data Store..
- zooooooo00:37:p
- moved to @shreyan:beeper.com@shreyanjain:matrix.org00:38when I first read about how the at protocol would work my mind immediately jumped to solid
- engineersam ⚡️00:39
In reply to this message
Yes. It feels rather close, and there are already Solid tools for manipulating the Solid PODS. If a Solid PODS could be exposed as an AT Protocol PDS, then we could take advantage of the Solid work. - moved to @shreyan:beeper.com@shreyanjain:matrix.org00:39for sure
- 00:39solid's work still feels very incomplete though
- lamrongol00:41I've started a trend analysis system( https://staging.bsky.app/profile/trend-words-en.bsky.social ). However, there is a problem on Bluesky search. Today "King Charles" is trending. This is obviously in response to the coronation of King Charles of UK. However, when searching for "Charles", We get a bunch of completely unrelated posts from days ago (and they don't even have many Reposts or Likes). I don't know Bluesky search algorithm, but wouldn't it be better to put them in chronological order from the newest to the oldest, instead of making some poor attempts?
- 02:08carlos joined the room
- 04:19@roooy:matrix.org joined the room
- 04:54qpalzmwoskxneidjcb joined the room
- @planetoryd:matrix.org06:04
In reply to this message
Especially the protocol. Their protocol uses full-mesh routing. The solution is either ipfs-pubsub or https://github.com/freenet/locutus/ - 06:05And is their proposal for DID going to be in the RFC hell for years ?(edited)
- kcchu06:19
In reply to this message
I wrote a comparison between ATP and Farcaster (another decentralized social protocol). I understood the architecture of SOLID, but it seems to me the social application on SOLID isn’t solid - they are more like PoC. SOLID is geared more towards personal cloud applications (think Google Suite) than social network imo - @roooy:matrix.org06:21Message deleted by Administrator
- @planetoryd:matrix.org06:24r@roooy:matrix.org: get banned
- 08:15Justin Walker joined the room
- Justin Walker08:16came here because Elon banned me after I called him a dickhead :-)
- damon/08:16Please do not ask for codes
- 08:16This is a developer chat
- Justin Walker08:16not looking for codes, I can wait
- 08:17interested in dev
- damon/08:17Okay, thank you for understanding
- 08:17Welcome!
- Justin Walker08:17ty
- 08:21where is the source base? is it open?
- 09:43Haixuan Tao joined the room
- engineersam ⚡️10:40I will be interested to see how the community labelling develops -- I hope it will have the potentially to support a numerical rating for labels, instead of a just a boolean "this is marked with a label, and that is not."
- 11:09Kandy (They/She) joined the room
- Kandy (They/She)11:10Hey, been getting a lot of articles about bluesky lately. Glad things have been moving the way it has!
- 11:10Also, the fact that they made a chatroom for this is cool omg
- Roj11:13
Which one is the preferred?
- atproto (repo name)
- ATProto (idk if this is written)
- ATProtocol (logo)
- AT Protocol (in docs)
- Kandy (They/She)
- Roj11:14No, as in what the corp writes.
- Kandy (They/She)11:14AtProto is a nice Nickname
- 11:15
In reply to this message
I think they just switch back and forth with it. Almost like bluesky's branding/logo - Roj
- Kandy (They/She)11:15(the branding/logo is a bit more intentional since the loosen is supposed to be their way of symbolizing the decentralization, I think???)
- 11:17I don't think it's a big deal or anything tho
- Roj
- 12:06@flooore:matrix.org joined the room
- 13:26Bryant joined the room
- 13:52Seth Glickman joined the room
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
- @planetoryd:matrix.org14:00
In reply to this message
yes, so i prefer locutus. https://github.com/freenet/locutus/discussions/619(edited) - Kjartan14:10I had somewhat different expectations regarding bluesky, compared to how things start to appear now. I'm just curious: are there others as well, who got maybe more excited than they are now? Or in other words: Was it just me who got it wrong in the first place? This is no criticism (it's a nice protocol), I just hoped for something even better 😅
- moved to @shreyan:beeper.com@shreyanjain:matrix.org14:11yeah, happens a lot
- 14:11i think expectations may have ended up a little too high
- @dead10ck:dead10ck.com14:12
In reply to this message
Seems like a somewhat ridiculous question, given it's not even public yet, tbh - Kjartan15:09
In reply to this message
Why? Just because it's not finished yet, doesn't mean that impressions can't have changed already. I would even argue, that it's more likely that opinions and first impressions will change more (and more frequently) while the development is still in progress - @dead10ck:dead10ck.com15:26
In reply to this message
If a new shopping mall were being built, and they got one section of it constructed, and you got an early look inside this half finished mall, while the rest of it was still just exposed steel framing, would you say "man, this is not what I was expecting"? - Kjartan15:42I would yeah. And when the next section gets added, I would reconsider, and after the next section again. And I see nothing wrong about it. Let's imagine the opposite: I first think it's great, but the shops which matter to me aren't there at the moment (might come later, but no one knows for sure) - then it would be strange to say "OMG this new mall is my absolute favourite - but I never buy there anything and get all my things at OtherMall". Lets even assume my stores will definitely move to that mall in the future, then I still wouldnt do my shopping there right now (because I can't buy my stuff there yet). And I think it would be also justified to be somewhat less enthusiastic at that moment. It's not the mall's fault - still the expectations aren't met (while my expectations might have been too high to begin with - which somewhat was part of my question). To bring it back on topic: I was expecting mail like decentralization (which isn't even anymore discussed as far as I see it - best future scenario seems to be, to pick from several plc registries). I recognised some big concerns regarding GDPR, which I wasn't aware of in the beginning (which right now seem to me basically unsolvable). I liked the idea of a portable identity, but realised that this is something I never really wanted/needed, so while this isn't a disadvantage, I lost my original excitement about it. Next month I might have a completely new view on things. But right now, my excitement isn't the same like it was for example a month ago 🤷♂️(edited)
- 16:36Kjartan left the room
- Aaron Goldman
- 17:03A PDS should be able to remove repos at the controller's request
- 17:46rettetdemdativ joined the room
- 17:53goykasi joined the room
- 18:24Kjartan joined the room
- @flooore:matrix.org18:52Message deleted by Administrator
- Kandy (They/She, DMs Open)19:10oh no, scammers learned about matrix lmao
- zooooooo19:11@mods ? idk how moderation on matrix effectively works 🙈
- Mark Foster SSI: @mfoster.io19:11This is why we need article intent in meta tags for cross posting
- kcchu19:38
In reply to this message
If you prefer email like architecture, Mastodon (and Fediverse) already did that. You don’t need AT Protocol. But I wrote an article on why Mastodon’s federation model is undesirable and why the DID part of AT Protocol is an essential improvement to the shortcoming of Mastodon. https://paragraph.xyz/@kc/content-moderation-of-social-internet - Kjartan19:39
In reply to this message
The amount of data shared is "crazy". And offers possibilities in a way we haven't seen before. A lot of those have been so far only available for the service(=Twitter, Facebook,...); but they are problematic, that's why the GDPR limits those possibilities. They aren't allowed to use the data for whatever purpose they want, they aren't even allowed to collect some of the data. Like they aren't allowed to use a mobile number which was given for 2fa, they can't just use to inform you about a new product. And some data may not be collected at all, if there is no good reason to collect it.
I'm not a lawyer so I'm only speaking from my amateur point of view: the first issue already is: whoever wants to do "evil" doesn't even need to store data anymore (so all parts of GDPR regarding storage is circumvented), they can simply access them on demand. The access is easier than ever before - you can download literally just everything of a user by requesting their whole repo. With dids this isn't even anymore limited to a "username" it'll be often the whole history of a person, following even dozens of username changes (also nice: you can already check which other handles someone used - a lot of this information will give deeper information into external user databases, like "oh, we have also two such users, which we thought were two different individuals - look at those, they really made a new account because... some reason"). The user gave this information to this social media, without understanding what they do possible to totally different areas of their life.
The bigger issue though is - I have doubts, that any "evil entity" even does anything illegal. The data is offered publicly. It's most likely offered for federation, but can the data abuser know that it wasn't offered for whatever purposes - can anyone proof them any knowingly wrong doing? They never even had to pretend to use it for anything else than "evil". If someone goes to town center and yells their secrets for everyone to hear, it is okay for everyone who can hear it to know it. There was no illegal action in obtaining the information. But if the information is accessible on demand and doesn't need to be stored, they don't have to fear being caught anyway. Amazon could access your repo and adjust their advertising based on your repo data. On demand, on the fly. Without the need for cookies, without having anything about you stored, and without you knowing. Yes, they need to know your did - hopefully you have a custom handle and it's a match (
user.example.comforuser@example.comcustomer email) or maybe its just a matter of time until there will be a "login via did" or "get shipping updates direct as a (then existing) atproto-DM). I guess it would be legal, but even if not, who will catch them doing, their HDDs are clean. You need a mortgage - well the bank is definitely allowed to base their decision on "public knowledge". Insurances, etc - everyone could use it far better than "old social media" ever allowed. You can't even request that access cant happen before the accessor acknowledges that your data is not to be used for any such evil purposes, because then things wouldnt work anymore. Yes, you can request your data to be deleted, but this means that your data is gone. This was one of the parts which were intended to be avoided in the first place. It's like deleting your Google account - kinda what you would like, but also something you simply won't do, because a lot of the data you really still want to access and use. While deleting is problematic too - you have no control over who has got already your repo stored somewhere away (probably then against GDPR - but it's impossible to follow where it landed). Right now on HN you can download a backup of 1.6M skeets.And it's still early, with the first tools appearing. I guess it's by far not even the top of the iceberg, leave alone the massive threat lurking in the dark waters. Crazier tools will appear, with possibilities I likely even haven't though of yet. Labels might make it a lot easier/faster/more efficient to access already somewhat preprocessed data. Yes it's all beta and some things hopefully will get more restricted, but I think we also don't know yet the possibilities.
But to me it looks (right now) like the wet dream of any data collector/ processor (regarding laws, but also the collection, storing gets so much cheaper as it'll done by others), and a nightmare/ruin for pds servers (if GDPR makes the pds service liable) or a complete sellout of your private data in a way one hasn't even imagined. I personally don't mind any of the content I post to be known by anyone (or I wouldnt post it in the first place) but most average users aren't aware of what they are doing. And even I slowly start to feel uncomfortable (like the handle history is something I haven't thought of).
My interest in bluesky/atproto is not only for private use but business purposes, too. For the later it seems right now too "dangerous" to me (although likely highly lucrative).
GDPR is quite strict what you may do. Things which seem maybe pretty harmless can get heavy fines. One can argue who exactly would get burned (the data abusers are possibly safe here, but again, ianal), but someone will get burned, I would guess (probably the pds instances as they were the once who shared the data, without their users being fully aware of how the data could be used). And even if not - then the loss in trust by the users, which would happen eventually, might cost as much.
Like in the former message: this is my view right now. Things still change, as the information about atproto/bsky changes. Next month it might be completely different.
- 19:41
In reply to this message
I really like a lot about mastodon. I just disagreed with some of their design decision too much. Sadly, because the majority of it I liked. Interestingly: the disagreeing in mastodon was for 95% about things, I wished they had copied of emails :D - 20:47adamwilson joined the room
- 21:18bullworm joined the room
- 22:01@dead10ck:dead10ck.com left the room
- 22:36Joshua Hastings joined the room
- 22:51@yakimapride:matrix.org joined the room
- 23:26@yakimapride:matrix.org left the room
- 23:44pedropaulovc joined the room
Sun, May 7, 2023
- goykasi00:32Is it intended that all signing and rotation keys are the same for a particular PDS? I was expecting each DID/user to have unique keypairs. At this point, it makes sense that they are the same, but is there a time in the future where they would be unique?(edited)
- 00:34If it is meant to stay that way, how would a user be able to move to a different PDS since they dont have control of the keys?
- 00:41blckwd joined the room
- moved to @shreyan:beeper.com@shreyanjain:matrix.org01:17
In reply to this message
Eventually I think you'll have access to your recovery key for that purpose - 01:17@confidant1118:matrix.org joined the room
- @confidant1118:matrix.org01:18Hey, can the AT Protocol be self-hosted kind of like Mastodon?
- goykasi01:19Itd be nice to have access to the signing key too. That would allow potentially doing public e2e encrypted messaging
- 01:20
In reply to this message
Some of it is functional, but if you dont have an invite code, it doesnt look possible to federate and broadcast tobsky.socialusers - @confidant1118:matrix.org01:40
In reply to this message
Well I guess, I will have to wait till someone in my circles gets an invite. - 01:43Danny Garden (they/them) joined the room
- @alexdeltax:genix.chat02:08
In reply to this message
In the context of backups, GDPR seems like doesn’t regulate this part. For example we have weekly backups of fb for decade. We can store this data on LTO data-cartridges or any other cheap storage systems. As a rule, they are isolated. In this case, any company still have access to your data even if in current state it was removed. - 02:17konsti_ joined the room
- goykasi03:17Question to users that have been able to signup on bluesky. Do they allow you register via a self-hosted PDS? Or do you have to usebsky.social?
- moved to @shreyan:beeper.com@shreyanjain:matrix.org03:17you can totally sign up on any pds. they just don't federate yet.
- goykasi03:20
In reply to this message
Right. I have been playing around with that over the weekend https://plc.directory/did:plc:qrfk2dvrkl4nqqmzpr4zq4mz/log
But I guess I wont be able to push any data until they launch the federation sandbox - moved to @shreyan:beeper.com@shreyanjain:matrix.org03:20yep. they will probably open it up soon though 🙂
- 06:07@atika12939:matrix.org left the room
- 06:47goodmachine joined the room
- 07:05Jason Blum joined the room
- 07:21@nic:matrix.nicfab.it joined the room
- @nic:matrix.nicfab.it07:24Hi everyone! I stumbled upon your project and am interested in following the development. I am not a developer but a lawyer dealing with data protection, privacy, and cybersecurity.(edited)
- sylphrenetic07:25
In reply to this message
I really appreciate you bringing this up, because I had this concern a while back and completely forgot about it. it certainly does seem like if indexers' and PDSs' data are fully public that companies could profit off the the public data without ever having to worry about GDPR concerns, while users are left out to dry.
it's also a good question about whether PDSs themselves would be liable for being "irresponsible" with people's data by just letting it be public (even by design, even with people's permission). I think the law just hasn't caught up yet to this kind of tech and really needs to.
- 08:32Khushraj Rathod joined the room
- 08:48souramoo joined the room
- @flooore:matrix.org09:23Message deleted by Administrator
- 10:1110.0.90 joined the room
- 10:20suzuwu joined the room
- 11:12Vitaly Goncharenko joined the room
- 13:55Jafet Benítez joined the room
- konsti_14:54
In reply to this message
I’m not sure I’m thinking the same way about this. I look at having a repository with posts in it like having a public blog on the internet. Don’t the same rules apply there as well? I guess it’s right that it might be unintuitive or seem more open than Twitter or a tradition social network but since posts are generally intended for a public audience anyway the jump isn’t that big, no? - 15:48Justin Appler joined the room
- Kjartan15:52
In reply to this message
Not sure about that. With a blog, it's basically really just the content. And access/processing blog content can be somewhat monitored (and limited if needed). That's what my concern is: it comes with integrated bulk access (you wouldn't be able to get a complete blog with just one request) and if you ever changed the domain of a blog, it likely wouldn't include all earlier names/addresses (and there is likely more, we haven't thought of/ seen yet). Even if WE are aware of it - the average user likely isn't aware of, and might not have agreed to it - Justin Appler16:14Is there any notion of record privacy or record namespacing in the protocol? That is, are all records public to everyone and are all records part of the same global graph?
- Aaron Goldman16:45I think of publishing a repo like publishing a magazine. Once Time published an issue and it's on news stands it's hard for them to guarantee that all copies are destroyed. Some individuals and libraries keep old issues of magazines. Some researchers use old magazines for unintended uses like tracking how word use changes over time. Even well documenting word use is not the primary reason the articles are included.
- 16:46They can print retractions but can't really un-publish a edition
- Justin Appler16:54Gotcha, so the Bsky lexicon as it stands today only supports a single, global, public graph of posts and other records? AFAICT from the existing docs, no affordance for private messaging either?
- goykasi16:56I think that is mostly correct, but there is nothing stopping other teams to extending the lexicon to include more privacy oriented features
- 16:59I would personally like to see more control given to users over signing keys. Currently, each PDS has a single keypair for signing and verification (from what I can tell). This makes it difficult for users to truly move around. I am hoping this will change in the future. If we had keypairs generated per user, we could very easily have encrypted messaging on the network.(edited)
- 17:02But I understand why that wasn't done atm. Keeping keypairs secure is not necessarily an easy thing to do. And most people probably wouldnt want that responsibility. But as the blockchain people like to say... "not your keys, not your .... posts"
- Aaron Goldman17:24Not your key not your repo
- 19:07Skyler Hawthorne joined the room
- 19:47@rbtgeorgi:matrix.org joined the room
- 20:01@00c:matrix.org removed their profile picture
- 20:01@00c:matrix.org removed their display name (00c)
- 20:01@00c:matrix.org left the room
- 20:03Mike Freeman joined the room
- mikuhl20:42Can you guys PLEASE put "type": "module" in your package.json
- Kjartan20:43YOu want me to put my what in my what? 👀
- mikuhl20:43You are using es exports, but your packages have commonjs type.
- 20:44Makes it really annoying to use.
- Kjartan20:44commonjs like javascript?
- mikuhl20:44yes
- 20:45all the atproto packages default to commonjs, despite using ecmascript exports
- 20:46
you have to do this ugly thing because of it
12
import bsky from "@atproto/api"; const { BskyAgent } = bsky;
- Kjartan20:47To be fair JS is always ugly. Sorry. I'll shut up 🤣
- justthisguyatx
- snarfed22:59jjustthisguyatx: they do different things! lexrpc is XRPC + Lexicon, arroba is a PDS repo
- justthisguyatx23:02
In reply to this message
Thanks. I suppose I could have actually looked closer rather than skim, rather than taking this lazy route. I appreciate the response. - 23:02amparise joined the room
- 23:21chinchilla optional joined the room
- 23:56@alexdeltax:genix.chat left the room
Mon, May 8, 2023
- Chris Lace00:23Keep up the good work guys
The app. is steady improving 👍 - panji.bsky.social
- Chris Lace00:27Will (BlueSky) be doing verification checkmarks? 🤔
- moved to @shreyan:beeper.com@shreyanjain:matrix.org00:28oh that could work as an account labeling thing
- Chris Lace00:30
In reply to this message
I would love it. It’ll make accounts official from others and keep down these bots or trolls. Stop impersonating(edited) - ryangallagher00:33Oh so many jokes. Must bite tongue. 😏
- justthisguyatx00:33Chris Lace: Do you mean adding some indicator on accounts that have validated handles against a domain, as opposed to accounts just using the native handle? Or do you mean some additional verification?
- Chris Lace00:35
In reply to this message
Just checkmark verification whatever you guys create, because there’s gonna be more Brands, Entertainers, Athletes, and Businesses a-boarding the app.(edited) - Aaron Goldman00:35
In reply to this message
It may be better to frame the question as How will bluesky support verifiable credentials?
Verification of control of a domain name is different than an email address is different than verified employee of an organization is different than verified age.
- Chris Lace
- Aaron Goldman00:37I hope a lot of this can be done by verified domain names.
- Chris Lace00:37My Apologies
- Aaron Goldman00:40Some domains have a lot of trustwhitehouse.govnpr.orgxkcd.com
- Chris Lace00:41I don’t have my own domain name but I have I.D. Google Knowledge Panel, or a Wiki article 🤔(edited)
- justthisguyatx00:42Chris Lace: At the moment, if you own a domain, you can verify your handle/I'd against that domain via DNS. For example, when I joined, I was assignedjustthisguy.bsky.social. Since I ownjustthisguy.net, I was able to add a record in that domain's DNS, and makejustthisguy.netmy Bluesky handle. It verifies that I at least control that domain, which adds some credibility to the account. That's currently the (very rough) equivalent to a blue check.
- Aaron Goldman00:44Wikipedia is tricky. For a Google knowledge panel I don't see a reason they couldn't have a DID uri in the panel
- Chris Lace
- justthisguyatx00:44Larger trusted domains, as Aaron Goldman mentioned, could be considered pretty well validated.
- Aaron Goldman00:46It's a good argument for letting users bind multiple urls to their DID
- justthisguyatx00:48@chrislace I'm currently using my domain only for this purpose, with no website or other exposed asset, so I don't bring any real validation other than the fact I own that domain. Not sure it adds that much value, aside from that ownership connection.
- Chris Lace00:48So I can just go to the platform and create one? Because I don’t have a domain name now(edited)
- Aaron Goldman00:49The trick with most validations is Who should witness which facts? It is easy to send a email verification code to an address if you wanted to run an email verification service. Harder is using DKIM signed email as the credential
- justthisguyatx00:49
In reply to this message
If you bought a domain now, you could easily link it to your Bluesky identity. - Chris Lace00:50Well I will be in tuned until everything is worked out. Thank You! 👍
- Aaron Goldman00:52Extra credit reading https://www.w3.org/TR/vc-data-model/
- justthisguyatx00:52
In reply to this message
I need to go back and check, but I believe this is part of the W3C DID standard. And yes, absolutely. Multiple points of verification is a good thing. - 00:54Ah. Nevermind. You're way ahead of me. :D
- Aaron Goldman00:55,"alsoKnownAs":["at://bsky.social"] is a list the DID certainly allows it
- justthisguyatx00:56
@chrislace Broader extra credit much reading:
- justthisguyatx01:05I think alsoKnownAs is one the most interesting aspects of the DID, going forward.
- 01:23gatya45 joined the room
- 02:33@aqua:aquatica.space left the room
- Matthew07:58(can i get an invite code topup at some point please? O:-)
- Chris Lace08:00Goodmorning everyone
- Chris Lace08:06Is @whyrusleeping still available? 🤔
- 10:53tiago joined the room
- whyrusleeping11:20Sup?
- damon/11:52whyrusleeping: me too please if possible
- snarfed12:00
In reply to this message
the broad answer to this is https://blueskyweb.xyz/blog/4-13-2023-moderation . they plan to let third parties moderate and verify all sorts of different things about accounts, and users can choose to use any of those they want - Matthew
- 12:01(is it just me or are all the “bluesky needs to ban X now” people missing the nature of decentralisation and bsky’s moderation plans?)
- damon/12:03Yes and no. Some of them are well aware but have convinced themselves that BlueSky is a Twitter alternative
- goykasi12:03whyrusleeping: do you know if there is ETA for when federation lexicons will be published? i saw some mentioned while poking around the repos, but i didnt see them in the docs
- damon/12:03Thus they have said the team needs to forget federation
- valka12:04most people don't get it because they're normal social media users so some don't understand what decentralization means in the first place, much less how bluesky can - and will - be something different than they've never experienced before, and a lot of them who vaguely understand seem to think it's going to be like mastodon
- 12:04so user education is clearly needed using more analogies like in the first faq post, or something
- 12:07seeing the opinion of "why would we want federation at all" and even "why would we want open source with a permissable license" broke my brain a little bit (in a "I've never encountered this this before" kind of way)
- 12:08anyway I think all of it just highlights why ux is so important
- Seth Glickman12:16is there a preferred place to report web app JS errors?
- TabAtkins12:24"Decentralization" doesn't somehow remove the need for banning. Each server still needs to ban bad actors as appropriate. Andbsky.socialis (a) currently the only server, and (b) intending to remain as a primary starting server, so keeping itself safe and trustworthy is important.
- 12:24Decentralization just means that servers get to make their own decisions about banning and can disagree on what bannable offenses are. We're deciding what that is for this server right now. There's literally zero contradiction.
- suzuwu
- Chris Lace12:54Yes I would like to have some invites
- 13:10unclegordy joined the room
- Seth Glickman13:28Message deleted
- suzuwu14:01We all I guess 😁
- 17:19Sasha Savchuk joined the room
- 18:00Cameron Pfiffer joined the room
- foxlet18:43
In reply to this message
To be fair all that means very little when there's no real federation going on yet. - moved to @shreyan:beeper.com@shreyanjain:matrix.org
- moved to @shreyan:beeper.com@shreyanjain:matrix.org18:49pfrazee's medium article about moderation in decentralized social networks is always what I think about whenever I see a post asking about bluesky moderation.
- Matthew18:59the second half of https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix-without-backdoors is pretty aligned, from the matrix perspective
- 18:59(not that we have made fast progress on hooking it up)
- moved to @shreyan:beeper.com@shreyanjain:matrix.org19:04wait: are you THE matthew? creator of Matrix?
- Matthew19:09yes, i started matrix (although not sure that’s very special given the name of the game around here is new decentralisation projects :)
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
- 20:16makoto_aijima52 joined the room
- engineersam ⚡️20:21I will admit to some curiosity as to how the Bluesky identity/verification scheme will age. Tying it to domain names is an interesting idea, but... suppose someone uses @i.am.bob.com. Can that ever be re-used by someone else? If Bob dies after fifty years and some other Bob gets the domain, then what? Is Bob 2 stuck with being associated with everything the first Bob did? Etc.
- moved to @shreyan:beeper.com@shreyanjain:matrix.org20:22nope!
- 20:22they just update the dns record
- engineersam ⚡️20:23So does that mean Bob 2 could then pretend to be Bob 1 and have access/auth to everything Bob 1 did?
- moved to @shreyan:beeper.com@shreyanjain:matrix.org20:23no, because the domain verification is separated from the actual account.
- goykasi20:24Bob2 would need Bob1's credentials to auth on Bob1's PDS
- 20:25and/or recovery key to move (i believe)(edited)
- engineersam ⚡️20:25Okay. Hmm.
- moved to @shreyan:beeper.com@shreyanjain:matrix.org20:25yep
- Chris Lace20:38I would like to get an invite code if possible ..Thanks!
- 22:19Brenden Riggs joined the room
- 22:25@aaap:matrix.org left the room
- Aaron Goldman22:34
In reply to this message
It is worth noting the distinction between a handle and a DID.
Let's take the example of @whitehouse.govcontrol of this domain changes about every 4-8 years.When I search for @
whitehouse.govI will get the DID that is named in the DNS record1
_atproto.whitehouse.gov. IN TXT "did=did:plc:fivojrvylkim4nuo3pfqcf3k"
but when I click follow the DID uri is the string that is added to my follow list.
When I @mention the handle string will appear in the text of the post but the DID uri will appear in the metadata on the post.
Even once the domain moves to the next president the link in your post will still go to the controller of the DID not the controller of the DNS name. Someone that looks at your follows will see you as following the DID not the DNS name.The handle is basically a fancy search that you used to find a DID at a moment in time. Also when you localy do a search after the transfer you should get a result that looks like a disambiguation page with the @
whitehouse.govfrom your follow list and the current one from DNS telling you that the old one has renamed.This is analogues to what happens to the https://twitter.com/potus twitter handle when there is a new potus the old handle is renamed to https://twitter.com/potus45 and a new account with a new UserID is renamed to https://twitter.com/potus all the old follows and mentions stay linked to
@potus45 => 822215679726100480
and the new mentions point to@potus => 1349149096909668363
if you follow https://twitter.com/potus today you will find you are folowwing@potus46 => 1349149096909668363
at some point in the future. - Brenden Riggs22:36I don't have an invite yet, but I think the AT protocol looks promising. Already the GitHub ecosystem is looking very healthy. Looking forward to when my name gets called on the wait-list so I can take a swing at some of the outstanding issues on some of the existing python repos.
- 22:38This was a great explainer! Thanks for taking the time to write this up!
- 22:45suzuwu changed their profile picture
- 23:33MightySpaceman changed their display name to MightySpaceman (OLD -> m_spaceman:matrix.org
- 23:33MightySpaceman (OLD -> m_spaceman:matrix.org changed their display name to MightySpaceman (OLD -> m_spaceman:matrix.org)
Tue, May 9, 2023
- 06:20Brenden Riggs set a profile picture
- Kjartan08:00
In reply to this message
And yet they reward those who invite people "who bring growth" with a shit load of codes (talking of many HUNDREDS of codes). It's very contradicting to be honest. And of course it gives those who remain on the waiting list a feeling of being ignored. I think every single one of the early subscribers would fit better into a beta(!) than accounts like weRateDogs, who just login once to safe their handles, but don't serve any purpose to the actual testing or developing 3rd party toolsIn reply tomoved to @shreyan:beeper.com (@shreyanjain:matrix.org)
the reason they are limiting invites right now is because it is a beta. things are not ready for the general public yet. they need a smaller subset of people to test and give feedback before releasing it to the general public(edited) - 08:45malcolmm joined the room
- 08:49Miguel Malcolm changed their display name to malcolmm
- 08:50malcolmm set a profile picture
- 08:51Jay Pinho joined the room
- 09:50hellstabber changed their display name to hellstabber (Old)
- 10:20Jy D joined the room
- 12:10Lizz joined the room
- 13:53@toranosora:matrix.org left the room
- 15:16couragic joined the room
- 15:26zeitgeist21 joined the room
- zeitgeist2115:28Anybody have an invite?
- panji.bsky.social15:32Nope
- 15:44luffy joined the room
- 15:51duckless_quack joined the room
- 16:12Eren joined the room
- 16:12hellstabber changed their display name to Eren
- 16:15swalexint joined the room
- 16:43redsolver joined the room
- 17:13Sam changed their display name to Sam Bulon
- 19:11@shadowislord:matrix.org left the room
- 19:27Lizz left the room
- Chris Lace19:52verified checkmarks coming soon I hope. Ijs ..the celebrities are coming
- Marcio Alves19:53Message deleted by Aaron Goldman
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
- Brenden Riggs20:19Spam
- moved to @shreyan:beeper.com@shreyanjain:matrix.org20:22
In reply to this message
yk, this could actually work really well as just another labeling service under composable moderation - Brenden Riggs20:26Oh interesting. So perhaps an individual could be verified/labeled by multiple trustworthy orgs.
- engineersam ⚡️20:53I am hoping to be able to chain the moderation together like a loose neural net. "If ten of the people in this group like the post then this moderation 'fires' and feeds the post with a new labeled weight into the next moderation service" sort of thing.
- moved to @shreyan:beeper.com@shreyanjain:matrix.org20:55that's more of a custom algorithmic feeds thing
- 20:55but sure(edited)
- Chris Lace21:02moved to @shreyan:beeper.com (@shreyanjain:matrix.org): yeah’ but it is what it is ..in this social media world of impersonating someone. If you guys do sign me up because I have protect my brand. Thank You!(edited)
- 21:20Andrew Adams joined the room
- 21:28@plausibledenial:matrix.org joined the room
Wed, May 10, 2023
- 02:39@toshiw:matrix.org left the room
- 03:31Romans Malinovskis joined the room
- 03:57Brice joined the room
- Soli05:29
Hii, I am struggling a bit getting @atproto/api (https://socket.dev/npm/package/@atproto/api) to work on an expo iOS client. Everything is working perfectly on the web but for some reason, the login function fails when running Expo on iOS (
npx expo start --ios
).await agent.login({ identifier: email, password });
The code snippet above returns the error function is undefined, specifically, it tries to use a function in URL.js
ERROR [TypeError: undefined is not a function]
I attached a screenshot of the error below. Does anyone know what I can do?
(edited) - 05:42callmearta joined the room
- 06:25owenn joined the room
- owenn06:32Hello everyone, been reading up on the AT Protocol and I've been liking what I read so far. Looking forward to hearing more and see what I can build upon it !
- 06:43@cubixle:matrix.org left the room
- Matthew07:03i wrote a thing which might or might not be of interest: https://news.ycombinator.com/edit?id=35886140
- 07:17@app1ep1e:matrix.org left the room
- 09:20@foxyzlove:matrix.org removed their profile picture
- 09:20@foxyzlove:matrix.org removed their display name (foxyzlove)
- 09:20@foxyzlove:matrix.org left the room
- 09:42@transrights:hot-chilli.im joined the room
- madiator201110:05I have question: How Bluesky aims to be decentralized? Where data is being stored and also if it's going to allow to self host?
- Brice10:07
In reply to this message
What’s a “federated” network? It’s a way for servers to communicate with each other – like email. Instead of one site running the network, you can have many sites. Users get a choice of provider, and individuals and businesses can self-host if they want. - 10:07From Bluesky Twitter
- madiator201110:07Ah so it goes same tech stack as Mastodon?
- Brice
- 10:09Basically the middle one
- madiator201110:09I mean both platforms will work in federation model :)
- Brice10:10yes :)
- Kjartan10:12I still can't see how atproto is supposed to be decentralised (with the upcoming "federation") in any way (it might be in the future, though)
- Brice10:14
In reply to this message
I mean if you want to delve deeper into the architecture, you're lucky, they released a blog post explaining it here: https://blueskyweb.xyz/blog/5-5-2023-federation-architecture - Kjartan10:14But if we count future intentions, I would like everyone to address me with "Almighty emperor of the world, universe, and everything there is"
- 10:16
In reply to this message
And if you remove the plc.registry and bgs, then every pds is on its own. That's just what Twitter and the others always have been, jsut with PDSs as external storage - kcchu10:19
In reply to this message
Could you define what decentralized mean to you? Besides PLA DID, which is not intended to be the final design, what else in AT Protocol do you think doesn’t meet the definition of decentralized? - Kjartan10:21Yes, it's not intended to be final. But until it's been replaced, one can't call it decentralised. Maybe "intended to become decentralised eventually"
- 10:22That's why I said: if we count intentions, then please call me "Almighty emperor of the world, universe, and everything there is" already
- 10:22I'm a nobody just temporarily. I really want to become almighty, etc
- Brice10:29
In reply to this message
Not fully maybe but mostly decentralized, which I guess is where the nuance is. - Kjartan10:30
In reply to this message
I'm mostly a god. Sorry, for being snarky, but this is really a boolean type of thing - 10:31Especially for this use case. I'm not saying they ever would do that - but if they wanted, they could easily remove any user from federation
- Brice10:31
In reply to this message
Also I don't really understand your "if you remove". Maybe I'm very literal but the architecture doesn't intend to remove these components. - Kjartan10:32
In reply to this message
In a decentralised network, you can remove any random element. Yes, this element will be gone, but the rest continues to work as intended. If you remove my mailserver for example, you everyone who wasn't one my server, could still email to/ and receive from anyone else - Brice10:33
In reply to this message
That's a possibility. Now, for ATProtocol's future I don't think that would be a smart possibility, hence I don't attach to it a big probability. - kcchu10:33Architecturally, DID is an independent building block used by AT Protocol. It is a framework being developed under the umbrella of W3C and it is not even part of ATP. So, may I assume that your only concern not being decentralized is referring only to DID, and the parts that are actually in ATP are okay?
- Kjartan10:34Please don't get me wrong in one thing: I don't try to move atproto in a bad light or anything. I just think it's celebrated for something already, which so far is just a statement of them (which might or might not happen)
- 10:38
In reply to this message
Even if it would never get decentralised (which is a possibility) ATP cn still be nice and a success. My only point is: one can't call it decentralised yet. Maybe in a few weeks or months, or maybe even a bit further in future. But right now, it's not (doesn't even have to be something bad; I like cake, oh, I love cake, but still, a cake is no steak, no matter what) - kcchu10:40I think as engineers a more fruitful question would be whether ATP is making progress in the right direction. You can’t control how media and celebrities perceive what Bluesky is. And I don’t think Bluesky team was trying to make false statements about the current progress.(edited)
- Kjartan10:42
In reply to this message
My criticism is actually here not even towards the bsky team (I have criticism there, too, and some false claims). Here I guess it's indeed more the narrative of devs. As far as I remember, bsky team itself, talks always of the intentions to get it decentralised, but not that it would actually be the case already - @planetoryd:matrix.org10:44Message deleted
- Brice10:44I don't know. To be fair, I'm not technically equipped to answer to this kind of question. My only take is that it might be unfair to also call it centralized as it is trying to go in the direction of decentralization and the architecture seems to support this direction. Thinking in "centralized" or "decentralized" only is a bit simplistic as it really depends on what you look at. It's quite black and white thinking and it might not be really relevant to how a development environment actually functions.
- 10:45Maybe I'm wrong and I would gladly receive the criticism but that's how I view things as of now.
- Kjartan10:49Is it unfair if one refuses to call a cake a steak, even though the cake is god damn delicious? Like I said, there isn't anything horrible about it being cake. There is a good chance that a decentralised social media platform jsut doesn't work for some reasons (like: too much data to handle, or whatever). It's not unfair if you call things by how they are. Really, the cake/steak example isn't so bad. Because I think you and some others, might think my disagreement would also mean I would devalue atproto, but that's not my intention here. I like a lot of centralised stuff (and I love cake)(edited)
- madiator201110:52is there any way to access Bluesky expect just invite?
- @planetoryd:matrix.org
- Kjartan
- 10:55Because it's in both cases a yes (but with different solutions)
- madiator201110:57Mostly want to compare it with mastodon and if there is dev api probably start thinkering. As daily I run my mastodon instance.
- Kjartan10:57Message deleted
- Kjartan10:57Give me a second
- 10:59John Moore joined the room
- Kjartan11:00Message from Kjartan there you find dozens of invites to a test instance (absolutely nothing is happening there, like really NOTHING at all. but you can play with the protocol, try to write a client or whatever; and as there is nothing happening, feel free to create a couple of accounts, so you can talk to yourself when the situation requires it (please don't do many big file uploads, I'm extremely low on free space)(edited)
- 11:01And for checking out the content of the real server: https://blue.amazingca.dev/
- 11:02
In reply to this message
If you have anymore questions to the test instance, it has to wait for two hours, as I really have to cook as the family is starving 😭(edited) - madiator201111:03np thanks for info
- 12:38Lizz joined the room
- 13:54nKantarell3Sky joined the room
- 13:54@njkekantarell517:matrix.org left the room
- whyrusleeping
- Kjartan15:11So, invite codes for everyone, to celebrate? 👀(edited)
- 15:23James Lund joined the room
- Matthew15:51
In reply to this message
np. it really pisses me off when open/decentralised projects attack other ones, and it feels important to try to show folks can be supportive instead - @neeg:nitro.chat15:51always has been
- Matthew15:52perversely i have better diplomatic relations with element’s commercial competitors (rocket.chat, mattermost, zulip, wire etc) than with other chat protocols, which is 🤯
- 15:53foss sometimes brings out the worst in people. 😞
- @neeg:nitro.chat15:57I think in FOSS people often invest a lot of their "mental energy" into believing that something is future so they take it personal and see alternatives as enemies.
- Kjartan16:03To be fair: while I wouldn't call atproto an enemy, I would say it is indeed a potential threat to for example ActivityPub, isn't it? And from the point of view of the ones being threatened, I think it's not a far stretch if they see them as the enemy. I'm glad for the competition to be honest (please don't hit me), because it's usually a good thing for the users in the long run
- @neeg:nitro.chat16:11And what the reason for people to be tied for a certain protocol? In popular services people use apps and don't think what's inside. Fediverse/Mastodon has changed the protocol from OStatus to ActivityPub also. But ATProto is rather incompatible with fediverse-like federation.
- Kjartan16:15About the OStatus to ActivityPub change: I'm sure the OStatus people weren't happy about that either :D I'm not agreeing with the AP people, just saying that I can kinda understand those, who see ATprotocol as an enemy (that doesn't mean I support their view, just that's imo somewhat understandable)
- @neeg:nitro.chat16:18Fediverse and ATProto are not direct competitors. Nostr and ATProto are. And Nostr is popularized amongst people who are extremely specialized on hating alternatives.
- Kjartan16:20Oh, I would see AP and AT absolutely as competitors. I wouldn't say they are the same product (especially as their solution looks very different behind the surface), but they try to serve the somewhat same purpose (from the end-users' point of view)
- 16:23(and Nostr might have a serious advertising issue: I have heard about Nostr only at bsky - I asked friends, colleagues, etc and no one had ever heard of it)
- Skyler Hawthorne16:27I don't see any decentralized services as competitors. Personally I'm glad that we are seeing decentralized services gaining enough popularity for there to be several federated decentralized ecosystems popping up
- 16:28It's a nice change of pace from yet another walled garden, that is competing with others for users and advertising dollars
- @neeg:nitro.chat
- Skyler Hawthorne16:31AP and AT have no reason to try to "outdo" the other, afaik
- Kjartan16:34
In reply to this message
Only if one even knows about them. Never heard about them before, never read anywhere anything about it before 🤷♂️ But I have meanwhile indeed tried it (but the client was ugly, and I was also too hyped about atproto anyway 🤣) - 16:35
In reply to this message
Even if they don't - some users might see their pals move to the other platform (and will be obviously unhappy about it) - Aaron Goldman16:43Kjartan: there are different opinions on what constitutes decentralized but here is my 2¢. The thing that makes AtProto decentralized is Authenticated Data. If I have your repo and your DID Document I can validate it. This is entirely independent of how I got the repo. The chain of signed commits has the roots of the Merkel trees. If I control my rotationKeys I can sign updates to my did:plc. This splits the problem into two problems. One, the creation and signing of commits to the repo. Two, the discovery and transport of repos. As for the first it is just math. If you control your keys you control your repo. As for the second there is efficiency to be had by a server for PLC and a PDS in the DID Document but if you wanted to have a did:key and use search to find commits signed by that key that could work just less efficiently. The place to look to judge the centralization of AtProto would be to look at what percentage of the users control their own rotationKeys.
- @neeg:nitro.chat16:47Sounds like PGP.
- 16:48Fediverse is what if email was a social network. And Bluesky is what if PGP was a social network.
- Kjartan16:49
In reply to this message
I guess we'll just disagree on this one. I agree, that centralisation has its benefits and perks (as here the efficiency as one example). That's why I say centralization doesn't have to be per se bad in all and every cases. But I'll disagree in regards whether it can be called decentralised (yet)(edited) - Skyler Hawthorne
- 16:51Which is fine, it's still in development
- 17:17@lukuniklo:matrix.org joined the room
- whyrusleeping17:38
In reply to this message
Yeah… it sucks. People feel so threatened that their “free labor with no guarantees” might be threatened by someone elses - Dominick Rangel17:42
In reply to this message
sort of. it is less secure than PGP but still really good comparatively - 17:47Steve Rawlinson joined the room
- Aaron Goldman17:48Pretty Good Authenticity
- Aaron Goldman
- 18:28I think the way to measure the progress on decentralization is did_count / rotation_keys_count
- 18:3078080 did:plc / 59 rotationKeys
- 18:31Very few users are holding their own rotation key.
- 18:32Granted I think a reasonable default is for both the user and the PDS to have a rotation key
- Kjartan18:32Message deleted
- Aaron Goldman18:32the user should opt in to the PDS not being able to help them recover
- 18:34but the fact that the client dose not by default have a recovery key stored locally that can be use for the migration to a new PDS without the old PDS letting you out is a problem
- goykasi18:40What is seen as the ideal situation for PDS? That each user is able to run/control their own?
- 18:40Stems looks interesting. Allowing users to delegate control of running the PDS, but each user still has their own.
- Kjartan
- goykasi18:53i dont think so. they say that on their site.
- Kjartan18:54
In reply to this message
Oh, okay. Haven't checked for a while :D Zach should post those things on stems itself :D(edited) - goykasi18:55I didnt know about them until I saw that doc that Aaron linked. They hold the 2nd highest number of dids behindbsky.social(edited)
- Kjartan18:56
In reply to this message
Yeah. it was a crazy time. Like 500 new users every hour or so. It was wild - 18:59nkantarell3sky changed their display name to nKantarell3Sky
- Kjartan
- 18:59Because I missmicrosoft.com(it was me) while my others are still there
- 19:00murat inanc joined the room
- goykasi19:00Im not sure its up to date. I changed my PDS endpoint. The change isnt reflected there.
- Kjartan19:02I'm also shocked that stems is just 5k something - because the server couldn't handle it at all at some times 🤔
- 19:02schnitzel-mit-pommes.dewas my latest thing. microsoft came before
- 19:03whileschnitzel-mit-pommes.deis horrible for an instance - because the compelte handle is allowed only to be 30 characters (if it uses the instance's suffix)
- murat inanc19:05bluesky invite code
- 19:05is there
- 19:17Taiwan Brown joined the room
- 19:25sandsunsky joined the room
- 19:33garthtrickett joined the room
- retr0id19:51
In reply to this message
wait I didn't even know it was possible to request you rotation key yet - 19:51how?
- Kjartan19:52They don't request it, they send it during account creation
- retr0id19:53huh then where does the number 59 come from
- goykasi19:54some users are running their own PDS
- moved to @shreyan:beeper.com@shreyanjain:matrix.org
- retr0id19:55yeah me neither
- Kjartan19:55I might be wrong, but I think you also can do it withbsky.social
- Kjartan19:55At least I think so
- 19:55Now, I'm unsure
- retr0id19:56how does a PDS "instantiate" a new DID?
- 19:56is it possible to send stuff toplc.directory
- 19:57DID is computed based on the new user info
- Kjartan19:58With your usual request to create an account - you can also provide/send a recoverykey
- retr0id19:58TIL!
- Kjartan
- 20:00That's why I would really like to get a new invite code 😭 (I was to afraid to risk my original invite code by messing up with curl)
- Kjartan20:09And I wasn't even sure, if I would be able to generate a proper key (in the right format etc)
- 20:11talking of that - how would one create a key, so it can be sent by curl? because in 5 months or so I probably might get a code as well
- goykasi20:18
In reply to this message
https://github.com/bluesky-social/indigo/blob/main/cmd/gosky/util/key.go#L54
And then send a string version of the public key - Kjartan20:18
In reply to this message
I'm kinda afraid of creating the string version part. Like as it is (the raw bytes) or converted to hex, or… - 20:19or as a did:key
- goykasi20:19hex (i think)(edited)
- Kjartan20:20I hope till then some client will offer it already oob
- 20:20won't happen any time soon anyway
- goykasi
- Kjartan20:22And even then I probably will give it to someone else. There are people who have been waiting for half a year. It's wrong to create a second account and let them wait
- 20:24Also bsky really would need some new users. My timeline gets a new post every few hours. more than a third of those I follow seem to have left already
- 20:28or they have blocked me - who knows 🤣
- Kjartan20:33I very much assume it's the did:key… format as it is defined in the crypto package. But I don't speak typescript, so it's all to take with a grain of salt
- 20:34was actually meant for a different window, but fits here as well - maybe one of you knows more about it
- 20:35assumption that it's the did-format is because it gets shoved into an array with the pds's keys in did-format (at least that's how it looks to me)
- goykasi20:35yah Im pretty sure the DID format is sent
- Kjartan20:37I really hope atproto reconsiders their naming. did at… that's all really horrible to search for, even within source
- Kjartan20:47Is there btw a way to test your own recoverykey, without already doing something "drastic" (like switching your pds)? Or can I test if the PDS really used my key?
- 20:47Or could an evil PDS just accept my recoveryKey, but use a different one, and I wouldn't know until I want to use it and fail?
- 20:48Or maybe even worse: not use a different one intentionally, but have a faulty implementation
- 20:49(it's not a bug people would have to recognise immediateley)
- Aaron Goldman20:54The client could submit directly toplc.directoryand not give the PDS the chance to mess with the key
- 20:55The PDS would send the PDS's key to the client and let the client create the DID Document
- Kjartan20:57Okay. Is this already possible? As in: does there any public code exist to do this, yet?
- Kjartan21:09And - would this be (by it's form, looks, length) a valid key? 😅 did:key:zQ3shdsnuzAKkKnwPDeu8KXiW2ipt1EREni78ndMPkVdkfyCJ ?
- 21:09(its 57 characters in total, so you don't need to count)
- 21:27Matthew Szklany joined the room
- Kjartan21:54I likely got it. It's already ~4am on my side. But I'll write the necessary steps down, so others don't have to figure it out themselves
- moved to @shreyan:beeper.com@shreyanjain:matrix.org22:20ooh that would be awesome
- 23:09@ab27:matrix.org joined the room
- 23:16yum joined the room
- 23:17yum set a profile picture
Thu, May 11, 2023
- citizenziggy01:54is there a way to run self hosted server instance of bluesky?
- murat inanc02:55hello bluesky invite code is there
- 03:11draganratkovic joined the room
- draganratkovic03:12hello friends how are you
- 03:44draganratkovic set a profile picture
- 04:45@dsenjoyer:matrix.org left the room
- 05:50peterblitz joined the room
- Kjartan
- 07:231inguini joined the room
- 07:29@transrights:hot-chilli.im removed their profile picture
- 07:34@transrights:hot-chilli.im removed their display name (transrights)
- 07:52@transrights:hot-chilli.im left the room
- Kjartan07:52what's the purpose of refreshing the client session, instead of just creating a new one? Is it just so credentials don't need to be stored? Or is there more to it?
- 08:45codesforliving joined the room
- codesforliving08:51Evening everyone, I would like to get started with development. If anyone has spare invite code, kindly share.
- draganratkovic09:12There were more friends with bluesky code ?
- 09:13If there is more code, I will be happy to forward it from private
- 09:14Let's see if we can help with the development for Bluesky.
- 12:51@orpheuslummis:one.ems.host left the room
- 13:24Patryk joined the room
- Patryk14:05Does anybody know what's the difference between lexicon's string
enum
andknownValues
? Doesenum
only allow for the given values andknownValues
is only a hint for which values can be expected? - 14:17Freezlex changed their profile picture
- curiouskoa
- 15:03ic5hoo7er joined the room
- valka15:07Happy to help :)
- Kjartan15:59
In reply to this message
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758
require "secp256k1" require "big" require "http/client" require "json" key= Secp256k1::Key.new B58BT= "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" class Array(T) def to_base58 r= "" n= BigInt.new 0 self.each do |byte| n= n*256+byte end loop do r+= B58BT[n%58] n= n//58 break if n==0 end r.reverse end end class Secp256k1::Key def public_did "did:key:z#{(Bytes[0xe7, 0x1].to_a + public_bytes_compressed.to_a).to_base58}" end end did= key.public_did fn= "#{did.split(':')[-1]}.key" File.write fn, key.private_hex puts "Stored the private key for '#{did}' as a hexstring in #{fn}.\nKeep it safe and secure!" print "On which server do you want to register (just press Enter if you're clueless what that means)? " host= (gets||"").chomp print "What's your email? " email= (gets||"").chomp print "What handle do you want? " handle= (gets||"").chomp print "What password do you want to use? " password= (gets||"").chomp print "And finally: What's your invite code? " inviteCode= (gets||"").chomp host= "https://bsky.social" if host.empty? host= "https://#{host}" unless host.starts_with? "http" resBody= HTTP::Client.post("#{host}/xrpc/com.atproto.server.createAccount", headers: HTTP::Headers{"User-Agent" => "accountCreator0.1", "Content-Type" => "application/json"}, body: "{\"handle\":#{handle.inspect},\"password\":#{password.inspect},\"email\":#{email.inspect},\"inviteCode\":#{inviteCode.inspect},\"recoveryKey\":#{did.inspect}}").body jres= JSON.parse resBody if (error= jres["error"]?) puts "Couldn't create the account, because… #{jres["error"]}: #{jres["message"]?||"???"}" puts "The key has not been removed, in case account creation was somehow successful - but that's unlikely :(" else puts "Hooray! All good. Now go and have fun!" end
It's not perfect, but it should give everyone an idea, how it works (and while not perfect, it works, it just could do the one or the other thing probably a bit better)
- 16:01
In reply to this message
Also, if anyone needs it compiled, I can offer osx(intel), linux and Windows (I've tested so far only the osx version). For devs likely not something they need (or even would want), but I'm thinking of the one or other average user, who got lost here (to ask for an invite code or something) and wouldn't know how to compile something - 16:04used libraries obviously are not, but all the written code lines were done by myself and are licensed under the wtfpl (http://www.wtfpl.net/about/)
- 16:05
In reply to this message
Also the private key is stored in your current directory. Pay attention that it's not /tmp or copy your key to some safer place :D(edited) - 16:31Brendan Abolivier joined the room
- Aaron Goldman16:31Any reason you made your own multibase rather than using an existing jem https://rubygems.org/gems/multibases Disclaimer: I have never used this gem and can't vouch for it
- 16:32I didn't see a gem for did:key which surprised me
- 16:32apra joined the room
- Kjartan16:33It's crystal, not ruby :) I don't think they have already something for base58 (I guess they have not, but I haven't looked for it (it's sometimes hard to find their equivalents of gems), and of how often something like this will be used, I expect that this likely doesn't exist yet)
- Aaron Goldman16:34Oh never tried Crystal but I hear good things
- Kjartan16:34Also, it's something which is quickly written, and performance doesn't matter here. So I would have spent more time looking for something than just writing it quickly myself
- Kjartan
- 16:43If anyone reads this, and they want to build something where performance will matter. I also constructed the string very… slowly. You can get already about 25% improvement just by doing the strings better
- 16:46The way it was posted, a MacPro from 2009 would do 10k base58 strings in 0.22s (with sanely optimised strings down to 0.17s, and with optimal strings down to 0.140s). If you were going to optimise the BigNum operations, I guess you would end up somewhere around 0.06 to 0.08s) - but it really doesn't matter for just one key just the way it was without any optimisations
- 16:48
In reply to this message
It's nice. But it's somewhat wrongly advertised imo (as in "oh, it's almost like ruby"). As someone who loves ruby, one gets very quickly, very frustrated by crystal. But especially for something small like this, and if you want it cross-platform, it's nice, yeah (or if you don't mind it being often very different from ruby by choice) - goykasi16:57Aaron Goldman: can you explain what "rotationKeys" are in the did document data? they arent mentioned in the atproto docs, but they seem to be related to signing and recovery keys. its not clear though
https://github.com/bluesky-social/did-method-plc/blob/main/packages/lib/src/types.ts#L18 - Kjartan16:58if you have 3 of them, the first one is the recoveryKey, the second one is …
- 17:01the second one is the PDS' recoverykey and the third one is plcRotationKey!? Mh, nah, don't trust me. I don't know :(
- 17:01Anoop Bhatia joined the room
- Kjartan
- Anoop Bhatia17:03please give me a bluesky invite code 🙏🏻
- memory-system17:06Is asking in this chat the process by which one receives an invite code?
- Kjartan
- 17:08I sadly don't have any codes. We are talking here only about the technical aspects of the protocol. But we don't have any codes either :(
- memory-system17:08I have been lurking in this chat and I have been waiting for the time to look over the codebase. Hopefully this weekend will be free. Is there a good place to read documentation?
- Kjartan
- Chris Lace17:09
It would be great if the actual people from (BlueSky) start a telegram but don’t invite too many.
Communication Is Key
- Anoop Bhatia
- Kjartan
- 17:11Or probably literally to anyone else in this room
- Anoop Bhatia
- Aaron Goldman17:21
In reply to this message
"verificationMethods":{ "atproto":"did:key:zQ3shXjHeiBuRCKmM36cuYnm7YEMzhGnCmCyW92sRJ9pribSF" }, "rotationKeys":[ "did:key:zQ3shhCGUqDKjStzuDxPkTxN6ujddP4RkEKJJouJGRRkaLGbg", "did:key:zQ3shpKnbdPx3g3CmPf5cRVTPe1HtSwVn5ish3wSnDPQCbLJK" ]
If you want to update the DID Document you need to sign the update. The rotationKeys are the list of keys that are allowed to update the DID Document. This key can be used to rotate theverificationMethods.atproto
thealsoKnownAs
, theatproto_pds
, or any other field in the DID Document.The
verificationMethods.atproto
is the key for signing repo updates. So the rotation keys are really part of did:plc not AtProto.The reason there is an order has to do with the conflicting goals of being able to revoke keys and recover when your keys are compromised.
If two keys try to make conflicting updates within 72 hours like say removing each other the winner is the key that is first in the list.
So if you trust your PDS with a rotation key and they try to steal your DID you, your client, has 72 hours to notice and recover the DID using a higher priority key.
But if you lose your phone and need your PDS to add your new phone to the DID Document once the 72 hours are up the key on the old phone is gone and there is no risk to the key being out in the world. - 17:24It is a good idea for a PDS to have 2 keys for the rotation keys a online lower priority key and a offline high priority key just in case the PDS gets hacked and they need to recover all the did:plc s from the attacker.
- 17:27So you would expect the list to be [users key, offline PDSs key, online PDSs key] unless a user has a lot of confidence in themselves not losing their keys in which case you expect [users offline key, users client key]
- Kjartan17:27
In reply to this message
Thanks! This was highly informative! (all of that, not just the last message) - 17:28You should write more often 🤣
- 17:29And it helps a lot with my own server implementation 👍
- Aaron Goldman17:29did:plc was an exercise in minimizing trust in the PDSs and the directory but at the same time letting users scale their own desires to manage their own keys.
- 17:30We really didn't want to force users to manage their own keys from day one but also needed when the did:plc became important to them that they could rotate themselves into being solely responsible for managing their keys
- Kjartan17:32Only as a thought: If I get it right, the PDS could at any time replace the keys. Yes, because my recovery key is "stronger" I would win any disagreement within 72h. But, I likely wouldn't recognise it, if the PDS just swapped the keys!? Usually I wouldn't, would I?
- 17:33Or should I (ideally) check if my recovery is still there at least once every 72h?
- Aaron Goldman17:33A normal human would never notice such a thing. The clients better be checking the directory and notifying the user
- @neeg:nitro.chat17:34But what is the time source for this 72h window?
- Kjartan17:34And if it was unnoticed, by myself and by my client, etc, then the PDS would have been successful in taking over my account?
- Aaron Goldman17:34I tend to assume that the client is more the users agent then the PDS is
- Kjartan
- @neeg:nitro.chat17:37I mean what prevents the PDS or another bad actor from publishing key change with tampered time as an event happened more than 72h ago.
- Aaron Goldman17:38
In reply to this message
Now that is the correct question. Now it is the directory if a PDS were to collude with the directory It could take any did:plc they had a rotation key for. But what are the chances the largest most popular PDS would be run by the same organization that runs the directory? - 17:40The ordering of the DID Document deltas is the thing we are trusting the directory with and the reason once there are many PDS operators we need to find a way to replace the centralized directly with a decentralized immutable legger
- draganratkovic17:42Aaron Goldman, can you check in private?
- @neeg:nitro.chat17:42Time is subjective in decentralized context. So maybe a sort of distributed timestamp server could help.
- Aaron Goldman17:42Essentially the question of how to manage the directory can't be answered because it's about buyin from the PDS operators. That's why it was PLC. It had to be a placeholder because there couldn't be a community of PDS operators until the protocol launched and we needed a community of PDS operators to decide what to do with the directory. So a centralized placeholder it is. 😭(edited)
- goykasi
- Kjartan17:47Somewhat less important, but for the full understanding, and while we are at it: the pds offline key, and pds online key, is there again a 72h window?
- Aaron Goldman17:47did:ion solved this by using Bitcoin's chain as the timestamp server but that makes it slow and not free
- Kjartan17:48
In reply to this message
To be honest, this discussion is kinda the stuff I hoped for, for a long time - moved to @shreyan:beeper.com@shreyanjain:matrix.org
- Aaron Goldman17:50The only thing is that keys earlier in the list have priority over keys later in the list. Did:plc has no concept of what the key are. If you put them in the wrong order sucks to be you.
- goykasi17:50
In reply to this message
Thank you for the explanation. To clarify, rotationKeys are specifically for updating the did document and verificationMethods are published application keys (ie used to sign posts added to user repos)?
The current Go implementation seems to place the signing key into both the rotationKeys and verificationMethods parts of the did document? Is that just out of simplicity of getting it up an running?
- Aaron Goldman
- goykasi
- Kjartan17:52
In reply to this message
I think I can answer that, because my impl does it too. It's because the ts repo kinda does it like that. One keypair gets created, and is then used for both - goykasi17:52
In reply to this message
Yah that is more or the less the source of the original question. It was a bit confusing - Kjartan
- 17:53
In reply to this message
Might be related to that weird overrides? thing I couldn't make much sense of - Aaron Goldman17:53Had you seen https://atproto.com/specs/did-plc
- 17:54Maybe it needs more discussion of how the trust in the directory is so low and why it is still scary.
- Kjartan
- 17:56Docs could also do with a few examples every now and then ;)
- Aaron Goldman17:57Also someone who doesn't work for Bluesky PBLLC should make a website hasThePlcDirectoryMutated.example let downloads the whole ledger periodically and checks if anything's been removed.
- Kjartan17:58Or it was new to me, that the keys are basically only different in their priority. That they would be (of functionality) interchangable
- Aaron Goldman18:04I think `/xrpc/com.atproto.server.createAccount` takes `recoveryKey` but the PDSs also adds it's two rotation key after the one provided by the client.
- Kjartan
- Aaron Goldman18:10I think it's important for the user to have the highest priority key incase there PDS betrayed them but maybe most users are so don't want to keep track of an offline key badly enough that they disagree
- goykasi18:12
In reply to this message
Its still a good feature though. But you are correct. Most people wont want to explicitly secure their key(s). They would most likely depend on the client to hold them and track DID doc changes - Aaron Goldman18:13I kinda like [user offline key, PDSs offline key, PDSs server key, client device key] but that is probably complicated for the user to understand the difference between the key in there phones local TPM and the rescue words on paper in their sock drawer
- Kjartan18:13
In reply to this message
Probably depends on the case. Those who selfhost, will likely trust their PDS a lot more than others. While the most average user probably doesn't care about it at all (and would be even still happy with being on twitter, but their friends asked them to join) - Aaron Goldman18:16
In reply to this message
Yup, on boarding needs to be seamless. Sign them up now. Let them generate a recovery key and print out the recovery words later once they care about the account - Kjartan18:19
In reply to this message
You are very optimistic, that they will ever care about it :D I'm not talking about the "nerds", but the most casual user :D - 18:21@turing_k:matrix.org left the room
- Chris Lace
- Aaron Goldman18:30Here is the scenario I worry about. 1) user signed up with a somewhat random PDS. 2) user uses AtProto for Bluesky and other Apps for years without thinking much about who their PDS is. 3) the PDS goes out of business and vanishes with no notice other than the client spins on a connecting screen. 4) user tries to migrate to a new PDS and finds out that they never had any of the rotation keys 5) 😭 The clients should have a rotation key. Without the user needing to think about it.
- moved to @shreyan:beeper.com@shreyanjain:matrix.org18:30oh for sure
- 18:31clients might even want to automate pds switching selection if one goes down
- 18:31but that raises the issue of what if it's only temporarily offline
- Aaron Goldman18:31But I am more likely to install malware on my phone the most PDSs are on the server
- 18:32If the key on my phone is hacked and the highest priority then I'm done.
- 18:34[user offline key(optional), PDSs offline key, PDSs server key, client device(s) key(s)]
- 18:34After this conversation that were I'm leaning
- goykasi18:35Very true. And there likely isn’t a great way to solve it without centralizing PDS instances. Or without having some sort of permanent authority hub. But who would run that?
- retr0id18:36
In reply to this message
I think the answer here is to require "paper wallet" key backups to be made during signup (show on one screen, ask the user to re-input as verification on the next), but maybe that's too much friction for a mass audience idk(edited) - goykasi18:37A Bip39 route could be taken, but not many users will care to write down their seed words
- moved to @shreyan:beeper.com@shreyanjain:matrix.org18:37that could run into the same issues as what nostr clients, bitcoin wallets etc have with adoption
- retr0id18:37as an aside, yubikey as signing key would be neat
- goykasi18:38True, but that also doesnt reach the masses. Most regular users have never even heard of a yubikey.
- retr0id18:38right, hence aside
- moved to @shreyan:beeper.com@shreyanjain:matrix.org18:39android lets google's password manager work with apps, I don't know about iOS though, or if people even trust Google
- goykasi18:41ios has a similar feature. And I would assume most users (android and ios) "trust" the password managers, because that is the platform's default offering
- Aaron Goldman18:42
In reply to this message
Well "entire maze dynamic wedding proud essay run present average delay seat essay ticket hobby spirit" is all I have to say about that. - goykasi18:42It doesnt fully solve the problem of recovery in the case that a phone is lost, but its an entry to 90% (higher?) regular users
- Aaron Goldman18:44Yup my password manager is much better at remembering 15 random words than I am
- 18:45As to Yubikey that's just one more device like the TPM in my phone, tablet, or laptop.
- goykasi18:46Most users just want something easy. And, in all reality, usually dont care much about decentralization or keypairs. They want to use something easy, popular and fun. Jumping through hoops isnt fun. We may have other concerns (which are neat), but AT/Bsky is meant to hit the masses (and not be another bitcoin)
- Kjartan18:50Is there a limit of keys the plc-reg will accept? And if so, what is the limit?
- Aaron Goldman18:58There was a limit on the total size of the document the directory will accept. I don't remember what it was something like 1kb or 4kb. Can't seem to matter much at the time most of the documents are only a quarter kb
- Kjartan19:08Oh, and limits are in general a thing, where I never know, is that limited by the protocol, or by the server implementation,… like number of pictures embedded (probably server), file-size-limits. json-size, etc
- 19:09but if it's server side, I would have expected that describeServer would inform the client about a lot of those limits, and not just let it try and fail(edited)
- kcchu19:09
In reply to this message
iPhone users who use iCloud is easier here. iCloud Keychain is considered secure enough that even some crypto wallets use it to store wallet key without additional encryption. And the best part is that it covers device lost situation - goykasi19:11Aaron Goldman: Thanks again for the explanations. Im a lot more clear on how the PLC operations happen. Another source of confusion is that there are multiple formats for the operations (request and response) to the PLC server: create, plc_operation, plc_tombstone. And terminology in those formats dont always overlap.
Maybe create and rotate/op could be changed to be more similar. The purpose of the message parts might be more clear and consistent. - kcchu19:28While we are at here. I want to ask a question about PLC. I understand it is temporary but it is a centralized service which gives Bluesky the power to remove or take over an user. I think it will soon become an hot issue when there are more user and media attention. What is the plan for replacing the PLC with something long term?(edited)
- Kjartan